Attackers are no longer bothering to attack average Linux systems, because there's so much more money to be made from invading Windows, according to security researchers.

The Honeynet Project, which sets up ordinary seeming Linux networks in order to observe attack activity, found that the life expectancy of such systems has dramatically increased from a year or two ago. Its 2004 findings, published recently, found an unpatched Linux system lasts, on average, three months before it is compromised, compared to about 72 hours for 2001-2002. Some of the project's systems were exposed to the Internet for nine months without a successful attack.

The project's "honeynets" - networks of two or more "honeypots" - are designed to detect random attacks on the Internet, carried out on targets detected through random searching, scanning and hacking systems such as worms and autorooters, rather than particular attacks focussed on specific, high-value targets. A honeypot is a system set up for the purpose of attracting random attack activity.

Since overall Internet attacks don't seem to be going down, the project's researchers theorised that the focus of hacking activity has shifted to Windows systems, simply because the platform is so widespread that it presents an irresistible target. "It's now easier to hack the end user than hacking the bank," Honeynet Project president Lance Spitzner told Techworld. "Banks are well protected, end users are not. Hack enough end users, and you can make as much, if not more, than hacking the bank."

While the project didn't carry out comparative research using Windows, Spitzner pointed out that research from security organisations such as Symantec and and the Internet Storm Center (ISC) has found no shortage of attacks on Windows honeypots. For example, an ISC project measuring the survival time for Windows systems, found here, measures survival time in minutes rather than hours.

The average survival time for the systems the ISC tests has declined from about 55 minutes in the autumn of 2003 to just under 20 minutes at the end of 2004, although the figures have been improving gradually from a low of 15 minutes in the spring of 2004. Microsoft says survival rates for Windows should decline as Windows XP Service Pack 2 becomes more widely used - the update is designed to make Windows' default configuration more secure.

The project deliberately focussed on average systems that didn't present any particular attraction to attackers - in the real world, the equivalent would be home networks or small and medium-sized businesses. The project deployed 12 honeynets in eight countries (the US, India, the UK, Pakistan, Greece, Portugal, Brazil and Germany), consisting of a total of 24 unpatched Unix and Unix-like honeypots. Nineteen of the systems were Linux, mostly Red Hat, including one Red Hat 7.2 system, five Red Hat 7.3, one 8.0, eight 9.0 and two Fedora Core 1 systems. Other deployments included one Suse 7.2, one Suse 6.3, two Solaris Sparc 8, two Solaris Sparc 9 and one Free-BSD 4.4

Services such as SSH, HTTPS, FTP, SMB were enabled, with inbound connections to these services allowed; some of the systems also used insecure or easily guessed passwords. The systems weren't registered in DNS or search engines, so they could only be found by automated means.

The situation for high-value Linux systems, such as company Web servers, CVS repositories or research networks is potentially very different, Spitzner said. "I'm sure these high-value Linux systems are prime targets and are attacked every day, if not every hour. If vulnerable, they would be hacked very soon," he said.

Older Linux systems were more likely to be successfully attacked than newer deployments, when left unpatched, probably because more vulnerabilities have been uncovered and attackers have had time to learn which exploits work, the project found. This also reflects the fact that default Linux installations are becoming more secure, the project said.

Once compromised, attackers used the systems mainly for IRC bouncing, bots and to host phishing scams, the project found. On at least one of the systems attackers attempted to set up a fake bank in order to harvest bank and credit card information.

The Honeynet Project is a non-profit research organisation supported by a number of security companies, including Foundstone, Counterpane, and SourceFire.