Think Linux is safe from malware? Think again.

#1 Galadriel

Posted 14 September 2009 - 01:46 PM

Sloppy admin work will render any OS vulnerable, Windows or not.

A network of hijacked Linux servers is apparently being used to distribute malicious software to Windows PCs. According to an analysis by web developer Denis Sinegubko, the compromised systems all have one thing in common: the lightweight web server nginx is running and serving content through port 8080. Otherwise, these systems are inconspicuous and appear to operate quite normally.

Rest of the article: http://www.h-online.com/security/Botnet-di...s--/news/114225

Thanks to Mikko Hypponen @ F-Secure for the link.
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat

I'm a Bleeping Folder, are you? - Join BC in the fight against diseases - Click here
Become a BleepingComputer fan: Facebook


#2 Romeo29
Posted 16 September 2009 - 12:49 AM

That's just a super dumb admin on Linux, not a Linux vulnerability or malware for Linux.

These Linux servers were normal web servers running Apache on port 80. The admin of such web servers should be extra cautious. But here the hackers stole the root password (because it was saved on the hard disk), downloaded the nginx source code, compiled and installed it. Then they downloaded the no-ip client source, compiled and installed it. And the admin never noticed! What's more, Apache was listening on port 80, so the hackers made nginx listen on port 8080. This may require port forwarding in the router!

Analysis: http://blog.unmaskparasites.com/2009/09/11...ie-web-servers/
It's not a botnet: http://www.itworld.com/security/77499/first-linux-botnet
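The pattern described above (a host meant to serve Apache on port 80 that quietly grows an extra nginx listener on 8080) is exactly what a listening-socket audit against an allowlist catches. This is an added example, not code from the thread or from the linked analysis; it assumes Linux `ss` output and an allowlist of sshd/Apache that a real host would adjust.

```python
# Added example: audit listening TCP sockets against an allowlist of the
# services a host is supposed to run, flagging anything extra (such as the
# nginx-on-8080 listener the thread describes). Not from the original thread.
import re
import subprocess

# Assumed allowlist for this host: port -> expected process name.
EXPECTED = {22: "sshd", 80: "apache2", 443: "apache2"}

# One line of `ss -Hltnp` (header suppressed by -H), e.g.:
#   LISTEN 0 128 *:8080 *:* users:(("nginx",pid=2140,fd=6))
# The users:(...) part only appears when ss runs with enough privilege.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+).*\))?'
)

def audit_listeners(ss_output, expected=EXPECTED):
    """Return a list of findings for listeners not covered by the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        port = int(m.group("port"))
        proc = m.group("proc") or "?"
        pid = m.group("pid") or "?"
        if port not in expected:
            findings.append(f"unexpected listener: {proc} (pid {pid}) on port {port}")
        elif proc != expected[port]:
            findings.append(f"port {port} served by {proc} (pid {pid}), expected {expected[port]}")
    return findings

def audit_live_host():
    """Run ss on the current Linux host and audit its listeners (needs root for names)."""
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out)

# Constructed sample resembling a compromised host from the thread.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 *:80 *:* users:(("apache2",pid=1503,fd=4))
LISTEN 0 128 *:8080 *:* users:(("nginx",pid=2140,fd=6))
"""

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(finding)
```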

#3 Andrew
Posted 16 September 2009 - 01:50 AM

PEBKAC Alert! PEBKAC Alert! PEBKAC Alert! PEBKAC Alert!

Bug #0000001:
  • Description: Meatware components tend to weaken all other system and security components.
  • Status: There exists no software or hardware solution to the ongoing meatware problem. This bug cannot be patched.


#4 Galadriel
Posted 16 September 2009 - 03:08 PM

Admin error or not is not the point. Most Windows malware is also caused by admin error or oversight (i.e. not patching, or running insecure versions of plugins and software; not having a decent firewall, etc). People tend to forget that security is never 100% unless you know what you're doing. There is no cure-all; simply running Linux will not protect you from vulnerabilities if you do not secure your OS.

The point of my posting this here was to make sure that fact was known. No matter if you choose to use OS X, Windows or any of the different flavours of Linux, you still have to be proactive about security. In this case, the admins were careless, the result is evident.

Not a botnet? I beg to differ. It's a collection of Linux servers that fell into the control of someone else (which is part of the definition of a bot); there were many discovered, thus a network of bots. Whether they use it to DDoS or to host malicious files and infect other computers has no bearing on that fact. Whether it's used to spread malware aimed at Windows machines as opposed to *nix ones, the result stands.

#5 Andrew
Posted 16 September 2009 - 04:06 PM

Indeed it is/was a botnet, by definition.

Gal is right: there is no such thing as a totally secure program or operating system. It does not exist. A Linux box with a careless or stupid administrator is more vulnerable than a well-run, patched, and locked down system running Windows XP. My Windows XP system, for example, hasn't had an infection (that I'm aware of) since 2004. But that's only because I'm proactive in my defensive measures (fully updated and running antivirus, software firewall, anti-spyware, hosts file blacklists, etc.), careful of my downloads, have disabled unneeded programs and services, and I lock my browser down like Fort Knox on red alert.

#6 Romeo29
Posted 16 September 2009 - 08:37 PM

Well, a botnet must have a bot-agent running. Where was the bot-agent on Linux computers?
And that's what contradicts your post's title: Think Linux is safe from malware? But where is the malware? nginx is a safe server; it's no malware.

As I understand it, a botnet is a collection of computers on which a particular type of bot agent (malware) is running. These bot agents may be of different types, but all of them are controlled by the same cybercriminal individual or organisation using a common command-and-control (CnC) infrastructure. The bot agents provide many capabilities to the cybercriminals controlling them. So far we have seen nothing like this on the said Linux machines.

Hacking and manually taking over a computer or network: hacked network
A collection of online computers scattered all over the world infected by bot-agents (malware): botnet

#7 Andrew
Posted 16 September 2009 - 09:13 PM

The distinction is merely semantic. The result is the same. The point is that merely running a more secure OS like Linux doesn't absolve one of running it properly.

#8 Romeo29
Posted 17 September 2009 - 05:25 AM

I am sorry Amazing Andrew and Galadriel, you are both right. I drank too much beer last night :thumbsup:

Beer = 1 / Intelligence

#9 Andrew
Posted 17 September 2009 - 12:54 PM

Quoting Romeo29:
    I am sorry Amazing Andrew and Galadriel, you are both right. I drank too much beer last night :flowers:
    Beer = 1 / Intelligence

Beer. The rootkit of the brain :thumbsup:

Edited by Amazing Andrew, 17 September 2009 - 12:55 PM.


#10 Galadriel
Posted 17 September 2009 - 01:40 PM

:flowers: @Andrew.

Romeo, you had valid questions though and I have to admit that my title was a little 'sensationalist' which probably drew that line of thought. So I'll take the criticism of it as a sign that someone paid attention. :thumbsup: I do realize and understand that *nix users, in general, have safer computing habits, but the OS isn't the one making the system stronger necessarily, only the person at the commands. Sure it has better default security settings, sure it has a lot more control over who can do what, but all in all, a careless admin will still be at risk.
The title was merely a way to get attention to the underlying message I was bringing forth. No matter the OS you choose, it won't save you from careless security practices. Too many people think that Macs and *nix systems are immune to threats, when that is far from being the case.
#11 Layback Bear

Posted 03 October 2009 - 07:51 AM

Thanks for your first post Galadriel. It brought out the big boys. After reading your posts and Amazing Andrew's and Romeo29's posts I have learned a lot, but most of all it's how one keeps on top of their system's security. A sloppy administrator = a less secure system. Thanks to all, a good read.