<HTML dir=ltr><HEAD><TITLE>Re: [GLLUG] Ebay phishers use Linux botnets</TITLE>
<META http-equiv=Content-Type content="text/html; charset=unicode">
<META content="MSHTML 6.00.6000.16525" name=GENERATOR></HEAD>
<BODY>
<DIV id=idOWAReplyText81548 dir=ltr>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>I know what you are saying Karl, and you are right about IRC often being the control channel and other technical points, but I think we agree with the main point of the article - that Linux was used primarily for the "command and control" servers, and also that rooted UNIX boxes carried a higher premium with bot-wranglers. Both of those seem pretty obvious and intuitive to me, hence I don't think it's really FUD but probably simple truth. </FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2>I'll stick with my previous statement that in general a rooted Windows box isn't all that much fun to play with. I do plenty of vulnerability assessments and penetration tests in the average year and I can assure you that it's much more useful to root a UNIX box than a Windows box simply due to what you can do with it. </FONT></DIV>
<DIV dir=ltr><FONT face=Arial size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>BTW, when Back Orifice (which isn't a rootkit IMO in that it doesn't hide itself at all - you can see it with netstat) first came out I had a great deal of fun demoing it with the "Butt Trumpet" sniffer plugin. That was good fun. I love a hacker with a sense of humor - what other excuse would I have for repeatedly using the word "Butt Sniffer" in a room full of suits :)</FONT></DIV>
<DIV dir=ltr><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV dir=ltr><FONT face=Arial size=2>It's sad that we now have a (viable) economy that preys upon the ignorance and poor procedures of technology users. </FONT></DIV>
<DIV dir=ltr> </DIV></DIV>
<DIV id=idSignature26571 dir=ltr>
<DIV><FONT face=Arial color=#000000 size=2><FONT face="Times New Roman">
<DIV><FONT size=2>Mark Lachniet<BR>Solutions Architect - Security<BR>Analysts International</FONT></DIV>
<DIV><FONT size=2>3101 Technology Blvd. Suite A<BR>Lansing, MI 48910<BR>(517) 336-1004 (voice)<BR><A href="mailto:mlachniet@analysts.com">mailto:mlachniet@analysts.com</A><BR> </FONT> </DIV></FONT></FONT></DIV></DIV>
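The IRC control channel mentioned above is something a defender can look for in network flow data. The following is an added example, not code from this thread or from any list member; it assumes a typical set of IRC ports and runs over constructed flow records that show the two signals a centrally driven botnet leaves: many internal hosts holding long-lived connections to one external IRC server, and those same hosts later opening outbound SMTP within seconds of each other.

```python
"""Added example (not from the thread): flag IRC command-and-control fan-out
and the synchronised spam burst it drives, over constructed flow records."""
from collections import defaultdict

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
SMTP_PORT = 25

# Constructed flow records: (start_time_s, src_ip, dst_ip, dst_port, duration_s)
FLOWS = [
    (1000, "10.0.0.11", "203.0.113.5", 6667, 5400),
    (1000, "10.0.0.12", "203.0.113.5", 6667, 5100),
    (1001, "10.0.0.13", "203.0.113.5", 6667, 4900),
    (1002, "10.0.0.14", "203.0.113.5", 6667, 5600),
    (1500, "10.0.0.20", "198.51.100.7", 6667, 3600),  # lone user on a real IRC net
    (1600, "10.0.0.21", "198.51.100.9", 443, 30),
    # the four bots all start mailing within seconds of each other
    (4000, "10.0.0.11", "192.0.2.10", 25, 3),
    (4001, "10.0.0.12", "192.0.2.11", 25, 3),
    (4001, "10.0.0.13", "192.0.2.12", 25, 2),
    (4003, "10.0.0.14", "192.0.2.13", 25, 4),
    (4500, "10.0.0.21", "192.0.2.20", 25, 5),  # ordinary mail client, outside the burst
]

def irc_c2_candidates(flows, min_clients=3, min_duration=600):
    """External hosts holding long-lived IRC-port connections from at least
    min_clients distinct internal hosts -> {dst_ip: sorted(src_ips)}."""
    clients = defaultdict(set)
    for _ts, src, dst, port, duration in flows:
        if port in IRC_PORTS and duration >= min_duration:
            clients[dst].add(src)
    return {d: sorted(s) for d, s in clients.items() if len(s) >= min_clients}

def smtp_bursts(flows, members, window=10, min_hosts=3):
    """Start times at which at least min_hosts of the member hosts opened
    outbound SMTP within `window` seconds of each other -> [(t0, hosts)]."""
    smtp = sorted((ts, src) for ts, src, _d, port, _dur in flows
                  if port == SMTP_PORT and src in members)
    bursts = []
    for i, (t0, _src) in enumerate(smtp):
        hosts = {src for ts, src in smtp[i:] if ts - t0 <= window}
        if len(hosts) >= min_hosts and (not bursts or t0 > bursts[-1][0] + window):
            bursts.append((t0, sorted(hosts)))
    return bursts

if __name__ == "__main__":
    for c2, bots in irc_c2_candidates(FLOWS).items():
        print(f"possible IRC C2 {c2}: {len(bots)} hosts {bots}")
        for t0, hosts in smtp_bursts(FLOWS, set(bots)):
            print(f"  synchronised SMTP burst at t={t0}: {hosts}")
```

The single developer on a legitimate IRC network and the ordinary mail client are left alone; only the fan-out plus the synchronised burst are reported.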
<DIV dir=ltr><BR>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> linux-user-bounces@egr.msu.edu on behalf of Karl Schuttler<BR><B>Sent:</B> Thu 10/4/2007 10:10 PM<BR><B>To:</B> linux-user@egr.msu.edu<BR><B>Subject:</B> Re: [GLLUG] Ebay phishers use Linux botnets<BR></FONT><BR></DIV>
<DIV>
<P><FONT size=2>Just a little wink wink,<BR><BR>"With Windows you practically need to inject a VNC server process just to do<BR>anything useful. Plus, the rootkits are a bit easier to install and use<BR>(easier to hide processes, network connections, etc.) in Linux I think,<BR>or at least more mature."<BR><BR>Botnets aren't controlled over VNC, they are typically controlled over<BR>an IRC server. If you were to botnet over VNC, you would have to do<BR>tasks individually with each computer. The whole advantage of<BR>botnetting is being able to use all the computers' power at the same<BR>time.<BR><BR>I definitely agree, however, that owning a Linux box would be more<BR>satisfying than a Windows box. But rootkits aren't that difficult to<BR>get owned by in Windows, and certainly not easier to install than in<BR>Windows; look at Back Orifice and the success it had. Installing in<BR>Windows would probably be easier, seeing that privilege escalation is<BR>much simpler in a Windows environment. I don't know about the level of<BR>maturity that you mean, but a lot of this backdoor software is self-<BR>propagating. Furthermore, a lot of the zombies in the botnets aren't<BR>going to be used for server hosts themselves, but are more likely to<BR>be using mail clients to mail-bomb spam to people in order to get them<BR>to visit the web server of the phishers.<BR><BR>Having a botnet and writing malware for exploiting flaws isn't<BR>something that just the hobby hacker is doing anymore, it is an<BR>industry that has great payoff, and with anonymity services like Tor,<BR>pretty simple to keep from getting caught. Keep in mind that people<BR>are being paid to professionally develop this malware.<BR><BR>And yes, of course they are going to use Linux for some aspects,<BR>probably to develop in, host some of their services like the IRC<BR>server, or the web servers they need to put up a phishing site. I think<BR>the difference is that most of the zombies probably aren't Linux, but<BR>more of the upper management is.<BR><BR>Karl<BR><BR>On 10/4/07, Michael Rudas <audiotech50@gmail.com> wrote:<BR>> Mark Lachniet wrote:<BR>><BR>> > I'm not sure it's FUD really. The source seems credible, despite the<BR>> > venue of the statement (Microsoft's conference). But, when you think of<BR>> > it, what would YOU rather hack.<BR>><BR>> But, again, the presentation is titled ("eBay phishers use Linux<BR>> botnets")-- and framed ("Phishers are getting more organized and tend<BR>> to exploit hacked Linux boxes more than Windows, according to eBay's<BR>> security chief.") as though the Linux boxen WERE some sort of<BR>> sooper-seekrit botnet in-and-of themselves.<BR>><BR>> Deliberate lies and distortion are being used to obscure the truth--<BR>> which is the very DEFINITION of FUD.<BR>><BR>_______________________________________________<BR>linux-user mailing list<BR>linux-user@egr.msu.edu<BR><A href="http://mailman.egr.msu.edu/mailman/listinfo/linux-user">http://mailman.egr.msu.edu/mailman/listinfo/linux-user</A><BR></FONT></P></DIV></BODY></HTML>