[the only trolling here is being perpetrated by those sending people here to be outraged]
It took an attack on a Windows production server, not devotion to Apple, to put that provocative title on this entry.
On August 13 at 3:04 AM, a Windows server that I've been running for all of two weeks--it just replaced an Xserve G5--was attacked by a new strain of malware. This worm/trojan/backdoor/proxy/IRCbot/DDOS agent shared some characteristics with a known exploit, but it went well beyond what was described. I believed at the time of the infection, and even more strongly now, that this exploit's latent damage potential has been underestimated. I view the terse and vague update on the CERT site regarding the less tenacious strain of this beast with a sense of foreboding.
The attack I encountered occasioned a re-examination of a common question: Is Windows more vulnerable to malware than OS X? I've encountered no clearer or more definitive proof point than this attack. To set the stage, I'll describe the malware's methods. The only victim requirement is that a Windows system--client or server from 2000 and XP on up, 32 and 64-bit--be on an Internet-accessible IP address and listening for socket requests to the Windows Server service. The attacker connects to the Windows Server service, overflows a fixed-length buffer and tricks the service into executing code contained in a portion of the buffer. The attack edits the Registry to turn off the Windows firewall and packet filter, disables notifications that you're running with reduced security, and opens your system to anonymous access. It then uses the Registry to insert plant a pair of Windows services that run with SYSTEM privileges. Processes owned by that pseudo-user can literally do anything, unchecked, to the local machine. The malware services launch and announce your exploited system's presence via IRC and IM. After that, an IRC bot or (sub)human driver can make your system do whatever it wants, including making it a nest for more malware. In my case, it was so eager to scan the Internet for other systems to infect that it locked my server's CPUs at 100 percent and gave itself away.
To nail itself in place, two services watch for and regenerate each other even if their files are deleted. The malware adds an entry to Administrator's login script, and it watches for a privileged invocation of Windows Explorer (like Finder) and attaches a malicious thread to that.
I've been giving it great deal of thought, and I came up with a reasons pointing to the likelihood that Windows is at greater risk of catastrophic attacks. It's not easy reading, but it was either this dense packing or a book-length blog post.
• All Windows background processes/daemons are spawned from a single hyper-privileged process and referred to as services.
• By default, Windows launches all services with SYSTEM-level privileges.
• SYSTEM is a pseudo-user (LocalSystem) that trumps Administrator (like UNIX's root) in privileges. SYSTEM cannot be used to log in, but it also has no password, no login script, no shell and no environment, therefore