Slashdot Mirror


Cracked Linux Boxes Used to Wield Windows Botnets

m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords.'"

21 of 309 comments

  1. who pays the piper by Anonymous Coward · · Score: 1, Insightful

    speaking at a Microsoft-sponsored security symposium at Santa Clara University.

  2. true by Anonymous Coward · · Score: 5, Insightful
    I work in security and this is consistent with my experience.

    A fair amount of it, I'm sorry to say, is due to the perception that Linux boxes are much more secure than Windows and therefore don't need (a) up-to-date patches, (b) proper security reviews of any app code (which these days usually means web apps), (c) defence in depth (block outbound connections from your web server, except for a hole poked in tcp|udp/53 to/from your DNS server if needed), (d) proper security monitoring. Review your firewall logs! Run an external syslog-ng box! Use netflow, nagios, ntop etc. -- can you account for all the packet flows from the machine? If you have time to spare, look into Snort.

    1. Re:true by Metaphorically · · Score: 2, Insightful

      Don't cut the kittens!

      Seriously though, accounting for every packet takes more than just being a good user, it'd be a monumental task if you've got a desktop Linux distro. I'd like to think that I know all the things that are going out on the Internet from my home network but there are limits, especially when processes are disguising their traffic.

      I mean, if I find some odd packets going out, then discover that the name of the host they're going to appears to be an update server for some application I use, then my investigation ends. When that's not a check I do all the time, then I'm easy to fool, though, and my determination could have been wrong for many reasons. This is a problem that's really independent of OS.

      It's almost at the point where it'd be easier to have some logging in my router to let me know what's happening. I know corporations have tools like this but is there something straightforward enough for the home Linux geek?

      --
      more of the same on Twitter.
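
    The egress check described in comment 2 (block everything outbound from the web server except DNS to your resolver, then account for every flow you see) and the home-network question in the reply above, as an added example that is not part of either post: a small audit that parses iptables LOG-style lines and reports outbound flows from the web server that fall outside the allowed set. The addresses, the log lines and the prefix string are constructed for the example, not taken from the page.

```python
import re
from dataclasses import dataclass

# Egress policy for the web server, following the post: no outbound traffic
# except DNS (tcp/udp 53) to the designated resolver. The addresses are
# assumptions made for this example, not values from the page.
WEB_SERVER = "10.0.0.5"
DNS_SERVER = "10.0.0.2"
ALLOWED_EGRESS = {("UDP", DNS_SERVER, 53), ("TCP", DNS_SERVER, 53)}

# iptables LOG lines are "KEY=VALUE" tokens; a value may be empty (e.g. "IN=").
KV_TOKEN = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int  # 0 for protocols without ports (ICMP)


def parse_log_line(line):
    """Parse one iptables LOG line into a Flow; return None for other lines."""
    fields = dict(KV_TOKEN.findall(line))
    if not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    dport = int(fields["DPT"]) if fields.get("DPT") else 0
    return Flow(fields["SRC"], fields["DST"], fields["PROTO"], dport)


def audit_egress(lines, web_server=WEB_SERVER, allowed=ALLOWED_EGRESS):
    """Return flows sourced at web_server that the egress policy does not allow."""
    violations = []
    for line in lines:
        flow = parse_log_line(line)
        if flow is None or flow.src != web_server:
            continue
        if (flow.proto, flow.dst, flow.dport) not in allowed:
            violations.append(flow)
    return violations


# Constructed sample log, not captured from any real system. The entries of
# interest are the connection to an IRC port and the DNS query to a resolver
# that is not ours; traffic from another host (10.0.0.7) is out of scope.
SAMPLE_LOG = [
    "Mar 14 03:14:07 web1 kernel: OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 LEN=60 PROTO=UDP SPT=41234 DPT=53",
    "Mar 14 03:14:08 web1 kernel: OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50123 DPT=6667 SYN",
    "Mar 14 03:14:09 web1 kernel: OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.4 LEN=60 PROTO=UDP SPT=51001 DPT=53",
    "Mar 14 03:14:10 web1 kernel: OUT: IN= OUT=eth0 SRC=10.0.0.7 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=50124 DPT=80 SYN",
    "Mar 14 03:14:11 web1 sshd[1234]: Accepted publickey for admin from 10.0.0.9 port 52000 ssh2",
]

if __name__ == "__main__":
    for flow in audit_egress(SAMPLE_LOG):
        print("policy violation:", flow)
```

    Lines in this shape are what an `iptables -A OUTPUT -j LOG --log-prefix "OUT: "` rule writes to syslog; put it ahead of the DROP so the audit shows what the box is trying to reach, and ship the log to the external syslog box the post recommends so a rootkit on the web server cannot quietly edit it. A netflow or ntop export needs only a different `parse_log_line`.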
  3. I'm not surprised by Anonymous Coward · · Score: 1, Insightful

    Windows might be an easier target due to uniformity and adoption in the home market, but linux is also a great target now due to its wide adoption in the server space. And most servers have fast processors, lots of ram, and plenty of bandwidth, which to botnet owners makes them better objectives than home computers. Not to mention that although people tend to think linux is more "secure" than windows, it still has its problems and is vulnerable to attack.

    1. Re:I'm not surprised by betterunixthanunix · · Score: 2, Insightful

      Despite all the vulnerabilities, Red Hat Enterprise Linux 5 has top ratings for security from the NSA, when configured with SELinux in Enforcing mode (and buffer overflow protection, and other features) [Windows does not and has never had these security ratings]. Basically, if you are running a publicly accessible web server, you should have these features configured on your system (the easiest way would be to use Red Hat, but you can certainly get those features on any Linux system). Also, you should be reviewing the code you are planning to deploy before deploying it -- this not only helps keep things secure, but can also help detect potential bugs.

      --
      Palm trees and 8
  4. Remote ease-of-use by SnowZero · · Score: 4, Insightful

    This really doesn't surprise me. With tools like ssh and shells installed by default, Linux is just plain easier to use remotely. Linux machines would also tend to stay up and online, whereas (predominantly Windows) desktops are often shut off when not in use. So, Linux makes the best "control console" for a botnet. The "army" should still be made up of Windows desktop machines, due to their large numbers.

  5. Good News & Bad News by eldavojohn · · Score: 5, Insightful

    It's the double edged sword of software popularity.

    Linux is becoming so respected and desired as an operating system for servers that phishers & hackers are slowly turning their attention towards it being profitable.

    I think this will be the true test for Linux to prove that it can beat Windows in all departments.

    I actually see this as good news although I must confess that when I get home I'm going to check & double check the configurations on the ports on my router and all my Linux boxes. When toying with app servers & apache, I have noticed tons of port scanners probing my Linux boxes. I paid them no mind although now ... perhaps I should.

    --
    My work here is dung.
  6. Happens to sites that hosts others too... by Shivetya · · Score: 5, Insightful

    Nothing like getting a stupidly high bandwidth bill to find out your hosting server has been hacked. It's even better when you have to fight them to prove it's their fault for being hacked and not yours for being cohosted by them!

    and yes they are running Linux... they apparently didn't cover all their bases and were caught by more than one known exploit and some default settings.

    Just because it's Linux does not make it secure; you actually have to use it correctly.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  7. Interesting to note by thegnu · · Score: 4, Insightful

    I think it's interesting to note that while we get submerged in a barrage of Windows trolls, that the hackers hack one or a few Linux boxes and use them to control the hundred or more Windows boxes they've hacked.

    Still looks bad for Windows. Plus, here's betting they're servers, and not home computers behind a plain old linksys router.
    -Nathan

    --
    Please stop stalking me, bro.
  8. The Money Quote by The+New+Andy · · Score: 5, Insightful

    eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University.
    I'm not denying that Linux boxes can be (and are) hacked, but the circumstances for this particular quote seem a little shady. It seems a little irresponsible (on the part of the submitter) to not mention the money trail. And it seems a little strange not to release the results... what are they afraid of?
    1. Re:The Money Quote by Anonymous Coward · · Score: 1, Insightful

      Follow the money. The oldest trick in the book...

  9. Re:Confirmed by AlXtreme · · Score: 3, Insightful

    I have noticed this as well.

    Linux, Apache and all the server-side scripting languages normally aren't the problem. Many hosts I have audited have old installations of (mostly) PHP-based software, and these automated attacks tend to target them leading to (sometimes multiple) botnet infections.

    Many administrators didn't even know what was running on their servers. It only takes a couple of minutes to install packages like *coughthesecurityholecalled* phpBB, however if you are doing this independently from your package management system you will lose track of the installs. Even worse, the installs won't be automatically upgraded, which is a major reason for sticking with stock Debian/RHEL/SuSE package repositories.

    If you choose to install software outside your distribution's package management system, subscribe to the announcement-lists of the software used. Document on which servers you installed what software. And if you leave the company, make sure your replacement can hop right in and will know what you know.

    Common sense, but far too often forgotten or ignored.

    --
    This sig is intentionally left blank
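
    The inventory problem in the comment above (web apps installed outside the package manager, nobody knowing what is running where, installs never upgraded) as an added example, not code from the poster: a script that walks a document root for application marker files, records each install and its version, and flags anything below the floor you set from the project's announcement list. The phpBB marker path and define pattern, the directory names and the version numbers are assumptions constructed for the example; confirm the marker against the release you actually run.

```python
import re
import tempfile
from pathlib import Path

# Marker file and version pattern per application. The phpBB entry follows the
# PHPBB_VERSION define in phpBB 3.x's includes/constants.php; treat the exact
# path and pattern as an assumption to check against your own release.
MARKERS = {
    "phpBB": ("includes/constants.php",
              re.compile(r"define\(\s*'PHPBB_VERSION'\s*,\s*'([^']+)'\s*\)")),
}


def parse_version(text):
    """'3.0.14' -> (3, 0, 14). Keeps only the numeric parts so tuples compare."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def find_installs(docroot):
    """Yield (app, install_dir, version) for each marker file found under docroot."""
    docroot = Path(docroot)
    for app, (relpath, pattern) in MARKERS.items():
        depth = len(Path(relpath).parts)
        for marker in docroot.glob("**/" + relpath):
            match = pattern.search(marker.read_text(errors="replace"))
            if match:
                # parents[depth - 1] strips the marker's relative path, leaving the install root
                yield app, marker.parents[depth - 1], match.group(1)


def audit_installs(docroot, minimum_safe):
    """Return inventory rows sorted by path; outdated=True where the version is
    below the floor in minimum_safe (app -> version string you maintain)."""
    rows = []
    for app, path, version in find_installs(docroot):
        floor = minimum_safe.get(app)
        outdated = floor is not None and parse_version(version) < parse_version(floor)
        rows.append({"app": app, "path": str(path), "version": version, "outdated": outdated})
    return sorted(rows, key=lambda r: r["path"])


def demo():
    """Build a constructed docroot holding two phpBB copies and audit it."""
    root = Path(tempfile.mkdtemp())
    # Constructed data: one forgotten copy under sites/old is current, the main one is not.
    for rel, version in (("forum", "3.0.2"), ("sites/old/board", "3.0.14")):
        inc = root / rel / "includes"
        inc.mkdir(parents=True)
        (inc / "constants.php").write_text(
            "<?php\ndefine('PHPBB_VERSION', '%s');\n" % version)
    return audit_installs(root, {"phpBB": "3.0.14"})


if __name__ == "__main__":
    for row in demo():
        print("%(app)s %(version)s at %(path)s%(outdated_flag)s"
              % dict(row, outdated_flag="  <-- below floor" if row["outdated"] else ""))
```

    Run it against each server's document root from cron and keep the output with the documentation the comment asks for; a marker that turns up in a directory the package manager does not know about (`dpkg -S` or `rpm -qf` on the file returns no owner) is exactly the install that will never be upgraded automatically.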
  10. Re:Uh Oh by weeboo0104 · · Score: 2, Insightful

    Yes, the linux community will quickly find and provide patches for the vulnerabilities.
    Unfortunately, the admins of the servers will get behind in their patching or just complacent.

    Someone I travel to work with got called at 4am one morning by his co-lo with the message "Your box is trying to root all the other boxes in the cages, we're pulling the network cable indefinitely."

    It was later determined that he got rooted through a 4 month old SSL vulnerability. The patch was available, he just assumed that a linux box in a well managed co-lo would be secure enough.

    --
    It is easier to build strong children than to repair broken men. -Frederick Douglass
  11. Re:Brute Force Attacks by Anonymous Coward · · Score: 4, Insightful

    That's what I do. But every time I ever mention it, some idiot goes "WAAAH! Security through obscurity!" They can't seem to wrap their brains around the fact that fewer automated attack attempts is a good thing.

    It's so annoying when people latch on to a stupid mantra like that without understanding it. Just like how nowadays you can't mention rape without someone reminding you that "Rape is about power, not sex." People just love catchphrases, I think.

  12. Re:Uh Oh by jimicus · · Score: 2, Insightful

    All the patches in the world won't do any good with a badly operated server.

  13. double standard by nomadic · · Score: 5, Insightful

    Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers

    So when phishers target windows servers, it's because windows has horrible security, but when they target linux servers, it's because linux is just awesome?

  14. Hosted Environments by Evets · · Score: 3, Insightful

    One of the problems are dedicated server hosts. I picked up a dedicated box a while back and I was startled to find that I was put in a position to scramble to secure the box immediately upon receiving my ssh password.

    Of course, I could have paid extra to get a more secure box, but budget was an issue, and my plans were pretty simple for the machine.

    Another problem is that a lot of webmasters with dedicated boxes and virtual servers end up running older and insecure versions of software - from mail servers to web servers, etc. because the software is all wrapped as part of Plesk or something similar. When security patches come out, the turnaround time for updates from the software providers is far from instantaneous.

    A third problem is efficiency. If your system has been rooted, it's easy to not notice as long as the person who rooted you isn't abusing your system resources.

    Recovering a rooted system is a problem as well - sys admins in general could stand to take a lesson from rootkits to protect their own system. I've seen two instances myself where overwritten binaries like ps and ls could not be reverted without a great deal of effort.

    Further - people who get "Managed" servers expect that they have a secure system and that their system is being monitored for security issues regularly. From what I've seen, "Managed" means that vendor provided packages get updated automatically and uptime may be monitored, but that's a far cry from someone actually managing a system.

    Linux can be secure, but I think the vast majority of web servers out there are wide open targets, much like all those windows ME boxes attached directly to cable modems.
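
    The comment above notes that a rooted box is easy to miss and that overwritten binaries like ps and ls are hard to revert. Below is an added example, not the poster's code, of the baseline-and-verify routine that catches such replacements: hash the system binaries while the box is known good, store the hashes elsewhere, and compare later. The directory contents, the fake "rootkit" edits and the file names are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not load whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(dirs):
    """Map absolute path -> sha256 for every regular file under the given directories."""
    baseline = {}
    for d in dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.is_file() and not p.is_symlink():
                baseline[str(p.resolve())] = sha256_file(p)
    return baseline


def save_baseline(baseline, dest):
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def verify(baseline, dirs):
    """Compare the current tree with a stored baseline.
    Returns sorted lists of modified, missing and added paths."""
    current = build_baseline(dirs)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake bin/, then replace ps and drop a new file."""
    root = Path(tempfile.mkdtemp())
    bindir = root / "bin"
    bindir.mkdir()
    for name in ("ps", "ls", "netstat"):
        (bindir / name).write_bytes(b"#!/bin/sh\nexec /usr/bin/" + name.encode() + b' "$@"\n')
    save_baseline(build_baseline([bindir]), root / "baseline.json")

    # Simulate what a userland rootkit does: a trojaned ps that hides the bot,
    # plus a helper binary that was never in the baseline.
    (bindir / "ps").write_bytes(b"#!/bin/sh\n/usr/bin/ps \"$@\" | grep -v bot\n")
    (bindir / "kthread").write_bytes(b"\x7fELF constructed payload")

    result = verify(load_baseline(root / "baseline.json"), [bindir])
    # Report basenames so the result does not depend on the temp directory.
    return {k: [Path(p).name for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

    Two caveats a practitioner should keep in mind. The baseline must live off the box (or on read-only media), since an attacker who can overwrite ps can overwrite a JSON file next to it; `rpm -Va` and `debsums` apply the same idea using the hashes shipped with each package. And a kernel-level rootkit can lie to any checker that runs on the compromised kernel, so for a box you actually suspect, boot from trusted media and verify the disk from there.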

  15. Re:Speaking as a Bot... by MindKata · · Score: 2, Insightful

    "The truth is that us bots prefer Linux because of the GPL"

    Being able to see the source code isn't a bad thing, as you imply. If there's a hole in the code, I would sooner someone find it fast and then it gets fixed, rather than have closed code, which may have a hole in it, which no one knows about. Because given time, someone will find that hole, even if it's closed source (which is no long-term protection). What open source gives is effectively better debugging of the code, as it allows people to dig out the faults in it. That's valuable extra testing, not just for that code, but for anything else developed in the future, which is based on that code. Therefore it leads to a more solid code base.

    --
    There are 10 kinds of people in the world... those who understand binary and those who don't.
  16. Re:Confirmed by jackspenn · · Score: 2, Insightful

    I am going to have to call BS on you.

    I am a consultant; I use Windows XP and 2003 on the MS side of the house and CentOS, RHEL, Fedora or SuSE on the Linux side. I have known both systems for 10+ years; more so, I know both types of sysadmins.

    Windows admins after having had their balls busted in the past are using better methods to track patch management with things like SMS, WSUS or 3rd party tools. MS is also taking security far more seriously than others like say ... Apple who gets a pass. Spyware and AV software is getting better, firewalls are being deployed for added security at the edge of networks and scan more than IPs, protocols and ports these days, with many that now actively scan the contents of packets coming in.

    While to be honest Unix admins have always been lazy, they tend not to have scheduled patch periods (most fly by the seat of their pants despite claiming otherwise), they tend not to track what is installed or running on systems as closely, and they tend to have this attitude that their OS and apps are superior and in the case of universities in many cases they are still using public IPs.

    Windows Security being humbled in the past, has something to prove and that is why it is getting to be so good now.

    Apple having never been seriously called out, continues to meander with slow responses and updates.

    Linux while progressing on the security front with kernel and application updates as well as new methodologies like SELinux, may face challenges not because of the OS failings, but because of lazy admins who do not keep their systems or skills up to date or noobs who in the process of learning expose themselves (not that way).

    In addition if you are charging somebody for software you write, the person paying has a right to complain if it has security problems, but if you are giving software away, nobody has a right to complain and if they do, you can say "fix it yourself freetard".

    Linux is getting a taste of what MS had several years back, that being "with a bigger market share comes increased motivation to crack/hack". Finally, if an OSS project is abandoned that you are dependent on, and yes, they get abandoned and die more often than they succeed, you can get stuck relying on the related libraries, kernel or whatever. Application abandonment means 1). You could get stuck with an app that opens you to a security risk or 2). Requires you to run another app that opens you to a security risk.

    --
    Respect the Constitution
  17. Re:Speaking as a Bot... by rtb61 · · Score: 4, Insightful
    More likely they prefer Linux, because after going to all the time and effort of creating a botnet, you don't want some other cracking asshat hijacking your botnet.

    With windows, of course, those poor hard-working crackers are continually having to rebuild their botnet as other crackers pilfer their bots as readily as they originally gained them, 24/7, no rest for the wicked.

    So winbots, while easy to gain, are nearly impossible to keep because of course they are just so slutty; they are anybody's ;).

    --
    Chaos - everything, everywhere, everywhen
  18. Re:Confirmed by garett_spencley · · Score: 2, Insightful

    "Conversely, unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote cli usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc) which can be used to host malware, for easy download to other compromised machines (most systems have ftp/rcp/tftp clients by default, even windows)."

    You forgot one other very important advantage to unix boxes (well, servers specifically) ... they're always on and connected to the Internet.