|
|
Log in / Subscribe / Register

A new Linux worm

February 21, 2006

This article was contributed by Jake Edge.

A Linux worm (called "Mare.D" by some) that exploits an old PHP XML-RPC vulnerability has been sighted in the wild and was reported on Sunday to the full-disclosure mailing list. An update later in the day makes it clear that this is a new attack, based on an earlier worm, kaiten, and attempts to connect infected systems to a botnet.

The attack starts with a crafted XML-RPC request targeted at Wordpress, Drupal, phpBB and other content management systems that were known to be vulnerable in June 2005, when this problem was first reported. The request contains code which will be executed by PHP; this code, in turn, retrieves another script from a (now defunct) server and executes it. The second script then retrieves yet another pair of executables from the server; these are the main payload of the attack.

The first of these programs is the 'spreader' which attempts to find other vulnerable hosts and infect them. The other program, instead, connects to an IRC server which functions as the 'command and control' (C&C) element for a botnet. The irc server would instruct the client to download yet another program which opens a backdoor shell when executed. It is unknown what else the attacker planned with the bots as the C&C server has been shut down.

It is interesting to note that this worm does not compromise root and does not gain complete control of the host, but it does provide enough privileges that makes it attractive for a botnet. The exploit will allow the attacker to run with the permissions of the user who owns the httpd process (typically 'apache' or 'httpd') which is sufficient to perform the two most likely bot tasks: spamming and distributed denial of service. On the flipside, because it did not gain root privileges, it cannot do very much to hide itself and it should be very easy to detect on an infected system.

Overall, the impact of this attack is relatively small thanks, in part, to fast action to shut down the servers providing the scripts and controlling the botnet. But it seems likely that the backdoor shell is running on some hosts which got an "execute" command for that script before the servers were terminated. Another possibility is that there are different versions of the attack floating around, using different server addresses; those servers may still be running.

As is the case for many malware attacks, this would only affect systems that did not have up-to-date software. Eight months seems like enough time to update affected systems, so the fact that there are still vulnerable systems out there is a sad testament to how little attention is paid to security by some, probably many, Linux system administrators.

More information about this exploit can be found in the Shadowserver article and updates on this attack are being posted to the Securiteam blog.


Index entries for this article
GuestArticlesEdge, Jake

to post comments

A new Linux worm

Posted Feb 21, 2006 18:33 UTC (Tue) by xtifr (guest, #143) [Link] (15 responses)

Is this actually a "Linux worm"? Or is it merely a worm that affects any system running old versions of PHP XML-RPC and a vulnerable CMS? Wouldn't Windows/AIX/BSD/Solaris/etc. systems be equally affected? The linked reports didn't really make this clear (at least to me).

A new Linux worm

Posted Feb 21, 2006 19:05 UTC (Tue) by smoogen (subscriber, #97) [Link] (5 responses)

The shell script is Bash and the executable it downloads is Linux only... so in this case if you are running Apache on Windows.. you are home clear.

From what I can tell this variant has been around since Feb 14th. The infected bot boxes do a scan for various vulnerabilities.. and then downloads the worm onto the box. It then executes the worm and listens for commands from the boss-bot.

As always.. your OS is only as good as you can AND will patch it :)

A new Linux worm

Posted Feb 22, 2006 1:40 UTC (Wed) by cventers (guest, #31465) [Link]

I wish these malware authors would learn to write portable code so that
we can stop calling PHP security problems "Linux" problems...

:)

A new Linux worm

Posted Feb 22, 2006 9:46 UTC (Wed) by hawk (guest, #3195) [Link]

Well, sounds like you're equally exploitable, just that this particular worm isn't compatible with your system.

A new Linux worm

Posted Feb 22, 2006 11:13 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses)

Oh good, another exploit killed by digsig.

A new Linux worm

Posted Feb 23, 2006 8:58 UTC (Thu) by emj (guest, #14307) [Link] (1 responses)

Digsig is a Linux kernel module, which checks RSA digital signatures of ELF binaries and libraries before they are run.

But if this had been done with just bash scripts, digsig wouldn't be of much help, right?

A new Linux worm

Posted Feb 23, 2006 9:44 UTC (Thu) by nix (subscriber, #2304) [Link]

The webpage is out of date: as of the CVS release (stable as hell despite not being released yet), scripts can be checked too, but it's more annoying (you have to decorate every script you'll run).

A new Linux worm

Posted Feb 22, 2006 9:43 UTC (Wed) by nhippi (subscriber, #34640) [Link] (7 responses)

PHP worm might be more appropriate term. However in this case popular media (like usually) is using "Linux" as synonym of "Open Source systems". Considering the extreme popularity of PHP, it is quite suprising there seems to be very little effort to actually make it secure.

The "PHP is the weak link of LAMP security" aspect is amplified with the fact that most PHP applications are not installed with package managment (apt/yum), and thus do not get security updates via the normal process.

A new Linux worm

Posted Feb 22, 2006 20:47 UTC (Wed) by NightMonkey (subscriber, #23051) [Link] (1 responses)

One of the many reasons I like Gentoo's Portage - web apps are (almost) first-class citizens there. webapp-config, while taking a bit to get used to, allows easy updating of web apps, with similar protection and managed updating of configuration files as in any other application. And it handles virtual hosts!

A new Linux worm

Posted Feb 23, 2006 9:10 UTC (Thu) by tzafrir (subscriber, #11501) [Link]

It is also in Debian and was also true for Mandrake last time I looked over three years ago.

However package managers don't interact well with SQL. And furthermore many of those programs are horribly packaged and are a pain to package correctly: no separation between the basic schema and data and the extra data the user adds.

For instance, have you seen any such sql app where the web app does not have full control over the database?

A new Linux worm

Posted Feb 23, 2006 7:41 UTC (Thu) by job (guest, #670) [Link] (4 responses)

I get why popular media has some interest in making Linux look bad (as it understandably provides less advertising revenue), but I think LWN could have had PHP in the headline instead. It's not a scandals magazine :).

A new Linux worm

Posted Feb 23, 2006 18:58 UTC (Thu) by cventers (guest, #31465) [Link]

Agreed. It's kind of like Stallman's gripe with the "Intellectual
Property" propaganda term... using language that confuses the issue
clearly destroys the ability to think clearly.

A new Linux worm

Posted Feb 24, 2006 1:56 UTC (Fri) by roelofs (guest, #2599) [Link] (2 responses)

I get why popular media has some interest in making Linux look bad (as it understandably provides less advertising revenue), but I think LWN could have had PHP in the headline instead. It's not a scandals magazine :).

It's also not prone to misleading/inaccurate titles. Did you overlook smoogen's upstream comment? The article clearly states that one of the binaries is what does the "worm" part (i.e., propagation), and his comment identifies said binaries as Linux ones.

If that's not the exact definition of "Linux worm," I don't know what is.

Greg

A new Linux worm

Posted Feb 26, 2006 14:06 UTC (Sun) by job (guest, #670) [Link]

If it had been a virus I might agree, but this is different. You don't call a Skype worm a "Windows worm" just because it is platform specific. Just like "the sendmail worm" was exactly that.

Posted Apr 25, 2006 5:41 UTC (Tue) by rickmoen (subscriber, #6943) [Link]

roelofs wrote:

It's also not prone to misleading/inaccurate titles. Did you overlook smoogen's upstream comment? The article clearly states that one of the binaries is what does the "worm" part (i.e., propagation), and his comment identifies said binaries as Linux ones. If that's not the exact definition of "Linux worm," I don't know what is.

Greg, the payload of the "Mare.D" worm (which is really just yet another retread of last year's Lupper/ Plupii/Plupii worm) is only incidentally a Linux x86 ELF binary: Without significant change (and, in most cases without change at all), it could be recompiled for Solaris, *BSD, HP/UX, Mac OS X, Win32, etc.

Calling "Mare" (and Lupper) a "Linux worm" suggests that people running with the exact same, identically exploitable PHPXMLRPC vulnerability on other OS platforms need not pay attention. Does that sound reasonable? And would the exact same exploit code, identical except with the payload compiled for Win32, be fairly regarded as a different "worm"?

In a sense, all of this is actually missing the main point: The real problem isn't "worms", which, after all, are merely automated attack tools against known-exploitable vulnerabilities. The real problem is the underlying vulnerabilities. Any sysadmin who's still running known-remotely-exploitable server-app code by the time the "worms" come out -- inevitably months to years later -- is criminally negligent.

Flaws in user applications that handle public content (Web browsers, MUAs, PDF readers, AV players) concern me a great deal more, frankly. They're more likely to be exposed to danger by completely unwary, security-ignorant people -- as opposed to Web site sysadmins.

Rick Moen
rick@linuxmafia.com

A new Linux worm

Posted Mar 6, 2006 12:27 UTC (Mon) by watkin5 (subscriber, #36313) [Link]

Should it not be called a GNU/Linux worm?

Linux Worm? Sure it is.

Posted Feb 23, 2006 9:05 UTC (Thu) by emj (guest, #14307) [Link]

If the worm had downloaded it self from the infecting host then this Worm would still be spreading. It's not as bad as Windows worms because very few people run phpBB and stuff, but it's the same danger as Windows worms. It's scary that you just try to shrug it off as "not a Linux specific thing". One should ask what can be one to minimize the damage? Locking down net access for the Apache user? Only running things/scipts not owned by the Apache User?

A new abuse of the Linux term

Posted Feb 25, 2006 1:56 UTC (Sat) by bignose (subscriber, #40) [Link] (1 responses)

Linux is the name of a program: an operating system kernel. This is a worm affecting PHP. In what way is this a "Linux worm"? If anything that exploits a particular system configuration, that happens to also include Linux, is to be called a "Linux worm", the term becomes indistinguishable from exploits that *do* affect Linux. By that logic, a better term would be an "Apache worm", since "a system running Apache" is far more likely to be also running PHP than just "a system running Linux".

Please, can we have some journalistic integrity? The misuse of the term "Linux" to refer to any of thousands of programs that may or may not be installed on a particular system is just meaningless. In this case, it's very misleading.

A new abuse of the Linux term

Posted Feb 25, 2006 15:26 UTC (Sat) by jake (editor, #205) [Link]

> Linux is the name of a program: an operating system kernel. This is a worm affecting PHP. In what way is this a "Linux worm"?

Well, it is hard to imagine a Linux worm that didn't involve more than just the kernel as services running on top of that kernel are typically what is exploited. This particular worm targetted Linux, it would not run on other systems that were running PHP so it can't really be called a PHP worm ... perhaps Linux/PHP worm?

I personally believe that it is a completely fair characterization to call this a Linux worm, but YMMV ...

jake

Not 'based on an earlier worm, kaiten'

Posted Apr 25, 2006 6:05 UTC (Tue) by rickmoen (subscriber, #6943) [Link]

Reporter Jake Edge wrote:

An update later in the day makes it clear that this is a new attack, based on an earlier worm, kaiten, and attempts to connect infected systems to a botnet.

Kaiten is not a worm, but rather is the trojan-horse (backdoor) payload. It's thus, in effect, an after-effect of the actual worm, which in this case is last year's Lupper attack code, recycled, Lupper's exploit against a seven-month-old, rather ghastly input-validation bug in PHPXMLRPC v. 1.1.1 and later.

Rick Moen
rick@linuxmafia.com


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds