IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

No more Linux security bragging: botnet discovery worry

Bad guys have created a botnet of Linux Web servers. In a way, that's even more frightening than regular botnets of compromised Windows PCs. In IT Blogwatch, bloggers ask if this is the end for Linux's claim to be more secure than Windows; or is it just a load of old hokum?

By Richi Jennings. September 14, 2009.

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention another classic Photoshop disaster...

Dan Goodin warns of a "Linux botnet":

A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware. ... The infected machines ... serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080.
...
Malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver. ... With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers' intentions are. All of the boxes examined so far have run the Apache webserver on various distributions of Linux.


StopBadware's Maxim Weinstein has more:

Over at the Unmask Parasites blog, periodic BadwareBusters.org contributor Denis reports on a botweb (a term coined by our own Oliver Day) that he’s been investigating. ... The blog post contains a much more thorough analysis of the issue and is worth a read, especially if you work for a hosting provider or manage Linux-based web servers.
 
Meanwhile, we’ve reached out to Denis to see if we can assist in notifying providers that are hosting compromised servers.


Denis Sinegubko is the horse with the mouth:

It began when I started to notice a new pattern in domains of hidden iframes. ... I realized that all those domains were registered with free dynamic DNS hosting providers: DynDNS.com and No-IP.com. These sites allow anyone to register any third-level domain for free and point it to any static or dynamic IP-address. ... most of the third-level domains point to different IP addresses. Currently active domains from my list point to 77 unique IPs all over the world. ... It’s time to check if you have an unauthorized web server working on port 8080.
...
Each server works as a load balancer for other malicious servers used in this attack. When you try to load any iframe URL, you get redirected to a random server. ... What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with a common control center involved in malware distribution. ... Who knows what else those infected web servers can do? They may be involved in SPAM distribution, in DDOS attacks, etc. They can do just everything normal zombie computers do, but more effectively thanks to better Internet connection.
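A defender-side check for the injection pattern Denis describes, added here as an example and not part of his post: it scans page HTML for hidden iframes whose src points at a free dynamic-DNS host on port 8080. The list of provider suffixes is an assumption and the sample HTML is constructed.

```python
"""Scan page HTML for hidden iframes that point at a free dynamic-DNS host on
port 8080, the injection pattern described in the quoted post. Added example:
the suffix list is an assumption and the sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed parent domains handed out by the two providers the post names.
DYN_DNS_SUFFIXES = ("dyndns.org", "dyndns.com", "no-ip.org", "no-ip.com", "no-ip.biz")
SUSPECT_PORT = 8080


def is_dyn_dns_host(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DYN_DNS_SUFFIXES)


def is_hidden(attrs):
    """Zero/one-pixel frames or display:none styling are the usual hiding tricks."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "") in ("0", "1") and attrs.get("height", "") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = {k: (v or "") for k, v in attrs}
        parts = urlsplit(attrs.get("src", ""))
        try:
            port = parts.port  # raises ValueError on a malformed port
        except ValueError:
            return
        if parts.hostname and is_dyn_dns_host(parts.hostname) \
                and port == SUSPECT_PORT and is_hidden(attrs):
            self.findings.append(attrs["src"])


def find_suspect_iframes(html):
    scanner = IframeScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample: one ordinary embed, one injected hidden frame.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://some-host.dyndns.org:8080/" width="1" height="1"
 style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_suspect_iframes(SAMPLE_HTML))  # ['http://some-host.dyndns.org:8080/']
```

Run it against the HTML your own site actually serves (fetched, not from disk), since the iframe is injected into the served output.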


A Linux botnet? Steven J. Vaughan-Nichols says, "Nah."

Ah, Windows fans everywhere, I hate to break this to you but compromised Linux servers have been used for ages to run Windows botnets. After all, if you had a couple of hundred thousand Windows PCs at your beck and call would you use Windows to control them? Of course not!
...
All that has happened is that someone, as many others have in the past, has busted into improperly secured Linux servers. ... The difference between the 100-node Linux machine cluster that Sinegubko found and real Windows botnets, which in 2006 averaged 20,000 PCs, is that Windows, which is insecure by design, can be made over into a bot by simply going to the wrong Web site or opening a corrupted e-mail. The Linux servers, on the other hand, simply have lousy ... "Fire the system administrator now," security.


burnin1965 disagrees with SJVN, but says Linux botwebs are nothing new:

There is a continuous flood of SSH brute force attacks on any *nix machine connected to the internet. ... After watching the attacks for a while I set up a box to see what they were doing and created a user name test with the password test. ... It wasn't long before the system was "compromised".
...
Using another system I connected to the IRC network. ... Sure enough there were two individuals chatting it up in the channel and sending commands to hundreds of compromised systems. While reviewing the various compromised systems I noted that they were all *nix machines of one type or another. This was a few years back so ... this is nothing new. What would have been new is if a botnet like this was discovered to be from a real hack and not some lame password login scan.
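The password scanning burnin1965 describes shows up in sshd logs as a stream of failed logins from one address cycling through default usernames. The following detection logic is an added example, not the commenter's code: the auth.log excerpt is constructed and the threshold is an assumption.

```python
"""Count failed sshd logins per source address and flag sources that cross a
threshold, the password-scanning pattern the comment describes. Added example:
the log lines are constructed and the threshold is an assumption."""
import re
from collections import Counter

# OpenSSH "Failed password" line, with the usual syslog prefix in front of it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
THRESHOLD = 5  # assumed: failures from one address before calling it a scan


def failed_logins(lines):
    """Return (failures per IP, usernames tried per IP) from auth-log lines."""
    counts, users = Counter(), {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
            users.setdefault(m["ip"], set()).add(m["user"])
    return counts, users


def brute_force_sources(lines, threshold=THRESHOLD):
    """Map each scanning IP to (attempt count, sorted usernames it tried)."""
    counts, users = failed_logins(lines)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}


# Constructed auth.log excerpt: one scanner cycling default names, one real user.
SAMPLE_LOG = """\
Sep 14 10:01:02 web1 sshd[2101]: Failed password for invalid user test from 198.51.100.7 port 50122 ssh2
Sep 14 10:01:04 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 50131 ssh2
Sep 14 10:01:05 web1 sshd[2105]: Failed password for root from 198.51.100.7 port 50140 ssh2
Sep 14 10:01:07 web1 sshd[2107]: Failed password for invalid user oracle from 198.51.100.7 port 50152 ssh2
Sep 14 10:01:09 web1 sshd[2109]: Failed password for invalid user guest from 198.51.100.7 port 50160 ssh2
Sep 14 10:01:11 web1 sshd[2111]: Failed password for invalid user test from 198.51.100.7 port 50171 ssh2
Sep 14 10:02:30 web1 sshd[2140]: Failed password for alice from 203.0.113.9 port 41022 ssh2
Sep 14 10:02:41 web1 sshd[2142]: Accepted publickey for alice from 203.0.113.9 port 41025 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (n, names) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, users tried: {', '.join(names)}")
```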


But easyTree figures this makes for an easy troll:

It's nice to see Lo0niX has advanced to the point where it can now successfully run botnet software. I'll bet there's no gui though. I'm not up on linux commands so don't laugh but I'll wager it's something like:
  * apt get b0tnet -s -x9 -secret -warez -pr0n -infectWindows=1 -p
 
Rather than the point-and-click convenience you'd expect on windows.



Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email: itblogwatch@richij.com.

What People Are Saying

What are the criteria to be

What are the criteria to be considered for selecting the LINUX OS to install?

Thanks,
SEO

rating

burnin1965 writes about things how they are and more importantly he has a deeper knowledge to tell you in detail what's happening. On the other hand, easyTree is an idiot, who knows nothing about anything. easyTree is a lameass point-and-click script-kiddie.


Guess what. The internet

Guess what. The internet basically runs off Linux. If it's as insecure as M$ shills are implying, it would have been compromised long ago.

The problem isn't GNU/Linux, it's users. They will always be the weakest link in any secure system.

Where are the "famous" Linux-viruses?

There are no Linux viruses infecting Linux computers. That's the fact. Not a single Linux computer in the whole big world, while there are tens of millions of Windows computers in awful conditions. These computers are threatening the internet, even Linux servers if their security is not updated and in good condition.

Internet would be much, much safer if there ain't those millions of sick windows-computers, IE-browsers, Active X's etc... Windows is the problem. Not Linux.

Just another FUD by MS-bandwagoners

http://blogs.zdnet.com/hardware/?p=5457

by Adrian Kingsley-Hughes

"But alas, this story doesn’t have anything to do with Linux hacks, but instead comes down to basic security, or the lack of it. It seems that the hack comes down to bad passwords. Hackers regularly sweep the web looking for vulnerable systems, which is why good passwords are vital. If your passwords are weak then the system can, and eventually will, be compromised. It doesn’t matter if it’s Windows-based or Linux-based.

Normal “Linux is more secure than Windows” bragging can resume …"

YES INDEED. "LINUX IS MORE SECURE THAN WINDOWS" BRAGGING CAN RESUME.

We Linux users won this war a long time ago, because Windows was never made for network conditions. Windows is just a stand-alone operating system.

So why this bubble? The main reason: Windows 7 is coming next month.

Baffled

I'm shocked. Linux botnets (example, Kaiten's, etc) have been around since the early 2000's. Why is this news?

Alternatively, if such a botnet of CRAY machines were to exist, that would be news worthy.

*nix and Windows based botnets are not new.

Why, exactly, is this news?

The issue isn't that Linux can finally be compromised, it is that the gateways are well controlled in a UNIX environment. Consequently, the holes are much harder to find. In this case, it sounds like there are admins out there that do not follow best practices.

This is very disturbing

This is very disturbing news. I do not feel safe using Linux any longer. I persisted using Linux despite the lack of available software and the extremely difficult learning curve because it was claimed that it is a secure operating system, but I can see the claims of security were false.

I will be switching to Windows 7 as soon as it is made available. At least Microsoft patches security flaws promptly.

So you have no idea what

So you have no idea what happened, do you? These servers are compromised because of poor security by the system administrators, not because of a security bug in the software. No operating system can overcome poor administrator security. Go to Windows if you like (not that I believe for one second that you use Linux anyway); that will not make you safer.

"At least Microsoft patches security flaws promptly." yeah right