Slashdot Mirror


Inside a Modern Malware Distribution System

Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."

135 comments

  1. industrial strength stuff by jacquesm · · Score: 4, Funny

    If only Microsoft would spend that much effort on windows update...

    1. Re:industrial strength stuff by Anonymous Coward · · Score: 0

      I'm sure Microsoft is not too far away from this... for the tracking, that is.

    2. Re:industrial strength stuff by RAMMS+EIN · · Score: 4, Insightful

      ``If only Microsoft would spend that much effort on windows update...''

      They do, but they spend their efforts on making sure it doesn't work for pirates, rather than on making sure it works better for customers.

      --
      Please correct me if I got my facts wrong.
    3. Re:industrial strength stuff by Lumpy · · Score: 1

      And the funny part is they fail horribly at it. They don't make it not work for pirates. A solid crack for WGA has been in the wild for over a year now. It even fools WMP11, Windows Defender, and IE7. And even the last round of updates to WGA still has not disabled it or got around its "crack".

      --
      Do not look at laser with remaining good eye.
    4. Re:industrial strength stuff by Anonymous Coward · · Score: 0

      I can assure you it works just fine for pirates, both in XP and in Vista, not to mention office 2003 and 2007.

    5. Re:industrial strength stuff by jacquesm · · Score: 2, Informative

      afaik it does work fine for pirates but not for consumers that have paid for the product. A friend of mine made the linux switch solely because of being pissed off once too many while being told to re-register his machine after windows update literally crashed the box beyond recovery and they wouldn't activate him. He said, ok, fine, don't activate me, I'll get another OS. It's well past the point of being a nuisance, it's a real risk (having your machine taken down by an automatic update is *not* funny at all) and then to be insulted like that is really not the best way to deal with an already pissed off customer.

    6. Re:industrial strength stuff by Anonymous Coward · · Score: 0

      WGA cracks for XP aren't even necessary, just use one of the "corporate" ISOs and a VLK which passes WGA because MS are reluctant to blacklist it for some reason. HCQ9D-TVCWX ... aka the "Chinese" VLK has worked for years, I've also seen XP8BF-F8HPF ... recommended in recent releases which iirc was for a beta of some sort.

      Of course such keys may eventually be blacklisted, probably by SP3 if they're going to do it, but if so you always have the option of applying a WGA crack.

  2. Re:the fix by Anonymous Coward · · Score: 0, Troll

    someone please mod this shit into oblivion...

  3. Question about platform security by Iphtashu+Fitz · · Score: 4, Interesting

    Call me a troll if you will but I have a serious question here.

    Microsoft constantly claims that the main reason there are so many trojans & botnets like this is because Windows systems make up the vast majority of computer systems out there, not because Windows is any less secure than linux, OS-X, etc.

    Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why? Put another way, how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

    1. Re:Question about platform security by m50d · · Score: 2, Interesting
      Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why?

      Even if marketshare was the same, there are still other variables to consider: how useful is the OS, and what is the userbase like? My instinct would be to go for linux - it's (marginally, and in my experience) more stable, systems are more likely to be left running 24/7, and systems programming for it is easier - you don't have to e.g. jump through hoops to get raw sockets, and the open source might make things better - I don't know how good the documentation of windows/osx internals is. As against that there is the distribution fragmentation and the somewhat higher technical competence of average users.

      Ultimately there's not much to choose between them - all three OSes have their vulnerabilities, all three can be programmed by anyone competent, and this kind of malware could easily be written for all three. In fact, it probably already has been.

      --
      I am trolling
    2. Re:Question about platform security by infonography · · Score: 1, Troll

      Point 1. FUD, Microsoft's argument is a complete load of horsesht. The reason it's most affected is because low level identification of processes is obscured. Even if it's just simple rot13 encoding in the registry to mask info about installed programs. In the *NIX world it's almost impossible to hide a running process.

      Point 2, Windows user base = BOZOS, also untrue. A lot can be done in the windoze world. It is just done with broken legs as the price of entry.

      Malware will go away when windows goes open source and not just the source that the scriptkiddies are using. Pretty much every other OS manufacturer has open sourced their code. Apple is tied to their hardware much like SGI did, they just do a better job than SGI did.

      --
      Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    3. Re:Question about platform security by flyingfsck · · Score: 3, Insightful

      Actually, there are vastly more Linux systems out there than Windows systems. Each year about 300 million Linux devices are produced - most cell phones and routers. These devices have a life span of 5 years or more, meaning that there should be about 2 billion Linux devices out there. In contrast, there are only about 600 million Windows devices. Also, note that there are more Linux servers on the internet, than Windows servers. The simple fact that these Linux devices and servers are mostly secure, while the Windows machines are mostly insecure, therefore has nothing to do with numbers.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    4. Re:Question about platform security by onepoint · · Score: 1

      good reply, but let me add something.

      Most apps in *nix are system specific, so when they do find something wrong, it's an easy fix, but when we get to windows, there are 100's of apps, and these apps make all system admins crazy (just had a new program installed and it was calling home via a port that I had never seen used (in the 52000 range)).

      I truly think deep in my heart that windows coders just don't give a shit about really doing quality code, all they do is put the crap out then fix and patch. It all comes down to the money.

      If I had a software shop, I would really be a big prick about quality coding, I would demand no memory leaks, no wacky runaway arrays, after that, fix all the bugs from small to big, and then optimize the code to get it running fast (I see my 6502 coding rules coming out in this rant).

      --
      if you see me, smile and say hello.
    5. Re:Question about platform security by mrderm · · Score: 1

      Which environment would the botnet writer target if he had a free hand?

      No doubt, linux.

      Written in python.

      Source in git.

      If you need to ask why, you'll never understand.

    6. Re:Question about platform security by QuoteMstr · · Score: 1

      Gah, I should have listened to my technobabble detector. The link above points to one of those stupid grow-my-city things.

      It'd be nice if slashdot followed all 301 redirects for a page, then used the resulting URL in the comment.

    7. Re:Question about platform security by IamTheRealMike · · Score: 4, Interesting

      That reasoning is invalid. There are tens of millions of XBoxes in the world, all of which run a customized version of Windows, yet I'm not aware of any viruses for the XBox. I guess Windows must be entirely secure!

      Or maybe desktop security and arbitrary-consumer-electronic-device security are different problems with different solutions.

      The other poster is correct. There is no difference in Windows vs Linux desktop security. It's beyond trivial to phish or intercept the user's root password, if you want it, which you might not bother with because there are plenty of other ways to hide in a modern operating system (google "user mode rootkit").

    8. Re:Question about platform security by 99BottlesOfBeerInMyF · · Score: 5, Interesting

      Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why? Put another way, how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

      This is an interesting question, but it lacks some details that may make a large difference. First, is it a single Linux distribution or a mixture of the ones currently available? Second, are we talking Windows Vista, or are we talking about the current mix of Windows versions deployed today?

      Potential reasons why it is easier to target Windows:

      • Malware authors are familiar with Windows and Windows development tools and often are not experienced in coding for other platforms.
      • Even with an even distribution of OS's, MS still dominates certain application segments on Windows, with MS Office, Outlook, and IE. Other platforms have more varied application sets by comparison, making it harder to make a virus work via an exploit for a particular application.
      • Windows in general runs with more network services listening by default than either OS X or Linux and each one is a potential hole.
      • Windows fails to operate using standard protocols, so assuming most networks in the future are mixed, for full functionality Windows servers often have to run two services for a given function, versus one when using Linux or OS X. (For example, a Windows box might be listening to the local network using UPnP SSDP to discover network services, as well as ZeroConf, which is implemented by various applications on Windows, whereas OS X and Linux use only the standard ZeroConf.)
      • Windows has a different user base from the other OS's and it is often a less security conscious one overall. That could change, however, if market share does.

      On the other hand, Windows has a few advantages as well:

      • More anti-virus tools and services are available for Windows
      • Windows makes better use of sandboxes in some instances than the vast majority of Linux distros.

      The question is pretty academic though. Market share is not going to shift drastically overnight, nor distribute evenly. Market share has an enormous effect on the products themselves. Right now Linux and OS X have appropriate levels of security so that it is not a big issue for their users. If security threats increased for either platform, security improvements would also increase because the developers are motivated to not lose money. MS is currently a monopoly so the fact that Windows does not have sufficient security to deal with the malware ecosystem does not cost them much money at all, so they are not motivated to fix it. If Windows had 30% of the market, they would no longer have a monopoly and they would fix their security problems or go out of business.

      Having a diverse computing market makes things hard for botnet operators, because it lessens the effect of any vulnerability and because it motivates better security through competition between the players in that market. The theoretical you propose would change things in many, many ways. In some ways, Linux and OS X would become bigger targets and have to adapt their security to deal with it, but we'll never know what would hold up as the "best" six months or two years afterwards.

    9. Re:Question about platform security by Torvaun · · Score: 2, Insightful

      Yes, and by the time you finished any sizable app, one that was "good enough" would already have been released, and gobbled up marketshare. The problem with chasing perfection is that it takes forever, and even if you find it, most people don't need it.

      --
      I see your informative link, and raise you a pithy comment.
    10. Re:Question about platform security by SanityInAnarchy · · Score: 2, Insightful

      Assume a completely even playing field where each of the three main consumer OS's, Windows, linux, and OS-X each has 33.3% of the market. Which environment would a trojan/botnet writer target and why?

      I'd say Linux and OS X at that point, because both are Unix. Much easier to port things between Linux and OS X than it is to port things between either and Windows.

      Put another way, how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

      The relative security of the OS has nothing to do with the intricacy of the virus. If you could write ANY kind of malware for Linux, you could easily write one this intricate.

      And so, the question you're asking is exactly the same one that's been asked time and time again, and has absolutely nothing to do with this story. It's a question of whether malware could target Linux and OS X. I can't really say, but I think it would be somewhat harder -- and I figure Linux has a much better shot, unless you mean 33.3% Ubuntu, simply because of distro diversity.

      --
      Don't thank God, thank a doctor!
    11. Re:Question about platform security by cheater512 · · Score: 2, Insightful

      The fact that they cannot easily execute themselves stops a lot.
      An executable in an email attachment or web download cannot be executed by an idiot. It needs to be chmodded.

      Also the root password box appears significantly less than the Windows equivalents.
      Your average user will never have to enter it in.
      Helps reduce false negatives but it can still occur.

    12. Re:Question about platform security by onepoint · · Score: 1

      how true :( after reading your post, I realized that I did a web site, quick and dirty, worked real well and left it alone. Now I am going to clean it up and make sure that I reduce the code by 25%.

      --
      if you see me, smile and say hello.
    13. Re:Question about platform security by Mantaar · · Score: 1

      I truly think deep in my heart that windows coders just don't give a shit about really doing quality code, all they do is put the crap out then fix and patch. all comes down to the money.

      You might be right with that. I just witnessed a discussion on IRC about web-design. One guy doing that stuff for money, the other for OSS-projects. The guy doing that for money had his customers: companies that want sites coded - for their customers, who most likely won't give a damn if that page they're trying to buy things from is valid XHTML or not - so the companies don't give a damn themselves. And at the end of the day, the guy has to code those sites to appeal to the customers - who will most likely use IE in one version or another, since that's the most used browser in the world.

      Now, the OSS-guy had valid points, like vicious circle and that - you work around MS's bugs, MS doesn't give a damn -> more bugs, more to work around -> SNAFU.
      But when all you wanna do is make a living? How can you give a damn about clean code when that deadline is approaching and you have to show results? In the end, you'll have to accept dirty compromises with yourself. That doesn't necessarily make you a bad coder. Just one that's under too much pressure.

      You know, MS are a rich company. It's not like they couldn't afford to hire good programmers. They do. But their management seems to be just exchangeable with any other management of, say, a farming company. They don't seem to understand what they manage, or at least, how it works.
      --
      I'm an infovore...
    14. Re:Question about platform security by cheater512 · · Score: 1

      It's harder to get the root password because it's used for very few things from a user's point of view.
      Yes there will be some idiots who will type it in no matter what but the chances are lower than clicking 'Allow' with UAC.

    15. Re:Question about platform security by WGR · · Score: 1

      On most Windows systems, the user is running as Administrator, so you do not even have to ask the user to install software. That is the main problem.
      Vista changes this (at last), but until Vista (or an updated XP) is the norm, then Windows is easier to Trojan.

      Mac OS-X is almost as easy since the .dmg files are so common for so many things from document updates to kernel installs that users are almost sure to type in password for installation.

      Linux requires more work because most Linux users have a separate root and user account with different passwords and sudo is thereby more restricted.

    16. Re:Question about platform security by IamTheRealMike · · Score: 4, Informative

      how difficult would it be to develop a similarly intricate for linux or OS-X if a malware author decided to target those platforms?

      Here's how you could make a somewhat modern piece of malware for Linux. I'll leave out the stuff that's the same between operating systems ... the control networks, etc, and just look at controlling/hiding in the system.

      1. First question - how to get in? All the usual techniques will work. Browser exploits are still common, even after years of hardening the IE and Firefox codebases. Plugin exploits (quicktime, acrobat, etc) even more so. Emailing out virus mails that appear to come from friends is still a very effective technique - we spent years training people to not trust emails from random people, only to have that advice subverted by having the emails come from friends. There are no restrictions on sending mail on Linux, nor reading from the user's address book assuming they use client-side mail. If they use webmail the same techniques will work as on Windows.

        Some people might say, but Mike, it's hard to make a binary that works on all forms of Linux! In reality, it's not that hard. The basic loading/linking code and core libraries are the same across distributions. It's hard once you try to build real, interesting apps that provide GUIs and so on, but if you're willing to put in some testing (and modern malware is a professional operation, so why not) you can make the same binary work just fine on dozens of distros.

        Other people might say that it's complicated to run binaries on Linux, because you have to set the +x bit. I'll ignore the fact that I think Linux isn't ever going to get 33% market share with the current way of distributing software ... suffice it to say, that once you convince a user that you're legitimate and that they want your eCard (that's how this malware spreads), you can just give them a command to copy/paste into the "Run Program" dialog box.

      2. Once you're in, you want to do a few things. You want to download the rest of the trojan ... no problem with that ... maybe start sending mail ... again no problem ... what else? Maybe you want to drain the user's bank account. The easiest way to do that is to install a browser extension that waits for the user to log in, and then scripts the web app. This has already been done on Windows/IE and isn't technically difficult - although it does require testing on the banks you want to target.

        What else? Stealing cookies is popular. Yep, we can do that. Maybe popping up "unkillable ads". Yes, X will let you do this.

      3. Next, you want to hide, to make yourself hard to get rid of. This is the part where people tend to assume Linux is more robust than Windows. Is it really? Well, firstly, you can do a decent job of hiding without root. To start with, try injecting yourself into a system process ... or start several copies of the same program, all of which watch each other and restart new copies if others are killed or paused. It exploits the fact that you can't send signals to groups of processes atomically. Adjust the user's path in their startup scripts to let you override any binary you wish, and then use a user-mode rootkit technique to hide the fact that the file was modified. Or set yourself to startup in the KDE/GNOME config systems somehow (eg, as an invisible panel app).

        What if you want to store stuff on disk, and hide those files? Doing it with a kernel rootkit is easy enough, but what about without having access to kernel space? One way to do it is ptrace every process that might be used to explore the filesystem - like shells. You can intercept the syscalls of these programs before they reach the kernel in that way, and thus make files "disappear" from the command line, from Nautilus/Konqueror, or whatever other programs you want to do. If you're worried about the ptrace

    17. Re:Question about platform security by RAMMS+EIN · · Score: 1

      ``In the *NIX world its almost impossible to hide a running process.''

      Ah, yeah? I don't think so. Given that you've already compromised the host, that is. And if you can't hide your process, you can always try to masquerade as a process that should be running.

      --
      Please correct me if I got my facts wrong.
    18. Re:Question about platform security by LiquidCoooled · · Score: 4, Funny

      The only problem with releasing trojans in Linux is that the damned things have to be GPL.
      Having to leave the contact details for people wanting the source also makes it a bit tricky.

      --
      liqbase :: faster than paper
    19. Re:Question about platform security by h4rm0ny · · Score: 1

      A minor point, but Ubuntu has done its best to get rid of the root password. Yes - you can change the way it's set up, but for the vast majority of users it is just a case of typing their normal password in a second time for confirmation. It's just another thing that makes it seem that much less of a deal to allow a piece of software to run with root privileges.

      --
      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    20. Re:Question about platform security by 99BottlesOfBeerInMyF · · Score: 1

      ...suffice it to say, that once you convince a user that you're legitimate and that they want your eCard (that's how this malware spreads), you can just give them a command to copy/paste into the "Run Program" dialog box.

      Your post seems predicated upon the assumption that the means of compromise is a trojan. Right now, that is not the common case, especially for bots. While there are more types of trojans out there, each compromises a fairly small number of boxes. Most boxes by number are still compromised by automated worms that have no user interaction component to them.

      I think you're right that Linux is no more secure against trojans than Windows, maybe less so even, but you have to keep in mind that even if that is the case, that's still less than half of the exploits happening. You need to address the question of exposed services and ease of using a user application with a malicious payload to insert a useful bot.

    21. Re:Question about platform security by david_thornley · · Score: 1

      Social engineering works on the user, not on the operating system, and is likely to be about equally effective on any platform. The exception is when the social engineering relies on confusing the user. In this case, I'd see an advantage to MacOSX and Linux, which ask for permission a whole lot less than Windows (particularly Vista). A user who is used to clicking OK boxes is more vulnerable than one who is occasionally asked to type a password for specific reasons.

      In cases where social engineering won't work, we already have good results. While Linux lags behind quite far on the desktop, there are a whole lot of Linux servers out there, and they don't seem to get hit as hard as Windows servers.

      Once the malware has gotten the user to do something moderately bad, the malware might have the privileges of the user. In the case of MacOSX and Linux, those are limited. However, a lot of people run Windows as administrator. For some reason, the idea of the user account being separate from one with administrative rights didn't seem to catch on in the Windows world, whereas all the Unix-based places I've been at have separate user and root accounts. (Yes, malware can play with somebody's data, which is usually the important thing in the system. However, it likely won't bother just trashing it, and if the OS itself hasn't been compromised it's a stable base for recovery.)

      Microsoft has historically been unconcerned with security. While Microsoft is paying a lot more attention to it now, there's still a lot of decisions that Microsoft can't simply unmake, and a lot of habits that will be hard to break. One biggie is the lack of compartmentalization. A word processor on Linux usually is limited in what it can do, while Microsoft Word, running on Windows, can run arbitrary code quite easily. (Unfortunately, web browsers can't be made really secure on this basis, Javascript being essential for so many pages.) Last I looked, Windows was still shipped with more vulnerabilities open by default, but that may well have changed by now.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    22. Re:Question about platform security by 0123456 · · Score: 1

      "I think you're right that Linux is no more secure against trojans than Windows"

      Most Windows users (at least on XP) run as root. Most linux users don't run as root. That's a heck of a lot more secure, at least in terms of losing control over your computer rather than just losing your files.

    23. Re:Question about platform security by timeOday · · Score: 2, Insightful

      I don't see why a botnet client would even need to run as root. So long as the user in question can run 'at' or cron, it can still install itself. I'll grant, a rootkit could conceal itself better with root access, but I doubt very many people would notice an extra process running anyways. (I think I'd call my trojan "bash").

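A defender-side check for two of the user-level persistence mechanisms raised in this thread: the PATH prepend in a user's startup scripts that IamTheRealMike mentions, and the cron-based self-install that timeOday describes. This is an added example, not code from the thread or from the Pushdo analysis. The .bashrc and crontab contents are constructed, the home directory /home/alice is assumed, and "user-writable" is a heuristic (home directory, /tmp, /var/tmp, /dev/shm) rather than a real permission check.

```python
"""
Audit a user's shell startup script and crontab for two user-level
persistence tricks: PATH prepends that let a look-alike binary shadow a
system command, and cron jobs that relaunch a payload from user-writable
space. Added example; sample file contents below are constructed.
"""
import re

# Directories where system binaries normally live. Anything placed ahead of
# these in PATH can shadow commands such as `ps`, `ls` or `netstat`.
SYSTEM_BIN_DIRS = {"/usr/local/sbin", "/usr/local/bin", "/usr/sbin",
                   "/usr/bin", "/sbin", "/bin"}

# `PATH=...` or `export PATH=...`, with an optional trailing comment.
PATH_ASSIGN = re.compile(r'^\s*(?:export\s+)?PATH=(.+?)\s*(?:#.*)?$')
# Five schedule fields (or an @keyword) followed by the command.
CRON_LINE = re.compile(r'^\s*(?:@\w+|(?:\S+\s+){5})(.+)$')

# Constructed sample inputs (assumed home directory: /home/alice).
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH=/usr/local/bin:$PATH
alias ll='ls -l'
export PATH=$HOME/.cache/.fonts:/tmp/.x:$PATH   # injected prepend
PATH=$PATH:$HOME/bin   # appended, cannot shadow system binaries
"""

SAMPLE_CRONTAB = """\
MAILTO=""
*/5 * * * * /home/alice/.cache/.fonts/bash --relaunch
0 3 * * * /usr/bin/rsync -a /home/alice/docs /mnt/backup
@reboot updater >/dev/null 2>&1
"""


def is_user_writable(path, home):
    """Heuristic: paths under the home directory, /tmp, /var/tmp or
    /dev/shm are assumed writable by the unprivileged user."""
    expanded = path.replace("${HOME}", home).replace("$HOME", home)
    if expanded.startswith("~"):
        expanded = home + expanded[1:]
    return (expanded == home or expanded.startswith(home + "/")
            or expanded.startswith(("/tmp/", "/var/tmp/", "/dev/shm/")))


def audit_path_prepends(startup_script, home):
    """Return (line_no, directory) for every PATH entry that sits ahead of
    the original $PATH and points into user-writable space."""
    findings = []
    for n, line in enumerate(startup_script.splitlines(), 1):
        m = PATH_ASSIGN.match(line)
        if not m:
            continue
        for entry in m.group(1).strip('"\'').split(":"):
            if entry in ("$PATH", "${PATH}"):
                break  # entries after the old PATH cannot shadow anything
            if entry and entry not in SYSTEM_BIN_DIRS and is_user_writable(entry, home):
                findings.append((n, entry))
    return findings


def audit_crontab(crontab, home):
    """Return (line_no, command, reason) for jobs whose command is resolved
    through PATH (relative name) or lives in user-writable space."""
    findings = []
    for n, line in enumerate(crontab.splitlines(), 1):
        stripped = line.strip()
        # Skip blanks, comments and variable assignments such as MAILTO=.
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        first = m.group(1).strip().split()[0]
        if not first.startswith("/"):
            findings.append((n, first, "resolved via PATH"))
        elif is_user_writable(first, home):
            findings.append((n, first, "user-writable location"))
    return findings


def audit(startup_script, crontab, home):
    """Run both checks and return them as one report."""
    return {"path_prepends": audit_path_prepends(startup_script, home),
            "cron_jobs": audit_crontab(crontab, home)}


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_BASHRC, SAMPLE_CRONTAB, "/home/alice").items():
        for hit in hits:
            print(kind, hit)
```

The cron check deliberately flags any job whose command is not an absolute path, because a relative name is resolved through the same PATH the first check audits; on a real system that yields some benign hits, which is why the two findings are meant to be read together. For a host-wide sweep, run it as root over each user's startup files and the output of `crontab -l -u USER`.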
    24. Re:Question about platform security by Warbothong · · Score: 1

      From a non-technical point of view, I know someone who found all sorts of vulnerabilities in Windows. He couldn't patch them. He hates Microsoft's business tactics. He wrote viruses to exploit those vulnerabilities (the viruses usually did something like DDOS various Microsoft websites, print out "Microsoft is crap, stop using Windows" once a month, etc.). It's not just the installbase or the security of the system to take into account, it's also a) users' opinions of the system/creators (many Windows users are forced to use it for certain applications, testing, etc. whereas most (desktop) Linux or OSX users specifically chose that system by preference) and b) show off (showing off some successful malware isn't that great, since getting credit for it would also mean getting punishment for it. Showing off a patch to fix the vulnerability, however, is certainly going to get someone their geekpoints, and it may be a lot harder to do than making malware too, so more geekpoints are gained, thus making it a more attractive opportunity).

    25. Re:Question about platform security by paving-slab · · Score: 1

      but a lot of distros like Ubuntu don't have root - you just sudo with the user's own password

      Well, if I may nitpick as well...

      Ubuntu does have root, but it's configured so you can't log in to root. Not quite the same thing.

    26. Re:Question about platform security by MikeBabcock · · Score: 1

      SELinux (enabled by default on Fedora and others) greatly decreases the possibilities of something stupid like this happening. Now if only we didn't continually tell users to "make, sudo make install" everything and actually used signed packages. Why? How trivial is it to get a user to do a "sudo make install" on a Makefile that embeds a rootkit?

      --
      - Michael T. Babcock (Yes, I blog)
    27. Re:Question about platform security by ozmanjusri · · Score: 1

      The only real deterrent for Linux right now is the low number of machines and having to get their password so they can set the init scripts

      No, the real deterrent for Linux is that any significant malware attack will be patched by the community MUCH faster than with Windows.

      There's a significant cost to developing the type of malware that would be capable of building a Linux botnet, and that investment would be lost when the community reacted. The cost/benefit for developing malware on Linux is a long way different than on Windows, where you can be confident that you'll have plenty of time to recoup your investment.

      --
      "I've got more toys than Teruhisa Kitahara."
    28. Re:Question about platform security by 99BottlesOfBeerInMyF · · Score: 1

      Most Windows users (at least on XP) run as root. Most linux users don't run as root. That's a heck of a lot more secure, at least in terms of losing control over your computer rather than just losing your files

      I was thinking of Vista, but assuming we're talking about WinXP, then in either case the bot has plenty of permission as the user to be malicious and send spam, participate in a DDoS, or steal user data. The one thing it can't do that it might want to is disable anti-virus. That is slightly harder on Linux or Vista than on WinXP, but once you're in it is just a matter of breaching one more layer with a local escalation, and those are not really uncommon on Linux (and absurdly common on Vista right now). One could make the argument that in some cases Vista is more secure though in that some of the common things a bot wants to do are sandboxed, whereas while they could be in Linux with SELinux or something, they are not that way by default on any common distribution.

    29. Re:Question about platform security by bigstrat2003 · · Score: 1

      The total number of devices is irrelevant. Cell phones, routers, and other embedded devices are set up once, and then mass-produced, so someone is easily able to make painstaking efforts to ensure security. On servers, this is also true, to a much lesser extent. On the desktop, it's almost never true (you and I care about making sure our machines are secure, but we're the vast minority of desktop users). The desktop area is where people care the least, and so it's the most attacked. Windows' dominance is in the same area, so it actually does have to do with numbers.

      I have always maintained that if Linux, Mac OS, or any other operating system were to gain the huge majority Windows currently has, that OS would be plagued with malware problems too. There are some depressingly stupid users out there, and there's no way to patch the end user. I know people who would be willing to give a web site the root password to their Linux box (well, if they had one), as long as the web site said that it was necessary for something.

      --
      "16MB (fuck off, MiB fascists)" - The Mighty Buzzard
    30. Re:Question about platform security by Butisol · · Score: 0

      It would come down to the demographics then I'd wager. If the Windows users were still primarily the "duh duh, oh greetingcard.exe, sounds like fun" users, then those would be the boxes to hit.

    31. Re:Question about platform security by spootle · · Score: 1

      although sudo su will give you a root prompt

    32. Re:Question about platform security by Anonymous Coward · · Score: 0

      On the other hand, Windows has a few advantages as well:
      More anti-virus tools and services are available for Windows


      To me, this is like saying, it's nice living in a crime-ridden neighborhood because there are a lot of cops around.

      Personally, I'd rather just live somewhere where I'm much less likely to get mugged regardless of police presence.

    33. Re:Question about platform security by sowth · · Score: 1

      ... systems programming for it is easier - you don't have to e.g. jump through hoops to get raw sockets ...

      You don't have to jump through hoops to get raw sockets on Linux, you just have to become root....ummm yeah. On any reasonably configured Linux system, getting root is usually a difficult hoop to jump through, assuming there is no social engineering of someone who has the root account. Then again, with things like Nvidia's (and other mfgrs') buggy drivers and Ubuntu's let's-just-make-people-use-sudo-instead-of-a-real-root-account, I suppose that hoop has become easier to jump through...

    34. Re:Question about platform security by Deathanatos · · Score: 1

      Your counter argument is flawed, if you ask me.

      First, even if you include the tens of millions of XBoxes, using the grandparent's post, you still have fewer Windows boxes than Linux boxes. Also, is not the software on an XBox much different from that of a standard Windows PC?

      Finally, yes, XBoxes - except the XBox is a relatively sandboxed environment. How easy is it to develop for, how many people do develop for it, and how many XBox users are going to go get homegrown XBox software and run it? (And furthermore, how do you reach those users, and will they not be tech-savvy enough to avoid it?)

      Basically, the PC (as opposed to the XBox) encounters much more user-generated content each day, and, between all the software that interprets that data, there is more of a chance to screw it up.

    35. Re:Question about platform security by prshaw · · Score: 1

      It would actually be much harder to successfully target an OS with less than probably 50% of the market; you might even need more than that to be worthwhile.

      But of the 3, if they had equal market share I think OS-X would lose out the most, and get targeted the most. Linux users tend to be a more technical group and Windows users are used to dealing with viruses. So those two groups for different reasons don't get infected as much. But OS-X users tend to feel as secure as Linux users, but don't always have the skills/knowledge to recognize a problem.

      I think today the trojans/viruses are targeted towards market share and user technical level. If I can infect 1% of the dumb users, then where are the most dumb users? Linux has both a smaller market share and a smaller percentage of potential targets. But I think OS-X has the percentage of potential targets, just not the market share (yet).

      It would not be any harder to write the malware for one OS over any other. Today the difficulty is more in avoiding all the different virus/malware scanners.

    36. Re:Question about platform security by coryking · · Score: 1

      The fact that they cannot easily execute themselves stops a lot. It also stops the adoption of linux too. People like "double click to run".

      Even still you can "double click to install RPM", and that is just as good as an executable...
    37. Re:Question about platform security by QuietObserver · · Score: 1
      If you use Firefox, try doing what I do:

      1. Install Ad Block Plus (very small download, even with a 56k connection), and No Script (which is just a little bit bigger; yes, it's three or four times the size of Ad Block, but that's only about a hundred kilobytes or so).

      2. Go into the Preferences for Ad Block Plus.

      3. Add filters for myminicity.*, dwarfurl.*, and anything else that redirects you to myminicity.

      The pages still load, but they do so very quickly, and No Script then prevents them from running their Java applets.

      And by the way, HiggsBison is totally correct about his point regarding the term kernel; it's not only a key indicator of a junk argument, but it's also been hideously misused and misspelled. Kernel refers only to the core of an operating system, the part that sets the standard for hardware/software communication, manages memory, initiates applications, and performs a (preferably small) number of other critically vital system services (things that keep the computer running).

    38. Re:Question about platform security by Mathinker · · Score: 1

      > the real deterrent for Linux is that any significant malware attack will be patched by the community

      Have you been reading the other comments? How can you patch the stupidity of your users?

      After a clueless user has been owned properly, there is probably no effective way for the community to help him; that would require a full reinstall from scratch. This is not dependent on the operating system, as far as I can see.

    39. Re:Question about platform security by Keruo · · Score: 1

      > Given that you've already compromised the host,

      Why masquerade?
      You replace the binaries which show running processes with a section of code hiding your malware process.
      Since the host is compromised, it's highly unlikely to be running tripwire or some such anyway, which might reveal the process replacement.

      --
      There are no atheists when recovering from tape backup.
    40. Re:Question about platform security by cheater512 · · Score: 1

      If the trojan spreads as a RPM, it still needs to be executed before it can take control.
      It can't automatically run itself.

    41. Re:Question about platform security by cheater512 · · Score: 0

      If it's not running as root then it will only run when that user is logged in.
      Once they log out it dies.

      That's why root is highly desirable.

    42. Re:Question about platform security by Anonymous Coward · · Score: 0

      but it will by no means stop malware installation if Linux is a highly targeted desktop.


      There is a very simple way to guarantee that you do not get malware on a Linux system. It is so simple that even Joe User can understand. It has just two simple rules:

      1. ONLY INSTALL SOFTWARE USING SYNAPTIC.

      2. DO NOT ENTER YOUR ROOT PASSWORD ANYWHERE ELSE OTHER THAN SYNAPTIC.

      There you go. Guaranteed infection free. That policy will, by all means, utterly stop malware installation.

      It isn't like you are limited by this policy ... Synaptic offers 20,000+ packages for a Debian/Ubuntu system.
    43. Re:Question about platform security by Anonymous Coward · · Score: 0

      So long as the user in question can run 'at' or cron, it can still install itself.


      No it can't install itself. To install something, and set execute permissions, requires manual input of a password from the keyboard.

      Neither at nor cron can operate a keyboard, and neither one of them knows any passwords.

      People can, and do, regularly look at the source code of utilities such as at and cron to make sure that this is so.

      If any actual live malware actually found a way around the code in at or cron then both a malware remover and a security patch for at or cron would be available in just days ... or quicker.
    44. Re:Question about platform security by Anonymous Coward · · Score: 0

      "Malware authors are familiar with Windows and Windows development tools and often are not experienced in coding for other platforms" The article states that the code is doing many things in a UNIX style (getting the system directory name, etc.) and is written by someone with experience on non-windows systems.
    45. Re:Question about platform security by ozmanjusri · · Score: 1
      Have you been reading the other comments? How can you patch the stupidity of your users?

      Yeah, I've read them. That's just the usual FUD that's been debunked many times.

      The reason social-engineering attacks are so successful on Microsoft platforms, especially Microsoft Outlook, is that the kind of thing you need to trick the user into doing is very simple---typically a single mouse-click. True, many installations pop up warning dialogs for "potentially dangerous" actions, but novice users are used to many such dialogs, and probably just dismiss them as a matter of course.
      --
      "I've got more toys than Teruhisa Kitahara."
    46. Re:Question about platform security by yanyan · · Score: 1

      I think the reason why we don't hear about viruses for the XBox is that it's a pretty locked-down system; functionality is limited to little more than inserting the game media and then installing and running it. I'm probably wrong, but people don't use their XBoxes to browse web sites, download and read email, run p2p applications, etc., all of which pose security risks. I would also assume that network connectivity is only restricted to the Xbox live service, but i realize that it probably isn't hard to write exploits for that service.

    47. Re:Question about platform security by budgenator · · Score: 1

      Well, that's one of the problems: the playing field isn't level. Here are some of my thoughts on it:

      1. Linux is server orientated; all processes are treated equal unless nice'd, which means that as my Linux 'puter gets loaded with malware processes I'd notice it lagging sooner or later; vs. Windows, which is desktop orientated: my Vista machine can have SETI@home running both cores at 100% and I don't notice it. Other Vista machines that are under-spec'd feel sluggish and lag at 100% idle; because all emphasis goes into user experience, it shields the user from seat-of-the-pants knowledge of what the machine is doing.

      2. Windows allows each process to have more knowledge of other processes. The wife's XP machine gets laggy, and I open Task Manager; nothing happens for a second or two, then everything starts running free and easy, then Task Manager opens; seems like something naughty is trying to hide. In Linux there are multiple ways to find out what processes are running.

      3. In Linux, if I want to I can get creative and play around with different partitioning schemes and permissions and run a computer that's 99% read-only. How's malware going to get into that? Or I can even run off a live-boot CD.

      4. The open-source culture helps Linux. In Windows, if my virus scanner finds an infected system file, the only fix is to reload the whole system and risk data loss; in OSS I can FTP the package that contains the corrupted file and copy it in over the infected one if I want. I use Arch Linux and I've had the whole system upgrade transparently just because glibc got updated; where is it safe for a virus to hide under conditions like that?

      Malware writers are going to consider how easy it is to infect a computer, how hard it is to keep the computer infected, and how much the infected computer can do for them; then factor in a little platform inertia and they seem to pick windows overwhelmingly. A few target Linux or OSX, but that's mostly for street-cred and bragging rights.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    48. Re:Question about platform security by baboo_jackal · · Score: 1

      I'm not sure which is worse: links to the stupid minicity thing, or the stories about eating poop.

      I think that if they managed to make a miniature city where everyone was into eating poop, and the more clicks, the more poop was eaten, then maybe *that* would be the worst slashdot trollspam ever.

    49. Re:Question about platform security by Lord+of+Hyphens · · Score: 1

      I was wondering (off and on, never really tried it) how to do that. Maybe it's finally time to install an Ubuntu virtual image.

      Slackware will forgive me, won't it?

      --
      "I've spent my whole life figuring out crazy ways to do things. It'll work." -- Montgomery Scott, "Relics"
    50. Re:Question about platform security by milsoRgen · · Score: 1

      I think an important point to address, in regards to your post, would be the level of expertise an 'average' user has with a given operating system. Myself for example, I happily tramp along with my XP Pro (I like games, damnit!) and I can remember the one and only time I have ever had a virus... I believe it was my 486DX running Windows 95 that had something in the boot sector... That was 10 years or so ago... When I was in Junior High... With my first computer... So to sum things up: I don't think that Windows is inherently less secure than other operating systems, provided the user has enough knowledge. ...also I guess you could point out I might have been infected and never realized it. Very true I suppose.

      --
      I'm sick of following my dreams. I'm just going to ask where they're goin' and hook up with 'em later.
    51. Re:Question about platform security by guruevi · · Score: 1

      There are two reasons for that:

      Windows on XBox is not the same Windows as Windows XP or Windows Vista. It's a very much trimmed down version of Windows 2000. It has parts of the kernel but has none of the shenanigans that are called Internet Explorer, the Explorer shell or ActiveX. Also, you can't surf the internet or send/receive e-mails on an XBox nor can you run executables that have not been sanctioned by Microsoft (it's what we call DRM).

      Now if we had a Windows that was trimmed down to the bones, didn't come with Internet Explorer or ActiveX or other stuff that's easily exploitable so that the browser can be sandboxed or at least modularized, if the user couldn't run anything on the system except for specific programs (well, WE wouldn't like that now would we so forget that) and if we block all HTML e-mail then we would at least be safer and Microsoft would have a good track record regarding security. The problem with their Windows suite is that everything is included and all made by the same company. One exploit in a single component (eg. a media exploit) can be exploited in all programs of the same company since they all share the same code to do the same things (IE, WMP and OE for example). If it was made by a different company that does not trust the external component, it could have been sandboxed and the exploit wouldn't work.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    52. Re:Question about platform security by Tim+C · · Score: 2, Insightful

      Your post seems predicated upon the assumption that the means of compromise is a trojan. Right now, that is not the common case, especially for bots.

      Well, I can't say that I have any hard facts to back up my opinion, but I've always assumed the exact opposite. I don't see *anything* in my router/firewall logs. Either the attacks aren't happening, or they're stopped by my ISP; either way, they're not compromising any PCs (and I'd expect the ISP to advertise the extra protection if they were doing it)

      In contrast, I receive viruses attached to spam mails *every single day*. I use p2p and occasionally download a file that my av software flags up as being a virus or trojan. Hell, I even get viruses mailed to me in password-protected zip files; people must be opening up these unexpected files, typing in the password and infecting themselves.

      even if that is the case, that's still less than half of the exploits happening

      Assuming that's true, then you'll wipe out roughly half the exploits by switching to Linux. So malware authors will adapt; worms will die out and social-engineering attacks and trojans will increase. You'll buy a temporary respite as the authors react and amp up production of new attacks. Big deal. User education is key, but we've known that for a decade and the situation doesn't seem to be improving.

    53. Re:Question about platform security by phillips321 · · Score: 1

      I don't think it has much at all to do with what OS is being used but purely the user.

      The vast majority of people using *nix are clued up about viruses, malware etc... thus there is a lot less chance of them installing the crap.

      There is a much higher proportion of people using Windows that don't know what they're doing; the majority of people know this, so they target the weak majority.
      Any Windows lovers out there, please don't think I'm slagging Windows off; I'm just simply stating the well-known fact that there are more clueless users out there that happen to be using Windows.

    54. Re:Question about platform security by jonadab · · Score: 1

      > Which environment would a trojan/botnet writer target and why?

      They would (and do) target all of them.

      That doesn't imply that they all are (or would be) equally insecure, however.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    55. Re:Question about platform security by 99BottlesOfBeerInMyF · · Score: 1

      The article states that the code is doing many things in a UNIX style (getting the system directory name, etc.) and is written by someone with experience on non-windows systems.

      Allow me to clarify. You're correct that some malware developers have *NIX experience. Many control networks run on compromised Linux machines and all the Web front ends I've seen used to rent botnets out are running on Apache. That said, I think this control system and those Web front ends are made by a much rarer breed than the average botnet herder. The average herder I've met (online) has a skill level a bit above the normal script kiddie. They rely heavily on code and tools they purchase or steal and adapt slightly themselves. The one thing they do that requires many hands is go through security mailings and fuzz Windows programs looking for new exploitable vulnerabilities. I think it would take a while for the malware community to adapt for other OS's. The motivation is already there for OS X. It is a juicy target no one is competing for, with a better selection of mineable financial info, but no one has managed to really tap it yet. There have been exploitable vulnerabilities, public and waiting for a worm, but they just haven't done it.

    56. Re:Question about platform security by jonadab · · Score: 1

      > I'll grant, a rootkit could conceal itself better with root access, but I doubt very many people
      > would notice an extra process running anyways. (I think I'd call my trojan "bash").

      I'll go you one better: the installer can just check the current process table at install time, make a list of anything the user's running multiple copies of, pick one of them at random, and name the trojan executable that. So if the user's got three copies of Emacs running at the time the thing installs, the trojan could end up being named emacs, but on a vi user's system it would be named something else. Similarly, it could be named bash on a bash user's system, but if the user had changed his default shell to tcsh or whatnot, then the trojan would not be named bash. This tactic should help the thing blend in better on process lists and escape casual, accidental detection most of the time.

      The user could potentially still discover it, e.g. by finding the cronjob (or the line in .bash_profile, or the gnome-session entry, or whatever) that sets the thing running each session. But if 80% of users don't find it for over three months and 50% don't find it for over a year, the malware could build up a pretty sizeable installed base (especially in the proposed fantasy world where *nix systems (counting OS X) are 67% of the world's desktops).

      Of course, that's in the absence of anti-malware software making a concerted effort to detect such things. Unix-like systems on the whole don't need traditional anti-virus software (in the sense of protecting against file viruses) because system permissions (assuming the user doesn't normally run as root) effectively thwart that kind of malware anyway. But trojans and other social-engineering attacks are altogether another thing. There are intrusion detection systems, of course, in just about every major distro, but I think most users of the distros in question don't really know how to use them, as they currently stand. (I only recently studied up on how to use chkrootkit and rkhunter myself, and I think there are other types of IDS that I still haven't studied up on. I first started using Linux systems in 1998...)

      --
      Cut that out, or I will ship you to Norilsk in a box.
    57. Re:Question about platform security by Anonymous Coward · · Score: 0
      If it's not running as root then it will only run when that user is logged in.


      A regular user can use nohup, at or cron.

    58. Re:Question about platform security by coryking · · Score: 1
      In theory, you are correct. However, a fair number of evil software in the wild gets into your computers blood stream by you voluntarily running it. You know there are trojans that imitate common spyware removal programs? What about some "download accelerator" or "Pimp my Firefox Toolbar v3.423"?

      It can't automatically run itself. Sure it can. Find me a box running PHP and some one-year-old web application written on top of it and I'll execute it for you! :-)
    59. Re:Question about platform security by Melkman · · Score: 1

      What have you been smoking? For an eye opener try the following: open a terminal and do "ping &". Close the terminal and log out. Log in as a different user and open a terminal. Do "ps ax|grep ping". Look at the result in astonishment. Things started in the background will happily continue to run if the controlling user is logged out. And as the previous poster said, if the user has access to cron or at, processes can be started at predetermined times and dates. Root is only highly desirable because it will let you manipulate ALL files in a system, not just the files of one user. This gives the attacker much better possibilities of hiding his malware and makes it harder to remove it.
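
The two observations in the thread above, jonadab's point that a trojan can borrow the name of a binary the user already runs (comment 56) and Melkman's point that a user's background jobs survive logout (comment 59), suggest a simple defender's check. The script below is an added example, not code from any poster: it flags processes whose name matches a system binary but whose executable lives outside trusted directories, and processes owned by human accounts with no active login session. It assumes a Linux /proc layout and the Debian/Ubuntu convention that human UIDs start at 1000; the process snapshot it ships with is constructed.

```python
"""Flag user processes that masquerade as common binaries or outlive a login.

Two checks: (1) a process named like a well-known tool (bash, emacs, ...) whose
executable is not in a trusted system directory; (2) a process owned by a human
account that has no login session (a "ping &" that survived logout, or a job
started from cron/at). collect_live() builds a snapshot from /proc on Linux.
"""
import os
import subprocess
from dataclasses import dataclass

# Assumption: Debian/Ubuntu-style layout; adjust for other distributions.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/lib/", "/usr/libexec/", "/lib/", "/opt/")
FIRST_HUMAN_UID = 1000


@dataclass(frozen=True)
class Proc:
    pid: int
    uid: int
    user: str
    comm: str   # short command name, as ps shows it
    exe: str    # resolved path of the running executable ("" if unreadable)


def system_binaries(trusted_dirs=TRUSTED_DIRS):
    """Names of executables installed in the trusted directories on this host."""
    names = set()
    for directory in trusted_dirs:
        try:
            names.update(os.listdir(directory))
        except OSError:
            pass
    return names


def masquerading(procs, known_names, trusted_dirs=TRUSTED_DIRS):
    """Processes that borrow the name of a system binary but run from elsewhere."""
    return [p for p in procs
            if p.comm in known_names and p.exe
            and not p.exe.startswith(trusted_dirs)]


def orphaned(procs, logged_in, first_human_uid=FIRST_HUMAN_UID):
    """Processes owned by human accounts with no active login session.
    Leads, not verdicts: screen/tmux and user services look the same."""
    return [p for p in procs
            if p.uid >= first_human_uid and p.user not in logged_in]


def report(procs, known_names, logged_in):
    """One line per finding; returned rather than printed so it can be checked."""
    lines = [f"MASQUERADE pid={p.pid} user={p.user} name={p.comm} exe={p.exe}"
             for p in masquerading(procs, known_names)]
    lines += [f"ORPHAN pid={p.pid} user={p.user} name={p.comm} exe={p.exe}"
              for p in orphaned(procs, logged_in)]
    return lines


def logged_in_users():
    """Accounts with an active session, parsed from `who` (Unix only)."""
    out = subprocess.run(["who"], capture_output=True, text=True).stdout
    return {line.split()[0] for line in out.splitlines() if line.strip()}


def collect_live():
    """Snapshot from /proc (Linux only; run as root to read every exe link)."""
    import pwd
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            uid = os.stat(f"/proc/{pid}").st_uid
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue                      # process exited while we looked
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""                      # kernel thread, or not permitted
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        procs.append(Proc(pid, uid, user, comm, exe))
    return procs


# Constructed snapshot (no real host): alice is logged in, bob has logged out.
SAMPLE_PROCS = [
    Proc(612, 0, "root", "sshd", "/usr/sbin/sshd"),
    Proc(1201, 1000, "alice", "bash", "/bin/bash"),
    Proc(1340, 1000, "alice", "emacs", "/usr/bin/emacs"),
    Proc(1355, 1000, "alice", "emacs", "/home/alice/.cache/.x/emacs"),
    Proc(2001, 1001, "bob", "ping", "/bin/ping"),
    Proc(2002, 1001, "bob", "bash", "/home/bob/.local/share/bash"),
]
SAMPLE_KNOWN = {"sshd", "bash", "emacs", "ping"}
SAMPLE_LOGGED_IN = {"alice"}

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv[1:]:
        findings = report(collect_live(), system_binaries(), logged_in_users())
    else:
        findings = report(SAMPLE_PROCS, SAMPLE_KNOWN, SAMPLE_LOGGED_IN)
    print("\n".join(findings) or "nothing suspicious")
```

Run with `--live` to inspect the current host; without it the constructed snapshot shows one fake `emacs` under alice's home and bob's surviving `ping` and `bash`.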

    60. Re:Question about platform security by cheater512 · · Score: 1

      You can never help idiots who will always type in their root password.
      However far fewer people will be stupid enough to enter their root pass than click 'Yes' to UAC.

      Nothing is impossible especially when it comes to computers.
      When defending against malware you want to make it as improbable as possible though and Linux does this better than Windows.

  4. Comment removed by account_deleted · · Score: 1, Interesting

    Comment removed based on user account deletion

  5. Counter attack is required by Anonymous Coward · · Score: 1, Interesting

    I really do think it is time to fight fire with fire. If these things report to a server then make that IP public and then blast it off the internet.

    After all I am entitled to use reasonable force to protect my person. Why can't I use the electronic equivalent with these scum bags.

    Sure it is a moving target but the key to smashing spam is to push up the marginal cost to the spammer.

    1. Re:Counter attack is required by SoupIsGoodFood_42 · · Score: 3, Insightful

      Because then people like you end up blasting legit people off the internet by mistake and ignore the problem as collateral damage?

    2. Re:Counter attack is required by nurb432 · · Score: 1

      Or worse, you get some large company 'joe jobbed' out of existence for a few days and lose millions in sales.

      Hmm good blackmail tactic tho.

      --
      ---- Booth was a patriot ----
    3. Re:Counter attack is required by darkpixel2k · · Score: 1

      I really do think it is time to fight fire with fire. If these things report to a server then make that IP public and then blast it off the internet.

      Unfortunately the spammer/malware author usually doesn't use their own servers, pipes, routing equipment, etc...
      It's usually hosted at some facility and your retaliation would more than likely harm other customers.

      Same with home PCs. If you tried to take down my 8/1 Mb Comcast connection you might succeed if you have a faster connection. Or alternatively, if you and a bunch of others gang up, you may succeed too well and take my neighborhood off the net.

      What I think may be needed is an easier system for tracking down infected systems and being able to get in touch with the admins for those systems. In my previous example, it should be much easier to identify my offending IP, and look up information to get in touch with a Comcast network geek who will take care of it right away. Probably by blocking my IP until I call in and resolve the issue.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
    4. Re:Counter attack is required by The+MAZZTer · · Score: 1

      I think we're not allowed to do that for the same reason lynching isn't allowed...

    5. Re:Counter attack is required by Shade+of+Pyrrhus · · Score: 1

      What about the machines that these IP addresses resolve to? Trojans would be very easy to defeat if all of them pointed to the one address that is the perpetrator. However, a lot of times these addresses are other "innocent" machines, like yours, that are infected and are just another go-between. It may just be that you never would see the perpetrator's IP address, and they're simply using backdoors on other networks.

      Now, given the other machines are infected, you would indeed be a criminal yourself, as the victim of YOUR attacks would be wondering why the heck you're attacking them - a vicious cycle if they take the same route you do. However, finding these IPs and informing the administrators of a possible security breach might be more effective.

    6. Re:Counter attack is required by jmauro · · Score: 1

      Most of them use things like IRC or other peer-to-peer systems to communicate, so knocking the main controller off the internet would only temporarily disable the control of the system. The writers have learned, through repeated attempts to do what you suggest, to find a way around the issues of being temporarily knocked offline.

  6. Scary... by gmuslera · · Score: 0, Troll

    That's the first thing that comes to my mind when I see how sophisticated and commercial the bad guys have become. There have been a lot of stories regarding this kind of subject in the last months/years, and the internet is becoming more and more like a minefield.

    I know that this one is pretty dependent on Windows (not only is it the easy target, because of users, numbers and the "security" of the system/browser present there), but I bet that some of that development can be translated to Unix/Mac systems (as it is the user who mainly installs it; think e.g. of when the SquirrelMail repository was corrupted: if someone sends spam to make people download it before it gets caught, that in fact installs a trojan with that functionality).

    1. Re:Scary... by 99BottlesOfBeerInMyF · · Score: 1

      ...but I bet that some of that development can be translated to Unix/Mac systems (as it is the user who mainly installs it; think e.g. of when the SquirrelMail repository was corrupted: if someone sends spam to make people download it before it gets caught, that in fact installs a trojan with that functionality).

      Just to clarify, while there are lots of different trojans, including those for Mac/Linux, and they are in the wild, trojans are still not the biggest threat. While there are more trojans than worms, worms still compromise more machines than trojans, and worms that exploit network services or applications, with no user interaction, are still the most common cause of a compromise; especially for zombies in a botnet.

    2. Re:Scary... by prshaw · · Score: 1

      Are you sure that worms are a bigger threat than trojans?

      I have not heard of a worm causing serious problems in a while (some are still there, but not causing any real damage anymore). (Note, Storm Worm is NOT a worm, it is a trojan).

      Trojans, click happy users, and some good social engineering seem to be the main way these botnets are keeping their sizes.

      What worms have you heard of that are in the wild now causing problems?

    3. Re:Scary... by 99BottlesOfBeerInMyF · · Score: 1

      Are you sure that worms are a bigger threat than trojans?

      The numbers aren't in for 2007 yet. We'll probably see them mid-January. For 2006, however, most exploits were the result of worms with no user interaction by a significant margin. Maybe this is changing, but I doubt that has happened yet. A lot of security people tend to focus a lot on threats that might affect them, like their network of WinXP SP2 systems, and forget that there is still a large ecosystem of older Windows systems out there that make up the lion's share of boxes being compromised.

      What worms have you heard of that are in the wild now causing problems?

      Over the last two weeks, a variation of the Slammer worm has been making the rounds and compromising a lot of machines. More generally Web services worms have been big, doing drive-by bot installations all year.

  7. I'm not seeing the "easy" part there. by khasim · · Score: 5, Informative

    Download some malware, pop-up a fake window when the user does something to get the password, sudo with the password, install whatever else you want and setup init scripts, done!

    Okay, that first part "Download some malware". How?

    With Windows it is easy to explain. ActiveX.

    With Linux/Apple, it's not so easy.

    With old versions of Windows/Outlook, you could just mass mail the exploit and hope that enough people hadn't patched Outlook NOT to auto-run some executables.

    Or that they hadn't configured their security zones correctly.

    Microsoft is getting better. But they're still focused on adding layers of "security" instead of taking the simple option and just not installing so many services that the user will probably never use. So if there's any flaw in the various layers, you can still be cracked.
    1. Re:I'm not seeing the "easy" part there. by SanityInAnarchy · · Score: 1

      Most malware now is either by drive by download using whatever plugin/browser exploit is new, or by having them download the exe from P2P or somewhere.

      How many of these go through Firefox, though?

      Most of their vulns have been plugin related it seems though - but I don't see why it would be different if Linux were targeted as much as windows is.

      Depends on the plugin. I imagine the plugins have to behave fairly differently on other OSes.

      --
      Don't thank God, thank a doctor!
    2. Re:I'm not seeing the "easy" part there. by IamTheRealMike · · Score: 1

      ActiveX has been "defanged" for several years. You can't install random software without asking the user anymore in IE and that's been true for a long time.

      The Storm botnet has been spread by emailing out binaries that people then run, because they believe it to be something it's not. That's a hard problem to solve. It hasn't really been solved by any system yet - perhaps it can't be solved.

      Any computer where you can easily add new software (and a desktop OS that doesn't let you do that is one which isn't going anywhere fast), will have this problem.

    3. Re:I'm not seeing the "easy" part there. by WeirdJohn · · Score: 2, Interesting

      The trick is to (Step One) get the User to visit an Evil Website: "Naked Lesbian Twins with Machine Guns" should do it.

      (Step Two) Tell the User that a new "Video Codec" must be installed on their Ubuntu|Redhat|Suse System, which requires SuperUser privilege.

      (Step Three) pop up a standard web browser password dialog, asking for the root password

      (Step Four) Start to download the "Codec Installer" that plays funny games with gcc, expect and python to sudo and install the malware when run.

      (Step Five) Tell user to run 'bash GirlsWithGunsCodecInstaller'

      Your logic error was in assuming that if GNU/Linux had 33% of the desktop then all those extra users were as clued as you. An easy mistake to make, I've done it myself many times. And it's amazing how people's judgment fails when they have the chance to see naked lesbian twins with guns.

    4. Re:I'm not seeing the "easy" part there. by Anonymous Coward · · Score: 0

      Zomg, Naked Lesbian Twins with Machine Guns?? Torrent of movie /w codec, please!

    5. Re:I'm not seeing the "easy" part there. by daeg · · Score: 1

      Unfortunately, users are still largely stupid in terms of agreeing to ActiveX installs. Even Microsoft Update requires it. You'd think that by now Microsoft would somehow add Windows Update to an internal/default exemptions list, right? Or build it outside of the IE engine.

    6. Re:I'm not seeing the "easy" part there. by m50d · · Score: 2, Funny

      This thread is worthless without pics

      --
      I am trolling
    7. Re:I'm not seeing the "easy" part there. by Anonymous Coward · · Score: 0

      Okay, that first part "Download some malware". How?

      "Hi. Please click the following link to download my latest game..."
      or
      "Hi. Please click the following link to download my latest porn..."

    8. Re:I'm not seeing the "easy" part there. by jmauro · · Score: 1

      In Vista it appears to be outside of the engine finally. I still think it uses IE for connecting to the Windows Update web services, but it's now a stand-alone program in the OS instead of a program run from a web page. I was quite happy to see that the old Windows Update is now dead.

    9. Re:I'm not seeing the "easy" part there. by prshaw · · Score: 2, Insightful

      >> Okay, that first part "Download some malware". How?

      Read up on how Storm-Worm got started. It sent an email asking people to go to a site and download something. Guess what, they did what they were told to do.

      Now it may only have been 1 out of 1000 people who actually did it, but that number is high enough to get a good start. And then all that those individual computers needed to be able to do was connect to a website and send email. Something pretty much any computer on the internet can do (even Linux boxes running as a user can connect to a website and send email).

      All you need is enough targets to make that 1 out of 1000 (or 1 out of 1000000) to make it work. You don't need some magical hole in the OS, or root privileges, or anything special. You just need enough dumb users that will do what you ask them to do.

    10. Re:I'm not seeing the "easy" part there. by Anonymous Coward · · Score: 1, Insightful

      Funny thing... ActiveX enabled leaves you vulnerable. Yet you can't use the Windows Update site without ActiveX enabled. And every time I get an update for InternetExploder I have to re-disable ActiveX. What is needed is to enable ActiveX on a site-by-site basis, with it default off.

      I can do the same thing with javascript content with seamonkey/firefox and the noscript plugin. (http://noscript.net/)

    11. Re:I'm not seeing the "easy" part there. by Anonymous Coward · · Score: 0

      Any computer where you can easily add new software (and a desktop OS that doesn't let you do that is one which isn't going anywhere fast), will have this problem.


      Au contraire, I can easily add new software on my Linux by using Synaptic. Yet if I keep to a simple policy of **ONLY** using Synaptic to install software, I am guaranteed to get no malware infections.

      If someone somehow manages to place an unsolicited file onto my system, under Linux I am required to manually give it execute permissions before it can run. In order to give a file permission to execute, I must manually supply a password ... clicking "OK" will not do. Answering "y" to a fake question will not do. I must enter a valid password, manually. In order to give a file root permission to execute, likewise I must manually supply the root password.

      Under Windows systems, Windows Update can install, and has in the past installed, unsolicited and unwanted software with root permissions without even so much as mentioning it to any local user on that system.
    12. Re:I'm not seeing the "easy" part there. by Terri416 · · Score: 1

      I wish it were that easy.
      I work in a small law firm in Blighty, and the new laws require us to use web services for searches, HIPS and the like. The damn things use activeX.
      In the last few weeks, a training CD arrived in the post from some gov.uk agency. Guess what - it uses activeX. On a freaking CD!
      ActiveX in the UK is like an infestation of cockroaches. It's not going away any time soon; if anything, it's getting worse.

    13. Re:I'm not seeing the "easy" part there. by Anonymous Coward · · Score: 0

      Heh. Posting AC for this one...
      I work at a security company here in the US. We were about to use another company's product in conjunction with our software that required ActiveX to run (it was admin software through the browser). Luckily, we ditched them (but for unrelated things), but I was literally wincing during a meeting just at the thought of a security company requiring ActiveX for their product to work... sigh.

    14. Re:I'm not seeing the "easy" part there. by Anonymous Coward · · Score: 0
      Quoth the parent "Okay, that first part "Download some malware". How?

      With Windows it is easy to explain. ActiveX.

      With Linux/Apple, it's not so easy."

      It's called Javascript. That's why it's off in my browser.

      Stupid new-fangled Web2.0 thingie. Get off my lawn.

    15. Re:I'm not seeing the "easy" part there. by budgenator · · Score: 1
      With Linux/Apple, it's not so easy.
      The last one I understood went like this
      1. user installs a PHP script that executes shell commands
      2. hacker tells the script to download the virus using the wget program
      3. downloaded program is stored in /tmp, which is wiped clean every reboot
      4. downloaded program gets chmod +x by the hacker
      5. newly executed program is run as user:group nobody:nobody
      6. worm program, which can't really do anything else, tries to infect other servers

      then SU sees an executable belonging to nobody in /tmp, kills the process, removes the executable, touches an empty file belonging to root in its place, and does a search and destroy on the bad PHP script.
      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  8. Comment removed by account_deleted · · Score: 0, Offtopic

    Comment removed based on user account deletion

  9. Welcome our new malware overlords! by s1d · · Score: 0

    Welcome our new malware overlords!

    --
    In Soviet Russia, everything runs linux.
  10. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  11. Re:the fix by QuoteMstr · · Score: 5, Insightful

    Just replace the destination URL with the one you get after following 301 redirects. That shouldn't break anything (301s are meant to be cached, and legitimate URL compression services should be using 301s anyway.)

  12. 21st century war by brit74 · · Score: 2, Insightful

    This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload.

    I can't help but think a lot of malware creators will get rich in the 21st century when governments pay them to attack countries they are at war with - either destroying their computer infrastructure, or acting as spies.

    1. Re:21st century war by zopf · · Score: 1

      More frightening, I think, is that a botnet operator could simulate an attack from a foreign country, and thus manipulate the geopolitical climate. Imagine that the USA and Russia were on shaky terms after some kind of conflict... a malicious botnet operator could summon computers known to be within certain regions of Russia (or even select for those behind military/state IPs) and then target them on US defense networks. The US might then be forced to step into military action, assuming that they were under some kind of Russian electronic attack, when in reality they were being manipulated by rogue hackers.

      --
      Did you see the pool? They flipped the bitch!
  13. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  14. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  15. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  16. Re:the fix by noctrl · · Score: 1

    gha, moderated wrong, undoing..

    There are getting more of them.
    It's a good question :-)

  17. Command and Control Server by phantomcircuit · · Score: 2, Interesting

    My question is simple, How can the command and control servers for botnets stay up?

    Wouldn't their hosting provider and/or IP block owner want to avoid ending up on blacklists, and thus kick them off, cutting off all infected systems from further contact?

    1. Re:Command and Control Server by KillerBob · · Score: 4, Informative

      IRC... have a master channel, and configure the virus so it's able to connect to a slave channel and receive commands, or connect to the master channel and relay commands to its slave channel. Program the bot/virus so that it connects to a non-persistent "slave" channel. If it's automatically given moderator status, then it's the first bot in the channel, so it connects to the master channel and functions as a command/control herder. If it doesn't automatically get mod rights, then it functions as a slave and actually does the dirty work.

      And by using a wide open IRC server, of which there are plenty, it's virtually impossible to shut down the network. All the main controller has to do is connect to his "master" control channel periodically to send out commands, and the rest of the herding gets done by his deputies.

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    2. Re:Command and Control Server by Anonymous Coward · · Score: 0

      The bigger ones these days (like Storm) are peer-to-peer, so there is no central command and control, the herder just sends a digitally signed command to any infected host and it relays it into the botnet to all the other slaves.

    3. Re:Command and Control Server by phantomcircuit · · Score: 1

      Well that sounds great but what happens when all of the IRC servers shut them out?

      Now all of the clients are cut off from the master and have no way of connecting back.

    4. Re:Command and Control Server by KillerBob · · Score: 1

      Well that sounds great but what happens when all of the IRC servers shut them out?


      You're right... when the IRC servers shut them out, you're safe. But they can't exactly IP ban every client that's infected with the virus.... there are far too many. The servers could block the channels, but how would they know they've got all of them? Granted, all they have to do is block the main control channel, but that would require actually watching the traffic... you have any idea how many logs they'd have to go through to find out which channel is actually the control channel? And if the owner of the network is smart, he's going to connect from internet cafes, or better yet, throwaway dialup connections. And what if there's multiple control channels and multiple IRC networks? How about setting up the network so that *any* of the channels can function as a control channel.

      Worse still, the network could lay dormant for months before any commands start being issued, making it very hard to track down which channels to shut down. If your default command on the virus (for when it has no commands) is to spread itself using a maximum of 5% of available bandwidth, then it could go for a very long time before it gets noticed by its victims.
      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    5. Re:Command and Control Server by Doctor+O · · Score: 1

      That one's easy. Enter Fast Flux.

      --
      Who is General Failure and why is he reading my hard disk?
    6. Re:Command and Control Server by RzUpAnmsCwrds · · Score: 1

      I'll do one better - use P2P and cryptography. The botnet administrator has a private key and embeds his public key into the malware. Then he signs his commands with his private key and distributes them to an infected host. The infected hosts keep track of other infected hosts (such as those that they infected) and distribute the message to those hosts.

      Better yet, add a timecode to the signature to prevent replay attacks. And write the malware to screw your system over if you try to change the clock.

    7. Re:Command and Control Server by phantomcircuit · · Score: 1

      Fast Flux is just a very fast round robin. The purchase of domain names is still necessary. Anyways why would they let someone have thousands of A name records and change them every few seconds?

  18. Re:the fix by Anonymous Coward · · Score: 0

    I have the NoScript extension on and when I click on these minicity links, I get this:

    This site needs JavaScript.
    Please wait a few moments...


    and then nothing happens. In the HTML source I can see that it redirects to itself. How can you guys have JavaScript on for every site?!

  19. Technobabble detector by HiggsBison · · Score: 1

    "kernal" should have been a red flag.

    --
    My other car is a 1984 Nark Avenger.
  20. Talk about your anecdotes . . . by Anonymous Coward · · Score: 0

    Precisely how many XBoxes are there in comparison to Windows boxes? Do they outnumber Linux devices? What proof do you have XBoxes are not infected?

    1. Re:Talk about your anecdotes . . . by Anonymous Coward · · Score: 0

      Precisely how many XBoxes are there in comparison to Windows boxes? Do they outnumber Linux devices? What proof do you have XBoxes are not infected?

      Well why don't you answer the same questions about Linux devices? Can you prove they're not infected?

  21. What you would name your malware. by sowth · · Score: 1

    I think I'd call mine super_pr0n_queen with the arguments "--enhance-pr0n --doublestuff ~/superpr0n.mp4" and the installer would put a very "interesting" movie in ~/superpr0n.mp4. A sure-fire guarantee to never be deleted!

  22. Re:the fix by Debug0x2a · · Score: 2, Insightful

    Or just disallow links to tinyurl or dwarfurl entirely. I think the detriment would be far outweighed by the benefit.

    --
    First post = troll. Cleverly worded post designed to enrage others = flamebait.
  23. One question: by hummassa · · Score: 1

    So long as the user in question can run 'at' or cron, it can still install itself.

    No it can't install itself. To install something, and set execute permissions, requires manual input of a password from the keyboard.

    Is your /home in a separate, noexec partition? Because if it isn't (and many -- almost all -- of them aren't) then your trojan can set the exec bit for something hidden in your ~/.kde or something without any keyboard access. And it can keep running after you log out, too.
    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    1. Re:One question: by Anonymous Coward · · Score: 0

      is your /home in a separate, noexec partition? because if it isn't (and many -- almost all -- of them aren't) then your trojan can set exec bit for something hidden in your ~/.kde or something without any keyboard access. and it can keep running after you log out, too.


      I do keep /home in a separate partition ... because that practice allows me to re-install or upgrade the OS without any loss of user data.

      A trojan cannot set any execute bits because it does not have execute permission itself ... unless a local user provides a password.

      If you know of any mechanism where no input is required from a local user in order to get an unsolicited file saved on and then executed on a Linux system, then please report this mechanism to the bug reporting facility of the distribution ... because that is a bug. There will be hordes of programmers wanting to get the kudos for stopping a potential virus entry point such as that, so it should be stoppered within days of your reporting it.

      In comparison, Windows Update ... which can install unsolicited stuff on to Windows Systems without even reporting that to any local user let alone requiring permission ... that is a "feature". It is a Microsoft-mandated feature known colloquially as a "backdoor".
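      The noexec question hummassa raises above (and the reply that a trojan "cannot set any execute bits") turns on which mount actually holds a path, since a separate partition such as a build directory under /home can be mounted without noexec. The following is an added example, not code from the thread: a POSIX shell check that takes a mount table in /proc/mounts format, picks the longest mount point that is a prefix of the path, and reports whether that mount carries noexec. The mount table shown is constructed; on a Linux host the same function can be fed the live /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a path sits on a
# filesystem mounted noexec. The mount table is passed in as text in
# /proc/mounts format, so the check runs against a constructed sample as
# well as the live table. Caveat: noexec only stops the kernel from
# exec()ing files there; an interpreter can still read and run a script.

# mount_point_for PATH MOUNTS_TEXT -> prints "<mountpoint> <options>" for the
# longest mount point that is a prefix of PATH (the mount that holds it).
# /proc/mounts escapes spaces in mount points as \040; such entries are rare
# and are not decoded here.
mount_point_for() {
    path=$1
    mounts=$2
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2; opts = $4
            if (p == mp || mp == "/" || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); bestmp = mp; bestopts = opts }
            }
        }
        END { if (bestmp != "") print bestmp, bestopts }'
}

# is_noexec PATH MOUNTS_TEXT -> exit status 0 if the holding mount has noexec.
is_noexec() {
    line=$(mount_point_for "$1" "$2")
    opts=${line#* }
    case ",$opts," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed mount table: /home and /tmp are noexec, but a build directory
# under /home is mounted separately without it.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /home/alice/build ext4 rw,relatime 0 0'

report() {
    if is_noexec "$1" "$2"; then echo "$1: noexec"; else echo "$1: exec allowed"; fi
}

report /home/alice/.kde/evil "$SAMPLE_MOUNTS"
report /home/alice/build/evil "$SAMPLE_MOUNTS"
report /tmp/evil "$SAMPLE_MOUNTS"

# On a Linux host, check your own home directory against the live table.
if [ -r /proc/mounts ]; then report "${HOME:-/}" "$(cat /proc/mounts)"; fi
```

      Resolve symlinks first (for example with `readlink -f`) before passing a path in, otherwise a link from a noexec directory into an exec-allowed one will be reported by the wrong mount.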
  24. Re:the fix by linhux · · Score: 1
    Except that most redirect services, including the one in the original post, use HTTP status 302, which indicates a temporary redirect that should not be cached.

    $ telnet dwarfurl.com 80
    Trying 216.14.80.118...
    Connected to dwarfurl.com.
    Escape character is '^]'.
    GET /ae9b3 HTTP/1.0

    HTTP/1.1 302 Found
    Date: Mon, 24 Dec 2007 14:08:57 GMT
    Server: Apache/1.3.37 (Unix) PHP/5.2.0 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
    X-Powered-By: PHP/5.2.0
    Set-Cookie: PHPSESSID=a04bd3724433315ff37b8b497d2bb91d; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Location: http://h1.ripway.com/slashdot1000/index.php
    Connection: close
    Content-Type: text/html

    Connection closed by foreign host.
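    QuoteMstr's suggestion above (replace the short link with the URL reached after following 301s) and linhux's capture (the service answers 302 with no-store) are two halves of one check. The following is an added example, not code from the thread or from any URL-shortening service: it follows redirects one hop at a time without letting the HTTP library auto-follow, records each hop's status, and only marks a chain as safe to substitute when every hop was a permanent 301/308 and none carried no-store/no-cache. The `CONSTRUCTED` table is made up for offline use; its dwarfurl entry mirrors the 302 and Cache-Control headers from the capture, and the `short.example` / `loop.example` hosts are invented.

```python
"""Added example (not from the thread): resolve a short link by following
HTTP redirects one hop at a time, recording each hop's status code. A chain
made only of 301/308 responses is safe to cache and substitute for the short
URL; a 302/307 hop (as in the dwarfurl capture) is temporary and is not."""
from __future__ import annotations

import http.client
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Response = Tuple[int, Dict[str, str]]        # (status, lower-cased headers)
Fetcher = Callable[[str], Response]

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


def http_get_no_follow(url: str, timeout: float = 10.0) -> Response:
    """Live fetcher: one GET, redirect NOT followed (http.client never follows)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": "link-checker/0.1"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def resolve_redirects(url: str, fetch: Fetcher = http_get_no_follow,
                      max_hops: int = 10) -> dict:
    """Follow redirects manually and classify the chain.

    Returns a dict with:
      final         URL that did not redirect (or last URL reached on error)
      hops          [(status, url), ...] for every redirecting response
      substitutable True iff there was at least one hop, every hop was
                    301/308, and none carried Cache-Control no-store/no-cache
      error         None, "loop" or "too_many_hops"
    """
    hops: List[Tuple[int, str]] = []
    seen = {url}
    current = url
    permanent = True
    for _ in range(max_hops):
        status, headers = fetch(current)
        location = headers.get("location")
        if status not in PERMANENT | TEMPORARY or not location:
            return {"final": current, "hops": hops,
                    "substitutable": permanent and bool(hops), "error": None}
        hops.append((status, current))
        cache_control = headers.get("cache-control", "").lower()
        if status not in PERMANENT or "no-store" in cache_control or "no-cache" in cache_control:
            permanent = False
        nxt = urljoin(current, location)     # Location may be relative
        if nxt in seen:                      # A -> B -> A: refuse to spin
            return {"final": nxt, "hops": hops, "substitutable": False, "error": "loop"}
        seen.add(nxt)
        current = nxt
    return {"final": current, "hops": hops, "substitutable": False, "error": "too_many_hops"}


# Constructed responses for an offline demonstration. The dwarfurl entry
# mirrors the 302 + no-store headers shown in the telnet capture; the
# short.example and loop.example hosts are invented.
CONSTRUCTED: Dict[str, Response] = {
    "http://short.example/abc": (301, {"location": "http://long.example/page"}),
    "http://long.example/page": (200, {"content-type": "text/html"}),
    "http://dwarfurl.com/ae9b3": (302, {
        "location": "http://h1.ripway.com/slashdot1000/index.php",
        "cache-control": "no-store, no-cache, must-revalidate"}),
    "http://h1.ripway.com/slashdot1000/index.php": (200, {}),
    "http://loop.example/a": (301, {"location": "/b"}),
    "http://loop.example/b": (301, {"location": "/a"}),
}


def constructed_fetch(url: str) -> Response:
    """Offline fetcher that answers from the constructed table (404 otherwise)."""
    return CONSTRUCTED.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://short.example/abc", "http://dwarfurl.com/ae9b3", "http://loop.example/a"):
        print(start, "->", resolve_redirects(start, constructed_fetch))
```

    Run it as-is for the offline demonstration; pass `fetch=http_get_no_follow` (the default) to check a live link. A chain that reports `substitutable: False` is exactly the case linhux shows: the destination can change at any time, so a site that rewrote the link at post time would be caching something the service says not to cache.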
  25. Hey isn't that a book? by master_p · · Score: 1
  26. Re:the fix by QuoteMstr · · Score: 1

    Dammit. They really should be using 301s.