15 February 2008, 12:11

Sophos: Linux machines hijacked for botnets

Linux machines play just as important a part in botnets as Windows machines, according to antivirus vendor Sophos. Many Linux installations are used as servers and, unlike most Windows PCs, run around the clock. This makes them a popular target for criminals who turn hijacked machines into servers that controll numerous infected Windows PCs. According to Sophos, infected Windows clients often go hand in hand with compromised Linux servers.

The Sophos blog entry states that attackers tend to exploit weak SSH passwords or security holes to break into systems. They then install their malware, which is often the Linux/Rst-B backdoor, says the report. Around 70 per cent of the malware uploaded by hackers to one of the honeypots operated by Sophos are said to contain the backdoor, which has been known for six years. RST-B infects ELF binaries and accepts instructions from outside via a network port.

According to Sophos, many operators do not know about the infection of their Linux servers. To enable users to find out whether their own server has been infected, the vendor has made a free stand-alone scanner available for download to identify the malware. After compiling the tool it is usually advisable to start with scanning the /bin, /sbin, /usr/bin and /usr/sbin directories for infected files. The tool only identifies the RST backdoor and no other malware. Therefore, a negative result doesn't rule out the possibility that the server may be part of a botnet. Checking the system with a full scale scanner may be advisable to be abolutely sure. Free scanners for Linux are include: