[sf-lug] ebay security analysis: phishers targeting linux (fwd)

Rick Moen rick at linuxmafia.com
Fri Oct 5 14:06:44 PDT 2007

Quoting Asheesh Laroia (asheesh at asheesh.org):

>  "We see a lot of Linux machines used in phishing," said Alfred Huger, vice
>  president for Symantec Security Response. "We see them as part of the
>  command and control networks for botnets, but we rarely see them be the
>  actual bots. Botnets are almost uniformly Windows-based."
> Just the same old story: Linux on the server, Windows on the client.

Likewise same story:  No real data, and no information about the avenue of 
claimed root (or non-root, even) compromise.  (Arriving at that data
would be out of scope for this Microsoft-funded study, and I'm not
complaining:  I'm just saying that the claim is rather useless from a
functional perspective, without such details.)

To quote http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3 :

    Moen's Third Law of Security 

    "Malware is not a security problem; malware is a secondary
    after-effect of a security problem."  [...]

The _Computerworld NZ_ article goes on:

    "Rootkit software covers the tracks of the attackers and can be
    extremely difficult to detect. According to Cullinane, none of the
    Linux operators whose machines had been compromised were even aware
    they'd been infected.

    Although Linux has long been considered more secure than Windows,
    many of the programs that run on top of Linux have known security
    vulnerabilities, and if an attacker were to exploit an unpatched bug
    on a misconfigured system, he could seize control of the machine."

I don't expect the IT press to understand anything about security (sad
but true), but this grab-bag article inadvertantly commits more than the
usual amount of hooey.  First of all, it's not necessary for the abused
Linux box to get "infected":  It suffices for "command and control
networks for botnets" that the Bad Guy find a way to run a local process
of his choosing via whatever means, which process need not even be
privileged, which might occur because, e.g., any single grunt
(legitimate) user happened to SSH/scp/POP3/ftp into the box from a
compromised host elsewhere.  See:

Second, for those Bad Guy purposes, covering the activity with a rootkit
would be too much work and nearly pointless:  It would require cracking
root, and the botnet C&C service process would be lightweight and can be
made extremely unobtrusive.  Why bother with a rootkit (or with
searching out a privilege-escalation path at all), in those
circumstances?  It'd be overkill, and too much trouble to implement for
the small amount of gain.

More information about the sf-lug mailing list