Security Ripcord


Anti-Virus For All

I have been a part of many conversations about Linux-based systems running anti-virus.  To date my best argument for why it should be taken into consideration has been that it ensures that your hardening standards are consistent across the environment.  Pointing out that Linux-based malware, rootkits, and privilege escalation vulnerabilities exist has been met with grumbled “Whatever”s, shaking of heads, and a look that says “this conversation had better move on or we are done here.”  A recent incident response, however, has given me a better example of how anti-virus running on any system, especially servers, can be beneficial.

Let’s set up the scenario.  A US-based company has operating system hardening standards that it adheres to for all deployments.  Servers should not be placed on the internal network until it is proven that the server has been updated and hardened appropriately.  These hardening standards include anti-virus and file integrity software on all systems regardless of operating system.  So you can imagine the surprise of one of the network administrators when she received an email from a company overseas asking them to investigate a server that was conducting an FTP brute force attack against several of their servers.  A quick investigation showed that there had been a significant amount of network communication between this internal server and several external IP addresses.

Network administrators started looking at the internal system in more detail.  It turns out that several developers, in an effort to test updates to one of the company’s primary web-based applications, had placed a test web server and database on the network.  Because of some older firewall rules, the IP address they gave the server permitted access to it on ports 80, 443, and 22.  Further investigation determined that these developers did not follow company policy and harden the server, although they did install Symantec Anti-Virus and configure it to start when the system booted.  After some initial investigation by server administrators the server was isolated from the network and I was asked to perform a data analysis to determine what had occurred on the system.

Once the data analysis was complete the story was fairly straightforward.  After being accessible from the Internet for approximately 24 hours the “root” account was accessed via an SSH brute force attack.  This despite the fact that the developers had used an 8-character password with upper and lower case letters, one number, and one special character (the administrator I talked to also stated that it did not appear to be a modified dictionary word that he could readily recognize).  Although the SSH brute force attack should have been very noticeable from a network standpoint, it was never flagged.  With access to the “root” account the remote users started uploading tools to the server.  Specifically, several well-known attack scripts for running brute force and denial of service attacks, along with programs designed to connect the server to a botnet, were uploaded to the server.  Symantec anti-virus started alerting immediately.  Although it did not detect all of the malicious files that were uploaded, it definitely identified and quarantined many of them while writing alerts to the system’s syslog.

As with all system compromises, this scenario shows a breakdown of security protections on multiple levels.  Incident response plans are recommended, and in some cases mandatory, for this very reason.  But I find it interesting that of all the security controls this company had in place, the one that ended up performing its task best was the anti-virus program on a Linux-based operating system.  Although anti-virus can be considered a prevention control, it is primarily a detection control.  Had this system been configured to log centrally, or had the developers periodically reviewed the system logs, the unauthorized access would have been detected almost immediately.  As it was, the system was used to attack other systems on the Internet for about a week before somebody alerted the company to the problem.
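The log review the post says never happened, as an added example that is not from the original post: a small Python reviewer run over a constructed syslog excerpt that flags a burst of SSH failures per source address, a successful login that follows such a burst, direct root logins, and anti-virus quarantine lines (the `antivirus` program name, its message format and the risk names are hypothetical, not Symantec's real format).

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Constructed syslog excerpt (not from the incident in the post); the
# "antivirus" program name and its message format are hypothetical.
SAMPLE_LOG = """\
Jun 12 03:14:01 webtest sshd[2211]: Failed password for root from 203.0.113.45 port 51012 ssh2
Jun 12 03:14:02 webtest sshd[2213]: Failed password for root from 203.0.113.45 port 51020 ssh2
Jun 12 03:14:02 webtest sshd[2215]: Failed password for root from 203.0.113.45 port 51031 ssh2
Jun 12 03:14:03 webtest sshd[2217]: Failed password for root from 203.0.113.45 port 51044 ssh2
Jun 12 03:14:04 webtest sshd[2219]: Failed password for root from 203.0.113.45 port 51057 ssh2
Jun 12 03:14:09 webtest sshd[2230]: Accepted password for root from 203.0.113.45 port 51090 ssh2
Jun 12 03:20:15 webtest sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Jun 12 03:31:40 webtest antivirus[900]: Risk found: Hacktool.Generic in /tmp/.x/ssh-scan - Quarantined
Jun 12 03:31:41 webtest antivirus[900]: Risk found: Backdoor.IRC.Bot in /tmp/.x/bot.pl - Quarantined
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
FAILED = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
AV = re.compile(TS + r"antivirus\[\d+\]: Risk found: (\S+) in (\S+) - Quarantined")

def _ts(s):
    # syslog timestamps carry no year; a fixed one keeps them comparable
    return datetime.strptime("2009 " + s, "%Y %b %d %H:%M:%S")

def analyze(log_text, threshold=5, window_s=60):
    """Return (kind, source, detail) alerts a log reviewer should act on."""
    alerts, flagged = [], set()
    failures = defaultdict(deque)          # source IP -> recent failure times
    for line in log_text.splitlines():
        if m := FAILED.match(line):
            t, src = _ts(m.group(1)), m.group(3)
            q = failures[src]
            q.append(t)
            while (t - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("ssh_bruteforce", src, f"{len(q)} failures in {window_s}s"))
        elif m := ACCEPTED.match(line):
            user, src = m.group(2), m.group(3)
            if src in flagged:             # the pattern in the post: success after a burst
                alerts.append(("bruteforce_success", src, f"login as {user}"))
            elif user == "root":
                alerts.append(("root_login", src, "direct root login over SSH"))
        elif m := AV.match(line):
            alerts.append(("av_quarantine", m.group(3), m.group(2)))
    return alerts
```

Shipping the same syslog to a central collector and running a check like this on a schedule is what closes the week-long gap described above.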

Hopefully this provides a somewhat better explanation of the need for and usefulness of deploying anti-virus programs within a Linux, Unix, Mac, FreeBSD, etc. environment.  Not only are you protecting your own assets by reducing the gap between system compromise and your staff’s response, you are also making the Interwebs a safer place.

Go forth and do good things,

Don C. Weber





2 Responses to “Anti-Virus For All”

  1. Protecting your own servers, whatever the operating system may be, is about more than being a good internet neighbor. If your site is broken into it may be used to launch attacks against targets much closer to home than an overseas company. Attacks installed on your site can affect your visitors and thereby have a direct consequence for your own reputation.
    For example, it is believed that the theft of FTP credentials, used to upload content to websites, was behind a significant proportion of the recent Gumblar (Troj/JSRedir-R) attacks against websites. Stolen credentials work irrespective of your server platform, but anti-virus protection would alert you to the breach as malicious code is installed on your servers.

    Richard Wang – SophosLabs

  2. @doob,

    Thank you for your input.

    Don
