
Botnet of Zombie Linux Servers Distributes Malware

According to Denis Sinegubko, an independent security researcher based in Magnitogorsk, Russia, cybercriminals have compromised a number of Linux servers and are using them to distribute malware to Windows computers, as reported by TheRegister on September 14, 2009.

Giving details of the finding, Sinegubko explains that all of the hijacked systems examined so far are dedicated or virtual dedicated servers, each of them hosting a legitimate website.

Sinegubko writes that the attack involves several compromised web servers that have been assembled into a network of 'zombies.' This network is a collection of infected web servers joined together under a common command-and-control system that issues instructions for distributing malware. He adds that the attack is made more complicated by linking this 'network of zombies' to a second botnet made up of infected home PCs, as reported by TheRegister on September 12, 2009.

The discovery highlights how bot herders keep looking for novel ways to send commands to their many zombies.

This bot-herding technique was uncovered when malicious links seeded on Chinese websites were found to use dynamic DNS (Domain Name System) hostnames obtained from No-IP.com and DynDNS.com rather than fixed addresses. The infected web servers register themselves with these dynamic DNS services under hostnames that embed their own Internet Protocol (IP) addresses.

In a separate statement, Sinegubko says that the two dynamic DNS services have removed more than 100 such hostnames from their databases. However, the bot herders appear to be moving quickly and re-registering the hijacked web servers under fresh hostnames, as reported by Honline on September 14, 2009.

While it is not yet clear how the servers were infected, Sinegubko suspects careless administrators whose passwords were sniffed by unauthorized parties. The attackers used stolen FTP (File Transfer Protocol) passwords to inject rogue iframes into the websites hosted on the servers.
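The two indicators described above, a hidden iframe injected into a legitimate page and an iframe destination that is a dynamic DNS hostname with an IP address encoded in its label, can be hunted for directly in a site's HTML. The following Python script is an added example and is not Sinegubko's tool or any code from the original report. It assumes that the injected iframes are hidden (zero or one pixel in size, or styled invisible), that the dynamic DNS suffixes listed are the ones in use, and that the embedded IP is written as four octets separated by '.', '-' or '_'; the page does not give the exact hostname format, so that pattern is an assumption, as is the sample HTML, which is constructed here with an RFC 5737 documentation address.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed dynamic-DNS parent domains for the two providers named in the
# report; the exact suffix list is an assumption for this example.
DYNDNS_SUFFIXES = (
    "no-ip.org", "no-ip.biz", "no-ip.info",
    "dyndns.org", "dyndns.info", "dyndns-server.com",
)

# An IPv4 address spelled with '.', '-' or '_' between octets, not glued
# to surrounding digits. The separator set is an assumption.
_IP_LABEL = re.compile(
    r"(?<!\d)(\d{1,3})[.\-_](\d{1,3})[.\-_](\d{1,3})[.\-_](\d{1,3})(?!\d)"
)


def embedded_ip(hostname):
    """Return the IPv4 address encoded in a hostname, or None if absent."""
    m = _IP_LABEL.search(hostname)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def is_dyndns(hostname):
    """True if the hostname sits under one of the assumed dynamic-DNS zones."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _looks_hidden(attrs):
    """Heuristic: zero/one-pixel frames or display:none / visibility:hidden."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or width in ("0", "1")
        or height in ("0", "1")
    )


def find_suspicious_iframes(html):
    """Return a list of findings, one per iframe that trips any indicator."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if _looks_hidden(attrs):
            reasons.append("hidden")
        if is_dyndns(host):
            reasons.append("dyndns")
        ip = embedded_ip(host)
        if ip:
            reasons.append("embeds-ip:" + ip)
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed and one injected frame
# pointing at an assumed dynamic-DNS name built from a documentation IP.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://203-0-113-42.no-ip.org/" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML):
        print(f["host"], ",".join(f["reasons"]))
```

Any one reason on its own is weak evidence (a dynamic DNS name can be legitimate, and a one-pixel frame may be a tracker), but an iframe that is hidden, points at a dynamic DNS zone, and encodes an IP address in its label matches the pattern the report describes and is worth pulling the FTP logs for.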

Finally, the researcher notes that although No-IP.com and DynDNS.com have so far been shutting down the hostnames, he is still identifying roughly two new IP addresses every hour, which suggests the campaign is far from over. To date, Sinegubko has identified 77 IP addresses.

Related article: Botnet Misuses Google Analytics

» SPAMfighter News - 10/2/2009

