LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-07-2009, 01:30 PM   #1
pwabrahams
Member
 
Registered: Nov 2005
Location: Deerfield MA
Distribution: OpenSuSE, Kubuntu
Posts: 293

Rep: Reputation: 41
Vulnerability to botnet conscripting


How vulnerable have Linux machines been to being conscripted into a botnet? Is botnet conscription a major problem for Linux (as it is for Windows) or does it happen only rarely?

One observation: for the folks who worry about botnets at the highest level, it's important to consider that the machines most open to conscription are those belonging to naive and unsophisticated users, like pre-teens uninterested in anything technical. For that reason, any universal anti-botnet measure can't rely on active intervention from the user. Perhaps the best focal point for detecting botnet activity would be the ISPs, who also suffer from the traffic deluge. The remedy would have to be something that won't provoke the response "Oh, I can't be bothered with that.".
 
Old 05-07-2009, 04:15 PM   #2
dibi58
Member
 
Registered: Sep 2007
Distribution: fedora (x86, alpha, sparc, ppc) debian (x86, x64, mips, hp-pa, ppc) suse (x64) slackware (x86, ppc)
Posts: 59

Rep: Reputation: 18

Quote:
Originally Posted by pwabrahams View Post
How vulnerable have Linux machines been to being conscripted into a botnet? Is botnet conscription a major problem for Linux (as it is for Windows) or does it happen only rarely?

One observation: for the folks who worry about botnets at the highest level, it's important to consider that the machines most open to conscription are those belonging to naive and unsophisticated users, like pre-teens uninterested in anything technical. For that reason, any universal anti-botnet measure can't rely on active intervention from the user. Perhaps the best focal point for detecting botnet activity would be the ISPs, who also suffer from the traffic deluge. The remedy would have to be something that won't provoke the response "Oh, I can't be bothered with that.".
Not really that frequent; what is more common are botnets on applications running on the PHP-Apache platform, if the permissions have not been set correctly, and also if automatic registration is not either blocked or controlled by a hard-to-read CAPTCHA.
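The "permissions have not been set correctly" point above is the usual root cause behind a PHP application being turned into a bot host: a directory the web server can write to lets a bug in the application drop a script that the same server will then execute. The following is an added example, not code from the thread's posters, of the check an administrator would run over a web root. It walks the tree and reports world-writable files and directories plus setuid/setgid files; the sample web root it builds (a writable `uploads/` directory and a mode-666 `config.php`) is constructed for the demonstration.

```python
import os
import stat
import tempfile


def insecure_paths(webroot):
    """Walk webroot and return (relative path, reason) for every entry that is
    world-writable or, for files, carries the setuid/setgid bit.  These are the
    permission mistakes most often behind a PHP/Apache compromise: a writable
    directory lets an application bug plant a script the server will run."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished between listing and stat; not our problem here
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # permission bits on a symlink itself are meaningless
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & (stat.S_ISUID | stat.S_ISGID) and not stat.S_ISDIR(mode):
                reasons.append("setuid/setgid")
            if reasons:
                findings.append((os.path.relpath(path, webroot), ", ".join(reasons)))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample tree: one correctly permissioned PHP file, one
    world-writable upload directory and one world-writable config file."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.makedirs(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'ok'; ?>\n")
    os.chmod(os.path.join(root, "index.php"), 0o644)
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db = 'demo'; ?>\n")
    os.chmod(os.path.join(root, "config.php"), 0o666)
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel, why in insecure_paths(demo):
        print("%s: %s" % (rel, why))
```

Point it at the real document root instead of the demo tree and fix whatever it lists; upload directories that genuinely must be writable by the server user should be owned by that user with mode 750, not opened to the world, and should be served with script execution disabled.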
 
Old 05-07-2009, 05:03 PM   #3
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote:
Originally Posted by pwabrahams View Post
How vulnerable have Linux machines been to being conscripted into a botnet? Is botnet conscription a major problem for Linux (as it is for Windows) or does it happen only rarely?

One observation: for the folks who worry about botnets at the highest level, it's important to consider that the machines most open to conscription are those belonging to naive and unsophisticated users, like pre-teens uninterested in anything technical. For that reason, any universal anti-botnet measure can't rely on active intervention from the user. Perhaps the best focal point for detecting botnet activity would be the ISPs, who also suffer from the traffic deluge. The remedy would have to be something that won't provoke the response "Oh, I can't be bothered with that.".
It's not a big problem in linux due to a smaller installed base of generally more technically inclined users. Removal is typically easier also imo (having done both windows and linux Trojan removal.) It can and does happen, but not nearly with the frequency you see in the windows world.
 
Old 05-07-2009, 05:55 PM   #4
pwabrahams
Member
 
Registered: Nov 2005
Location: Deerfield MA
Distribution: OpenSuSE, Kubuntu
Posts: 293

Original Poster
Rep: Reputation: 41
Captchas and such

Quote:
Originally Posted by dibi58 View Post
What is more common are botnets on applications running on the PHP-Apache platform, if the permissions have not been set correctly, and also if automatic registration is not either blocked or controlled by a hard-to-read CAPTCHA.
I've read that CAPTCHA-cracking shops are now proliferating in China. They hire a bunch of low-paid peons to look at the things and solve them. It's hard to see any way of defeating that strategy.

It's certainly true that Linux users tend to be technically adept. But there are two caveats to that. First, the Linux world has been actively trying to recruit users from among the great unwashed, and to the extent that effort succeeds, we can expect all the ills that affect naive users except for those that are blocked automatically by the system. Second, Linux machines are often high-value targets, worthwhile for the bad guys to spend some energy in breaking into with targeted attacks. A friend of mine who's no slouch when it comes to Linux and Linux security had his system rootkitted.
 
Old 05-07-2009, 06:32 PM   #5
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by dibi58 View Post
Not really that frequent; what is more common are botnets on applications running on the PHP-Apache platform, if the permissions have not been set correctly, and also if automatic registration is not either blocked or controlled by a hard-to-read CAPTCHA.
Quote:
Originally Posted by rweaver View Post
It's not a big problem in linux due to a smaller installed base of generally more technically inclined users. Removal is typically easier also imo (having done both windows and linux Trojan removal.) It can and does happen, but not nearly with the frequency you see in the windows world.
I disagree with both of these statements. This forum is full of requests for assistance in cleaning compromised systems and a good percentage of them comprise trojaned machines. Looking at my Linux machine's weblogs, I can certainly see compromised machines attempting to compromise my own server. When looking up the IPs (sometimes using Netcraft), a majority of those systems are determined to be more than likely Linux-based.

One could argue that these compromises happen because of application-based vectors of attack, but that's not what the OP asked. He asked if it is possible for Linux machines to be conscripted to participate in botnet activity. It is certainly possible and it happens all the time. In fact, one of our clients participated (unknowingly) in a DDOS. Their DNS server responded to some spoofed queries because it wasn't locked down...that certainly could be considered botnet participation. One has to be careful how one defines an attack and how vulnerable a machine is to an attack...applications should certainly be considered when determining susceptibility. Bottom line: most people don't care if the attack was because of a misconfigured software package or the OS itself, because no matter what it was, the compromise still happened.

I know of hardcore linux users who think they poop gold bricks that still can't be convinced to lock down applications in a proper manner. Politics plays a lot in most corporate environments.

Last edited by unixfool; 05-07-2009 at 06:35 PM.
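The DNS server in the post above that "responded to some spoofed queries because it wasn't locked down" is the open-resolver case: a nameserver that answers recursive queries for anyone becomes a reflector in somebody else's DDoS. As an added example (not code from any poster in this thread), the script below audits BIND-style query-log lines for exactly that symptom: recursion-desired queries (a leading `+` in the flags column) arriving from clients outside the networks the resolver is meant to serve, and `ANY` queries from those clients, which are the classic amplification request. The log line shape, the local prefixes and the sample lines are all constructed assumptions; compare against your own `named` query log before trusting the regular expression.

```python
import re
import ipaddress
from collections import Counter

# Assumed line shape (a constructed approximation of a BIND query log):
#   client <ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<server-ip>)
# The first character of <flags> is '+' when the client asked for recursion
# and '-' when it did not.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)

# Constructed: the networks this resolver is meant to serve recursively.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("2001:db8::/32")]


def audit_query_log(lines, local_nets=LOCAL_NETS):
    """Summarise which outside clients are being given recursion (an open
    resolver) and which of them send ANY queries (the amplification pattern)."""
    recursive_external = Counter()
    any_external = Counter()
    parsed = 0
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # zone loads, notifies and other non-query lines
        parsed += 1
        addr = ipaddress.ip_address(m.group("ip"))
        if any(addr in net for net in local_nets):
            continue  # our own clients are allowed recursion
        if m.group("flags").startswith("+"):
            recursive_external[m.group("ip")] += 1
        if m.group("qtype").upper() == "ANY":
            any_external[m.group("ip")] += 1
    return {
        "parsed": parsed,
        "recursive_external": dict(recursive_external),
        "any_external": dict(any_external),
    }


# Constructed sample log: one local client, two outside clients asking for
# recursion (one of them with ANY queries), one outside client making a
# legitimate non-recursive query for a zone we host, and one non-query line.
SAMPLE_LOG = [
    "12-May-2009 10:00:01.123 client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A + (192.0.2.53)",
    "12-May-2009 10:00:02.456 client 203.0.113.7#4123 (example.net): query: example.net IN ANY + (192.0.2.53)",
    "12-May-2009 10:00:02.789 client 203.0.113.7#4123 (example.net): query: example.net IN ANY + (192.0.2.53)",
    "12-May-2009 10:00:03.000 client 198.51.100.22#33000 (example.org): query: example.org IN MX + (192.0.2.53)",
    "12-May-2009 10:00:04.000 client 198.51.100.23#33001 (example.com): query: example.com IN A - (192.0.2.53)",
    "12-May-2009 10:00:05.000 zone example.com/IN: loaded serial 2009051201",
]

if __name__ == "__main__":
    report = audit_query_log(SAMPLE_LOG)
    for ip, n in sorted(report["recursive_external"].items()):
        print("%s: %d recursive queries from outside our networks" % (ip, n))
    for ip, n in sorted(report["any_external"].items()):
        print("%s: %d ANY queries (amplification pattern)" % (ip, n))
```

Any non-empty `recursive_external` result means the server is recursing for the world; the fix on BIND is to restrict recursion to your own prefixes (for example `allow-recursion { localnets; };`, or a named ACL) and, where the host is only authoritative, to turn recursion off altogether. The non-recursive query for `example.com` from an outside client is deliberately not flagged: answering authoritatively for zones you host is the server's job.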
 
Old 05-08-2009, 10:30 AM   #6
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote:
Originally Posted by unixfool View Post
Quote:
It's not a big problem in linux due to a smaller installed base of generally more technically inclined users. Removal is typically easier also imo (having done both windows and linux Trojan removal.) It can and does happen, but not nearly with the frequency you see in the windows world.
I disagree with both of these statements. This forum is full of requests for assistance in cleaning compromised systems and a good percentage of them comprise trojaned machines. Looking at my Linux machine's weblogs, I can certainly see compromised machines attempting to compromise my own server. When looking up the IPs (sometimes using Netcraft), a majority of those systems are determined to be more than likely Linux-based.
I didn't say it wasn't *a problem*; it's not *a big problem*. Cleaning off compromised machines and determining the attack vector used is part of my daily job; it happens in Linux, Windows, Unix, and Mac land. Comparatively, I see exponentially more windows systems compromised than I do linux systems. Part of this is just the number of systems out there and part of it is also that the windows security model is flawed (somewhat screwed up as far as defaults go). If you have strong passwords and keep your updates up to date, it's a minimal problem in linux. Most of the linux systems I see compromised are running Debian 3.1, Redhat 9, SUSE 9, etc... as often as not the windows systems I see compromised are running 2003 with automatic updates turned on... although to be fair, in both cases you're often looking at user error in some form or another.

I really hope it doesn't shock you that trojan'd linux machines are looking for other linux machines to exploit instead of windows machines. The windows botnets are scanning for vulnerabilities linux doesn't have, so they move on quickly. The linux trojans aren't primarily looking for windows hosts, so you get scanned more often and more thoroughly. It's simple survival of the fittest in the virus world. There aren't many cross-platform botnets.

You are right though, security often takes backseat to corporate politics... but that's just another form of user error and often times nothing you can do can fix it.

Last edited by rweaver; 05-08-2009 at 10:32 AM.
 
Old 05-08-2009, 11:20 AM   #7
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by rweaver View Post
I didn't say it wasn't *a problem*; it's not *a big problem*. Cleaning off compromised machines and determining the attack vector used is part of my daily job; it happens in Linux, Windows, Unix, and Mac land.
Ditto. I work for a very large managed security services provider.

Quote:
Originally Posted by rweaver View Post
Comparatively, I see exponentially more windows systems compromised than I do linux systems. Part of this is just the number of systems out there and part of it is also that the windows security model is flawed (somewhat screwed up as far as defaults go).
I have to disagree on this. I see TONS of Linux based machines that are compromised, while we typically don't see so many Windows-based machines being compromised in the same manner. I would say that this is not Windows- or Linux-specific. It is application- and permissions-specific.

Quote:
Originally Posted by rweaver View Post
If you have strong passwords and keep your updates up to date, it's a minimal problem in linux.
A lot of these types of compromise have nothing to do with passwords or updates, as things such as SQL injection don't always happen because of some vulnerability inherent in password methods or software stagnation. It has more to do with how the SQL server was deployed and how promiscuous the application is to outsider attacks.


Quote:
Most of the linux systems I see compromised are running Debian 3.1, Redhat 9, SUSE 9, etc... as often as not the windows systems I see compromised are running 2003 with automatic updates turned on... although to be fair, in both cases you're often looking at user error in some form or another.
I don't see a distro-based pattern when analyzing Linux-specific data, but then again, it usually isn't because of a particular software package or version. Any machine that is attacked, no matter the vector, has the potential to become a bot in a botnet, whether a password was bruteforced or someone clicked on a malicious link in their e-mail. A compromise is a compromise, no matter the method.

Quote:
I really hope it doesn't shock you that trojan'd linux machines are looking for other linux machines to exploit instead of windows machines.
I've been doing this long enough to understand that Windows machines CAN attack Linux-based machines. The reverse applies also. I've seen dumb script kids using Linux exploits against IIS servers, also...it's obviously not going to work. Most of that was apparent to me long ago. My point was that this isn't OS-specific. isc.sans.org reported a while back that a huge number of SSH systems were exploited and were participating in botnet activity. By default, SSH software comes installed on most Linux distros. On Windows machines, it has to be manually installed. Sure, this was an issue with admins using easy-to-guess usernames and passwords, but as I said before, a compromise is a compromise.

Quote:
The windows botnets are scanning for vulnerabilities linux doesn't have, so they move on quickly. The linux trojans aren't primarily looking for windows hosts, so you get scanned more often and more thoroughly. It's simple survival of the fittest in the virus world. There aren't many cross-platform botnets.
Malware is so plug-n-play now that it is trivial to change attack methods. I've seen malware attacks adapt Linux-based attacks to Windows-based, on the fly. I've also seen PHP scripts that attempt to determine the OS and version that is running on the target system...this is designed to give the botnet owner an idea of what flavor of attack to utilize against the target. It isn't as trivial as you are making this out to be.
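The SSH incident referred to above (machines conscripted after admins used easy-to-guess usernames and passwords) leaves a very recognisable trace in the authentication log, and it is the pattern a defender should be watching for on any Linux host that ships with sshd enabled. As an added example (not code from anyone in this thread), the script below reads OpenSSH-style `auth.log` lines, counts password failures per source address, lists the account names each source cycled through, and, most importantly, flags any *accepted* login from a source that had already crossed the failure threshold, which is the case where guessing may actually have worked and the host needs a forensic look rather than just a firewall rule. The log line shapes and the sample lines are constructed assumptions; the failure threshold is a parameter.

```python
import re
from collections import defaultdict

# Assumed OpenSSH auth.log line shapes (constructed, syslog-style):
#   ... sshd[PID]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2
#   ... sshd[PID]: Accepted <method> for <user> from <ip> port <n> ssh2
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def analyze_auth_log(lines, threshold=5):
    """Return (brute_forcers, suspicious_logins).

    brute_forcers maps each source ip with >= threshold failures to its failure
    count and the sorted list of usernames it tried.  suspicious_logins lists
    (ip, user, method) for every accepted login from a source that had already
    reached the threshold earlier in the log: a guess that may have succeeded."""
    failures = defaultdict(lambda: {"failures": 0, "users": set()})
    suspicious = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            rec = failures[m.group("ip")]
            rec["failures"] += 1
            rec["users"].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            prior = failures.get(m.group("ip"))  # .get() so no entry is created
            if prior is not None and prior["failures"] >= threshold:
                suspicious.append((m.group("ip"), m.group("user"), m.group("method")))
    brute = {ip: {"failures": r["failures"], "users": sorted(r["users"])}
             for ip, r in failures.items() if r["failures"] >= threshold}
    return brute, suspicious


# Constructed sample: one source cycling through common account names and
# finally getting in, one user with a couple of typos, one clean key login.
SAMPLE_AUTH_LOG = [
    "May  8 10:15:01 web1 sshd[2345]: Failed password for root from 203.0.113.9 port 4021 ssh2",
    "May  8 10:15:03 web1 sshd[2346]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2",
    "May  8 10:15:05 web1 sshd[2347]: Failed password for invalid user oracle from 203.0.113.9 port 4023 ssh2",
    "May  8 10:15:07 web1 sshd[2348]: Failed password for invalid user test from 203.0.113.9 port 4024 ssh2",
    "May  8 10:15:09 web1 sshd[2349]: Failed password for root from 203.0.113.9 port 4025 ssh2",
    "May  8 10:15:11 web1 sshd[2350]: Failed password for invalid user admin from 203.0.113.9 port 4026 ssh2",
    "May  8 10:16:40 web1 sshd[2360]: Accepted password for root from 203.0.113.9 port 4050 ssh2",
    "May  8 10:20:01 web1 sshd[2400]: Failed password for bob from 198.51.100.5 port 50001 ssh2",
    "May  8 10:20:09 web1 sshd[2401]: Failed password for bob from 198.51.100.5 port 50002 ssh2",
    "May  8 10:21:00 web1 sshd[2402]: Accepted password for bob from 198.51.100.5 port 50003 ssh2",
    "May  8 10:30:00 web1 sshd[2500]: Accepted publickey for alice from 192.0.2.20 port 41000 ssh2",
]

if __name__ == "__main__":
    brute, suspicious = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, rec in sorted(brute.items()):
        print("%s: %d failures, tried %s" % (ip, rec["failures"], ", ".join(rec["users"])))
    for ip, user, method in suspicious:
        print("INVESTIGATE: %s logged in as %s (%s) after repeated failures" % (ip, user, method))
```

The `suspicious` list is the one that matters: a block list handles the noisy sources, but an accepted login after a run of failures means a credential was guessed and the host must be treated as compromised until proven otherwise. The standing mitigations are the ones the thread already implies: no password logins for root, key-based authentication (`PasswordAuthentication no` in `sshd_config`), and rate limiting or lockout of repeat offenders.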
 
Old 05-08-2009, 02:30 PM   #8
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
I disagree for reasons I've already stated, your experience and mine have obviously been vastly different if you see more compromised Linux hosts than windows hosts... and vastly different than most every security researcher I know, every report I've ever seen, and pretty much the experience of everyone in security that I know of.

I didn't state there was a distro specific pattern, however, you might want to note the version numbers... those are just examples that came to mind because I've seen them in the last couple weeks.

Yes, there are exceptions to the rule, but the vast majority of the botnets aim at low-hanging fruit. It's counterproductive to spend large amounts of time when there is *so much low-hanging fruit*. You claim I'm making it sound too trivial; you make it sound far too pervasive and common.
 
Old 05-09-2009, 08:05 AM   #9
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by rweaver View Post
You claim I'm making it sound too trivial; you make it sound far too pervasive and common.
It is way more pervasive and common than people here typically make it out to be on these forums, but that's usually what happens within centric forums. I've run Windows almost since it existed and far too many people stated blatantly that Windows is full of holes and you are almost guaranteed to catch a worm and always be infected. I beg to differ. A competent admin can lock down a Windows system and not be infected. I've been infected twice in almost 20 years of Windows usage. I'm not some certed MS geek either. I'm the type of person that will speak his mind when his experiences exceed the norm, no matter the negative feedback. Sure, I've no proof to present regarding this thread's argument, but I've tons of experience and have been working for years as a security consultant. Some people like to play with numbers, but all I'm saying is that if you read without any particular bias, you're absolutely going to be surprised at the amount of exploits out there that successfully target Linux. It is no secret that there are millions of Linux-based webservers in the world. Every computer product that needs to be administrated has the possibility (actually, a high possibility) of being administered by someone who doesn't know how to lock down a machine. Even if the percentage were low, what is 10% of, let's say, 10 million? Yeah, that 10% will still represent a LARGE number.

There's absolutely nothing wrong in suggesting that there are large amounts of Linux-based machines that are compromised in the wild wild web. All that means to me is that there are incompetent administrators in control of those machines. That's usually what happens when a product's user-base becomes very large. It's the same with cars and car accidents, pools and pool accidents, and homes and homes catching fire.

I ran a public server for 3 years before enabling IPTables, as an exercise in determining if firewalls were ever needed. Sure, the server was colo'd and there was the provider firewall to consider, but the thing was attacked multiple times a day for those 3 years, with some of the attacks being absolutely massive in proportion. Still, I got not a single compromise. Most people thought I was asking for trouble, but I knew how to lock down a system at the host level and without using a host firewall. What I didn't know, I learned. Most people don't do that because they don't have time (and sometimes, time is money) or are lazy and will cut corners. Sounds like the MS mentality, but then again, I apply the same diligence to my MS products. Just like when nurturing kids, if you spend time with something you care about, the payoff is HUGE. Unfortunately, time and education are rare resources in internet security, it seems....and with moms and pops now getting fiber straight to their homes, they are now seriously ripe targets of opportunity...it will get worse as we apply technology in the home environment.

Sorry, I'm not picking on you. I just think that the "Linux is secure because it isn't used as much as Windoze" or the "Linux code is open-source...there's no way the code can ever contain a hole" arguments are dangerous arguments to make, considering all that I mentioned above. It leads to people being or becoming complacent. Even 3 years ago, there were Linux-based exploits and attacks going on that the public kinda blew off (all because of insecure and unpatched applications, not the kernel itself) that were extremely damaging. As I said earlier, this forum is full of examples of people needing help because their Linux boxen were cracked wide open. Yeah, I know we see a lot of it because this forum is labeled "Linux Security", but still, there are other forums to glean similar info from (the typical major public security content portals, for one). All this info is already out on the web...you just have to search for it, and the search is pretty easy.
 
Old 05-11-2009, 11:59 AM   #10
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote:
Originally Posted by unixfool View Post
Sorry, I'm not picking on you.
Differing opinions don't mean you're picking on someone, I disagree with you, but shrug.

Quote:
Originally Posted by unixfool View Post
I just think that the "Linux is secure because it isn't used as much as Windoze" or the "Linux code is open-source...there's no way the code can ever contain a hole" arguments are dangerous arguments to make, considering all that I mentioned above.
I've never used that argument and wouldn't; that's a fool's game, security through obscurity does not work. That being said, Linux (and Unix vis-a-vis) has a better default security model than Windows. It's not that windows can't be locked down; in fact it has some tools that I wish were available in Linux when dealing with desktops in particular. If you take a competent linux admin and a competent windows admin and give them respective machines and let them go to town... neither is ever going to have problems in all likelihood. By default install though, you see fewer general security problems in Linux than in Windows... that goes for servers installed by people who aren't qualified to admin them also.

I personally see Linux and Windows servers exploited on a weekly and sometimes daily basis. I've seen everything from running servers on unpatched XP without a firewall to running servers on linux with 30-40 unused services running and X running, or passwords on either system that consist of 5-letter dictionary words.

There is no way to protect people from themselves, but pound for pound, based on my experience there are a lot more compromised Windows systems (especially when ignoring the disparity between installed bases) than Linux systems. I've also seen a lot more Linux systems compromised at a user (frequently web hosts) level but not system level than Windows systems... I don't recall many times I've had windows compromises that didn't consist of full control being granted.

Shrug, YMMV. Like I said, I think you're making it seem more pervasive than it is; you think I make it look trivial. A difference of opinion on our parts, but I never thought you were picking on me.
 