Over a decade of DDOS--any progress yet?

Matthew Petach mpetach at netflight.com
Thu Dec 9 18:53:48 UTC 2010


On Thu, Dec 9, 2010 at 3:45 AM, Rich Kulawiec <rsk at gsp.org> wrote:
> On Wed, Dec 08, 2010 at 07:43:52AM -0800, JC Dill wrote:
>> ISPs are not the source.  The source is Microsoft.  The source is
>> their buggy OS that is easily compromised to enable the computers to
>> be taken over as part of the botnet.
>
> I often disagree vehemently with JC, but not this time.
>
> I've been studying bot-generated spam for most of the last decade, and to
> about 6 nines, it's all been from Windows boxes.  (The rest?  A smattering
> of "indeterminate" and various 'nix systems including MacOS.)
>
> The botnet problem is a Microsoft problem.

OK.  People took exception to my last message, as the data from
it was 2 years old.

Here's data from 2010, which shows that the problem isn't
the MSFT OS itself; it's the third-party apps that people
happily double click on and install willy-nilly:

http://blogs.computerworld.com/16575/security_firm_says_apple_has_more_security_holes_than_anyone

(yes, you have to read past some Apple bashing at the
beginning; get past that, and you hit the real aspect, which is that
the major security vulnerabilities exist in third-party applications,
rather than the OS itself.)

So, as much as I love Microsoft bashing as much as the next
person (and the folks here know there's definite reasons why
I'll usually be one of the first in line to bash them, when the
situation calls for it), in this case, putting the thumbscrews to
Microsoft isn't going to fix buggy Acrobat Reader software,
and all those other third-party apps that people use to exploit
the platform.

> Now...whether the botnet problem will still be a Microsoft problem in 2015:
> can't say.  Clearly attackers have plenty of reasons to attack other systems
> and in some cases, they'll be successful.  But it appears that to date,
> the advantages they might accrue from owning a box running one of the
> superior operating systems are outweighed by the costs of the effort
> to do so.  (With a few rare exceptions, of course.)

The sheer volume of bots may still be Windows boxes, yes; but that
doesn't mean the initial vulnerability and exploit happened anywhere
in the Microsoft code base.

Look at how many vulnerabilities have been listed for Adobe Acrobat
Reader, for example:
https://secunia.com/advisories/product/19237/

159 vulnerabilities in Adobe Reader, vs 69 in Windows 7:
https://secunia.com/advisories/product/27467/

> But you don't have to take my word for this.  Turn on passive OS
> fingerprinting on your MX's and start recording data, including DNS
> and rDNS, putative sender, recipient, etc.  Accumulate a couple
> years' worth and analyze.
>
> This is why some rather effective defensive techniques (not just for
> spam) can be constructed by differentiating traffic based on the
> operating system of the host originating that traffic.

Sure, there's more Windows boxes out there than any other OS.

But that doesn't mean the weakness and vulnerabilities being
exploited are *part of the native OS*.

If the OS is 100% bulletproof, but users are still installing
insecure third-party apps that are riddled with holes, you're
still going to see more botnet machines with that OS fingerprint
than any other, simply based on their overall percentage
representation out of the total count of computers; but hammering
on the OS vendor isn't going to do *anything* to slow down the rate
of infection--there isn't anything more they can do.

So--as much as I dislike Microsoft, beating on them isn't
the answer here.  Tell people to stop installing buggy
software like Adobe Acrobat Reader, and you'll get
closer to stemming the tide of infections.

Matt



