Botnets of *NIX Web Servers
In the last several years malware writers have clearly understood that getting access to web servers can bring more benefits than infecting users’ PCs. Nowadays there are millions of completely unprotected web-sites and web servers with different kinds of vulnerabilities, so it is easy for attackers to upload web shells and even get access to these web servers with root privileges. All these circumstances certainly made botnets of infected servers and web sites a modern trand in malware development. Why is this so relevant? We think that there are some clear reasons for that:
- Web server botnets offer a unique model of monetizaton through traffic-redirection, drive-by download attacks, black SEO etc.
- Web servers have a good uptime, network channel and are more powerful than ordinary personal computers.
- In the *nix world autoupdate technologies aren’t widely used, especially in comparison to desktops and smartphones. The vast majority of webmasters and system administrators have to update their software manually and test that their infrastructure works correctly. For ordinary web sites serious maintenance is quite expensive and often webmasters doesn’t have an opportunity to do it. This allows hackers to find vulnerable web servers easily and to use such web servers in their botnets.
- In the *nix world the use of antivirus technologies isn’t widespread. A lot of vendors don’t offer any proactive defense and process memory checking modules. In addition, an ordinary webmaster usually doesn’t want to spend time reading the manuals of such software and solving possible performance issues that might occur.
We researched and disclosed the following malware families:
- Ebury and Cdorked
- Mindupper shells
In this presentation we are going to describe some distinguishing features of the botnets and some approaches to research such kinds of threats.