So this is not a particularly technical source article, but it looks fairly interesting and I haven’t heard of this Linux.Darlloz worm before, so it might be new to some of you too.
Seems like it’s going after old php-cgi installs, which are very common on embedded systems (routers/pos systems/stbs etc). The vulnerability being used is actually pretty old and was patched back in May 2012.
It’s not really likely to cause a serious risk to servers, which tend not to run php-cgi any more – and it would be more common for them to be updated.
A new worm is targeting x86 computers running Linux and PHP, and variants may also pose a threat to devices such as home routers and set-top boxes based on other chip architectures.
According to security researchers from Symantec, the malware spreads by exploiting a vulnerability in php-cgi, a component that allows PHP to run in the Common Gateway Interface (CGI) configuration. The vulnerability is tracked as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012.
The new worm, which was named Linux.Darlloz, is based on proof-of-concept code released in late October, the Symantec researchers said Wednesday in a blog post.
“Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability,” the Symantec researchers explained. “If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.
The only variant seen to be spreading so far targets x86 systems, because the malicious binary downloaded from the attacker’s server is in ELF (Executable and Linkable Format) format for Intel architectures.
I’m not exactly sure what the end game for this worm is, perhaps it’s just into spreading and doesn’t do anything particularly malicious. But in this day and age, that seems pretty unlikely. Infected hosts are more likely to be turned into botnet zombies for a DDoS network.
It seems like it has infection vectors for non x86 architectures, but no actual infections on non PC devices have been confirmed – so the code might not even work properly.
However, the Symantec researchers claim the attacker also hosts variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL.
These architectures are used in embedded devices like home routers, IP cameras, set-top boxes, and many others.
“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux,” the Symantec researchers said. “However, we have not confirmed attacks against non-PC devices yet.”
The firmware of many embedded devices is based on some type of Linux and includes a web server with PHP for the web-based administration interface. These kinds of devices might be easier to compromise than Linux PCs or servers because they don’t receive updates very often.
Patching vulnerabilities in embedded devices has never been an easy task. Many vendors don’t issue regular updates and when they do, users are often not properly informed about the security issues fixed in those updates.
In addition, installing an update on embedded devices requires more work and technical knowledge than updating regular software installed on a computer. Users have to know where the updates are published, download them manually and then upload them to their devices through a Web-based administration interface.
It’s an interesting enough story though, something to keep an eye out for, but honestly I don’t think it’s going to spread very far – and it won’t do much damage. Only old and neglected machines will be vulnerable to the exploit.
But well, as we know – there are far too many such machines plugged into the Internet.
Source: PC World