Linux and botnets: It's not Linux's fault!

Summary: Linux is as secure as ever. The real security hole lies with some of Linux's administrators and users.


I couldn't blame you, if -- based on recent headlines such as "Linux worm Darlloz targets Intel architecture to mine digital currency" and "Botnet of thousands of Linux servers pumps Windows desktop malware onto web" -- you thought Linux was as full of holes as Windows XP. If you take a closer look, you'll find that Linux isn't the problem. No, the real security hole lies with some of Linux's administrators and users.

If you let someone get at your login ID and password, it doesn't matter what operating system you're running. It's like leaving your front door unlocked. The crooks will walk into your home.

First, let's put these "Linux" security problems into context. Symantec claims that the Internet of Things worm Darlloz has infected 31,000 devices. In the other story, security researchers at anti-virus firm ESET claim that the Operation Windigo botnet, which uses the Cdorked Web server attack kit to assault Apache and other popular open-source Web servers and the Ebury SSH [Secure Shell] rootkit, has had a total of 26,000 infections since May 2013. By comparison, ZeroAccess, the Windows-based botnet that was the largest in the world, had contaminated almost 2 million computers before it was cut down in December 2013.

Even after ZeroAccess was removed, Fortinet reported that attacks were quickly back up to normal. The top 10 botnets are based on unpatched Windows and Windows-based applications.

So, in the big scheme of spreading malware, Linux is small potatoes. But is it really Linux's fault it even has infections in the tens of thousands? No.

With Darlloz, which tends to attack devices such as small office/home office (SOHO) Internet routers, one way it infects a device is to try 13 combinations of default user names and passwords. If the gadget's owner has done the bare minimum of security, changing the blasted default user ID and/or password, they can't be infected. That's it!

Symantec also suggests that users mitigate the problem with such security 101 tactics as applying security patches, updating the firmware, and blocking incoming Internet traffic on ports 23 (telnet) and 80 (Web server) from the outside world. Gosh! Really? You think?!

The real bottom line remains, however, that to perfectly protect your devices from this attack all you need do is change either the default login or password. You don't even have to do both! Mind you, you should, but this "hack" is such a wimp you don't even need to do that.

As for Operation Windigo, it's more serious, but as ESET points out, Windigo did not use any new vulnerability to exploit Linux or Unix systems. No, it relied solely on stolen credentials. Logins and passwords could be stolen in two ways. In the first, an end user successfully logs into an already infected server with SSH. With the second, a user on an already compromised system logs on to another uninfected system.

How do you stop this in the first place? Easy. You make your users change their passwords and protect your SSH passwords like they were gold. Password authentication to access servers must be hardened with tactics such as two-factor authentication.
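As an added illustration, not code from the article: a small POSIX shell audit that reads an sshd_config and flags the password-only settings the paragraph above says must be hardened, with a weak configuration beside a hardened one. The directive names are real OpenSSH keywords; the two sample configurations and the defaults assumed for absent directives (password logins on, root login permitted, public keys on) are constructed for the example, and the PAM side of the second factor is outside it.

```shell
#!/bin/sh
# Added example, not from the article: audit sshd_config text for the
# password-centred settings that let stolen credentials log straight in.
# Directive names are real OpenSSH keywords; sample configs are constructed.

# sshd_directive <config-text> <Directive> <default>
# sshd honours the first occurrence of a directive and matches names
# case-insensitively; a commented-out line ("#PasswordAuthentication no")
# is deliberately not matched, so the assumed default applies instead.
sshd_directive() {
  v=$(printf '%s\n' "$1" | grep -iE "^[[:space:]]*$2[[:space:]]+" | head -n 1 | awk '{print tolower($2)}')
  if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# audit_sshd_config <config-text>: findings on stderr, number of WEAK findings on stdout
audit_sshd_config() {
  cfg=$1
  n=0
  if [ "$(sshd_directive "$cfg" PasswordAuthentication yes)" = yes ]; then
    echo "WEAK: PasswordAuthentication yes - a stolen password alone is enough to log in" >&2
    n=$((n + 1))
  fi
  if [ "$(sshd_directive "$cfg" PermitRootLogin yes)" = yes ]; then
    echo "WEAK: PermitRootLogin yes - a stolen root password hands over the whole server" >&2
    n=$((n + 1))
  fi
  if [ "$(sshd_directive "$cfg" PubkeyAuthentication yes)" != yes ]; then
    echo "WEAK: PubkeyAuthentication off - nothing stronger than a password is on offer" >&2
    n=$((n + 1))
  fi
  if [ "$(sshd_directive "$cfg" AuthenticationMethods "")" = "" ]; then
    echo "NOTE: no AuthenticationMethods - single factor only; publickey,keyboard-interactive adds a PAM-driven second factor" >&2
  fi
  echo "$n"
}

# Constructed sample: a distro-default style config of the period.
WEAK_SSHD_CONFIG='# constructed weak example
Port 22
#PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes'

# Constructed sample: keys required, plus a second factor via PAM
# (the matching PAM/OTP module configuration is not shown here).
HARDENED_SSHD_CONFIG='# constructed hardened example
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive'

# Usage: audit a real file with `sh audit.sh /etc/ssh/sshd_config`,
# or run with no argument to audit the two constructed samples.
if [ -n "${1:-}" ]; then
  echo "$1: $(audit_sshd_config "$(cat "$1")") weak setting(s)"
else
  echo "weak sample:     $(audit_sshd_config "$WEAK_SSHD_CONFIG") weak setting(s)"
  echo "hardened sample: $(audit_sshd_config "$HARDENED_SSHD_CONFIG") weak setting(s)"
fi
```

The audit reads the first occurrence of each directive, as sshd itself does, so a hardened line placed after a permissive one is correctly reported as ineffective.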

You can find out if you have Ebury and Cdorked on your server quite easily. For Ebury, simply run the command:

  • ssh -G

from your shell. A clean server will print to stderr (your terminal) a message such as:

  • ssh: illegal option -- G

and then a listing of ssh's correct usage. An infected server will only print the usage message.

Finding out if you have Cdorked is only a little more complicated. In this case, you use the command

  • curl -i http://myserver/favicon.iso | grep "Location:"

from your shell. Cdorked redirects requests to /favicon.iso to Google so it will return

  • Location:

If your server is clean, it will return either nothing or a different Location header.
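The two checks above, wrapped as an added shell example (not the article's or ESET's code) so they can be run against captured output, with constructed sample outputs. One caveat a practitioner needs: the `ssh -G` test only works where -G is an illegal option, which is true of OpenSSH before 6.8; from 6.8 on, -G is a genuine option that prints the effective client configuration, so the wrapper reads `ssh -V` and declines to judge on newer clients. The Google redirect is matched on the host name, as the article describes it; the exact Location value in the sample is assumed.

```shell
#!/bin/sh
# Added example, not from the article or ESET: wraps the two Windigo checks
# (`ssh -G` for Ebury, the /favicon.iso redirect for Cdorked) so they can be
# run against captured output, and gates the ssh check on the client version.

# Does the `ssh -G` trick apply? It relies on -G being rejected as illegal,
# which holds only for OpenSSH older than 6.8 (6.8 made -G a real option).
# $1: output of `ssh -V`, e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL ..."
ssh_g_check_applies() {
  ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  set -- $ver
  [ "$1" -lt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -lt 8 ]; }
}

# Classify the combined stdout+stderr of `ssh -G`:
#   clean   - an "illegal option" line is present (the real binary rejected -G)
#   suspect - only the usage text, the behaviour the article attributes to Ebury
#   unknown - neither, e.g. ssh is not installed
classify_ssh_g() {
  case "$1" in
    *"illegal option"*) echo clean ;;
    *usage:*)           echo suspect ;;
    *)                  echo unknown ;;
  esac
}

# Classify the raw response headers of `curl -si http://host/favicon.iso`:
#   suspect - the first Location header points at Google (the Cdorked redirect)
#   clean   - no Location header, or one pointing elsewhere
classify_favicon() {
  loc=$(printf '%s\n' "$1" | grep -i '^Location:' | head -n 1 | tr -d '\r')
  case "$loc" in
    *google.*) echo suspect ;;
    *)         echo clean ;;
  esac
}

# Live wrapper: run on the suspect server itself so the ssh check exercises
# its local binary. $1: the web host name to use for the favicon check.
run_windigo_checks() {
  if ssh_g_check_applies "$(ssh -V 2>&1)"; then
    echo "Ebury (ssh -G):        $(classify_ssh_g "$(ssh -G 2>&1)")"
  else
    echo "Ebury (ssh -G):        not applicable to this OpenSSH version; use ESET's other indicators"
  fi
  echo "Cdorked (favicon.iso): $(classify_favicon "$(curl -si "http://$1/favicon.iso" 2>/dev/null)")"
}

# Constructed sample outputs for offline use (not captured from a real host).
SAMPLE_SSH_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_SSH_INFECTED='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_HDR_CDORKED='HTTP/1.1 302 Found
Location: http://google.com/
Content-Length: 0'
SAMPLE_HDR_CLEAN='HTTP/1.1 404 Not Found
Content-Type: text/html'

# Usage: `sh windigo_check.sh --live myserver` on the suspect host,
# or with no arguments to classify the constructed samples.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
  run_windigo_checks "$2"
else
  echo "ssh, clean sample:      $(classify_ssh_g "$SAMPLE_SSH_CLEAN")"
  echo "ssh, infected sample:   $(classify_ssh_g "$SAMPLE_SSH_INFECTED")"
  echo "favicon, Cdorked sample: $(classify_favicon "$SAMPLE_HDR_CDORKED")"
  echo "favicon, clean sample:   $(classify_favicon "$SAMPLE_HDR_CLEAN")"
fi
```

A "clean" result from either check is not proof of a clean host; both are the quick indicators the article quotes, and a server that fails either one should be treated as compromised and rebuilt as the article goes on to describe.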

ESET also details other ways to detect infections. If you do have a case, here's the bad news. You'll need to completely wipe your servers, rebuild them from scratch, and reset all user and administrator credentials from known clean machines. You'll also need to block users from resetting their passwords to their original ones.

Of course, if you'd been extra careful with your SSH logins and passwords in the first place, you wouldn't have to go through all this. For what it's worth, you're in good company if your machines fell prey to this. Both cPanel, the company behind the well-known Web hosting control panel program, in 2013 and the Linux Foundation in 2011 were successfully hit by ancestors of the current malware.

The moral of the story? If you hand the bad guys user IDs and passwords, of course you're going to get hacked. Linux, FreeBSD, Windows Server 2012 -- the operating system doesn't matter. If you leave your front door open, a crook will walk in. As security guru Bruce Schneier wisely said way back in 2000, "Security is a process, not a product."

  • Linux Hacked; Context Needed!

    I love it when the likes of SVJN feel the need to breathlessly explain why for this specific security black-eye, "we need context"; when you look at all the facts you'll see it's not as simple as some might paint - "omg Linux is so insecure". And I don't necessarily disagree.

    Now imagine the same thing had happened to Windows instead of Linux; do you think the open-source guys would be so analytical about the whole thing?

    I think not. The double standard is hilarious :)
    • Exactly

      Users running Windows without limited accounts and clicking any and every link and opening every attachment is Windows' fault somehow.
      • Actually, a number of programs always required you to be admin

        or they wouldn't work.

        And until XP, Windows granted all privileges to the only user on the system... After XP, many applications were STILL given all privileges - for legacy support...

        And then there was crap like ActiveX... Even in the mid 90s that was well known to be stupid.
        • I suggest you refrain from commenting...

          ...on things you do not have a very good understanding of.
          • Pot And Kettle

            "I suggest you refrain from commenting...
            ...on things you do not have a very good understanding of."

            You do it all the time
            Alan Smithie
        • Except that ...

          This does not change the fact that in the case of all OSes the most common culprit IS the nut behind the wheel. People mindlessly clicking on links, using admin privileges unnecessarily, visiting obviously shady websites, using default or idiot passwords like "1234", etc., etc. While some of the unique security problems of Windows are inexcusable, many of them are a calculated risk in that they are a product of attempting to balance usability with security. Many features that make a computer easier to use also open security holes in the process. People bitch about the security problems, but the same people often bitch about ease of use issues, so here again the whole thing becomes a user/administrator problem. Shortcuts on the part of users and administrators also introduce security risks.
          George Mitchell
          • And

            100% of IE exploits in 2013 would have been mitigated by not running as administrator.

            93% (96%?) of non-IE exploits in Windows would have been mitigated by not running as administrator.

            And as for the infection rates in the article, we are talking about approx. 0.167% of Windows PCs being infected by ZeroAccess and 0.07% of Linux PCs being infected by Windigo.
          • And and

            If you are using Windows Vista, Windows 7 or Windows 8 with system defaults you are not running as an administrator even if your account has administrator rights.
          • RE: Except that...

            No way, the problems in Windows are the specific design. The software access could have been designed to limit access to software that is not from M$. They could have put up flags, for example a red flag if it will write to core stuff, and stop you from removing the software. The whole design is a mess. We need to have clear separations of software and how Windows handles it. You should be able to recover from downloading rubbish every time.

            Simply put it like this. Windows lives in a specific directory and only Windows can live in there. That simplifies the problem.
            Then put the software not from M$ in another directory. If you delete this software, Windows should just recover normally like this software never existed. These kinds of ideas are not new. Though M$ did not do that, to help their friends write software to correct these problems. It comes down to money. They want problems, so they can be solved.
            johny bizaro
        • And...

          How are bad programs Microsoft's or Windows' fault? And for the record, you don't need to run as admin to run any programs on Windows 8. Just use the MACT if you have a poorly coded app and it will help you "shim" it to run in user mode.

          My family's Windows computers all run as user with no issues.
          Rann Xeroxx
        • But again...

          poor programming practices in third party software aren't Windows' fault. It can be made secure, but the users and third party software providers have their part to play - the same as under Linux.
      • It would probably be better, though...

        ...if it took more than clicking through UAC to get elevated privileges.
        John L. Ries
        • Use a standard user account and...

          ...It works like UNIX. There's a reason Microsoft chose not to require a password. That reason is user feedback.
          • User Feedback !

            99% of beta testers told MS Metro was rubbish and what was Microsoft's response?
            Fingers in ears and goes lalalala until they realise W8 was poor.

            As for the MS guest account on Windows, you can happily download and run an exe.
            Alan Smithie
        • UAC is not just a prompt...

          It's also not a lot different from a home user with Linux getting a prompt from a program that says to run it with root privs, and the user just complying and following the instructions to do priv escalation. UAC allows other admins to log in, in the event that a user does not have admin rights, which is why it is different in Windows Vista vs. XP. XP would just throw up an "access denied" were the logged-in user not an admin. Also, UAC doesn't require a logged-in admin to re-enter their password to do privilege escalation. This is what makes Windows Vista different from Linux and OS X. If an admin is logged in, Vista would only prompt to notify the user that the program requires elevation, or likewise for system settings. However, Windows 7 is actually not as security-minded as Vista because the default UAC settings are now to allow an admin full rights to change system settings without prompting. This means that your mom can install all kinds of crap on her machine because some website tells her so, and Windows won't warn her that it requires administrative rights to do so, thus indicating that the software wants to make system-wide setting changes which can affect the performance of the machine. Windows 7/8 is designed this way because people b!tched about Windows Vista so much even though it had the better option for security. It was a courtesy that Microsoft provided to customers even though they didn't know any better.
          • My mom is smart enough that she does not install things willy-nilly

            And I am smart enough to scan using Malware-Bytes at LEAST once a week.
          • Good insights ...

            A lot of what MS does is consumer driven. Which is exactly the point here. There is simply no way to protect the user from themselves no matter what OS they are using. They do things they shouldn't do and they demand features that increase security risk. Linux is safer in some cases because it doesn't provide the sorts of intrinsically unsafe features that consumers demand AND is one of the reasons that so few people use Linux. But in this case we are talking about servers, and in the case of servers, the major problem is nearly always faulty administration rather than OS vulnerability.
            George Mitchell
        • Run as user

          Just add another account as user then run as that. When you need to elevate, it will prompt you for your admin account. Easy as pie.

          But doing things like the above is as easy as choosing not to open attachments but you can't cure ignorance.
          Rann Xeroxx
        • UAC click...

          On my machines, once UAC kicks in, I need to enter the administrator account name and its associated password. It makes you think twice about what you are doing.
          • UAC or user type?

            I think you mean you have a standard or power user. That is how I had my Win7 accounts set up, I never logged in with anything more than a standard user, then did RUN AS or RUN AS ADMINISTRATOR to elevate. Even with UAC at its highest setting, I would never recommend operating a desktop as an administrator - that is foolish.

            I now use Mint for my primary desktop. But, I also have complete confidence in my Win7 set up. In fact, I think that Windows 7 can be absolutely, rock solid secure. I never had a problem with Win7, but I did run AV. I used, for what it's worth, Avast Pro, with the various options set to the highest settings. A pain in the neck at times, but again, no issues, ever.

            Kinda singing the Avast tune a bit, I liked the Sandbox option, that was very nice.

            While I'm pimping things, I also suggest for anonymity and security you use a VPN service or connect to TOR networks. The more you keep your direct connection to the Internet hidden, the better for you. I know TOR is better for obscuring some key factors, such as how long, and from where you connect. But if you don't care about that, just use a VPN service and change your IP from time to time.

            Block all inbound with a hardware solution (firewall, built in to most routers) - then it doesn't matter a lick if you have open ports (which Linux does not, by default) because the inbound connections are blocked. Properly set up, Win7 will be very secure, complete with all inbound traffic blocked. Uhm, that is until you set up your homegroup and start sharing printers. Require passwords and allow connections from specific other PCs. It takes some effort, sure.

            It is reeeeeeaaaaalllllly easy to not be a target, if you employ a bit of common sense. Stay off the porn sites, stop downloading illegal software (torrent kiddies), and take some responsibility when you connect your computer to a network (the Internet) that has billions of other devices connected to it as well.