It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Linux webserver botnet pushes malware
Attack of the open source zombies
By Dan Goodin in San Francisco •
Posted in Security, 12th September 2009 00:32 GMT
Free whitepaper – Vulnerability management buyer's checklist
A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web.
Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware.
"What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution," Sinegubko wrote here. "To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s)."
The finding highlights the continuing evolution of bot herders as they look for new ways to issue commands to the hundreds of thousands of infected zombies under their control. It came the same day anti-virus provider Symantec reported Google Groups was being used as a master control channel for a recently discovered trojan. Four weeks ago, a researcher from Arbor Networks made a similar discovery when he found several Twitter profiles being used to run a botnet.
The infected machines observed by Sinegubko serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080. The malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver.
The links look something like this:
Originally posted by rogerstigers
Clever. Interesting that the iframe trick was highlighted. I mentioned that very trick in The Porno Deciet that could jail millions....
I also find it interesting to see that the botnets are evolving. I designed one about 6 years ago as a developer exercise that was similar in nature. Now they can be upgraded, modified, and even shut down from external ports on any machine. Very clever indeed.