
A new Linux worm

February 21, 2006

This article was contributed by Jake Edge.

A Linux worm (called "Mare.D" by some) that exploits an old PHP XML-RPC vulnerability has been sighted in the wild and was reported on Sunday to the full-disclosure mailing list. An update later in the day makes it clear that this is a new attack, based on an earlier worm, kaiten, and attempts to connect infected systems to a botnet.

The attack starts with a crafted XML-RPC request aimed at WordPress, Drupal, phpBB and other content management systems that bundled the vulnerable PHP XML-RPC library; the flaw (CVE-2005-1921) was first reported in June 2005. The library built a string of PHP code from the contents of the request and handed it to eval(), so a request whose data breaks out of the expected quoting gets the rest of that data executed as PHP, with no authentication required. In this attack, that first stage fetches a second script from a (now defunct) server and executes it; the second script in turn downloads a pair of executables from the same server, and those are the main payload.
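The decoding mistake described above, modelled as an added example in Python (this is not the PHP library's code; the `demo.echo` method, the `request()` builder and the `mark()` function standing in for the attacker's payload are all assumptions made for the illustration). The buggy decoder turns each string value into source text and evaluates it, so a value containing a quote runs code; the fixed form only parses.

```python
"""Model of the 2005 PHP XML-RPC injection: source code built from request
data and passed to eval(). Python stands in for PHP; this is an added
illustration, not the library's own code."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SIDE_EFFECTS = []   # records whether attacker-supplied code actually ran


def mark():
    """Stand-in for the attacker's payload (the real one fetched and ran a script)."""
    SIDE_EFFECTS.append("payload ran")
    return "pwned"


def vulnerable_decode(xml_body: str) -> list:
    """Decode <string> params the way the buggy library did: splice each value
    into a source string and eval() it. The quoting is naive, so a value that
    contains a quote closes the literal and the remainder is executed as code."""
    root = ET.fromstring(xml_body)
    literals = []
    for value in root.iter("value"):
        text = value.findtext("string") or ""
        literals.append("'" + text + "'")      # no escaping: this is the bug
    source = "[" + ", ".join(literals) + "]"
    return eval(source)                        # data has become code


def safe_decode(xml_body: str) -> list:
    """Fixed form: let the XML parser produce the values; nothing is evaluated."""
    root = ET.fromstring(xml_body)
    return [value.findtext("string") or "" for value in root.iter("value")]


def request(*params: str) -> str:
    """Build a methodCall body; each param is inserted as XML-escaped text."""
    values = "".join(
        f"<param><value><string>{escape(p)}</string></value></param>" for p in params)
    return ("<?xml version='1.0'?><methodCall><methodName>demo.echo</methodName>"
            f"<params>{values}</params></methodCall>")


BENIGN = request("hello")
# The hostile value closes the quote the decoder opened, calls a function, and
# reopens a quote so that the generated source still parses:  '' + mark() + ''
HOSTILE = request("' + mark() + '")

if __name__ == "__main__":
    print("vulnerable:", vulnerable_decode(HOSTILE), SIDE_EFFECTS)   # code ran
    print("fixed:     ", safe_decode(HOSTILE))                       # plain string
```

The two decoders agree on `BENIGN`; only the evaluating one executes the payload in `HOSTILE`. The fix is structural: a decoder that never builds code from request data has nothing for the attacker to break out of.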

The first of these programs is the 'spreader', which scans for other vulnerable hosts and infects them. The other connects to an IRC server that acts as the command and control (C&C) element of a botnet; the IRC server instructs the client to download yet another program which, when executed, opens a backdoor shell. What else the attacker planned for the bots is unknown, as the C&C server has been shut down.

It is worth noting that this worm does not obtain root and does not gain complete control of the host, but it gets enough to be useful to a botnet. The exploit runs with the permissions of the user that owns the httpd process (typically 'apache' or 'httpd'), which is sufficient for the two most likely bot tasks, spamming and distributed denial of service. On the flip side, without root it cannot do much to hide itself: its processes, files and network connections are all visible under the web-server account, so it should be easy to spot on an infected system.
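A first triage pass along those lines, as an added example (not from the article or the reports it cites): it runs over constructed `ps` and `ss` output, assumes the web-server account is called `apache` and that its only legitimate executables are `httpd`/`apache2`, and uses an assumed list of common IRC ports. It flags processes the web-server account should not be running, in particular anything executing out of a world-writable directory, and any connection from those processes to an IRC port.

```python
"""Host triage for a compromise confined to the web-server account.
Added example; parses constructed `ps` and `ss` output, not live data."""
import os
import re

WEB_USER = "apache"
WEB_SERVER_BINARIES = {"httpd", "apache2"}        # what the account normally runs
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
IRC_PORTS = {6667, 6668, 6669, 7000}              # assumed C&C ports, adjust locally

# Constructed sample of `ps -eo user,pid,ppid,args --no-headers`
SAMPLE_PS = """\
root      1001     1 /usr/sbin/httpd -k start
apache    1002  1001 /usr/sbin/httpd -k start
apache    1003  1001 /usr/sbin/httpd -k start
apache    4242  1002 /tmp/.x/a
apache    4243  4242 /bin/sh -c ./spreader
"""

# Constructed sample of `ss -tnp` (State Recv-Q Send-Q Local Peer Process)
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:80    203.0.113.9:51822   users:(("httpd",pid=1002,fd=12))
ESTAB 0 0 10.0.0.5:42001 198.51.100.7:6667   users:(("a",pid=4242,fd=3))
"""

SS_LINE = re.compile(r'^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\(\("[^"]*",pid=(\d+)')


def parse_ps(text: str) -> list:
    """Turn `ps -eo user,pid,ppid,args --no-headers` lines into dicts."""
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pid, ppid, args = line.split(None, 3)
        procs.append({"user": user, "pid": int(pid), "ppid": int(ppid), "args": args})
    return procs


def unexpected_web_user_processes(ps_text: str, web_user: str = WEB_USER) -> list:
    """Processes owned by the web-server account that are not the server itself,
    or whose executable lives in a world-writable directory."""
    flagged = []
    for p in parse_ps(ps_text):
        if p["user"] != web_user:
            continue
        exe = p["args"].split()[0]
        if (os.path.basename(exe) not in WEB_SERVER_BINARIES
                or exe.startswith(WORLD_WRITABLE_DIRS)):
            flagged.append(p)
    return flagged


def irc_connections(ss_text: str, pids: set) -> list:
    """(pid, peer) pairs where one of the given PIDs talks to an IRC port."""
    hits = []
    for line in ss_text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        peer, pid = m.group(3), int(m.group(4))
        port = int(peer.rsplit(":", 1)[1])       # works for [v6]:port too
        if pid in pids and port in IRC_PORTS:
            hits.append((pid, peer))
    return hits


def triage(ps_text: str, ss_text: str) -> dict:
    procs = unexpected_web_user_processes(ps_text)
    pids = {p["pid"] for p in procs}
    return {"unexpected_processes": procs,
            "irc_connections": irc_connections(ss_text, pids)}


if __name__ == "__main__":
    for key, items in triage(SAMPLE_PS, SAMPLE_SS).items():
        print(key)
        for item in items:
            print("  ", item)
```

On a live host, feed it the output of `ps -eo user,pid,ppid,args --no-headers` and `ss -tnp`. An intruder holding only the httpd account cannot alter what those tools report, which is the point made above: the lack of root keeps it from hiding. The same pass should be repeated for files owned by the account under the world-writable directories, since that is where the downloaded scripts and binaries land.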

Overall, the impact of this attack is relatively small, thanks in part to fast action to shut down the servers that were providing the scripts and controlling the botnet. But the backdoor shell is probably still running on hosts that received an "execute" command for that script before the servers were taken down. It is also possible that different versions of the attack are circulating with different server addresses, and those servers may still be up.

As with many malware attacks, this one affects only systems running out-of-date software. Eight months seems like enough time to update, so the fact that vulnerable systems are still out there is a sad testament to how little attention some, probably many, Linux system administrators pay to security.

More information about this exploit can be found in the Shadowserver article and updates on this attack are being posted to the Securiteam blog.



A new Linux worm

Posted Feb 21, 2006 18:33 UTC (Tue) by xtifr (subscriber, #143)

Is this actually a "Linux worm"? Or is it merely a worm that affects any system running old versions of PHP XML-RPC and a vulnerable CMS? Wouldn't Windows/AIX/BSD/Solaris/etc. systems be equally affected? The linked reports didn't really make this clear (at least to me).

A new Linux worm

Posted Feb 21, 2006 19:05 UTC (Tue) by smoogen (subscriber, #97)

The shell script is Bash and the executable it downloads is Linux only... so in this case if you are running Apache on Windows.. you are home clear.

From what I can tell this variant has been around since Feb 14th. The infected bot boxes do a scan for various vulnerabilities.. and then download the worm onto the box. It then executes the worm and listens for commands from the boss-bot.

As always.. your OS is only as good as you can AND will patch it :)

A new Linux worm

Posted Feb 22, 2006 1:40 UTC (Wed) by cventers (guest, #31465)

I wish these malware authors would learn to write portable code so that we can stop calling PHP security problems "Linux" problems... :)

A new Linux worm

Posted Feb 22, 2006 9:46 UTC (Wed) by hawk (subscriber, #3195)

Well, sounds like you're equally exploitable, just that this particular worm isn't compatible with your system.

A new Linux worm

Posted Feb 22, 2006 11:13 UTC (Wed) by nix (subscriber, #2304)

Oh good, another exploit killed by digsig.

A new Linux worm

Posted Feb 23, 2006 8:58 UTC (Thu) by emj (guest, #14307)

Digsig is a Linux kernel module, which checks RSA digital signatures of ELF binaries and libraries before they are run.

But if this had been done with just bash scripts, digsig wouldn't be of much help, right?

A new Linux worm

Posted Feb 23, 2006 9:44 UTC (Thu) by nix (subscriber, #2304)

The webpage is out of date: as of the CVS release (stable as hell despite not being released yet), scripts can be checked too, but it's more annoying (you have to decorate every script you'll run).

A new Linux worm

Posted Feb 22, 2006 9:43 UTC (Wed) by nhippi (subscriber, #34640)

PHP worm might be more appropriate term. However in this case popular media (like usually) is using "Linux" as synonym of "Open Source systems". Considering the extreme popularity of PHP, it is quite surprising there seems to be very little effort to actually make it secure.

The "PHP is the weak link of LAMP security" aspect is amplified with the fact that most PHP applications are not installed with package management (apt/yum), and thus do not get security updates via the normal process.

A new Linux worm

Posted Feb 22, 2006 20:47 UTC (Wed) by NightMonkey (subscriber, #23051)

One of the many reasons I like Gentoo's Portage - web apps are (almost) first-class citizens there. webapp-config, while taking a bit to get used to, allows easy updating of web apps, with similar protection and managed updating of configuration files as in any other application. And it handles virtual hosts!

A new Linux worm

Posted Feb 23, 2006 9:10 UTC (Thu) by tzafrir (subscriber, #11501)

It is also in Debian and was also true for Mandrake last time I looked over three years ago.

However package managers don't interact well with SQL. And furthermore many of those programs are horribly packaged and are a pain to package correctly: no separation between the basic schema and data and the extra data the user adds.

For instance, have you seen any such sql app where the web app does not have full control over the database?

A new Linux worm

Posted Feb 23, 2006 7:41 UTC (Thu) by job (guest, #670)

I get why popular media has some interest in making Linux look bad (as it understandably provides less advertising revenue), but I think LWN could have had PHP in the headline instead. It's not a scandals magazine :).

A new Linux worm

Posted Feb 23, 2006 18:58 UTC (Thu) by cventers (guest, #31465)

Agreed. It's kind of like Stallman's gripe with the "Intellectual Property" propaganda term... using language that confuses the issue clearly destroys the ability to think clearly.

A new Linux worm

Posted Feb 24, 2006 1:56 UTC (Fri) by roelofs (guest, #2599)

> I get why popular media has some interest in making Linux look bad (as it understandably provides less advertising revenue), but I think LWN could have had PHP in the headline instead. It's not a scandals magazine :).

It's also not prone to misleading/inaccurate titles. Did you overlook smoogen's upstream comment? The article clearly states that one of the binaries is what does the "worm" part (i.e., propagation), and his comment identifies said binaries as Linux ones.

If that's not the exact definition of "Linux worm," I don't know what is.

Greg

A new Linux worm

Posted Feb 26, 2006 14:06 UTC (Sun) by job (guest, #670)

If it had been a virus I might agree, but this is different. You don't call a Skype worm a "Windows worm" just because it is platform specific. Just like "the sendmail worm" was exactly that.

Posted Apr 25, 2006 5:41 UTC (Tue) by rickmoen (guest, #6943)

roelofs wrote:

It's also not prone to misleading/inaccurate titles. Did you overlook smoogen's upstream comment? The article clearly states that one of the binaries is what does the "worm" part (i.e., propagation), and his comment identifies said binaries as Linux ones. If that's not the exact definition of "Linux worm," I don't know what is.

Greg, the payload of the "Mare.D" worm (which is really just yet another retread of last year's Lupper/ Plupii/Plupii worm) is only incidentally a Linux x86 ELF binary: Without significant change (and, in most cases without change at all), it could be recompiled for Solaris, *BSD, HP/UX, Mac OS X, Win32, etc.

Calling "Mare" (and Lupper) a "Linux worm" suggests that people running with the exact same, identically exploitable PHPXMLRPC vulnerability on other OS platforms need not pay attention. Does that sound reasonable? And would the exact same exploit code, identical except with the payload compiled for Win32, be fairly regarded as a different "worm"?

In a sense, all of this is actually missing the main point: The real problem isn't "worms", which, after all, are merely automated attack tools against known-exploitable vulnerabilities. The real problem is the underlying vulnerabilities. Any sysadmin who's still running known-remotely-exploitable server-app code by the time the "worms" come out -- inevitably months to years later -- is criminally negligent.

Flaws in user applications that handle public content (Web browsers, MUAs, PDF readers, AV players) concern me a great deal more, frankly. They're more likely to be exposed to danger by completely unwary, security-ignorant people -- as opposed to Web site sysadmins.

Rick Moen
rick@linuxmafia.com

A new Linux worm

Posted Mar 6, 2006 12:27 UTC (Mon) by watkin5 (subscriber, #36313)

Should it not be called a GNU/Linux worm?

Linux Worm? Sure it is.

Posted Feb 23, 2006 9:05 UTC (Thu) by emj (guest, #14307)

If the worm had downloaded itself from the infecting host then this Worm would still be spreading. It's not as bad as Windows worms because very few people run phpBB and stuff, but it's the same danger as Windows worms. It's scary that you just try to shrug it off as "not a Linux specific thing". One should ask what can be done to minimize the damage? Locking down net access for the Apache user? Only running things/scripts not owned by the Apache User?

A new abuse of the Linux term

Posted Feb 25, 2006 1:56 UTC (Sat) by bignose (subscriber, #40)

Linux is the name of a program: an operating system kernel. This is a worm affecting PHP. In what way is this a "Linux worm"? If anything that exploits a particular system configuration, that happens to also include Linux, is to be called a "Linux worm", the term becomes indistinguishable from exploits that *do* affect Linux. By that logic, a better term would be an "Apache worm", since "a system running Apache" is far more likely to be also running PHP than just "a system running Linux".

Please, can we have some journalistic integrity? The misuse of the term "Linux" to refer to any of thousands of programs that may or may not be installed on a particular system is just meaningless. In this case, it's very misleading.

A new abuse of the Linux term

Posted Feb 25, 2006 15:26 UTC (Sat) by jake (editor, #205)

> Linux is the name of a program: an operating system kernel. This is a worm affecting PHP. In what way is this a "Linux worm"?

Well, it is hard to imagine a Linux worm that didn't involve more than just the kernel as services running on top of that kernel are typically what is exploited. This particular worm targeted Linux, it would not run on other systems that were running PHP so it can't really be called a PHP worm ... perhaps Linux/PHP worm?

I personally believe that it is a completely fair characterization to call this a Linux worm, but YMMV ...

jake

Not 'based on an earlier worm, kaiten'

Posted Apr 25, 2006 6:05 UTC (Tue) by rickmoen (guest, #6943)

Reporter Jake Edge wrote:

An update later in the day makes it clear that this is a new attack, based on an earlier worm, kaiten, and attempts to connect infected systems to a botnet.

Kaiten is not a worm, but rather is the trojan-horse (backdoor) payload. It's thus, in effect, an after-effect of the actual worm, which in this case is last year's Lupper attack code, recycled, Lupper's exploit against a seven-month-old, rather ghastly input-validation bug in PHPXMLRPC v. 1.1.1 and later.

Rick Moen
rick@linuxmafia.com

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds