[GLLUG] Ebay phishers use Linux botnets

Lachniet, Mark mlachniet at analysts.com
Fri Oct 5 08:03:06 EDT 2007


I know what you are saying, Karl, and you are right about IRC often being the control channel and other technical points, but I think we agree with the main point of the article - that Linux was used primarily for the "command and control" servers, and also that rooted UNIX boxes carried a higher premium with bot-wranglers.  Both of those seem pretty obvious and intuitive to me, hence I don't think it's really FUD but probably simple truth.  
 
I'll stick with my previous statement that in general a rooted Windows box isn't all that much fun to play with.  I do plenty of vulnerability assessments and penetration tests in the average year and I can assure you that it's much more useful to root a UNIX box than a Windows box simply due to what you can do with it.  
 
BTW, when Back Orifice (which isn't a rootkit IMO in that it doesn't hide itself at all - you can see it with netstat) first came out I had a great deal of fun demoing it with the "Butt Trumpet" sniffer plugin.  That was good fun.  I love a hacker with a sense of humor - what other excuse would I have for repeatedly using the word "Butt Sniffer" in a room full of suits  :)
 
It's sad that we now have a (viable) economy that preys upon the ignorance and poor procedures of technology users. 
 
Mark Lachniet
Solutions Architect - Security
Analysts International
3101 Technology Blvd. Suite A
Lansing, MI 48910
(517) 336-1004 (voice)
mailto:mlachniet at analysts.com
  

________________________________

From: linux-user-bounces at egr.msu.edu on behalf of Karl Schuttler
Sent: Thu 10/4/2007 10:10 PM
To: linux-user at egr.msu.edu
Subject: Re: [GLLUG] Ebay phishers use Linux botnets



Just a little wink wink,

"With Windows you practically need to inject a VNC server process just to do
anything useful.  Plus, the rootkits are a bit easier to install and use
(easier to hide processes, network connections, etc.) in Linux I think,
or at least more mature."

Botnets aren't controlled over VNC, they are typically controlled over
an IRC server. If you were to botnet over VNC, you would have to do
tasks individually with each computer. The whole advantage of
botnetting is being able to use all the computers' power at the same
time.

I definitely agree, however, that owning a Linux box would be more
satisfying than a Windows box. But rootkits aren't that difficult to
get owned by in Windows, and certainly not easier to install than in
Windows; look at Back Orifice and the success it had. Installing in
Windows would probably be easier, seeing that privilege escalation is
much simpler in a Windows environment. I don't know about the level of
maturity that you mean, but a lot of this backdoor software is self
propagating. Furthermore, a lot of the zombies in the botnets aren't
going to be used for server hosts themselves, but are more likely to
be using mail clients to mail bomb spam to people in order to get them
to visit the web server of the phishers.

Having a botnet and writing malware for exploiting flaws isn't
something that just the hobby hacker is doing anymore, it is an
industry that has great payoff, and with anonymity services like Tor,
pretty simple to keep from getting caught. Keep in mind that people
are being paid to professionally develop this malware.

And yes, of course they are going to use Linux for some aspects,
probably to develop in, host some of their services like the IRC
server, or the web servers they need to put up a phishing site. I think
the difference is that most of the zombies probably aren't Linux, but
more of the upper management is.

Karl

On 10/4/07, Michael Rudas <audiotech50 at gmail.com> wrote:
> Mark Lachniet wrote:
>
> > I'm not sure it's FUD really.  The source seems credible, despite the
> > venue of the statement (Microsoft's conference).  But, when you think of
> > it, what would YOU rather hack?
>
> But, again, the presentation is titled ("eBay phishers use Linux
> botnets")-- and framed ("Phishers are getting more organized and tend
> to exploit hacked Linux boxes more than Windows, according to eBay's
> security chief.") as though the Linux boxen WERE some sort of
> sooper-seekrit botnet in-and-of themselves.
>
> Deliberate lies and distortion are being used to obscure the truth--
> which is the very DEFINITION of FUD.
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
>

