Personal tools
You are here: Home The old "because it's the most popular" myth
Who is Tracy Reed?

I am a Linux enthusiast, a multi-engine instrument-rated pilot, and a traveller. I am interested in all aspects of computing and technology in general, especially Linux and Free Software. As an avid pilot I can be found somewhere over the skies of the southwestern US most weekends.  As a traveller I have been to many interesting places. Check out my photo gallery. Want to get me something cool? Check out my wish list!



The old "because it's the most popular" myth

by Tracy R Reed — last modified Apr 02, 2010 10:47 PM
Filed Under:

The ever-popular misconception that "Windows only attracts worms/viruses/botnets because it is the most popular" came up again today. Fortunately, this is readily disproven by counter-example.

Linux is a very tempting target for spammers and botnet owners. And there are millions of Linux boxes out there by now. But so far the only way they are really being compromised is through PHP web apps and poorly chosen passwords. Linux machines are being constantly bombarded with ssh brute force attacks and funny url requests. And as I manage my ssh access well and don't run publically accessible PHP apps I don't have problems. Between the MySQL on Windows worm a few years ago:

and the Linux on MIPS router exploit from last year:

and the Apache on FreeBSD worm:

and the recent Linux router based botnet:

they are clearly trying anything that is exploitable including the very obscure software platforms. I just don't buy the idea that they only go after Windows because it is the most common. That is just where the low hanging fruit is and has the most exploits.

Software design has got to have something to do with it and being forced to maintain decades of backwards compatibility and poor design decisions as part of holding onto their monopoly has got to complicate things for Microsoft.

I actually like reading about Linux based appliances with poor security defaults being attacked. It really shoots down the whole idea that only Windows is targeted and that this is because it is the most popular. Notice that the primary way in which Linux systems are being attacked is misconfiguration or poor choice of password. Both are easily remedied issues. Actual exploitable implementation flaws are more rare than in Windows and actual design flaws rarer still.

Document Actions


Posted by Anonymous User at Apr 10, 2010 08:28 AM
Where's the science in that? Just because you can point out a handful of viruses or botnets that have existed for other targets doesn't mean you're correct. Hakcers do target windows the most, and it is because it's the most popular. However, many of them use *Nix based OSs themselves, so what would stop them from putting out a virus or a botnet if they stumbled across a bug? Nothing. Also, Apple is where the low hanging fruit is. Safari 4, webkit, pdfkit, QUICKTIME?! Yeah, that's the low hanging fruit, and their implementation of ASLR is laughable as well.


Posted by Tracy R Reed at Apr 13, 2010 03:45 PM
As I said, proof by counter-example.


Posted by Tracy R Reed at May 23, 2010 06:43 PM
I was browing my rss feed on my iphone over lunch and ran across sqlninja:

This is an interesting tool but it strikes me as funny:

1. MySQL is out there on many more Internet accessable servers than
SQL Server. It's free and all of the popular blog software out there
uses it. They aren't targeting the most popular but the weakest. Makes
one wonder about the malware situation.

2. sqlninja runs on Linux, FreeBSD, MacOS X. Not Windows.

SCADA systems

Posted by Tracy R Reed at Jul 25, 2010 12:55 PM[…]/iran-was-prime-target-of-scada-worm.html

A worm specifically targeting systems running the Siemens WinCC SCADA software. Surely part of some industrial espionage effort, possibly against Iran and their nuclear program. Would not at all surprise me if the US Govt was behind this via a proxy country.

Iranian WinCC SCADA systems? And that is being attacked because it is just the most popular? No way. Again, further proof that popularity is not nearly as important as mere vulnerability. People are going after anything they can.


Posted by Tracy R Reed at Aug 23, 2010 03:20 PM
Just found a stupidly configured F12 box (no iptables enabled) most likely rooted through hpiod (should not have been running). It was safer out of the box! Funny that hpiod apparently wasn't confined by selinux.


Posted by Tracy R Reed at Sep 22, 2010 04:47 PM
Correction: It wasn't hpiod at all. It was a guessed root password. Word to the wise: Do not allow remote root login! Block remote root or at least require ssh keys (with passwords). And do not think that just because your root password is a word in a non-english language that nobody will guess it. They will. They did.

Once more data point suggesting that Linux has better security by design and that easily avoidable silly misconfiguration is the most likely way someone is going to be able to get in.


Posted by Tracy R Reed at Aug 31, 2011 05:34 PM
A couple more targeting Linux:[…]/[…]/

Phalanx relies on getting access to someone's ssh keys and propagates by further ssh key access. Again, relying on user errors and not direct OS vulnerabilities to get it, although it does try to find local root escalations.