The malware ecosystem is a complex environment. Criminals must acquire victims, develop scams and figure out the most effective way to turn that activity into cash. Most Internet crimes are opportunistic, meaning that online attacks are best operated as a high-volume business.
The keys to profitability are the ability to exploit a high percentage of potential victims, being able to cast a wide net to gather said victims, and some sort of payload that can steal information or extort money from a victim.
In research conducted in February 2015 at SophosLabs in Vancouver, Canada, we found that Linux machines represented approximately 80% of the 178,635 newly malicious websites discovered by Sophos during that week. This compares to approximately 73% of all websites being served by non-Windows servers.
Why should this be the case? What leads Linux to be such an integral part of malware distribution?
There appear to be three primary factors that lead online criminals to favor Linux.
- Linux servers are preferred by budget cloud hosting providers for their low cost (free) and flexibility. These providers do not provide security services and largely cater to amateur web enthusiasts.
- Linux servers are undefended. Linux administrators and server operators have the perception that Linux is immune to malware and usually do not install or configure antivirus, firewalls, intrusion prevention systems (IPS) or other defensive technologies.
- Linux exists primarily in the data center. This provides high availability and access to large amounts of bandwidth without triggering suspicious use of network resources.
The unprotected nature of Linux in the enterprise allows for long-term exploitation, as detection isn't typically possible if you aren't looking for problems to begin with.
Based on the data we collected, it appears that most of the innocent websites that are commandeered to host and direct victims to malware, phishing scams and exploits are operated by amateur webmasters. Most servers were neither up to date with operating system patches nor running patched and updated applications like WordPress, Drupal or cPanel.
What can IT professionals do to help prevent this abuse of Linux infrastructure? Here are our recommendations:
- Schedule updates for Linux servers the same as you do for Windows. Have a bi-weekly calendar invitation to remind you to apply the latest fixes.
- Recommend that amateurs use cloud services for hosting blogs and websites rather than operating and being responsible for maintaining entire servers.
- Run antivirus, firewalls, and IPS to protect all assets, regardless of operating system.
- Secure publication systems with two-factor authentication to prevent the abuse of stolen FTP and SSH credentials and keys.
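One way to check the last recommendation on a server that publishes over SSH or SFTP is sketched below. It is an added example, not code from the original article, and it assumes OpenSSH's sshd_config format. It reads only the global section of the file, and the two sample configurations are constructed for illustration.

```python
# Added example: does an OpenSSH sshd_config force two factors for every login?
# The WEAK and STRONG configs are constructed samples, not taken from the article.

def parse_global(config_text):
    """Collect global settings; sshd uses the first value given for a keyword."""
    settings, has_match = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if fields[0].lower() == "match":
            has_match = True  # conditional blocks follow; they need manual review
            break
        value = fields[1].strip() if len(fields) > 1 else ""
        settings.setdefault(fields[0].lower(), value)
    return settings, has_match

def single_factor_paths(auth_methods):
    """Return the AuthenticationMethods alternatives one factor type can satisfy."""
    weak = []
    for alternative in auth_methods.split() or ["any"]:
        # "keyboard-interactive:pam" and "keyboard-interactive" are one factor type
        kinds = {m.split(":", 1)[0].lower() for m in alternative.split(",") if m}
        if alternative.lower() == "any" or len(kinds) < 2:
            weak.append(alternative)
    return weak

def audit(config_text):
    settings, has_match = parse_global(config_text)
    # With no AuthenticationMethods line, sshd accepts any single enabled method.
    paths = single_factor_paths(settings.get("authenticationmethods", "any"))
    return {"global_mfa_enforced": not paths, "single_factor_paths": paths,
            "match_blocks_present": has_match}

WEAK = """
# constructed sample: a stolen key alone is enough
AuthenticationMethods publickey publickey,keyboard-interactive:pam
"""

STRONG = """
# constructed sample: key plus PAM-backed second factor
AuthenticationMethods publickey,keyboard-interactive:pam
AuthenticationMethods any
Match Group sftponly
    AuthenticationMethods password
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, audit(text))
```

A result with `match_blocks_present` set means `Match` blocks can still override the global setting for some users, as the constructed `sftponly` block does, so those blocks need a separate review.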
Malware on Linux – When Penguins Attack
Image of Linux logo courtesy of Flickr user Andrés Álvarez Iglesias.