Attracting Attackers: Windows vs. Unix

Lots of people believe that the reason there are more attacks on Windows machines than on Unix machines is simply that Windows dominates the desktop market. By that logic, 90-plus percent of the desktops should draw 90-plus percent of the attacks. The question is whether they are right.

Look just at the number of victims and they're more than right. According to Netcraft's surveys, Microsoft has only about one third of the Web servers on the internet, yet it accounts for nearly all of the servers known to have been compromised through external attack.

The same Microsoft over-representation takes place on the desktop with Microsoft users accounting for almost all of the virus and worm victims known.

Of course, this skewing doesn’t help decide the question because it’s more likely to be effect than cause. A better way to approach the issue is to ask a very different question: Are the ideas behind the attacks on the two environments sufficiently closely related that we can say they’re drawn from the same hypothetical population of possible attacks?

If so, the numerical dominance of one type of target (Windows) over another (Unix) should lead to comparable dominance in the number of attacks. However, if the attacks are drawn from different populations, then the numerical dominance in the target universe won’t suffice as an explanation for numerical dominance on the attack side.

Peeling the Layers

There are lots of layers to this onion. First, we need to strip away the impact the click-and-drool crowd (script kiddies) has on the numbers. These are people who sometimes modify but don't originate attacks, and who spray them at all and sundry.

Speculatively, you have to assume that the real originators feed code to the script kiddies because their activities benefit the criminals. In particular, the hue and cry set off by these people casts a protective layer of noise and confusion over criminal activity, keeps the police focused in the wrong places, distracts prosecutors and reinforces the stereotype of the destructive hacker as a socially incompetent 16-year-old with mental problems, an image the real criminals, many of whom seem to have legitimate computer science degrees, don't fit.

We need to understand how the value returned to the criminal influences decisions affecting the relative number of attacks. Some attacks are naturally targeted at the Windows community simply because that's where the money is. For example, second-generation phishing schemes that depend on the recipient's mail client rendering HTML have to target the PC community because their distribution method, spam, is a numbers game, and a random e-mail is something like nine times more likely to reach a PC user than a Mac or other Unix user.

To the rogue programmers developing attack code, however, simply hitting a bunch of users achieves nothing. They're out to steal for personal gain, and you don't do that by going around annoying the grownups. Their goal, instead, is to steal information, remain undetected and then turn that information into cash or political advantage. Look at how that's actually done and a dramatic, nearly absolute difference shows up between attacks aimed at Unix and those aimed at Windows variants like Windows Server 2003 and XP.

Attacker Communities

Although I'm only about halfway through categorizing the attacks listed in NIST's ICAT vulnerability database by whether or not they can be exploited to steal data, it's already obvious that one difference is so sharply demarcated that it allows an unambiguous answer to the question: Windows and Unix attacks are not drawn from the same population of possible attacks.

Dropping denial-of-service attacks, and attacks on x86 Linux, as unlikely to remain undetected leaves a stark contrast between "qualifying" attacks on Windows and "qualifying" attacks on Unix. Windows attacks play the numbers game: spray the code around the internet and wait for vulnerable systems to self-report. Nearly all known effective attacks on RISC-based Unix require legitimate access to the machine (an account that can log in and run code) and therefore have to be targeted one machine at a time.

Don't misunderstand. There are lots of attacks on RISC/Unix that rely on Internet distribution. They just don't work for data-theft purposes. Like denial-of-service attacks, they don't make money for the perpetrators. For example, my server gets probed almost every day and seriously attacked several times a week, with dtlogin (the CDE login manager) being a favorite target. Fundamentally, however, that's just vandalism; even if they got full control of the machine, it wouldn't get them a nickel.

Bottom Line

Right now, all known real attacks on Unix outside the x86 world require that the attacker already have the right to compile and run code on the target machine. Indeed, most are variants of traditional local Unix privilege-escalation attacks: exploiting a race condition (a time-of-check-to-time-of-use window) or a control-flow flaw in a legitimate call to a setuid program, or abusing a shared library or re-entrant routine that runs with authority higher than the user's.
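The local setuid race described above, as an added example that is not part of the column: a C sketch of the classic access()/open() time-of-check-to-time-of-use pattern beside a hardened form that opens first and validates the descriptor it actually holds. The attacker's symlink swap is made deterministic with a hook called inside the race window (in practice it would be a second process spinning on rename()); the scratch directory, file contents, paths and function names are all constructed for the demonstration.

```c
/* Added example, not from the column or any named project: a check-then-use
 * race in the access()/open() form next to a hardened open.  The "attacker"
 * is a hook run inside the race window so the outcome is reproducible. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable shape (as a setuid-root program would write it): access() checks
 * the path with the real uid, then open() reopens the path with the effective
 * uid.  Between the two calls the path can be repointed at a file the caller
 * may not read, and open() happily follows it. */
int open_checked_vulnerable(const char *path, void (*between)(void *), void *arg)
{
    if (access(path, R_OK) != 0)    /* check, evaluated by path */
        return -1;
    if (between) between(arg);      /* the window a racing attacker targets */
    return open(path, O_RDONLY);    /* use, evaluated by path again */
}

/* Hardened shape: refuse to follow symlinks, open first, then validate the
 * descriptor with fstat() (regular file, expected owner).  Nothing is checked
 * by path twice, so there is no window to race into. */
int open_checked_hardened(const char *path, uid_t owner, void (*between)(void *), void *arg)
{
    if (between) between(arg);      /* a swap here no longer helps the attacker */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

struct swap { char link[4096]; char target[4096]; };

/* Stands in for the racing attacker: repoint the symlink at the secret. */
static void repoint(void *arg)
{
    struct swap *s = arg;
    unlink(s->link);
    symlink(s->target, s->link);
}

static void write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f) { fputs(text, f); fclose(f); }
}

/* Constructs public.txt, secret.txt and a symlink "victim" in a scratch dir.
 * Returns 1 when the vulnerable open leaks the secret AND the hardened open
 * refuses the swapped link, 0 otherwise. */
int demo_race(void)
{
    char dir[] = "/tmp/toctouXXXXXX";
    if (!mkdtemp(dir)) {                 /* fall back to cwd if /tmp is off-limits */
        strcpy(dir, "./toctouXXXXXX");
        if (!mkdtemp(dir)) return 0;
    }
    char pub[4096], sec[4096];
    struct swap s;
    snprintf(pub, sizeof pub, "%s/public.txt", dir);
    snprintf(sec, sizeof sec, "%s/secret.txt", dir);
    snprintf(s.link, sizeof s.link, "%s/victim", dir);
    snprintf(s.target, sizeof s.target, "%s", sec);
    write_file(pub, "public\n");
    write_file(sec, "SECRET\n");
    symlink(pub, s.link);               /* looks innocent at check time */

    char buf[32] = {0};
    int leaked = 0;
    int fd = open_checked_vulnerable(s.link, repoint, &s);
    if (fd >= 0) {
        ssize_t n = read(fd, buf, sizeof buf - 1);
        leaked = n > 0 && strncmp(buf, "SECRET", 6) == 0;
        close(fd);
    }

    unlink(s.link);
    symlink(pub, s.link);               /* reset the link for the hardened run */
    int fd2 = open_checked_hardened(s.link, getuid(), repoint, &s);
    int refused = fd2 < 0;
    if (fd2 >= 0) close(fd2);

    unlink(s.link); unlink(pub); unlink(sec); rmdir(dir);
    return leaked && refused;
}

int main(void)
{
    printf("vulnerable open leaked the secret and hardened open refused: %s\n",
           demo_race() ? "yes" : "no");
    return 0;
}
```

The O_NOFOLLOW flag blocks the symlink swap, and the fstat() owner check is what catches the hard-link variant that O_NOFOLLOW cannot; in a real setuid program the usual answer is stronger still, either dropping the effective uid to the caller's before the open or working on descriptors (fstat, openat) throughout rather than on paths.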

The Windows situation is completely different. There the rule seems to be that you own any machine you can reach while no one is looking over your shoulder. The vast majority of even the most recent attacks assume the attacker has no legitimate access at all.

There are claims, for example, that Microsoft's firewall after SP2 always uses the same port for DNS queries and waits a full minute for a response, thereby enabling DNS spoofing, which in turn lets the attacker steer the user's browser to a Web site from which more direct attacks, such as MHTML-embedded scripts, can be launched.

The bottom-line difference is that essentially all Unix attacks currently considered likely to succeed require legitimate access, while those on Windows uniformly don't. The split is so lopsided that you don't need a statistical test (say, the Kolmogorov-Smirnov two-sample test) to know that this isn't a coincidence, and thus that the root populations are different.

Relative Dominance

What that means is that the number of attacks of each kind doesn't reflect the relative dominance of the targets, which leaves us free to pursue alternative hypotheses, including my favorite: Windows gets attacked more simply because it's easier, and therefore more profitable for comparable effort. Getting legitimate access, knowing enough about Unix to mount an attack and profit from it, and then covering your tracks are all hard, much harder than spraying an attack script at the world and waiting for results.

Overall, the Unix route also yields less data, although whether that translates to less value for the thief is a difficult question. It might be possible, for example, for someone renting Web space and a sign-on account that allows compiling code on a Linux box doing Apache virtual hosting to get the mod_perl module to issue apparently legitimate queries against another tenant's online database without getting caught. What that's worth, however, depends on the target and on the criminal's access to markets or other means of exploiting the information.

Certainly, value isn't a question we can answer in general, but it's obviously easier and less risky for the criminal to obtain value from the undetected theft of lots of identity data from tens or hundreds of e-commerce databases stored in SQL Server than from a few records stolen from one database.

It’s also technically easier, so what we have here is a winning combination for Microsoft of easier thefts producing greater value at lower risk — something that has everything to do with technology and nothing at all to do with market dominance.

Paul Murphy, a LinuxInsider columnist, wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry, specializing in Unix and Unix-related management issues.


  • Your article makes several assumptions. The first is about Netcraft's survey results. Netcraft does not say that Microsoft […] only has about one third of the Web servers on the internet. It says that only about 1/3 of all hostnames are hosted on Microsoft-based servers. There is not a one-to-one ratio of hostnames to servers. Large hosting services like ISPs tend to run hundreds or thousands of hostnames on a single server, and these have traditionally been Unix-based. Corporations, on the other hand, tend to have only a few hostnames assigned to a single server, and these have traditionally been Windows-based.
    In fact, at least one Netcraft physical server survey shows that Windows has more than 50% of the physical servers on the internet, and certainly the vast majority of clients.
    The second incorrect assumption is that Windows servers account for "about all" of the known servers that are attacked. If you go to just about any kind of compromise archive, such as the one at, you see that Linux typically accounts for 70-90% of the compromises they track.
    Your arguments are also rather simplistic, and ignore other factors, such as the average competency of a Windows administrator versus a Unix one. Typically, the large demand for Windows administrators means that employers are usually forced to hire substandard staff, and often relegate some non-technical (or most computer-literate) office worker to the task. Unix/Linux is almost impossible to administer without a solid foundation of Unix fundamentals. This means that a Unix system is likely to be more secure than a Windows system from sheer competence of the administrator, although there are certainly a ton of people out there experimenting with Linux who have little experience. These machines are typically exploited quite heavily if they're not behind a firewall.

    • Your response makes as many bad assumptions. One, you assume that a majority of attacks are defacements or web server based attacks, when the reality is that a majority are viruses or trojans. You also assume that a majority of corporations are running their websites on Windows. You also assume that the average Linux administrator is better trained than the average Windows administrator. Also, the number of parked domains on Windows versus Linux has shifted back and forth frequently. Because some places will park more domains on Unix-based systems than Windows isn't all that telling; it just means that the Unix systems are better at hosting a large number of domains. It is also a good target because people tend not to watch them as much. Not to mention 1 attack can hit hundreds of sites all at once.
      Defacements are about glory getting, and do not fall into the same realm as the information thieves. It is also true that many of these defacements aren't even defacements but file drops. A large number were text files dropped into the web space using poor settings in upload tools on the web sites. While a problem admittedly, they do not allow for the farming of information from the site. There is also the fact that it has been shown that a large number of remote exploits to Windows allow for a high level of access; why deface the computer when you can park something there that is so much more valuable?
      I am certainly not saying that Linux doesn't have its security issues, nor that Windows is horrible. I am saying that if you look at one small segment of attack types, one will come out better at avoiding them than the other. You should look at how you are going to deploy the system and how relatively secure it is in that deployment when making your decision. Also, are you going to spend the time it takes to ensure that your site remains secure by keeping up with security updates and learning how to properly configure your system to be secure?
