On Thu, Dec 9, 2010 at 3:45 AM, Rich Kulawiec <rsk@gsp.org> wrote:

> On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
>> ISPs are not the source. The source is Microsoft. The source is their buggy OS that is easily compromised to enable the computers to be taken over as part of the botnet.
>
> I often disagree vehemently with JC, but not this time.
>
> I've been studying bot-generated spam for most of the last decade, and to about six nines, it's all been from Windows boxes. (The rest? A smattering of "indeterminate" and various 'nix systems including MacOS.)
>
> The botnet problem is a Microsoft problem.
OK. People took exception to my last message, as the data from it was 2 years old. Here's data from 2010, which shows that the problem isn't the MSFT OS itself; it's the third-party apps that people happily double click on and install willy-nilly: http://blogs.computerworld.com/16575/security_firm_says_apple_has_more_secur... (yes, you have to read past some apple bashing at the beginning; get past that, and you hit the real aspect, which is that the major security vulnerabilities exist in third party applications, rather than the OS itself.) So, as much as I love Microsoft bashing as much as the next person (and the folks here know there's definite reasons why I'll usually be one of the first in line to bash them, when the situation calls for it), in this case, putting the thumbscrews to Microsoft isn't going to fix buggy Acrobat Reader software, and all those other third party apps that people use to exploit the platform.
> Now...whether the botnet problem will still be a Microsoft problem in 2015: can't say. Clearly attackers have plenty of reasons to attack other systems and in some cases, they'll be successful. But it appears that to date, the advantages they might accrue from owning a box running one of the superior operating systems are outweighed by the costs of the effort to do so. (With a few rare exceptions, of course.)
The sheer volume of bots may still be Windows boxes, yes; but that doesn't mean the initial vulnerability and exploit happened anywhere in the Microsoft code base. Look at how many vulnerabilities have been listed for Adobe Acrobat Reader, for example: https://secunia.com/advisories/product/19237/ 159 vulnerabilities in Adobe Reader, vs 69 in Windows 7: https://secunia.com/advisories/product/27467/
> But you don't have to take my word for this. Turn on passive OS fingerprinting on your MXs and start recording data, including DNS and rDNS, putative sender, recipient, etc. Accumulate a couple years' worth and analyze.
>
> This is why some rather effective defensive techniques (not just for spam) can be constructed by differentiating traffic based on the operating system of the host originating that traffic.
Sure, there are more Windows boxes out there than any other OS. But that doesn't mean the weaknesses and vulnerabilities being exploited are *part of the native OS*. If the OS is 100% bulletproof, but users are still installing insecure third party apps that are riddled with holes, you're still going to see more botnet machines with that OS fingerprint than any other, simply based on their overall percentage representation out of the total count of computers; but hammering on the OS vendor isn't going to do *anything* to slow down the rate of infection--there isn't anything more they can do. So--as much as I dislike Microsoft, beating on them isn't the answer here. Tell people to stop installing buggy software like Adobe Acrobat Reader, and you'll get closer to stemming the tide of infections.

Matt
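The analysis Rich describes (passive OS fingerprinting on the MX, recorded alongside rDNS, sender, recipient and the spam verdict, then tallied per originating OS) is easy to sketch. The script below is an added example written for this thread, not code from either poster or from any fingerprinting tool. Both log formats are constructed for the example: real tools such as p0f emit their own formats, so the two parser functions are the part you would adapt. It joins fingerprint records to MX delivery records by source IP, computes a spam ratio per OS family, and shows how a per-OS policy (extra scrutiny for families with a high observed spam ratio) could be derived from the data rather than from assumptions.

```python
"""Join passive-OS-fingerprint records with MX delivery logs and tally spam
per originating OS family.  Example code for the thread above; the log
formats are CONSTRUCTED (assumption), not any real tool's output."""
import re
from collections import defaultdict

# Constructed fingerprint records: "<ip> os=<family>" (assumed format)
FINGERPRINT_LOG = """\
192.0.2.10 os=Windows
192.0.2.11 os=Windows
192.0.2.12 os=Linux
192.0.2.13 os=Windows
198.51.100.5 os=FreeBSD
198.51.100.6 os=Windows
203.0.113.7 os=unknown
"""

# Constructed MX log: "<ip> from=<sender> to=<rcpt> rdns=<name|NXDOMAIN> verdict=<spam|ham>"
# (assumed format; the fields mirror what Rich suggests recording)
MAIL_LOG = """\
192.0.2.10 from=a@example.net to=u1@example.org rdns=NXDOMAIN verdict=spam
192.0.2.11 from=b@example.net to=u2@example.org rdns=NXDOMAIN verdict=spam
192.0.2.12 from=c@example.com to=u1@example.org rdns=mail.example.com verdict=ham
192.0.2.13 from=d@example.net to=u3@example.org rdns=NXDOMAIN verdict=spam
198.51.100.5 from=e@example.com to=u2@example.org rdns=mx.example.com verdict=ham
198.51.100.6 from=f@example.com to=u1@example.org rdns=host6.example.com verdict=ham
203.0.113.7 from=g@example.net to=u4@example.org rdns=NXDOMAIN verdict=spam
203.0.113.8 from=h@example.com to=u5@example.org rdns=h8.example.com verdict=ham
"""

FP_RE = re.compile(r"^(?P<ip>\S+)\s+os=(?P<os>\S+)$")
MAIL_RE = re.compile(
    r"^(?P<ip>\S+)\s+from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)"
    r"\s+rdns=(?P<rdns>\S+)\s+verdict=(?P<verdict>spam|ham)$"
)


def parse_fingerprints(text):
    """Map source IP -> OS family; malformed lines are skipped, not fatal."""
    table = {}
    for line in text.splitlines():
        m = FP_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["os"]
    return table


def parse_mail_log(text):
    """Return one dict per well-formed delivery record."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def tally_by_os(fingerprints, events):
    """{os_family: {"spam": n, "ham": n}}, joining on source IP.
    Hosts with no fingerprint are kept under their own bucket so they are
    not silently dropped from the totals."""
    counts = defaultdict(lambda: {"spam": 0, "ham": 0})
    for ev in events:
        family = fingerprints.get(ev["ip"], "unfingerprinted")
        counts[family][ev["verdict"]] += 1
    return dict(counts)


def spam_ratios(counts):
    """Fraction of observed deliveries per OS family that were spam."""
    return {
        family: c["spam"] / (c["spam"] + c["ham"])
        for family, c in counts.items()
        if c["spam"] + c["ham"] > 0
    }


def policy_for(family, ratios, threshold=0.5):
    """'scrutinize' (stricter filtering, greylisting, etc.) when the observed
    spam ratio for this family exceeds the threshold; families with no data
    default to 'accept' rather than guessing."""
    return "scrutinize" if ratios.get(family, 0.0) > threshold else "accept"


def run_analysis(fp_text=FINGERPRINT_LOG, mail_text=MAIL_LOG):
    """Convenience wrapper returning (tally, ratios) for the embedded samples."""
    counts = tally_by_os(parse_fingerprints(fp_text), parse_mail_log(mail_text))
    return counts, spam_ratios(counts)


if __name__ == "__main__":
    counts, ratios = run_analysis()
    for family in sorted(counts):
        c = counts[family]
        print(f"{family:16} spam={c['spam']} ham={c['ham']} "
              f"ratio={ratios[family]:.2f} policy={policy_for(family, ratios)}")
```

Two practical points the script makes visible: the join is only as good as the fingerprint coverage, so the "unfingerprinted" bucket is worth watching, and a per-OS policy derived from a small sample will misclassify legitimate mail from the dominant family (here a Windows host delivering ham still lands in the "scrutinize" bucket), which is why Rich's "a couple years' worth" of data matters before acting on the ratio.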