In a recent thread it was suggested that Linux is as vulnerable as Windows, and as proof a list of exploits was given that had been published on almost the same day as the discussion. Here is the list that was given:
So, what's a Linux newbie to think? "OMG! Greygeek says only about 12 exploits in 15 years and here is a listing which shows 9 posted in one day! Linux must be as vulnerable as Windows!"
2010-07-08 Ubuntu PAM MOTD File Tampering (Privilege Escalation)
2010-07-05 linux/x86 polymorphic Drop suid shell root /tmp/.hiddenshell 161 bytes
2010-07-05 linux/x86 bind sh@64533 97 bytes
2010-07-05 linux/x86 lynx polymorphic shellcode 84 bytes
2010-07-05 linux/x86 setreuid(0,0) execve("/bin/sh",NULL,NULL) encoded 62 bytes
2010-07-05 linux/x86 /proc/sys/kernel/randomize_va_space SUB encoded 111 bytes
2010-07-05 linux/x86 bind port to 6678 XOR encoded polymorphic shellcode 125 bytes
2010-07-05 linux/x86 nc -lp 31337 -e /bin/sh polymorphic shellcode 91 bytes
The next day an article on a security news site was cited: http://www.h-online.com/open/news/it...e-1034618.html in further support of the belief that Linux is as vulnerable as Windows.
A couple of days ago I decided to look deeper into that "threat", the proof that Linux was as vulnerable as Windows.
Ubuntu security announced the PATCH to PAM_MOTD on July 7th. Notice the date and time of the post.
https://lists.ubuntu.com/archives/ub...ly/001117.html
Kees Cook kees at ubuntu.com
Wed Jul 7 23:38:25 BST 2010
The Twitter post which the H-Online article referred to is at:
https://twitter.com/jonoberheide/status/18009527979
rm -rf ~/.cache;
ln -s /etc/shadow ~/.cache;
ssh localhost (trigger pam_motd by re-logging in and you'll own /etc/shadow)
#tweetsploits 11:42 PM Jul 7th via web
jonoberheide
Jon Oberheide
The dates are the same, but notice the time on that tweet. Dr. Oberheide is in Michigan, which is on EDT. The Ubuntu announcement was made in BST, which is 5 hours ahead of EDT; 11:42 PM is also 23:42.
Subtracting 5 hours from the BST time gives 18:38 EDT. It was 18:38 in Michigan when Ubuntu posted the security announcement. The tweet by Dr. Oberheide was posted at 23:42, 5 HOURS AFTER the Ubuntu security announcement was posted (Twitter shows times in the viewer's configured zone, so this assumes the 11:42 PM shown is Eastern). Dr. Oberheide had obviously read the security announcement before he posted his tweet. He is Co-Founder of Scio Security (http://www.sciosecurity.com).
More important, the exploit was for a hole which had already been announced. But, was it patched?
Let's look at the time stamps on the code that was merged into the Launchpad repository.
The Bazaar changelog on Launchpad reports:
Kees Cook 2010-07-07 11:55:09
(3.2.5 squeeze)
Revision ID: james.westby@ubuntu.com-20100707105509-0g9nwq37at7yvfwj
Tags: 1.1.0-2ubuntu1.1
* SECURITY UPDATE: root privilege escalation via symlink following.
- debian/patches-applied/pam_motd-legal-notice: drop privs for work.
- CVE-2010-0832
pam (1.1.0-2ubuntu1.1) karmic-security; urgency=low
* SECURITY UPDATE: root privilege escalation via symlink following.
- debian/patches-applied/pam_motd-legal-notice: drop privs for work.
- CVE-2010-0832
-- Kees Cook <kees@ubuntu.com> Wed, 07 Jul 2010 10:55:09 -0700
+++ pam-1.1.0/modules/pam_motd/pam_motd.c 2010-07-07 11:47:35.296210838 -0700
So the patch had been committed on the 7th. Note the zone on the changelog stamp, though: 10:55:09 -0700 is US Pacific daylight time, which is 18:55 BST, and Launchpad's "11:55:09" is the same instant rendered in another zone, not a separate event. The pam_motd.c file in the diff header is dated 11:47:35 -0700, eight minutes earlier still. That puts the fix in the code base roughly five hours before the 23:38 BST security announcement.
Also, the urgency was marked "low", probably because it is a LOCAL exploit: it is useless to anyone who does not already have an account on the machine.
The security announcement lists the patched package for Ubuntu 10.04 LTS as libpam-modules 1.1.1-2ubuntu5. Out of curiosity I examined my /var/cache/apt/archives and found that my libpam-modules and related files WERE ALREADY PATCHED, with a time stamp of 07-07-10 10:05:06 PM, which is about 12 hours after the code was merged into the code base, 6 hours after the announcement, and only a couple of hours after Dr. Oberheide's tweet! See the attached graphic. So the pam_motd security hole was patched AND ROLLED OUT BEFORE the forum discussion, and well before the inj3ct0r website published its "exploit" on the 8th. Code can't be called an exploit if there is no hole left to exploit.
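To show what "root privilege escalation via symlink following" in that changelog means in code, here is an added example in C (pam_motd is a C module). It is mine, not pam_motd's source and not the Ubuntu patch: a naive stamp-file writer that follows whatever the path points at, beside a hardened one that refuses symlinks with O_NOFOLLOW. It runs unprivileged in a scratch directory it creates itself, with a constructed file standing in for /etc/shadow; the function names, the scratch directory and the sample content are all assumptions of the example. The real module ran as root, so the same open() against a user-planted ~/.cache link clobbered the link target; the Ubuntu fix took the other route and dropped privileges before touching the user's files, which also covers a symlinked parent directory that O_NOFOLLOW on the final component does not.

```c
/* Added example: the symlink-following bug class behind CVE-2010-0832,
 * shown with a naive stamp-file writer beside a hardened one.  This is not
 * pam_motd's source or the Ubuntu patch; the names, the scratch directory
 * and the sample "shadow" content are all constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: open() follows whatever the path points at.  Run as
 * root against a user-planted symlink (ln -s /etc/shadow ~/.cache), this
 * truncates or otherwise tampers with the link target. */
int stamp_naive(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP when the final
 * component is a symlink.  A privileged caller should still drop to the
 * user's uid/gid first (what the Ubuntu fix did), because O_NOFOLLOW does
 * not protect against a symlinked parent directory. */
int stamp_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;          /* errno == ELOOP for a symlink */
    close(fd);
    return 0;
}

/* Builds a constructed victim file and a symlink to it in a fresh private
 * directory (mkdtemp, so the demo itself is not open to the same attack),
 * then runs both writers against the link.  Reports the victim's size after
 * the naive write and the errno from the safe write. */
int demo(off_t *victim_size_after_naive, int *safe_errno)
{
    char dir[] = "/tmp/motd-demo-XXXXXX";
    char victim[256], lnk[256];
    struct stat st;
    FILE *f;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/.cache", dir);

    /* constructed stand-in for /etc/shadow */
    f = fopen(victim, "w");
    if (f == NULL)
        return -1;
    fputs("root:$6$constructed$notarealhash:14800:0:99999:7:::\n", f);
    fclose(f);

    if (symlink(victim, lnk) != 0)
        return -1;

    /* naive writer follows the link and empties the victim */
    if (stamp_naive(lnk) != 0 || stat(victim, &st) != 0)
        return -1;
    *victim_size_after_naive = st.st_size;

    /* safe writer refuses to touch the link */
    errno = 0;
    *safe_errno = (stamp_safe(lnk) == 0) ? 0 : errno;

    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return 0;
}

/* Returns 1 when the naive writer clobbered the victim (size 0) and the
 * safe writer refused with ELOOP, the two facts the example is meant to show. */
int demo_shows_fix(void)
{
    off_t size = -1;
    int err = 0;
    if (demo(&size, &err) != 0)
        return 0;
    return size == 0 && err == ELOOP;
}

int main(void)
{
    off_t size;
    int err;
    if (demo(&size, &err) != 0) {
        perror("demo");
        return 1;
    }
    printf("victim after naive write: %lld bytes\n", (long long)size);
    printf("safe write on symlink: %s\n",
           err == ELOOP ? "refused with ELOOP" : strerror(err));
    return 0;
}
```

Compile with cc -o motd-demo motd-demo.c and run it: the naive writer leaves the victim at 0 bytes and the safe writer fails with ELOOP. If the stamp file must not pre-exist, add O_EXCL as well; on Linux a symlink then fails with EEXIST rather than ELOOP, so check for either errno when you combine the flags.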
It didn't take long to find where the list of Linux "vulnerabilities" was located: http://inj3ct0r.com/shellcode/linux/x86
Other hacker websites have similar lists, but the inj3ct0r list was already in the format in which the "proof" was posted.
Nine exploits were listed to counter my claim that there have been only about a dozen Linux exploits found in the wild in 15 years (I should add "effective"), and to bolster the claim that Linux is as vulnerable as Windows, or at least more vulnerable than I think it is. Besides the PAM exploit eight more were listed, and I suspect they were cut and pasted from the "Linux /x86 Shellcode" section of inj3ct0r.com. Here is a complete listing with all the information.
2010-07-05 linux/x86 bind port to 6678 XOR encoded polymorphic shellcode 125 bytes  linux/x86  200  gunslinger_
2010-07-05 linux/x86 nc -lp 31337 -e /bin/sh polymorphic shellcode 91 bytes  linux/x86  183  gunslinger_
2010-07-05 linux/x86 send "visit inj3ct0r.com" to all konsole XOR encoded 99 bytes  linux/x86  308  gunslinger_
2010-07-05 linux/x86 /proc/sys/kernel/randomize_va_space SUB encoded 111 bytes  linux/x86  173  gunslinger_
2010-07-05 linux/x86 setreuid(0,0) execve("/bin/sh",NULL,NULL) encoded 62 bytes  linux/x86  202  gunslinger_
2010-07-05 linux/x86 lynx polymorphic shellcode 84 bytes  linux/x86  270  gunslinger_
2010-07-05 linux/x86 bind sh@64533 97 bytes  linux/x86  175  Magnefikko
2010-07-05 linux/x86 polymorphic Drop suid shell root /tmp/.hiddenshell 161 bytes  linux/x86  224  gunslinger_
As you can see, all but one of those programs were published by "gunslinger_", who has a blog on WordPress, and they were all published on the 5th of July. It is important to remember that the pam_motd "exploit" was published on July 8th, not the 5th. It is also important to note that these entries are "shellcode", not exploits: shellcode is the payload an attacker runs after some other vulnerability has already handed them code execution, and by itself it opens no hole. None of these can be used to gain access to a Linux box over the network; the setreuid(0,0) and "drop suid shell" payloads, for instance, do nothing useful unless the attacker already has a way to run code on the machine, typically a local account plus a separate, unpatched privilege-escalation bug.
The http://www.ubuntu.com/usn/usn-959-1 page, which covers the vulnerability the Ubuntu security announcement was made about (it is also dated July 7th), includes the following:
Details follow:
Denis Excoffier discovered that the PAM MOTD module in Ubuntu did not correctly handle path permissions when creating user file stamps. A local attacker could exploit this to gain root privileges.
So a "hak0r" did NOT find the pam_motd hole. Denis Excoffier is not a hak0r. He is a professional coder working for Airbus in France who contributes to FOSS regularly. He was the first to inform Ubuntu of the pam_motd (Message of the Day PAM module) LOCAL privilege-escalation hole.
Most Linux desktops have only one user account. Additional users on these home or family computers are family members. Their concerns are not LOCAL exploits but REMOTE exploits. So, let's look at the Linux remote exploits listed at inj3ct0r for ALL of this year AND Last:
2010-07-18 AIX5l with FTP-Server Remote Root Hash Disclosure Exploit  linux  425  Kingcope
2010-06-13 Unreal IRCD 3.2.8.1 Remote Downloader/Execute Trojan  linux  1382  anonymous
2010-05-13 WFTPD Server 3.30 Multiple remote vulnerabilities (0day)  linux  939  n/a
2010-04-03 Sun Microsystems Sun Java System Web Server file disclosure exploit  linux  352  Kingcope
2010-04-03 Sun Microsystems Sun Java System Web Server remote exploit  linux  568  Kingcope
2010-03-31 OpenDcHub 0.8.1 Remote Code Execution Exploit  linux  436  Pierre Nogues
2009-07-14 Virtualmin < 3.703 Multiple Local/Remote Vulnerabilities  linux  160  Filip Palian
2009-06-04 Kloxo 5.75 (24 Issues) Multiple Remote Vulnerabilities  linux  157  Inj3ct0r
2009-04-29 Adobe 8.1.4/9.1 customDictionaryOpen() Code Execution Exploit  linux  124  Arr1val
2009-04-29 Adobe Reader 8.1.4/9.1 GetAnnots() Remote Code Execution Exploit  linux  123  Arr1val
2009-04-28 Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit  linux  294  sgrakkyu
2009-04-09 net2ftp <= 0.97 Cross-Site Scripting/Request Forgery Vulnerabilities  linux  106  cicatriz
2009-01-08 Samba < 3.0.20 Remote Heap Overflow Exploit (oldie but goodie)  linux  212  zuc
Short list, isn't it, for covering a year and a half. Two of those entries (the AIX FTP server and WFTPD, a Windows FTP server) are not even Linux software. There are fewer than 200 remote exploits listed since Nov 16, 2000, which works out to fewer than two a month. Hardly the dozen or more per month claimed. One can't claim there are more because other hak0r sites have more listings: these sites make a point of sharing their exploits with each other, and hak0rs post their work on as many sites as they can.
Also, just because an exploit is listed doesn't mean that it ever was, or still is, a threat, as we found out with the pam_motd "exploit". The real question is how many viruses are wandering around IN THE WILD, automatically infecting Linux boxes without assistance from the user. I searched the Internet (and you can too) for news of a few of these exploits appearing in the wild. I couldn't find any. I found LOTS of other hak0r sites listing the exploit code, but no news of the exploit IN THE WILD.
You may want to browse around Symantec's list of Linux viruses. http://searchg.symantec.com/search?q...S&proxycustom=
With the exception of the known dozen or so Linux threats which infected more than a handful of machines, most of the Linux malware listed is like Linux.Phalax, from 2008. Note that the number of known infections was fewer than 50, and it was found at fewer than 3 sites. It was also easy to contain and remove.
Linux.Phalax
Risk Level 1: Very Low
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Medium
* Payload: Opens a back door on the compromised computer.
Distribution
* Distribution Level: Low
Writeup By: Alfredo Pesoli
Or, Linux.Psybot, which appeared in March, 2009, and quickly disappeared.
Linux.Psybot
Risk Level 1: Very Low
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
* Payload: Spreads through routers.
Distribution
* Distribution Level: Low
* Ports: May lock administrative access to certain ports.
* Target of Infection: Targets routers and DSL modems.
Writeup By: Liam O Murchu & Mario Ballano
It has the same coverage and effect as Linux.Phalax: essentially NONE. For purposes of comparison, here is the information on the Slapper worm.
http://www.symantec.com/security_res...091311-5851-99
Linux.Slapper.Worm
Risk Level 2: Low
Threat Assessment
Wild
* Wild Level: Medium
* Number of Infections: More than 1000
* Number of Sites: More than 10
* Geographical Distribution: Medium
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
Distribution
* Distribution Level: Medium
Writeup By: Peter Szor
SO MANY "infective" agents are found at so few sites in such small numbers that one suspects the ONLY sites they have been found on are the research computers of the AV houses. It is too much of a coincidence for such statistics to be chance. I suspect that AV houses were attempting to create Linux infective agents which could be released into the wild to "salt the mines" for their AV sales.
The Slapper worm was the only Linux malware in the last 10 years that had more than 50 infections and was found at more than 2 sites, mostly on boxes where the user was running as root. Even then it was easy to contain and remove. I've also noticed that the database has viruses which are Windows viruses with "Linux" added to their names; Windows JPEG "cross-platform" viruses are treated this way. Also, while only the first 100 infective agents are listed, you can keep clicking the "next" button and it will continue to show you several hundred agents.
Despite all their marketing, their claims of Linux vulnerability, and their puffing up of possible Linux infections (i.e., "exploits"), the AV houses have not been able to generate a market within the Linux user base because the need remains undemonstrated. Linux users, if they run AV software at all, do so to avoid passing on Windows viruses to their Windows-using friends. Other Linux users take no such precautions, claiming it is not their responsibility to help Windows users keep their machines from getting infected. That is what Microsoft was paid to do.
So, while you are regularly treated to yet another news story of a virus or Trojan infecting large numbers of Windows boxes even without the cooperation of the user, one RARELY even hears of a break-in on a Linux computer, let alone a bot farm. A year ago it took hackers about 180 days to create a farm containing 770 bots. Let that fact soak in. IF there were an easier way to gain control of a large collection of Linux boxes, do you really think professional thieves would use difficult manual break-ins? This large expenditure of personal labor to capture such a small number of Linux boxes also demonstrates what HIGH VALUE professional thieves place on Linux. After they gain control of a box they do what the user should have done: secure it against further remote exploits. They want to protect their investment. Another fact that this event brings out is that most Linux boxes, either because of built-in security measures during install, like Ubuntu or Kubuntu, or because of diligent users, are too secure for professional thieves to break into. If that were not the case these thieves would have captured many, many more than 770 boxes. Or they wouldn't have bothered investing in a box at all if another thief could so easily capture it.
If you see two guys running around a track and one keeps stumbling countless times and the other only rarely, it's hard to claim that both are equally clumsy.