Linux botnet discovered

One of the stories going around the web is the discovery of a botnet made up of infected systems running the Linux operating system.  The reason this is a big deal is that historically, computers running Windows have been the most likely victims of the viruses that are typically used to flip them into botnets.  Indeed, Apple runs ads claiming (or at least implying) that the only computers out there that actually get viruses are PCs running Windows, and that other OSes are pretty much safe.  (Note: some will play games with semantics and claim that Apple is safe from viruses, not that Macs are not targeted… but the ads do imply that Macs have no viruses.  The point is that it is assumed de facto knowledge that only PCs running Windows get infected.)

Some quotes from the third article I posted by Richi Jennings:

A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware. ... The infected machines ... serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080.
Malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver. ... With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers' intentions are. All of the boxes examined so far have run the Apache webserver on various distributions of Linux.
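As an added defender-side illustration (not code from this post or from the quoted article): the article describes servers that keep serving legitimate traffic on port 80 while a rogue listener on 8080 hands out payloads. One cheap check on a web server is to compare its current listeners (here parsed from `ss -ltnp` output) against a baseline of what the host is supposed to expose; the sample output, the `httpd-x` process name and the baseline are all constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output from a compromised web host as the
# quoted article describes it: Apache on :80 plus an unexplained listener on :8080.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("apache2",pid=1403,fd=4))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("httpd-x",pid=2991,fd=5))
LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=950,fd=10))
"""

# Constructed baseline for this host: port -> process name expected to own it.
EXPECTED_LISTENERS = {22: "sshd", 80: "apache2", 3306: "mysqld"}

# One LISTEN line of `ss -ltnp`; the greedy address match backtracks to the last
# ':' so IPv4 ("0.0.0.0:80") and IPv6 ("[::]:80") forms both parse.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: str
    pid: int

def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract listening sockets with their owning process from `ss -ltnp` text."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return found

def unexpected_listeners(listeners: list[Listener],
                         expected: dict[int, str] = EXPECTED_LISTENERS) -> list[Listener]:
    """Flag any listener whose port is not in the baseline, or whose port is
    in the baseline but is owned by a different process than expected."""
    return [l for l in listeners if expected.get(l.port) != l.proc]

if __name__ == "__main__":
    for l in unexpected_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"unexpected listener {l.addr}:{l.port} owned by {l.proc} (pid {l.pid})")
```

On a real host, feed the function the live output of `ss -ltnp` and a baseline taken from a known-clean build of the same server role.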

So, as it turns out, systems running Linux are not immune to zombie hijacking.  Many of the folks within Microsoft, no doubt, are enjoying a bit of schadenfreude when reading that article.  After all, they have taken abuse for many years about being insecure, responsible for viruses, and so on.  So, does this imply that any OS out there could be hit?  Or that Linux is as bad as Windows?  Not everyone thinks so; to take another quote from the article above:

Ah, Windows fans everywhere, I hate to break this to you but compromised Linux servers have been used for ages to run Windows botnets. After all, if you had a couple of hundred thousand Windows PCs at your beck and call would you use Windows to control them? Of course not!

Uh, why is that?  You can use whatever software you like to control hundreds of thousands of Windows bots, whether it runs on Linux or Windows.  The claim “of course not” is a non-sequitur because it makes no attempt to justify why you wouldn’t use Windows to control them, as if it were inherently obvious.  It certainly isn’t to me.  Continuing:

All that has happened is that someone, as many others have in the past, has busted into improperly secured Linux servers. ... The difference between the 100-node Linux machine cluster that Sinegubko found and real Windows botnets, which in 2006 averaged 20,000 PCs, is that Windows, which is insecure by design, can be made over into a bot by simply going to the wrong Web site or opening a corrupted e-mail. The Linux servers, on the other hand, simply have lousy ... "Fire the system administrator now," security.

I bolded the above statement to call attention to it, because it is incorrect.  The research and development that Microsoft has done in this area has dramatically improved Windows’s security.

Operating system security isn’t my specialty, but having read and contributed to previous issues of Microsoft’s Security and Intelligence Reports, specifically SIRv6 which was released in May 2009, and having been involved in the software security process, I feel qualified to comment on this topic.  In my next post, I’ll go into a bit of detail about this and why I think the bolded statement is wrong.
