
Re: [Asrg] Software bashing [mostly OT, but on at the end]

2009-01-22 23:54:45
On Mon, Jan 19, 2009 at 02:47:09PM -0600, Gordon Peterson wrote:
> If 90% of all the computer workstations were running Linux, then the
> virus/malware authors would be writing viruses for THAT platform.  Same
> is true for Macs.

This is nonsense: there *was* a time when most of the computer workstations
on this network were running Unix, yet we did not see massive malware
infections with network-wide negative impact on a recurring and persistent
basis.

We saw one.  Over twenty years ago.  And it was eradicated in 48 hours.

That's roughly 10000 times lower than the malware incidence rate for Windows.

And if this claim were true today, then we would expect to see
infected systems roughly in proportion to their deployment: if OS type
A was 6% of the population, then we would expect to see systems of OS
type A accounting for 6% of infections.

But we don't.  We don't see anything even remotely close to that.

( Actually, since Unix/Linux systems are vastly preferable targets --
thanks to their markedly superior capabilities and their frequent use
in security-critical applications, we should expect to see infection
rates somewhat *higher* than their population percentage.  We see
precisely the opposite. )

What we do see is a minimum of at least a hundred million compromised
Windows systems.  Credible and experienced observers have postulated
that the real number may now be two to three times that, and I've found
no contradicting evidence.

        ( Of course, that speculation can't be directly proven or
        disproven, since any system which doesn't provide evidence to an
        external detector won't be observed.  Even those with very large
        numbers of detectors, e.g., the CBL, are no doubt missing large
        numbers of these.  Moreover, any system which has been zombied
        but which emits no traffic signalling that state will remain
        undetected indefinitely no matter how many detectors there are
        and how adept they are at noticing the signs.  Given what we
        know of abuser strategy and tactics, it seems very likely that large
        numbers of such systems are held in reserve. )

Whatever the "real" number is: it's very big, and getting bigger.
And there's no reason to anticipate that the trend will reverse, and
a number of reasons to believe it will get worse. [2]

But don't take my word for it: run the experiment yourself.  Turn on
passive OS fingerprinting in your perimeter devices (or on your servers)
and correlate that data with:

        - spam attempts
        - ssh attempts
        - ftp attempts
        - pop/imap attempts
        - port scans
        - crafted packet attacks
        - http-based exploit attempts
        - DoS attacks
        - etc.

After a year or two, I think you'll find what I've found after running
this experiment in multiple environments of different sizes, characteristics,
purposes, etc.: the abuse problem is largely (in some cases, almost
exclusively) a Microsoft Windows problem. [1]  And it's clear that
the correlation far exceeds the population percentage, either as-observed
or as-guesstimated.  (Some of my sensors have gone for months without
detecting a non-Windows-originated ssh attempt, for instance.)
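A worked version of the correlation the post describes, added here as an example that is not part of the original message: the fingerprint and abuse records are constructed, and their two-column "ip value" line format is an assumption rather than any real tool's output. It computes each OS family's share of observed hosts against its share of abuse events, which is the proportionality comparison made above.

```python
"""Correlate passive-OS-fingerprint records with abuse-event records.

Constructed sample data; the "ip value" line format is an assumption
made for this example, not the output of any particular tool.
"""
from collections import Counter

# Constructed fingerprint records: source IP -> guessed OS family.
FINGERPRINTS = """\
198.51.100.10 Windows
198.51.100.11 Windows
198.51.100.12 Windows
198.51.100.13 Linux
198.51.100.14 Linux
198.51.100.15 FreeBSD
198.51.100.16 MacOS
198.51.100.17 Windows
198.51.100.18 Windows
198.51.100.19 Windows
"""

# Constructed abuse events: source IP and event type (spam, ssh, ...).
ABUSE_EVENTS = """\
198.51.100.10 spam
198.51.100.10 ssh
198.51.100.11 spam
198.51.100.12 portscan
198.51.100.17 spam
198.51.100.18 spam
198.51.100.19 http-exploit
198.51.100.13 ssh
198.51.100.99 spam
"""

def parse_pairs(text):
    """Turn 'key value' lines into (key, value) tuples, skipping blank lines."""
    return [tuple(line.split(None, 1)) for line in text.splitlines() if line.strip()]

def correlate(fingerprints, events):
    """Return {os: (population share, abuse share, abuse/population ratio)}.

    A ratio of 1.0 means abuse is exactly proportional to deployment.
    Abusing hosts that were never fingerprinted are counted as 'unknown'.
    """
    os_of = dict(parse_pairs(fingerprints))
    population = Counter(os_of.values())
    abuse = Counter(os_of.get(ip, "unknown") for ip, _ in parse_pairs(events))
    n_hosts, n_events = sum(population.values()), sum(abuse.values())
    result = {}
    for os_name in set(population) | set(abuse):
        pop_share = population[os_name] / n_hosts
        abuse_share = abuse[os_name] / n_events
        ratio = abuse_share / pop_share if pop_share else float("inf")
        result[os_name] = (round(pop_share, 3), round(abuse_share, 3), round(ratio, 2))
    return result
```

Feed it a year of real fingerprint and sensor logs in the same two-column shape and the ratio column is the number the post argues about; an OS with a ratio well above 1.0 is over-represented among abuse sources relative to its footprint.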

Incoming spam, for example, differentiates into three categories:
(a) zombies, and the number of non-Windows zombies is negligible;
(b) incompetently-run mail servers, e.g., Yahoo, Hotmail, of varying OS
composition; and (c) spammer-owned/leased mail servers, also of varying
OS composition.

And category (a) dominates - by attempts, by volume, by extent, by everything.
(Hardly surprising: it's the most cost-effective and anti-spam-resistant
method for abusers.  They'd be silly not to exploit it.)

This isn't a new observation nor is it original with me: note this
wonderfully clever hack, from almost exactly 5 years ago:

        openbsd's fingerprinting and shaping used for evil^Wgood
        http://use.perl.org/~merlyn/journal/17094

As a result, it's long since become part of my anti-spam and overall
security strategy to consider anything originating on a Windows system
as "suspect", at best, and to subject such traffic to (a) rate-limiting
(b) refusal (c) higher scrutiny and/or (d) modified services.  I highly
recommend this approach for anybody with the facilities to use it:
the results are striking.

---Rsk

[1] You'll also find that zombies are obviously acting in concert.  We've
known for years that a variety of techniques are used to coordinate their
activities: top-down control, P2P methods, etc.  It seems more than likely
that following incidents like the McColo shutdown that abusers will
reconsider and develop more resilient methods that are more resistant
to the loss of any control point.

[2] Among those reasons: I'm waiting for the use of virtualization by
malware, so that (a) the putative owner of the system can be sandboxed
into a VM which checks out as "clean" when scanned by anti-malware
products and (b) VM instances can be separately created and leased in
bulk, thus permitting multiple abusers to utilize a system's hardware
resources simultaneously.