Linux generals command Windows grunts in botnet battlefield
Malware discovered six years ago is still using Linux servers to command Windows botnets with a mutating virus
February 26, 2008 12:00 PM ET
Computerworld Australia - Linux servers infected with a mutating virus are commanding huge Windows botnets six years after the malware was discovered, according to security researchers.
The Linux.RST.B virus infects ELF (Executable and Linkable Format) executables in the working directory and in /bin. It can also create a back door by opening a socket and listening for a packet that contains the attacker's origin and the command to be executed.
SophosLabs U.K. research director Billy McCourt said Linux boxes are valuable targets as botnet controllers because, as servers, they typically remain online.
"Linux computers are very valuable to hackers. A bot army, similar to real armies, needs a general and infantry, [and] Linux boxes are often used as servers, which means they have a high uptime, essential for a central control point," McCourt said.
"A Windows computer, on the other hand, is found at home or as a desktop machine in an office, and these computers are regularly switched off, [which] makes them less attractive as controllers, but ideal for infantry, or zombies," he said.
"We run various honeypots," McCourt said. "As you might also expect, our Windows honeypots are attacked more frequently than our Linux ones, but Linux malware is far more interesting."
McCourt said the virus, discovered in February 2002, is unique among Linux malware because it can replicate across current distributions.
The veteran virus was trapped in an up-to-date Linux server running a modified SSH (Secure Shell) daemon with a weak username and password to give the hacker easy access. New anti-malware signatures are developed by examining logs that record the hackers' activities and downloaded files.
The virus usually infects servers by integrating into malware used by hackers in the attack. The attack is nothing new, according to McCourt, who said Windows hacking tools are often vectors for the W32.Parite-B virus.
Hackers typically favor Internet Relay Chat bots, SSH and File Transfer Protocol scanners, and User Datagram Protocol flooders, according to McCourt, and they occasionally attempt root access via various exploits.
Sophos senior security consultant Carole Theriault said Linux users can be lulled into thinking that their systems are bulletproof because malware rarely targets open-source systems.
"The number of malware in existence is around 350,000, and while only a teeny number of these target Linux, it seems as though hackers are taking advantage of this false sense of security," Theriault said.
"It was very surprising to see that a 6-year-old virus seems to be responsible for a large proportion of the malware collating in our Linux honeypot," she said.
Symantec Corp. recommends that affected users reinstall their Linux operating systems because it is impossible to ascertain the extent of secondary threat exposure.
"The author of [Linux.RST.B] may have been able to use the threat to access the computer to make changes to it. Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely reinstalling the operating system," Symantec stated on its security response site.
Sophos offers a free Linux.RST.B removal tool that it claims will purge the virus in systems free of other types of malware.
Reprinted with permission from Computerworld Australia. For more news from Computerworld Australia, visit its Web site. Story copyright 2006 Computerworld New Australia. All rights reserved.