Focus on Apple
Re: several news stories on Macs being zombies Jan 08 2007 04:57PM
Dave Schroeder (das doit wisc edu)

On Jan 7, 2007, at 10:03 PM, kevhoy wrote:

> This weekend, I have seen several stories that say some version of
> the following.
>
> While some zombie computer crimes have been linked to computers
> running Linux or Macintosh operating systems, officials have warned
> that Windows systems are the most susceptible.
>
> http://www.upi.com/NewsTrack/view.php?StoryID=20070107-042614-5177r
>
>
>
> So far botnets have predominantly infected Windows-based computers,
> although there have been scattered reports of botnet-related
> attacks on computers running the Linux and Macintosh operating
> systems.
>
> http://www.nytimes.com/2007/01/07/technology/07net.html?_r=1&oref=slogin
>
>
>
> Is there any real truth to these reports? I haven't seen this
> reported here or anywhere else. Are these just repeating the same
> story? Could someone please elaborate if this is truly happening?

Yes. Botnets can easily originate from UNIX-based systems, including
Linux and Mac OS X, and I will categorically guarantee you that they
are irc bots or bouncers (like psybnc) that have been installed via
either:

1.) user-level accounts with weak passwords, or

2.) vulnerable php-based web applications

Linux and Mac OS X/Mac OS X Server are just as vulnerable to these as
anything else, but they are NOT because of a deficiency in the
operating system proper, or because people are "targeting" Mac OS X
more (in fact, when these bots are installed, the automated process
run by some script kiddie somewhere probably doesn't know/care that
it's Mac OS X). They're because of poor account/password management
(brute force password guessing of simple passwords, or accounts like
"temp/temp", and you'd be surprised at how common these are), or
vulnerable php-based web applications, such as forums, blogs, photo
galleries, wikis, etc. I have seen some cases where people do go a
step further and install/run a generic rootkit, some of which are now
aware of Mac OS X/Darwin-specific vulnerabilities.

I've seen many instances of this type of thing on Mac OS X/Mac OS X
Server, and they've almost always been psybnc, and we've nearly
always been able to definitively (with logs or other direct evidence)
trace it back to a weak account password on a machine with ssh
enabled, or a vulnerable web app. Never has it been any typical
"user"-level issue, or anything on the level that typically happens
with Windows desktop-type issues. These boxes are always servers (or
being used in a server capacity), and the fact that they're Linux,
Mac OS X, Solaris, etc., is incidental, as these are cases where the
OS isn't what's targeted: it's a user account or a web app that
happens to be vulnerable, that happens to be running on some OS. Of
course, mainstream press coverage of this really isn't going to
understand that nuance, and I wouldn't expect it to.

- Dave
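
The pattern described in the message above (repeated password guesses against ssh, ending in a successful login to a weakly protected account) can be checked for in sshd logs. This is an added example, not part of the original post; the log lines, host name, addresses and failure threshold are constructed assumptions, with the lines following the OpenSSH message format.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (OpenSSH message format); IPs are documentation ranges.
SAMPLE_LOG = """\
Jan  8 03:11:02 xserve sshd[411]: Failed password for invalid user test from 192.0.2.10 port 40112 ssh2
Jan  8 03:11:04 xserve sshd[413]: Failed password for invalid user guest from 192.0.2.10 port 40118 ssh2
Jan  8 03:11:07 xserve sshd[415]: Failed password for temp from 192.0.2.10 port 40125 ssh2
Jan  8 03:11:09 xserve sshd[417]: Failed password for temp from 192.0.2.10 port 40131 ssh2
Jan  8 03:11:12 xserve sshd[419]: Accepted password for temp from 192.0.2.10 port 40140 ssh2
Jan  8 09:30:45 xserve sshd[530]: Failed password for alice from 198.51.100.7 port 51200 ssh2
Jan  8 09:30:52 xserve sshd[530]: Accepted password for alice from 198.51.100.7 port 51200 ssh2
Jan  8 10:02:13 xserve sshd[602]: Accepted publickey for bob from 203.0.113.5 port 60022 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted password for X from IP".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_guessed_logins(log_text, min_failures=3):
    """Return (ip, user, failures_before, distinct_users_tried) for each password
    login that succeeded after at least min_failures failures from the same IP."""
    failures = defaultdict(list)  # ip -> usernames tried since its last success
    hits = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip].append(user)
            continue
        # Accepted login: report it only if it is a password login preceded by guessing.
        if m["method"] == "password" and len(failures[ip]) >= min_failures:
            hits.append((ip, user, len(failures[ip]), len(set(failures[ip]))))
        failures[ip].clear()
    return hits

if __name__ == "__main__":
    for ip, user, n, users in find_guessed_logins(SAMPLE_LOG):
        print(f"{ip}: password login as {user!r} after {n} failures across {users} usernames")
```

A single mistyped password followed by a success (the `alice` lines) stays below the threshold, and key-based logins are never reported.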

Copyright 2010, SecurityFocus