Malware coders adopt DevOps to target smut sites

Linux-served porn sites may offer devs more than they bargained for after villains behind one of 2014's nastiest malware campaigns changed tactics to hit adult sites with stealthier wares. The Windigo campaign was revealed in March 2014 to have over the previous two years infected 25,000 Unix and Linux servers, with some 10, …

  1. thames

    Don't Need an Exploit if You Have the Password

    This sounds like a further development of techniques used earlier. You don't need to find an exploit in a server if you have the admin passwords. Instead, you target the administrator's desktop PC in a watering hole attack with an off-the-shelf Windows virus, or use phishing or social engineering to get the passwords. Or you just use a botnet to brute force the passwords and look for servers with weak passwords. In fact, it might be better if the server has no vulnerabilities, because then the admin probably won't spend as much time looking for suspicious activity.

    You don't have to crack any specific server. You just need to find *a* server where you can get in. So you just go around "rattling the doorknobs" looking for an easy target. The more people who have some sort of legitimate access to a server, the more likely it is that someone is going to slip up and let their passwords get loose.
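The "rattling the doorknobs" pattern described in the comment above leaves a distinctive trace in sshd logs, and it is worth knowing what each variant looks like before it ends with an "Accepted password" line. The following is an added example, not code from the article or from any commenter: it parses a handful of constructed sshd lines (hostname, PIDs and IP addresses are invented, the addresses come from documentation ranges) and flags three things a defender cares about: one source hammering an account, one account probed slowly from many sources so that no single IP trips a per-IP lockout, and a password login that succeeds from a source that had already failed repeatedly against the same account.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines for illustration; not taken from any real host.
SAMPLE_LOG = """\
Mar 21 03:14:01 web1 sshd[2210]: Failed password for root from 198.51.100.7 port 51012 ssh2
Mar 21 03:14:03 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 51018 ssh2
Mar 21 03:14:05 web1 sshd[2212]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar 21 03:14:08 web1 sshd[2213]: Failed password for root from 198.51.100.7 port 51031 ssh2
Mar 21 03:14:10 web1 sshd[2214]: Failed password for root from 198.51.100.7 port 51040 ssh2
Mar 21 03:14:12 web1 sshd[2215]: Accepted password for root from 198.51.100.7 port 51044 ssh2
Mar 21 03:20:44 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.5 port 40011 ssh2
Mar 21 04:02:19 web1 sshd[2388]: Failed password for invalid user admin from 203.0.113.19 port 40022 ssh2
Mar 21 04:47:55 web1 sshd[2450]: Failed password for invalid user admin from 203.0.113.77 port 40039 ssh2
Mar 21 05:31:02 web1 sshd[2512]: Failed password for invalid user admin from 203.0.113.140 port 40051 ssh2
Mar 21 09:12:30 web1 sshd[2600]: Accepted publickey for deploy from 192.0.2.10 port 53311 ssh2
"""

# Matches the standard OpenSSH auth result lines ("Failed password for ...",
# "Accepted publickey for ..."); "invalid user" is an optional prefix on the name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text):
    """Turn sshd auth lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def single_source_bruteforce(events, threshold=5):
    """Noisy brute force: one source IP accumulating many failures."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            fails[e["ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def distributed_guessing(events, min_sources=4):
    """Low-and-slow botnet pattern: one account probed from many sources,
    each source staying well below any per-IP lockout threshold."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "Failed":
            sources[e["user"]].add(e["ip"])
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) >= min_sources}


def success_after_failures(events, min_failures=3):
    """The alert that matters: a password login that succeeds from a source
    which had already failed repeatedly against the same account. Key-based
    logins are ignored, since a guessed password cannot produce one."""
    fails = defaultdict(int)
    hits = []
    for e in events:  # log order is time order, so a running count suffices here
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            fails[key] += 1
        elif e["method"] == "password" and fails[key] >= min_failures:
            hits.append((e["ip"], e["user"], fails[key]))
    return hits


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("single-source brute force:", single_source_bruteforce(evts))
    print("distributed guessing:", distributed_guessing(evts))
    print("success after failures:", success_after_failures(evts))
```

On real logs the counts would be bucketed by time window rather than over the whole file, and the "admin" pattern is the one a per-IP tool such as fail2ban misses by design: four sources, one failure each, hours apart.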

  2. Anonymous Coward

    "You don't need to find an exploit in a server if you have the admin passwords. Instead"

    There has been no shortage of remote admin / elevation exploits in Linux in the past few years, though, if you don't have the password.

    1. channel extended

      Please cite examples. Other than the bash problem and the PHP mess, I would be interested in learning more.

      1. Michael Wojcik

        "Please cite examples. Other than the bash problem, and PHP mess I would be interested in learning more."

        http://lmgtfy.com/?q=site%3Asecurityfocus.com+bugtraq+linux+remote+elevation

        OK, I haven't bothered filtering for "the past few years". I'll leave that as an exercise for the reader.

        Actually, though, most of the ones reported in recent years are in third-party software running with privileges on Linux, such as HP Performance Insight or Adobe anything.

        There has been a steady trickle of Linux kernel escalation vulnerabilities (eg CVE-2013-2094 or CVE-2014-4014) over the years, but most of those are only known to be locally exploitable; to exploit them remotely you'd need a vulnerable server that can be tricked into activating the exploit, and then into running attacker-supplied code. That sort of thing is hardly unknown, but it's not always possible and it's generally not trivial.

        The short answer is that there certainly are Linux systems that are vulnerable to remote privilege elevation due to third-party software; there are Linux systems that are vulnerable to local privilege elevation due to kernel bugs; there may well be Linux systems where the latter can be adapted into the former. The AC you're responding to, though (probably one of the usual suspects), is likely talking out his ass and has no specific vulnerabilities in mind. It's just the usual chest-thumping.

  3. Robert Helpmann??

    Very Scary

    "We think they are interested in staying under the radar and making money, and not spreading too largely [because] law enforcement may be interested if there is a lot of victims," he said.

    What caught my attention was how very organized and effective these black hats seem to be. They don't come across as greedy enough to be conspicuous. They seem to have implemented the idea of continuous improvement and have a good QA approach. In fact, it sounds as though they have it together a lot more than many of my past employers. Alas.

    As far as the suggestion that prevention is just a matter of two-factor authentication, did the author not read the part about the targets being smaller porn sites? Not the most likely candidate for this sort of measure based on the size of the site and the reluctance of many of the customer base to leave digital tracks. This, I believe, is a good technical solution that will never be implemented in this case.


Biting the hand that feeds IT © 1998–2021