
Linux Worm Targeting Hidden Devices

The Symantec blog has a report of a new Linux worm capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. "The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013."
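For defenders wanting to spot exploitation attempts of the php-cgi flaw named above in their web server logs, here is an added example (not from LWN, Symantec, or the worm's author). It assumes Apache "combined" access-log lines and uses the behaviour described in the CVE: a query string with no raw `=` is handed to the CGI binary as command-line arguments, which an unpatched php-cgi interprets as its own options. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" access-log layout (assumption; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_cgi_arg_injection(target: str) -> bool:
    """True when the request looks like CVE-2012-1823 option injection.

    Per the CGI spec a query string containing no unencoded '=' is not a
    GET parameter list; the server decodes it and passes it as argv.  An
    unpatched php-cgi then treats a leading '-' argument as a php option.
    """
    query = urlsplit(target).query
    if not query or "=" in query:
        return False            # ordinary key=value query, parsed as GET params
    args = unquote_plus(query).split()   # decode %2D etc. and '+' to space
    return bool(args) and args[0].startswith("-")


def scan_log(lines):
    """Return (client, target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cgi_arg_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Dec/2013:16:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Dec/2013:16:00:02 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 2048',
    '203.0.113.9 - - [03/Dec/2013:16:00:03 +0000] "GET /cgi-bin/php?%2D%73 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [03/Dec/2013:16:00:04 +0000] "GET /search.php?q=-rf HTTP/1.1" 200 300',
    '198.51.100.4 - - [03/Dec/2013:16:00:05 +0000] "GET /cgi-bin/php?foo HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious php-cgi request:", hit)
```

The second hit shows why decoding matters: a URL-encoded dash still reaches php-cgi as `-s`, so matching only the literal `?-` would miss it.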

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 16:39 UTC (Tue) by mcpierce (guest, #69508) [Link]

Not a Linux worm, but a php-cgi worm. With SELinux enabled, this will not affect anybody's system running php-cgi, which is NEARLY 0% of Linux users.

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 16:52 UTC (Tue) by jhoblitt (subscriber, #77733) [Link]

As in, 0% of Linux installations have SELinux enabled...

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 17:07 UTC (Tue) by mcpierce (guest, #69508) [Link]

Hehe, I think it's a little closer to 1%. :D

Honestly, after reading about how to use it, I think it's silly that someone would install Linux and not take the short time needed to understand SELinux security and enable it.

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 17:21 UTC (Tue) by mathstuf (subscriber, #69389) [Link]

It looks like it is targeting small devices (routers, switches, TiVO, etc.), not servers with a sysadmin, so I don't see how SELinux would even generally be an option anywhere for users to poke even if it were available.

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 17:24 UTC (Tue) by mcpierce (guest, #69508) [Link]

A device should have SELinux enabled by default and be totally locked down. Since you're not installing new software or creating user accounts willy nilly, it's the ideal system to have SELinux enabled.

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 17:41 UTC (Tue) by gwolf (subscriber, #14632) [Link]

The end user will not harden their router/switch/TiVO, right. But I fully expect the people who sold/leased it (or the service provider who gives it as part of the service) to be responsible enough to harden the devices at least enough not to be a liability for their owners.

Of course... I know it's very seldom the case. Yes, I also have some ISP-provided stuff at home, and know how easy it is to pwn them. But anyway, the responsibility in such cases lies in the provider, not in the end user.

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 17:25 UTC (Tue) by BlueLightning (subscriber, #38978) [Link]

FWIW, on my CentOS-based build server I have had SELinux enabled (as it comes out of the box) for about three years now, as a way to ensure our build system doesn't break on boxes with it enabled. Apart from an initial issue with the way we were building OpenSSL (execstack was enabled, which I fixed) I have experienced no difficulties as a result.

Granted, this isn't a desktop system where you might try to perform a wider range of "privileged" operations, but for servers I think having it enabled isn't as much of an encumbrance as some people think it is.

Linux Worm Targeting Hidden Devices

Posted Dec 4, 2013 13:20 UTC (Wed) by bjartur (guest, #67801) [Link]

If you only ever execute commands straight from a manual, nothing will break. But for those people who run commands the rule author, who will in most cases not be the user himself, hasn't thought of or deemed useful, SELinux forbids suspicious activity. It just happens that "suspicious activity" is occasionally useful. And then, the problem of figuring out how to do things, such as moving files between user accounts without involving root, becomes a task of figuring out how to do it, finding that it doesn't work, figuring that it should work, then figuring out why the found method still doesn't work and lastly learning to either disable SELinux or how to remove the problematic rule and how to maintain a modified ruleset despite the package manager (if any).

That's one hell of an overcomplication. But, alas, it only happens ever so often. But as a matter of both usability and discoverability, it's scary. But routers don't have that excuse. On more malleable or user-facing systems, however, we'll ultimately have to do with finding, patching and preventing security holes. Which is precisely why static analysis is being worked on in tandem.

Linux Worm Targeting Hidden Devices

Posted Dec 3, 2013 23:10 UTC (Tue) by ssmith32 (subscriber, #72404) [Link]

Good point... but in fairness, they at least verified that the payload was targeting x86 ELF, and not just PE, so the few Linux users using php-cgi should be aware. Beats the presentations I've seen claiming cross platform that ignore the fact that, while the exploit is cross-platform, the payloads being delivered are not, which is sort of important to note :)

Linux Worm Targeting Hidden Devices

Posted Dec 4, 2013 4:31 UTC (Wed) by Arker (guest, #14205) [Link]

Eh, the binary being served up as of 'press time' was x86. However

1) The exploit is cross platform.
2) IIRC there were some signs that the maker of the x86 binary was already planning to take it cross platform as he executed this initial stage.
3) There could be any number of other blackhats already working on their own kit based on this exploit that we don't know about.

So I think it's fair to assume the attack either is already or will likely soon be cross platform, even without having seen it appear that way yet.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds