Microsoft confirms Russian pill-pusher attack on its network
Is there a Linux admin in the house?
Microsoft has confirmed that two devices on its corporate network were compromised to help a notorious gang of Russian criminals push Viagra, Human Growth Hormone, and other knockoff pharmaceuticals.
The admission came in response to an article The Register published on Tuesday. It reported that two internet addresses belonging to Microsoft were helping to route traffic to more than 1,000 websites that belong to a fraudulent online pharmacy known as the Canadian Health&Care Mall. Microsoft on Wednesday said an investigation of that report confirmed the hijacking was the result of an attack on machines connected to its network.
“We have completed our investigation and found that two misconfigured network hardware devices in a testing lab were compromised due to human error,” the five-sentence statement said. “Those devices have been removed and we can confirm that no customer data was compromised and no production systems were affected. We are taking steps to better ensure that testing lab hardware devices that are internet accessible are configured with proper security controls.”
According to network security researcher Ronald F. Guilmette, the Microsoft IP addresses had been used to host the websites' authoritative name servers since at least September 22. El Reg ran the data he supplied by experts in DNS and botnet take-downs, and most said it likely indicated that one or more machines on Microsoft's network had been infected with malware.
About 24 hours after The Reg article ran, security reporter Brian Krebs reported that one of the two Microsoft IPs had been used to coordinate a massive denial-of-service attack against his website, KrebsOnSecurity.com. Shortly after the attacks began on September 23, researchers were able to pinpoint the Microsoft IP and within hours they notified Microsoft of the compromised IPs, the site reported.
Remarkably, the machines weren't unplugged from Microsoft's network until Tuesday, almost three weeks later, shortly after The Register article was published. Also notable, according to Krebs, the machines that were compromised were running Linux. ®
Use Linux day in, day out, nothing better or worse about Linux than Windows. You stick stupid password like [blank] on the root or any other high admin user account, connect it to the big 'ole web and watch it get pwned 3 sec flat!
The best O/S is one configured correctly by someone who knows what they are doing. Even as a Penguinista, I would happily put a good Windows admin up against a Unix admin.
The trouble is the world and his wife use Windows at home, have for years, when they get in the workplace they put down on the CV that they can admin a Windows box, just 'cos they managed to find the network configuration dialogs in control panel! Then there are the muppets who think just 'cos they installed Windows Vista at home, configuring Windows server is the same thing.
A good, well trained Windows admin is the match for any system admin on any other system, there's just a lot more cowboys working in the Windows field, so finding good admins is not easy.
Oh God I just stuck up for Windows, I feel all dirty now...
Linux does nothing special to keep an application from being compromised; it merely makes it unlikely for a compromised program to elevate itself to root privileges. This isn't as restrictive as it seems - it's entirely possible for an unprivileged program to do everything described in the article, provided it avoids most ports below 1024 or so (though I'm pretty sure that restriction's limited purely to receiving and that it could send to a low port without hassle).
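The privileged-port boundary the comment above refers to can be probed directly. The following is an added example, not code from the article or from any commenter: it asks the kernel where the unprivileged port range starts, tries to bind a DNS-style UDP socket on port 53 and a TCP socket on an ephemeral port, and sends one datagram from an unbound socket to a low port. It assumes a Linux host with a loopback interface; the 12-byte payload is constructed for the demo and carries nothing.

```python
"""Probe the Linux privileged-port boundary from whatever privilege the process has.

Added example for this thread, not part of the article or the comments.
Assumes Linux with a loopback interface; the probe payload is constructed.
"""
import errno
import os
import socket

# Kernels since 4.11 expose the boundary as a sysctl; stock value is 1024.
PRIV_PORT_SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def privileged_port_floor() -> int:
    """Return the lowest port an unprivileged process may bind (1024 on a stock kernel)."""
    try:
        with open(PRIV_PORT_SYSCTL) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 1024  # sysctl absent (older kernel or non-Linux): assume the classic limit


def try_bind(port: int, udp: bool = False) -> dict:
    """Try to bind a loopback socket on `port`; report whether it worked and the errno name if not.

    Port 0 asks the kernel for an ephemeral port, which always sits above the floor.
    """
    kind = socket.SOCK_DGRAM if udp else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind(("127.0.0.1", port))
        return {"port": sock.getsockname()[1], "bound": True, "error": None}
    except OSError as exc:
        # EACCES: below the floor without root/CAP_NET_BIND_SERVICE; EADDRINUSE: a real daemon owns it.
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return {"port": port, "bound": False, "error": name}
    finally:
        sock.close()


def send_to_low_port(port: int = 53) -> int:
    """Send one UDP datagram from an unbound socket to a low port on loopback.

    The privilege check applies to the local port a socket binds, not to the
    destination, so this needs no privilege. Returns the byte count the kernel accepted.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(b"\x00" * 12, ("127.0.0.1", port))  # constructed, meaningless payload
    finally:
        sock.close()


def summarize() -> dict:
    """Collect the observations behind the comment's claim into one record."""
    return {
        "euid": os.geteuid(),
        "floor": privileged_port_floor(),
        "dns_listener": try_bind(53, udp=True),   # what an authoritative name server needs
        "ephemeral_listener": try_bind(0),        # what a bot's command channel needs
        "bytes_sent_to_53": send_to_low_port(53),  # what a client or flooder needs
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run as an ordinary user on a stock kernel, `dns_listener` comes back with `EACCES` while the ephemeral listener and the outbound send both succeed, which is exactly the asymmetry the comment describes; as root, or with `CAP_NET_BIND_SERVICE`, or with the sysctl lowered, the port-53 bind succeeds too, so the result is worth reading alongside `euid` and `floor` rather than on its own.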
"Network Hardware Devices"
Microsoft called the things "Network Hardware Devices", which sounds more like an ADSL router or some such to me than a Linux Server. These days most commodity network kit is running Linux, and sadly the people that throw together the firmware for these things are often reasonably clueless and rushed embedded hardware engineers, who have no interest in whether the result of their efforts is secure, as long as it provides the main functionality that they've been told to implement. Then they kick it out of the door and forget about it, more often than not failing to provide the board manufacturer with the source, thus setting the manufacturer up for a GPL violation case.
If MS had such a widget in their test lab, well that's no surprise, they were probably checking that UPnP worked on it or some such. Being in their test lab, it probably had the Admin/Admin password still set. I suppose, depending on what exactly they were testing, it's even reasonable that it had to really be plugged into the Internet with no intervening firewall.
The problem is likely to be that quite a lot of these devices default to having ports like FTP and Telnet open on the outside. That is the fault of the rushed engineer that knocked up the firmware. There is also the person that set the kit up, and probably didn't immediately check that it had no port open on the outside, and didn't bother changing the password. The only thing you can really blame Microsoft for is not tracking the problem down more quickly after they were told about it.
Trying to use any of this to draw conclusions about the security or otherwise of GNU/Linux in general is moronic.
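The check the comment above says the lab engineer skipped, whether the box has FTP, Telnet or a web admin page reachable from outside, takes a few lines to automate. This is an added example and not code from the article or from any commenter; it assumes the auditor can reach the device's outside-facing address over TCP, and the port-to-service table is constructed from the protocols the comment names plus the usual admin web ports. The demo listener stands in for an exposed daemon so the audit can be exercised on loopback.

```python
"""Audit which management services a lab device exposes on a given address.

Added example for this thread, not from the article or the comments.
Assumes TCP reachability to the device's outside address; port table constructed.
"""
import socket
from typing import Dict, List, Tuple

# Services that should never answer on the outside interface of lab or CPE kit.
MANAGEMENT_PORTS: Dict[int, str] = {
    21: "ftp",
    22: "ssh",
    23: "telnet",
    80: "http-admin",
    443: "https-admin",
    8080: "http-alt",
}


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes; no banner or login is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_services(host: str, ports: Dict[int, str] = MANAGEMENT_PORTS,
                     timeout: float = 1.0) -> List[str]:
    """Return 'port/name' for every listed service that accepts a connection, sorted by port."""
    return [f"{port}/{name}" for port, name in sorted(ports.items())
            if tcp_open(host, port, timeout)]


def verdict(host: str, ports: Dict[int, str] = MANAGEMENT_PORTS,
            timeout: float = 1.0) -> str:
    """One-line result suitable for a commissioning checklist or a nightly cron job."""
    found = exposed_services(host, ports, timeout)
    if not found:
        return f"OK: no management services reachable on {host}"
    return f"FAIL: {host} exposes {', '.join(found)}"


def open_demo_listener() -> Tuple[socket.socket, int]:
    """Loopback TCP listener on an ephemeral port; stands in for a device's telnet daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port() -> int:
    """Pick an ephemeral port and release it, so a probe against it sees a closed port."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    # Self-contained demo on loopback: one fake telnet daemon, one closed port.
    srv, port = open_demo_listener()
    try:
        print(verdict("127.0.0.1", {port: "telnet", free_closed_port(): "ftp"}))
    finally:
        srv.close()
```

Run it from a host on the outside of the device, not from the lab LAN, otherwise it only confirms what the inside interface offers; an empty result is the expected state for anything that is plugged straight into the Internet, and a `FAIL` line is the cue to close the service or put a firewall in front of the box before moving on.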