Adam Katz wrote:
There are several academic viruses for non-Windows systems out there,
plus maybe a few actual ones.  The rest are all just exploits and
root-kits that typically don't fall into the "virus" category.
Non-Windows-based worms are almost exclusive to Apache (and within
that category, heavily favoring PHP exploits).

This isn't because it's easier to make Windows virii.

You're OK up to this conclusion, which is basically wrong.

Malware writing today is virtually 100% what you would
call a "business" decision.

Malware writers target Windows because of the results of
a decision matrix, which uses the following variables:

1) Size of potential pool of hosts to infect
2) Ease of infection of each host

(note that this is a simplification of the actual
variable list, which is much longer)

In short, it's a business decision.

The problem is that these variables are not static; some
of them are changing.  Every new version of Windows is
getting a bit more difficult to infect, every year the
non-Windows systems are getting easier to infect (due
to hubris of their owners) and every year there's more
non-Windows systems out there.

Think of it this way.  Spammers purchase networks of
distributed compromised systems from the malware writers.
The spammer knows they can only get off 200 spams per
machine before the machine is blocked, so for a run
of a million spams they need to buy an assembled spambot
network of 5,000 systems.

The Malware writer knows he can get, let's say, $30,000
for each spambot network of 5,000 systems they can
assemble.  If he doesn't make his 5,000 systems, he gets
paid nothing.

The Malware writer knows the percentage of infection
success - for example let's say for every 1000 Windows
systems he attempts to infect, he succeeds with 1.
That's an infection success rate of .1%.  To get his
5000 machines, he needs a pool of 50 million Windows
machines on the Internet.

Now, let's take a look at our decision variables in light
of what I said.

If the Malware writer manages to create a MacOS X virus that
has an infection success rate of, say, 80%, then all he
needs is a pool of 6,300 machines.

The Malware writer doesn't give a rat's ass whether
the infected systems are windows, linux, Mac, or
refrigerators, for that matter.  All he needs is
5000 of them for the spammer to pay him.

This is why it is incorrect to make the
claim that you did, which is that the ease of infecting
a Windows system has nothing to do with the number of
Windows viruses out there.  It is a central variable
in the decision to write a bot.

As for the ease of WRITING a bot, that is a red herring.
If a difficult-to-write bot had a much higher infection
success rate than an easy-to-write bot, the malware writers would
be writing them because the mathematics of this would allow
them to crank out far more networks of 5,000 infected systems,
so they would get paid a lot more money.  This is true
independent of the operating system.

Windows still
accounts for the overwhelming majority of non-tech-savvy users'
systems, and that's what malware writers want to target.


Absolutely wrong.  All the malware writers want is to assemble
and sell networks of compromised systems.  They don't care what
platform the systems are on.  And the people buying these
compromised networks aren't stupid enough to use these networks
in a way that destroys the network.

If I spend good money buying a compromised network of 5000
machines, the dumbest thing I could do with it is things that
would draw the attention of the owners of these 5000 systems
that they have a bot on their system.  Like, stealing their
identities.  I want them ignorant and happy so they don't start
wondering if they should scan their systems for bots.  I want to use their 5000 machines to attack 200,000 other "non-tech-savvy users" who WILL figure out that they were hacked when I use their stolen identities to do my credit card fraud.

Ted

That said, there is a growing volume of browser-based malware these
days, and the popularity of Flash and Javascript over ActiveX (thanks
in part to Firefox) means that most of it will work on any operating
system.  Since Windows is pretty much the only system that runs things
permissively, damage is limited (but still quite real) on non-Windows
systems.  (Plus, anything trying to lodge itself in Windows paths like
C:\Windows or the Windows registry or via a binary or
Windows-dependent script will fail right off the bat.)

Aside from Javascript issues, I've never heard of a non-Windows piece
of malware that spread through email. I don't know of any email
clients that support Javascript any more, and any sane webmail server
will defang in that regard as well.

That largely limits non-Windows malware to "click here" items, for
which we have the URI blocklists.


In summary:  don't run things as root, keep up with your distro's
security updates, don't serve CGI outside of localhost on your
non-server, and be careful where you point your web browser.  For
Linux, I also recommend fail2ban, http://www.fail2ban.org/
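The summary above ends with "don't serve CGI outside of localhost on your non-server". The script below is an added example, not part of either poster's message, that turns that advice into a quick check: it reads the listening-socket table in the format `ss -ltn` prints and reports every TCP listener bound to something other than the loopback address. The sample table embedded in it is constructed for illustration; on a real host you would pipe `ss -ltn` into the function instead.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP listeners that are reachable
# from off-host, i.e. bound to an address other than 127.0.0.1 or ::1.
# Input format is the output of `ss -ltn` (header line, then one socket per
# line with the local "address:port" in the fourth column).

# Read an `ss -ltn` table on stdin; print "port address" for every listener
# whose local address is not loopback.  A web server running CGI that shows
# up here is serving to the whole network, not just localhost.
exposed_listeners() {
    awk 'NR > 1 {
        n = split($4, parts, ":")          # "[::1]:631" and "0.0.0.0:80" both end in :port
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]")
            print port, addr
    }'
}

# Count the exposed listeners in an `ss -ltn` table passed on stdin.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Constructed sample: one loopback-only web service on 8080 (fine), one web
# server bound to all interfaces on 80, a loopback-only IPv6 CUPS listener,
# and sshd on all interfaces.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*
LISTEN 0      128    [::1]:631          [::]:*
LISTEN 0      128    *:22               *:*'

# Stand-alone run: prints "80 0.0.0.0" and "22 *".
printf '%s\n' "$SAMPLE" | exposed_listeners
```

To audit a live machine, replace the sample with `ss -ltn | exposed_listeners`; anything listed that is not meant to be a public service is a candidate for binding to 127.0.0.1 or blocking in the host firewall.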
