Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cracked Linux Boxes Used to Wield Windows Botnets

Posted by ryuzaki0 on from the good-alliteration-but-scary-concept dept.

m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords."

11 of 309 comments (clear)

  1. true by Anonymous Coward · · Score: 5, Insightful
    I work in security and this is consistent with my experience.

    A fair amount of it, I'm sorry to say, is due to the perception that Linux boxes are much more secure than Windows and therefore don't need (a) up-to-date patches (b) proper security reviews of any app code (which these days usually means web apps) (c) defence in depth (block outbound connections from your web server, except for a hole poked in tcp|udp/53 to/from your DNS server if needed (d) proper security monitoring. Review your firewall logs! Run an external syslogNG box! use netflow, nagios, ntop etc -- can you account for all the packet flows from the machine? If you have time to spare, look into Snort.

  2. Remote ease-of-use by SnowZero · · Score: 4, Insightful

    This really doesn't suprise me. With tools like ssh and shells installed by default, Linux is just plain easier to use remotely. Linux machines would also tend to stay up and online, whereas (predominantly Windows) desktops are often shut off when not in use. So, Linux makes the best "control console" for a botnet. The "army" should still be made up of Windows desktop machines, due to their large numbers.

  3. Good News & Bad News by eldavojohn · · Score: 5, Insightful

    It's the double edged sword of software popularity.

    Linux is becoming so respected and desired as an operating system for servers that phishers & hackers are slowly turning their attention towards it being profitable.

    I think this will be the true test for Linux to prove that it can beat Windows in all departments.

    I actually see this as good news although I must confess that when I get home I'm going to check & double check the configurations on the ports on my router and all my Linux boxes. When toying with app servers & apache, I have noticed tons of port scanners probing my Linux boxes. I paid them no mind although now ... perhaps I should.

    --
    My work here is dung.
  4. Happens to sites that hosts others too... by Shivetya · · Score: 5, Insightful

    Nothing like getting a stupidly high bandwidth bill to find out your hosting server has been hacked. Its even better when you have to fight them to prove its their fault for being hacked and not yours for being cohosted by them!

    and yes they are running Linux... they apparently didn't cover all their bases and were caught by more than one known exploit and some default settings.

    Just because its Linux does not make it secure, you actually have to use it correctly.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  5. Interesting to note by thegnu · · Score: 4, Insightful

    I think it's interesting to note that while we get submerged in a barrage of Windows trolls, that the hackers hack one or a few Linux boxes and use them to control the hundred or more Windows boxes they've hacked.

    Still looks bad for Windows. Plus, here's betting they're servers, and not home computers behind a plain old linksys router.
    -Nathan

    --
    Please stop stalking me, bro.
  6. The Money Quote by The+New+Andy · · Score: 5, Insightful

    eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University.
    I'm not denying that Linux boxes can be (and are) hacked, but the circumstances for this particular quote seem a little shady. It seems a little irresponsible (on the part of the submitter) to not mention the money trail. And it seems a little strange not to release the results... what are they afraid of?
  7. Re:Confirmed by AlXtreme · · Score: 3, Insightful

    I have noticed this as well.

    Linux, Apache and all the server-side scripting languages normally aren't the problem. Many hosts I have audited have old installations of (mostly) PHP-based software, and these automated attacks tend to target them leading to (sometimes multiple) botnet infections.

    Many administrators didn't even know what was running on their servers. It only takes a couple of minutes to install packages like *coughthesecurityholecalled* phpBB, however if you are doing this independently from your package management system you will lose track of the installs. Even worse, the installs won't be automatically upgraded, which is a major reason for sticking with stock Debian/RHEL/SuSE package repositories.

    If you choose to install software outside your distribution's package management system, subscribe to the announcement-lists of the software used. Document on which servers you installed what software. And if you leave the company, make sure your replacement can hop right in and will know what you know.

    Common sense, but far too often forgotten or ignored.

    --
    This sig is intentionally left blank
  8. Re:Brute Force Attacks by Anonymous Coward · · Score: 4, Insightful

    That's what I do. But everytime I ever mention it, some idiot goes "WAAAH! Security through obscurity!" They can't seem to wrap their brains around the fact that less automated attack attempts is a good thing.

    It's so annoying when people latch on to a stupid mantra like that without understanding it. Just like how nowadays you can't mention rape without someone reminding you that "Rape is about power, not sex." People just love catchphrases, I think.

  9. double standard by nomadic · · Score: 5, Insightful

    Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers

    So when phishers target windows servers, it's because windows has horrible security, but when they target linux servers, it's because linux is just awesome?

  10. Hosted Environments by Evets · · Score: 3, Insightful

    One of the problems are dedicated server hosts. I picked up a dedicated box a while back and I was startled to find that I was put in a position to scramble to secure the box immediately upon receiving my ssh password.

    Of course, I could have paid extra to get a more secure box, but budget was an issue, and my plans were pretty simple for the machine.

    Another problem is that a lot of webmasters with dedicated boxes and virtual servers end up running older and insecure versions of software - from mail servers to web servers, etc. because the software is all wrapped as part of Plesk or something similar. When security patches come out, the turnaround time for updates from the software providers is far from instantaneous.

    A third problem is efficiency. If your system has been rooted, it's easy to not notice as long as the person who rooted you isn't abusing your system resources.

    Recovering a rooted system is a problem as well - sys admins in general could stand to take a lesson from rootkits to protect their own system. I've seen two instances myself where overwritten binaries like ps and ls could not be reverted without a great deal of effort.

    Further - people who get "Managed" servers expect that they have a secure system and that their system is being monitored for security issues regularly. From what I've seen, "Managed" means that vendor provided packages get updated automatically and uptime may be monitored, but that's a far cry from someone actually managing a system.

    Linux can be secure, but I think the vast majority of web servers out there are wide open targets, much like all those windows ME boxes attached directly to cable modems.

  11. Re:Speaking as a Bot... by rtb61 · · Score: 4, Insightful
    More likely the prefer Linux, because after going to all the time and effort of creating a botnet you don't want some other cracking asshat hijacking your botnet.

    With windows of course those poor hard working crackers and continually having to rebuild their botnet as other crackers pilfer their bots as readily as they orginally gained, 24/7 no rest for the wicked.

    So winbots while easy to gain are nearly impossible to keep because of course they are just so slutty, they are anybodies ;).

    --
    Chaos - everything, everywhere, everywhen