If You Can’t Bring Users to You, Go to Where the Users Go

Many in the community are working through identifying and remediating Darkleech malware, which may have infected as many as 20,000 Linux servers running Apache. Behind the stories, three themes emerge: servers matter, Linux matters and blacklisting doesn’t.

This type of malware isn’t new, but it represents a growing shift away from luring users to the point of attack and toward attacking them where they already go. This approach is known as a watering hole attack (see this excellent summary by John Pierce at StealthWatch Labs). Watering hole attacks compromise the servers and sites that users and their software already trust, which removes the increasingly difficult step of persuading users to visit a site that hosts malware: the trusted site now serves the malware itself, and no blacklist of bad domains will contain it until after the damage is done. Servers matter; blacklisting doesn’t.

Conventional wisdom holds that Linux isn’t much of a target, for any of several reasons: limited market share, little common malware, systems configured and used by experts, software built from source or installed from trusted repositories, powerful security features available (pick your favorite). Darkleech targets Linux only as a stepping stone to its ultimate targets, which are largely Windows users visiting the compromised sites. It drops and installs a new Apache module, and replaces the SSH daemon. Almost no Linux systems run antivirus software, and if they did, it wouldn’t have helped. The futility of blacklisting against this kind of attack became clear when the folks at Sucuri ran the trojaned sshd binary through VirusTotal back in January: it wasn’t flagged by any of the 46 scanners. A couple of months later it was flagged by 26 of them. How many servers and users were compromised in the interim? Linux matters; blacklisting doesn’t.

Linux comes with a very powerful mandatory access control system in SELinux, and had it been running in enforcing mode with the web server confined, it almost certainly would have blocked the attack: a confined httpd process is not allowed to overwrite system binaries such as sshd or load modules from arbitrary locations. But SELinux has a legitimate reputation for being difficult to administer, and it is often disabled or left in permissive mode as a result. That’s one reason Bit9 is busy extending its security platform to cover popular distributions of Linux as well as Apple’s OS X (look for more about that later this quarter). It doesn’t matter what operating system is on your endpoints or servers. What matters is knowing what software is running and only allowing approved software to run. Bit9 does that because security matters.
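To make the two points above concrete, the replaced sshd and dropped Apache module that no scanner flagged, and the alternative of approving exactly the software you expect, here is an added example (not Bit9’s product code and not taken from any Darkleech analysis). It builds an allowlist of file hashes from a known-good host and then reports anything that differs: an approved file whose content changed, a file that was never approved, or an approved file that has gone missing. The directory layout, file contents and the module name mod_dropped.so are constructed placeholders for the demo, not real artifacts.

```python
"""
Allowlist-style integrity check: instead of asking "is this file on a
blacklist?", ask "is this exact file one we approved?".

Added example; the sample files and the names used below (mod_dropped.so,
the placeholder bytes) are constructed for the demo and are not real
malware or real Darkleech indicators.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record the hash of every regular file under root.

    Taken while the host is known-good, this is the approved baseline.
    """
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_against_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current state of root with the approved baseline.

    modified:   approved path whose content changed (a trojaned sshd)
    unapproved: file present now that was never approved (a dropped module)
    missing:    approved file that has disappeared
    """
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    unapproved = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    return {"modified": modified, "unapproved": unapproved, "missing": missing}


def demo() -> dict[str, list[str]]:
    """Constructed scenario mirroring the post: baseline a clean server, then
    replace sshd and drop an extra Apache module. Contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/lib/apache2/modules").mkdir(parents=True)
        (root / "usr/sbin/sshd").write_bytes(b"legitimate sshd build")
        (root / "usr/lib/apache2/modules/mod_ssl.so").write_bytes(b"legitimate mod_ssl")

        manifest = build_manifest(root)  # approved set, captured while known-good

        # Simulated compromise (placeholder bytes, hypothetical module name).
        (root / "usr/sbin/sshd").write_bytes(b"backdoored sshd build")
        (root / "usr/lib/apache2/modules/mod_dropped.so").write_bytes(b"dropped module")

        return check_against_manifest(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Note that a scanner’s verdict never enters into it: the replaced sshd is caught the same day it lands, not months later when a signature ships. On a real server the baseline would come from the package manager (rpm -V, dpkg --verify or debsums) or from a signed manifest kept off the host, since a manifest stored alongside the binaries is just one more file for the attacker to edit; and every legitimate update will show up as "modified" until the baseline is re-approved, which is exactly the administrative burden a whitelisting platform exists to absorb.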

Leverage the Power of Trust-based Security with Bit9’s Free Trial
