How a Linux bug may affect Windows-based infrastructure

The recent developments with “big bugs” such as Heartbleed and Shellshock created a global security strain, with many questions emerging. Both bugs were open-source software-related, but indirectly they would constitute a threat to Windows-based infrastructure. In this post we review a few scenarios of an attack on mostly Windows-based network with Linux servers at certain points.

The recent developments with “big bugs” such as Heartbleed and Shellshock created a global security strain with a lot of questions. Both bugs were open-source software-related, but indirectly they could constitute a threat to Windows-based infrastructure.

Many IT workers agree that to determine how a Linux bug might affect Windows-based infrastructure, certain clarifications are required. They have pinpointed a few scenarios where a successfully exploited flaw in Linux, or some additional software used with it, may be used to inflict harm on Windows-based infrastructure. Depending on the position of the Linux-based machine in the network, the consequences may be more or less dramatic.

1. At the gates…

The worst-case scenario is when the flawed Linux-based machine is the main gateway of a company’s local network.

If it goes down, so does the entire network: it stops distributing the network addresses, no traffic is going through it so you get disconnected from the Web, and the local network is crumbling. It doesn’t matter if the endpoint workstation is based on Windows, Mac OS X, or another OS (some desktop variant of Linux perhaps). If attackers have “pwned” and crashed the gateway, the entire system is gone. However, it is more likely that commercial-minded attackers would use this machine to set up a foothold within the corporate network for some time – possibly a very long time given that the network devices are often overlooked, and the Linux-based machines are considered safe and resilient to attacks.

The same server may be also used to redirect all traffic to or through some malicious website, seeding Windows malware all over the endpoints. A few years ago a handful of DNS-changing Trojans ran rampant, among them the notorious Zlob Trojan. One of its variants was called DNSChanger and it took the FBI’s “Operation Ghost Click” to take it down. The FBI hijacked DNSChanger’s C&C servers, and then kept them up for months while actively promoting the measures to clean the endpoint PCs so that people wouldn’t lose connection to the Internet completely.

Some other Zlob variants were attempted – often quite successfully – to hack any detected router and change the DNS settings. Then it would re-route traffic from legitimate websites to suspicious or malicious ones, while displaying the stacks of adult-themed banners in the browser.

If we speak specifically to Shellshock, the concerns that it can be used in order to conduct attacks against broadband routers surfaced almost immediately. And since Shellshock grants a potential ability to run an arbitrary code on the affected system, it’s not hard to imagine a multi-stage attack with the goal to set the entire network of a targeted company on fire – or just spy on it.


2. Where the wild files grow

Another scenario: Attackers would love to get the server under their control so that they will have access to all corporate data stored there and shared between the employees, given that it’s unencrypted.

It is common for a company to use some Linux-based file-server for their collaboration and file-sharing needs while the endpoints are Windows-based. Attackers might spear-phish some of the target company’s employees, delivering spying malware on his or her desktop and getting it under their control. Then they’d try to identify the file-server, given it is located on the same network as the attacked desktop, and after making sure that it runs on Linux with unpatched Bash, exploit its vulnerability to take it over as well. From there, they can theoretically do anything with data stored there – export, modify, delete or even install extra malware which would be distributed across the whole network, infecting other desktops. If the data isn’t encrypted, that’s all an easy task.

The possibility of such “multi-route” attacks where attackers use malware for different operating systems had been envisioned by Kaspersky Lab’s experts many years ago; even then it was clear that despite the general opinion, Linux wasn’t safe from malware attacks.

There is also a question of attacking a virtual infrastructure where most of the VMs run on Windows, while the hypervisor is a Linux-based solution. This will be covered in one of our upcoming posts.