A Grain of Salt: dealing with Operating Systems security debate
An article recently released by the Zone-h website (ref: http://www.zone-h.org/winvslinux ), containing data updated to May 2003, tracks the evolution of the number of confirmed defacements performed by cybercriminals on various server platforms. Defacements (also called overt attacks) are attacks conducted by humans against web servers which leave a trace in the form of modified web pages on the server and are then reported to Zone-h for verification. This study has been taken by many as a demonstration that Windows server operating systems are more secure than Linux.
Part 1: Overt Attacks
The charts included, taken from that very Zone-h feature, are indeed worth a lot of words.
This one shows the evolution of this kind of attack by hostname. Since a single web server can host multiple sites, the chart is not valid 'per se' to describe how many machines running Linux or Windows have been successfully attacked by human crackers and 'defaced'. This is easily assessed by looking at the following chart:
Here the situation appears quite different: the number of actual machines compromised is currently roughly equal for the two OS families, but the recent past shows a peak in damaged machines running Windows. This can lead to some confusion among readers: the two charts seem to be in stark contrast.
This is only partially true: we can guess that an increasing number of providers are using Linux to deploy multiple websites on a single web server, and an attack on a single machine can lead to a so-called mass defacement, which weighs heavily on the Linux statistics. Windows machines are also used by ISPs, but it seems that Linux, for economic and flexibility reasons, is used more and more for this kind of deployment.
An interesting point of the above chart is the correlation shown in the image between the Slammer worm (an automated attack by a malicious program which affected Microsoft SQL Server at the end of 2002) and the increase in Windows defacements. This appears strange, to say the least, because Slammer did not attack IIS web servers (at least not directly) and can't be held responsible for web defacements (at least not directly). Besides, it attacked a number of machines estimated to be much higher than 7000, at lightning speed. So why does patching for Slammer mark a decrease in web defacements? Again we can guess that many system administrators, while patching their SQL servers against the Slammer worm, also took a look at their IIS servers and applied security measures (patching, firewalling...) which brought the Windows platforms back to a more normal susceptibility to exploitation. The big peak in Windows defacements could be due to vulnerabilities which went unpatched for a long time; besides, could the Sept. 11 anniversary also be a reason for the general explosion of defacements? It could be, but the effect of an anniversary does not typically last for 6-7 months...
The approximate total number of defacements is also accessible through a release by mi2g (ref: http://www.mi2g.com/status ) and shows, for 2002 (the last complete year), about 85000 defaced machines (most probably counted by single IP), with Windows systems accounting for about 49000 attacks and Linux systems accounting for 24000 'overt attacks'.
So what can we conclude from the comparative analysis of this data? Not very much in the absence of other data, such as the actual number of hosts running Linux or Windows on the Internet or the percentage of mass defacements on each of the two platforms. But even with such accessory data in hand, we would have to take into account a large number of factors, such as the money invested by site owners to secure and keep their web servers up to date, the functionality typically enabled on each platform (i.e. Apache with PHP or IIS with ASP) and the ease of patching on each platform.
Part 2: Some automated attacks
In contrast with the human-led defacements, many Internet servers are compromised daily by automated attacks, frequently by worms (malicious code which self-replicates and spreads using known vulnerabilities of host systems).
On July 19, 2001 more than 359,000 computers were infected with the Code-Red (CRv2) worm in less than 14 hours. At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute.
The quote is from the CAIDA website
(ref: http://www.caida.org/analysis/security/code-red )
and is interesting for a comparison between the figures for human-led and worm-led attacks. Code Red exploited a flaw in Microsoft IIS web servers.
In the largest such incident since the Code Red and Nimda worms bored into servers in 2001, the Sapphire worm--also known as Slammer and SQLExp--infected more than 120,000 computers(...)
This quote is from News.com website
(ref: http://news.com.com/2100-1001-982135.html?tag=nl ).
The Slammer worm has been held responsible for network overloads worldwide, all of this achieved by attacking just one class of Internet-connected computers (Microsoft SQL Servers). Strictly speaking this worm did not attack web servers, but it is worth mentioning in the bigger picture of the 'server operating systems security' debate. Besides, as noted before, this worm has been held responsible (incorrectly, in our view) for Windows defacements.
The most recent major outbreak--Nimda, which infected hundreds of thousands of systems in September--was "the ultimate cocktail," a worm that exploited multiple methods of spreading, and attacked systems through multiple security holes in Microsoft's Internet Information Services software(...)
This quote is from the Pcworld.com website
(ref: http://www.pcworld.com/news/article/0,aid,71343,00.asp )
and testifies to another popular worm which targeted mixed Windows platforms back in 2001.
For comparison, it's worth quoting an article regarding the Slapper worm, taken from the Vnunet website
(ref: http://www.vnunet.com/News/1135137 ):
The Internet Storm Centre (ISC), the early warning system from the Sans Institute, is on yellow alert for the first time in months as the Slapper worm continues its infection of Apache web servers. (...) Slapper-infected servers have already been linked to denial of service (DoS) attacks against other machines. It is thought that some script kiddies found the source code for a concept attack known as peer-to-peer UDP Distributed DoS (PUD) on a security site and turned it into a working worm. The ISC has confirmed that around 6,000 servers are currently infected. But speculation on the BugTraq security mailing list suggests that numbers may be as high as 30,000. A patch has already been released by the OpenSSL crew (...).
The Slapper worm exploited vulnerable Apache servers back in 2002.
Part 3: A bigger picture
A first conclusion could be that human attacks are more or less continuous and reach figures of around 100000 yearly, but automated exploits have by far outweighed them, sometimes within days or hours (see the examples above). Another key point is that nothing in this 'bigger picture' testifies to a lesser security of Linux operating systems with respect to their Windows counterparts.
This article does not aim to denigrate Windows or praise Linux OSes; the aim of this paper is to put journalists and end users 'en garde' against the dangers of simplification. In the desktop arena Windows is by far the most targeted platform (tens of thousands of viruses exist according to some estimations), and countless papers have tried to explain this as a result of poor design or simply of market dominance. In the server arena, however, where the host can't be completely 'hidden' from attackers, no operating system can be considered 'less targeted', because very skilled humans can penetrate almost any security measure. And if humans don't bother you, automated attacks are always waiting for unpatched software vulnerabilities.
As a final consideration, may we strongly suggest that nonexpert system administrators NOT run their own web servers (on whatever platform) and instead have their websites run by a good Service Provider? Assistance and disaster recovery are better done by professionals... If, instead, you belong to the Elected Uberadministrators, you surely don't need our advice.
This article is not intended to denigrate/damage any of the quoted websites (whether we agree with them or not) or to steal their intellectual property. All sources are properly quoted and the information is used for educational purposes only.
21st of July, 2003
In November I contacted the Administrator of Zone-h with the following mail:
Here is the Admin's answer:
Simone, I got hold of your mail and I went to read your article.
Regards, SyS64738 www.zone-h.org admin.
Later on, encouraged by the kindness and competence of the Admin, I wrote back to him:
(first name of Sys64738)
(NOTE: I've reason to think Admin is Italian, so I'm telling him in Italian I'd like to publish these letters in an article.)
(getting back to English) if you agree with the publication of this letter,
I'd like to ask your opinion about malware on Windows and Linux servers.
Doing a bit of research on the Net it's easy to discover how the first http worms were born and spread on Unix platforms. Nevertheless, in the recent past the worst Unix worms (i.e. Slapper) spread in a rather confined way, compared to lightning strikes like Slammer (curious name resemblance) or Code Red or even Nimda. And all this in spite of the dominance of Apache/Linux/BSD in the http server panorama...
for your attention; do not fail to let me know if you deny consent to the
(NOTE: I'm asking him in Italian to explicitly deny permission to publish if he doesn't want me to. I'm also praising Tmag ;-))
As soon as I receive a follow-up I'll publish it.
Meanwhile, if Sys64738 did not receive the e-mail or was unable to comment for whatever reason (btw. I switched mail provider in this period, though leaving pointers to reach me safely), please send mail to email@example.com . I'm always available (within a reasonable time, after which Tmag articles go out of maintenance) for further updates to this page.
3rd of December, 2003
Simone Bianchi
Updated: February 2008 (mail address)