New worm targets Linux systems

CNET News.com ^ | November 7, 2005, 5:12 PM PST | Joris Evers

[Bush2000]

New worm targets Linux systems
By Joris Evers
Staff Writer, CNET News.com
Published: November 7, 2005, 5:12 PM PST

A new worm that propagates by exploiting security vulnerabilities in Web server software is attacking Linux systems, warned antivirus companies on Monday.

The worm spreads by exploiting Web servers that host susceptible scripts at specific locations, according to antivirus software maker McAfee, which has named the worm "Lupper."

Lupper blindly attacks Web servers, installing and executing a copy of the worm when a vulnerable server is found, McAfee said in its description of the worm.

A backdoor is installed on infected servers, giving the attacker remote control over the system. The server joins a network of compromised systems, which can be used, for example, in attacks against other computers, according to McAfee.

The worm exploits three vulnerabilities to propagate the XML-RPC for PHP Remote Code Injection vulnerability; AWStats Rawlog Plugin Logfile Parameter Input Validation vulnerability; and Darryl Burgdorf's Webhints Remote Command Execution Vulnerability, according to Symantec's online description of the worm.

The XML-RPC flaw affects blogging, wiki and content management software and was discovered earlier this year. Patches are available for most systems. AWStats is a log analyzer tool; a fix for the flaw has been available since February. Darryl Burgdorf's Webhints is a hint generation script, no fixes are available for the script, according to Symantec's DeepSight Alert Services.

McAfee rates Lupper as a low risk. Symantec, which calls the worm Plupii, rates it medium risk, but notes that the worm has not been widely distributed. The SANS Internet Storm Center, which tracks network threats, reports some worm sightings.

Symantec and McAfee have updated their products to protect against the worm. If a system has been infected, Symantec recommends complete reinstallation of the system because it will be difficult to determine what else the computer has been exposed to, the company said.

[Bush2000]

This has to be incorrect. My Linux friends assure me that, with their zillions of eyeballs constantly scanning the open source code, Linux can't be targeted by worms and viruses...

[Bush2000]

Can somebody please explain why there are always more vulnerabilities found for UNIX/Linux systems than Windows in these bulletins?

http://www.us-cert.gov/cas/bulletins/

This is some kind of mistake, right?

[A CA Guy]

I wonder how long it took Microsoft to write it? ;-)

[Michael Goldsberry]

Looks like a web service bug, not the base OS.

Your friends are correct.

[chronic_loser]

How long MS to write it? Hell. I wonder how long it took Mr. Objective here to find the article?

[A CA Guy]

I'm still of the opinion that the reason MS gets most all of the virus attacks is simply because it is what most all use in the world.

Do you go after the 99.2% or the .8% of the systems?
I think they go where they can affect the most people.

Computers are nothing more than a bunch of magnetized 011010010101010's regarding hard drives, so there really is no protection where there is a will to bust it.

[Bush2000]

Looks like a web service bug, not the base OS.

And IIS is only a web server. And IE is only a web browser. And Outlook Express is only an email client ... blah, blah, blah...

[RedBloodedAmerican]

"vulnerabilities in Web server software is attacking Linux systems"

Yes, it's attacking systems, not some web service.

Wouldn't it be easier and less challenging to write code (worms) to an open source system?

[Michael Goldsberry]

Can somebody please explain why there are always more vulnerabilities found for UNIX

Perhaps because when a problem is found, we fix it right away?

[Bush2000]

Wouldn't it be easier and less challenging to write code (worms) to an open source system?

Yes, it would be. But hackers apparently are more interested in targeting systems with enormous market share.

[Michael Goldsberry]

blah, blah, blah...

Yes, okay.

[Bush2000]

Perhaps because when a problem is found, we fix it right away?

Again, why are there more vulnerabilities found in the open source code? If security-through-obscurity doesn't work, then you would expect an equivalent number of vulnerabilities in closed source systems. But that doesn't seem to be happening...

[Michael Goldsberry]

But that doesn't seem to be happening...

I disagree. Your OS is not in my server room because it is unreliable. This goes directly to the heart of your "vulnerabilities" argument.

[Michael Goldsberry]

BTW, I'm more a Solaris/HP-UX/AIX guy than Linux.

[Bush2000]

I disagree. Your OS is not in my server room because it is unreliable.

Or, alternatively, you're an ABMer zealot ... This goes directly to the heart of our "vulnerabilities" argument.

Your deployment choice doesn't constitute proof. Try dealing with the issue of vulnerabilities. You know: fact-based reality...

[Bush2000]

BTW, I'm more a Solaris/HP-UX/AIX guy than Linux.

Ohhhhh, then you're very familiar with vulnerabilities...

[Michael Goldsberry]

ABMer zealot

I'm a career Unix Admin, so I'm probably guilty on the ABM thing. However, that opinion is based upon observation.

As to your tagline: Whatever. Linux/BSD/FreeBSD/whatever.
Yes, they are better than the current Microsoft products.

However, they are nowhere near to matching real commercial Unixes.

[FLAMING DEATH]

Unbelieveable. You have friends?

[RedBloodedAmerican]

Unreliable? I would use Windows 2000 Advanced Server or 2003 Server over anything, anyday in a corporate LAN/WAN environment.

[youngtechster]

in truth, vulnerabilities are more publicized by the Open Source Software Community (hereafter referred to as OSS).. when comparing it to Micro$oft'$ vulnerabilities you are more likely to get a severe downsizing of the actual problem. in otherwords, they only publicize what they want to admit to.

The best way to get the truth is to go someplace that tracks bug reports on multiple fronts, the best place (IMHO) is Secunia. You'll find that there are multiples of vulnerabilities EVERY DAY reported for OSS, as well as Apple and M$ on occasion. The real key is when you look at the expedience in said vulnerabilities getting fixed, or 'patched'.

here's a scary thought: Windows XP Professional
compare the above to this: Gentoo Linux
Kinda scary if you ask me.

Also, to respond to the comment "I'm still of the opinion that the reason MS gets most all of the virus attacks is simply because it is what most all use in the world."

Yes, thats true, BUT even if the world did use OSS as a majority you'd find that many of the bugs that can be exploited are patched within days (if not hours). The reason exploits hit M$'s products so hard is because the bug is found, and M$ does nothing with it for weeks if not months. That is where the strength of OSS comes in.