Where do you pick up those nasty bugs?

Linux webserver botnet pushes malware


Attack of the open source zombies

By Dan Goodin in San Francisco •

Posted in Security, 12th September 2009 00:32 GMT

Free whitepaper – Vulnerability management buyer's checklist

A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web.

Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware.

"What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution," Sinegubko wrote here. "To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s)."

The finding highlights the continuing evolution of bot herders as they look for new ways to issue commands to the hundreds of thousands of infected zombies under their control. It came the same day anti-virus provider Symantec reported Google Groups was being used as a master control channel for a recently discovered trojan. Four weeks ago, a researcher from Arbor Networks made a similar discovery when he found several Twitter profiles being used to run a botnet.

The infected machines observed by Sinegubko serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080. The malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver.

The links look something like this:

Clever. Interesting that the iframe trick was highlighted. I mentioned that very trick in The Porno Deciet that could jail millions....

I also find it interesting to see that the botnets are evolving. I designed one about 6 years ago as a developer exercise that was similar in nature. Now they can be upgraded, modified, and even shut down from external ports on any machine. Very clever indeed.

Originally posted by rogerstigers
Clever. Interesting that the iframe trick was highlighted. I mentioned that very trick in The Porno Deciet that could jail millions....

I also find it interesting to see that the botnets are evolving. I designed one about 6 years ago as a developer exercise that was similar in nature. Now they can be upgraded, modified, and even shut down from external ports on any machine. Very clever indeed.

Hi, TY for the reply, I really know very little about all this, but thought others might be interested.

Typically what people who make these botnets do is they watch security sites that post known security flaws in the operating system. In this case, Linux. Then someone writes a script that takes advantage of that hole and it just scans a whole range of IP addresses until it finds servers whose Administrators haven't gotten around to patching their systems yet. They can find a whole lot of servers this way. Then they have root access to the whole server, meaning that basically they own it, and they can install whatever software they please on it.

In many or most cases, the person who creates the botnet is not even the person wrote the hacking script. A lot of times one hacker will write the script and then just release it on the net for anyone who wants to use it.

[edit on 13-9-2009 by theyreadmymind]