Re: [MBZ] Linux webserver botnet pushes malware

2009-09-14 Thread Walt Zarnoch
The infected machines/VMs were probably behind on software updates.
Linux still has that fatal flaw called the user: if the user doesn't
update when a bug is found and patched, then the system stays
vulnerable.

In all, what probably happened was that a service on the servers was
vulnerable in some way, the attacker rooted the box, and then
installed nginx (which is not a virus, it's a legit web server) on a
non-standard port, and Bob's your uncle, you've got a place to serve
whatever ya want.

Just my 2 cents.

On Mon, Sep 14, 2009 at 12:01 AM, Loren Faeth lfa...@leadingchange.com wrote:

 Uh, Wonko, what was that about no virus on Linux.  We all know it is
 invincible because it is open source...

 RIGHT!  WHO IS THIS REALLY? (Noah)

 At 03:23 PM 9/12/2009, you wrote:
 Attack of the open source zombies
 ...
 A security researcher has discovered a cluster of infected Linux servers
 that have been corralled into a special ops botnet of sorts and used to
 distribute malware to unwitting people browsing the web.
 "Each of the infected machines examined so far is a dedicated or virtual
 dedicated server running a legitimate website," Denis Sinegubko, an
 independent researcher based in Magnitogorsk, Russia, told The Register. But
 in addition to running an Apache webserver to dish up benign content,
 they've also been hacked to run a second webserver known as nginx, which
 serves malware.

 "What we see here is a long awaited botnet of zombie web servers! A group
 of interconnected infected web servers with [a] common control center
 involved in malware distribution," Sinegubko wrote here. "To make things
 more complex, this botnet of web servers is connected with the botnet of
 infected home computer(s)."
 The finding highlights the continuing evolution of bot herders as they
 look for new ways to issue commands to the hundreds of thousands of infected
 zombies under their control. It came the same day anti-virus provider
 Symantec reported Google Groups was being used as a master control channel
 for a recently discovered trojan. Four weeks ago, a researcher from Arbor
 Networks made a similar discovery when he found several Twitter profiles
 being used to run a botnet. [snip]
 http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/

 ___
 http://www.okiebenz.com
 For new and used parts go to www.okiebenz.com
 To search list archives http://www.okiebenz.com/archive/

 To Unsubscribe or change delivery options go to:
 http://okiebenz.com/mailman/listinfo/mercedes_okiebenz.com

 Loren Faeth



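The compromise pattern Walt describes (the legitimate Apache still on its usual ports, plus a second web server the administrator never installed listening on a non-standard port) is something a host owner can check for mechanically. The script below is an added example, not code from this thread or from any of the people in it: it parses the output of `ss -tlnp` and reports every listening socket whose (process, port) pair is not on an allowlist. The allowlist, the host layout and the sample `ss` output are constructed assumptions.

```python
"""Report listening sockets that are not on a host's allowlist.

Added example (not from the mailing-list thread). Input is the text format
of `ss -tlnp`; the sample below is constructed, not captured from a real host.
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output for a web host that should run only
# sshd and Apache. The last line is the symptom described in the thread: a
# second web server (nginx) bound to a non-standard port.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=1203,fd=4),("apache2",pid=1204,fd=4))
LISTEN  0       511     [::]:443             [::]:*             users:(("apache2",pid=1203,fd=6))
LISTEN  0       511     0.0.0.0:8080         0.0.0.0:*          users:(("nginx",pid=23981,fd=5))
"""

# Assumed allowlist: (process name, port) pairs this host is expected to expose.
EXPECTED_LISTENERS = {("sshd", 22), ("apache2", 80), ("apache2", 443)}

# Matches one ("name",pid=N ...) tuple inside the Process column.
_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str  # "?" when ss could not attribute the socket (non-root run)
    pid: int      # 0 when unknown


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tlnp` text into one Listener per (process, socket) pair."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with "[::]:443"
        procs = _PROC_RE.findall(line) or [("?", "0")]
        for name, pid in procs:
            listeners.append(Listener(addr, int(port), name, int(pid)))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED_LISTENERS):
    """Everything listening that the allowlist does not account for.

    An unattributed socket (process "?") never matches the allowlist and is
    therefore reported, which is the safe default."""
    return [l for l in listeners if (l.process, l.port) not in expected]


def main():
    try:
        out = subprocess.run(["ss", "-tlnp"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS_OUTPUT  # no ss available: demonstrate on the sample
    for l in unexpected_listeners(parse_ss(out)):
        print(f"UNEXPECTED: {l.process} (pid {l.pid}) listening on {l.addr}:{l.port}")


if __name__ == "__main__":
    main()
```

Run it as root so `ss` can attribute sockets to processes; unprivileged, the process column is empty and the script reports such sockets as unknown rather than silently passing them. Scheduling it from cron and diffing against the previous run is the cheap version of the check; it catches the symptom the article describes, while the thread's actual point, keeping the box patched, removes the cause.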


Re: [MBZ] Linux webserver botnet pushes malware

2009-09-14 Thread Loren Faeth
My point exactly.  Every OS is vulnerable in some way.  (Many ways)
You tried to worm out by saying the malware was not a virus.  Then
you went on to say they probably installed a rootkit.  It is
malware, and malware is malware, whether some piece of it is legit
or not.  Linux is vulnerable to malware.  Those who claim otherwise
are fools.  Whether the malware is technically a virus or not is immaterial.


Loren Faeth 





Re: [MBZ] Linux webserver botnet pushes malware

2009-09-14 Thread Walt Zarnoch
I didn't try to worm out of it, I was just correcting the article's
mistake in saying that the webserver that was installed was malware.
It was just the means of putting the malware on the net.

When I said they rooted the box, I was referring to gaining access to
the root account, analogous to the admin account on Windows, which is
usually done through an escalation of privileges that is brought
about by a buffer overflow or some other vulnerability in a piece of
software that is running on the machine. My apologies for not
clarifying that in the original message.

It would be like someone doing the reboot-to-safe-mode admin account
workaround on XP Home Edition, creating a new administrator account,
logging into that account, and then enabling remote desktop and
sharing a folder on your computer that was filled with malware. In
that case, there was no rootkit installed, no malware installed, and
yet there still was a security breach.

It's not technically a virus, or malware, that got them in; it was a
clever exploitation of a vulnerability, that may or may not have been
there because of a lack of upkeep and maintenance.

I agree, every system is vulnerable in some way, some systems are just
more hardened than others, and Linux/Unix/Mac are currently more
secure, on average, than Windows (at least XP through 3.1; Vista made
some small leaps with UAC, and I can't speak for Windows 7).

But again, in the end, it comes down to the user/sysadmin keeping the
system up to date and patched.

For the record I am a Linux user, and therefore am slightly biased,
but I try to keep my opinions out of matters and deal with the facts.

I hope nothing I've said comes across as arrogant or leaves the wrong
impression.


Re: [MBZ] Linux webserver botnet pushes malware

2009-09-14 Thread Loren Faeth
You are technically right.  But for most of us the distinction
between malware and software used to install malware is a distinction
without a meaningful difference.  Nice explanation.

I bestow on you one of my highly coveted detail awards, otherwise
known as the anal retentive award.  It is the highest honor I bestow
in the IT world.  I have not given one out for years!  One guy earned
one with such high distinction that no awards have been given
since.  He became the reigning king, and the monthly awards were
ceased, because all contestants concurred that nobody could beat
him.  Congratulations.  (That is serious and sincere.)  You seriously
and sincerely gave a great explanation!  I apologize for using the shortcut.

I tend to group malware of any form and the distribution of such all
under the term malware.  In my outlook, legit software used for
malicious purpose is still malware.  Technically, you are
correct.  From the perspective of the result, it really doesn't
matter if legit software is used for malicious purpose or if it was
malicious software; the result is still a malicious attack.  That is
my shortcut.

Probably you are right about not updating, but then there are all the
things that some updates break, and that leaves most of us jaded
and reluctant to install updates, particularly on the winders
platform.  I have advocated on Windows to not install a SP until the
next SP is out.  By then, the patches may be patched enough to not
cause big problems.

It is scary out there.  Using a non-M$ platform is one defense, but
that defense is not infallible as many have claimed.  Using a non-M$
browser is another defense, but there are still lots of
vulnerabilities and attacks not addressed by those two strategies.



Re: [MBZ] Linux webserver botnet pushes malware

2009-09-14 Thread Rich Thomas
As Scott McNealy once said at a large gathering of Lotus folks 10 or 11
years ago, "There is no privacy any more.  Get over it."

So, I got over it and no longer worry about it.

--R


Re: [MBZ] Linux webserver botnet pushes malware

2009-09-13 Thread Loren Faeth
Uh, Wonko, what was that about no virus on Linux.  We all know it is
invincible because it is open source...

RIGHT!  WHO IS THIS REALLY? (Noah)





Loren Faeth 





[MBZ] Linux webserver botnet pushes malware

2009-09-12 Thread archer

Attack of the open source zombies
...
A security researcher has discovered a cluster of infected Linux servers
that have been corralled into a special ops botnet of sorts and used to
distribute malware to unwitting people browsing the web.
"Each of the infected machines examined so far is a dedicated or virtual
dedicated server running a legitimate website," Denis Sinegubko, an
independent researcher based in Magnitogorsk, Russia, told The Register. But
in addition to running an Apache webserver to dish up benign content,
they've also been hacked to run a second webserver known as nginx, which
serves malware.

"What we see here is a long awaited botnet of zombie web servers! A group of
interconnected infected web servers with [a] common control center involved
in malware distribution," Sinegubko wrote here. "To make things more
complex, this botnet of web servers is connected with the botnet of infected
home computer(s)."
The finding highlights the continuing evolution of bot herders as they look
for new ways to issue commands to the hundreds of thousands of infected
zombies under their control. It came the same day anti-virus provider
Symantec reported Google Groups was being used as a master control channel
for a recently discovered trojan. Four weeks ago, a researcher from Arbor
Networks made a similar discovery when he found several Twitter profiles
being used to run a botnet. [snip]
http://www.theregister.co.uk/2009/09/12/linux_zombies_push_malware/


