Sophos: Linux machines hijacked for botnets
Linux machines play just as important a part in botnets as Windows machines, according to antivirus vendor Sophos. Many Linux installations are used as servers and, unlike most Windows PCs, run around the clock. This makes them a popular target for criminals, who turn hijacked machines into command-and-control servers for numerous infected Windows PCs. According to Sophos, infected Windows clients often go hand in hand with compromised Linux servers.
The Sophos blog entry states that attackers tend to exploit weak SSH passwords or security holes to break into systems. They then install their malware, which according to the report is often the Linux/Rst-B backdoor. Around 70 per cent of the malware uploaded by attackers to one of the honeypots operated by Sophos is said to contain the backdoor, which has been known for six years. Rst-B infects ELF binaries and accepts instructions from outside via a network port.
According to Sophos, many operators do not know that their Linux servers are infected. To let users find out whether their own server is affected, the vendor has made a free stand-alone scanner available for download that identifies the malware. After compiling the tool it is usually advisable to start by scanning the /usr/sbin directory for infected files. The tool only identifies the Rst backdoor and no other malware, so a negative result does not rule out the possibility that the server is part of a botnet. Checking the system with a full-scale scanner is advisable to be more certain. Free scanners for Linux include:
- Avira: Avira AntiVir PersonalEdition Classic
- AVG Technologies (formerly Grisoft) AVG Anti-Virus Free Edition 7.5 for Linux
- Avast: avast! Linux Home Edition Download
- F-Prot: F-PROT Antivirus for Linux Workstations
- ClamAV: Clam AntiVirus
Some of the products are designed as GUI desktop scanners, but they should also function on servers; ClamAV and F-PROT in particular ship command-line scanners.
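Because the Sophos tool only knows one signature, a practitioner will usually want a signature-independent check as well: a baseline of hashes of every ELF binary in the system directories, taken while the host is known to be clean, flags any later modification regardless of which backdoor caused it. The following script is an added example and is not Sophos' tool or any of the products listed above; the directory layout, file names and the simulated infection in `demo()` are constructed for the demonstration.

```python
"""Integrity baseline for ELF binaries (added example, not Sophos' scanner).

A file infector such as the one described in the article changes the bytes
of existing ELF files.  Hashing every ELF file under the system directories
while the host is clean, and comparing later, catches that change without
needing a signature.  All paths and the 'infection' in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile

ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the ELF magic, not merely if it is executable."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(roots):
    """Map every regular ELF file under the given directories to size and sha256."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not is_elf(path):
                    continue
                baseline[path] = {"size": os.path.getsize(path),
                                  "sha256": sha256_of(path)}
    return baseline


def compare(baseline, roots):
    """Return lists of modified, added and missing ELF files relative to baseline."""
    current = build_baseline(roots)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def save_baseline(baseline, path):
    # Store the baseline off the host or on read-only media: an attacker with
    # root can otherwise rewrite it after infecting the binaries.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: two fake ELF files, one later grows by an appended stub."""
    with tempfile.TemporaryDirectory() as tmp:
        sbin = os.path.join(tmp, "usr", "sbin")   # stands in for /usr/sbin
        os.makedirs(sbin)
        for name in ("sshd", "cron"):             # fake binaries, only the magic is real
            with open(os.path.join(sbin, name), "wb") as f:
                f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64)
        with open(os.path.join(sbin, "README"), "w") as f:
            f.write("not a binary\n")             # ignored: no ELF magic
        baseline = build_baseline([sbin])

        # Simulate a file infector appending its payload to one binary ...
        with open(os.path.join(sbin, "sshd"), "ab") as f:
            f.write(b"\x90" * 32)
        # ... and dropping a new ELF file that was never in the baseline.
        with open(os.path.join(sbin, "dropped"), "wb") as f:
            f.write(ELF_MAGIC + b"\x00" * 16)

        report = compare(baseline, [sbin])
        return {k: [os.path.relpath(p, sbin) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host, run `build_baseline` over `/bin`, `/sbin`, `/usr/bin` and `/usr/sbin` and keep the JSON elsewhere; a later `compare` then lists every ELF file that changed. Since the article says the backdoor accepts commands on a network port, reviewing listening sockets and the processes behind them (for example with `ss -ltnp`) is a cheap complementary check.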
- Botnets, a free tool and 6 years of Linux/Rst-B, blog entry by Sophos
- Botnet study: bots spread through old loopholes