Beware of new worm targeting Linux PCs – Symantec
GMA News | 1 December 2013 | KDM
Posted on 12/03/2013 6:12:54 AM PST by ShadowAce
A new worm is targeting personal computers running the Linux operating system, and may also pose a threat to embedded devices such as home routers and set-top boxes, a security vendor reported this week.
Symantec said its researchers found that the malware, named Linux.Darlloz, spreads by exploiting a vulnerability in php-cgi that had been patched as early as May 2012.
"The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras," researcher Kaoru Hayashi said in a blog post.
Hayashi added that while no attacks against such devices have been found in the wild, "many users may not realize they are at risk, since they are unaware they own devices that run Linux."
Symantec's Hayashi also noted that Linux is the best known open source operating system and has been ported to many architectures.
He added that Linux runs not just on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems.
"Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers," Hayashi said.
Hayashi also said Symantec has verified that the attacker already hosts variants for other architectures, including ARM, PPC, MIPS and MIPSEL, on the same server.
Investigation showed that the worm, once executed, generates random IP (Internet Protocol) addresses and tries to reach a specific path on each machine using well-known IDs and passwords.
"The worm then sends HTTP POST requests that exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target," Hayashi said.
Hayashi said the worm at present appears to infect only Intel x86 systems, because the download URL in the exploit code is hard-coded to the ELF binary for Intel architectures.
Worse, Hayashi said users may not be aware that they are using vulnerable devices in their homes or offices.
Symantec suggested that users take the following steps to prevent infection:
- Verify all devices connected to the network
- Update their software to the latest version
- Update their security software when it is made available on their devices
- Make device passwords stronger
- Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
  - /cgi-bin/php
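An added example, not from the GMA News article or Symantec's advisory: a small Python scanner that applies the last recommendation to web server access logs, flagging HTTP POST requests to /cgi-bin/php paths and counting them per source address. It assumes Apache combined log format and runs over constructed sample lines; it generalizes the page's single path to a prefix match so that differently named php-cgi entry points under /cgi-bin/ are caught too.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Dec/2013:10:15:02 +0000] "POST /cgi-bin/php HTTP/1.1" 200 512 "-" "-"
198.51.100.22 - - [01/Dec/2013:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2013:10:15:05 +0000] "POST /cgi-bin/php5 HTTP/1.1" 404 233 "-" "-"
192.0.2.9 - - [01/Dec/2013:10:16:11 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Dec/2013:10:16:40 +0000] "POST /cgi-bin/php-cgi HTTP/1.1" 200 512 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The advisory says to block POST to /cgi-bin/php; the prefix match is an
# assumption made here so that variant entry-point names are caught as well.
WATCHED_PREFIX = "/cgi-bin/php"


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_suspect(entry):
    """True for a POST whose path (query string ignored) is under /cgi-bin/php."""
    path = entry["path"].split("?", 1)[0]
    return entry["method"] == "POST" and path.startswith(WATCHED_PREFIX)


def scan(log_text):
    """Return the suspect entries and a count of suspect POSTs per source IP."""
    suspects = [e for e in map(parse_line, log_text.splitlines()) if e and is_suspect(e)]
    return suspects, Counter(e["ip"] for e in suspects)


if __name__ == "__main__":
    hits, sources = scan(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} POST {e["path"]} -> {e["status"]}')
    print("suspect POSTs per source:", dict(sources))
```

A 404 on the watched path still counts: the request shows the scanning behaviour even when the entry point is absent, which is what the gateway rule above is meant to stop.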
TOPICS: Computers/Internet
KEYWORDS: linux; security; worm
#1 posted on 12/03/2013 6:12:54 AM PST by ShadowAce
To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...
#2 posted on 12/03/2013 6:13:21 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: ShadowAce
#3 posted on 12/03/2013 6:24:28 AM PST by Graewoulf (Democrats' Obamacare Socialist Health Insur. Tax violates U.S. Constitution AND Anti-Trust Law.)
To: ShadowAce
Looks like Symantec is ready to roll out its latest product. I wonder if they have a fix for it?
#4 posted on 12/03/2013 6:42:52 AM PST by Bloody Sam Roberts ("It does not take a majority to prevail, but rather an irate, tireless minority...")
To: Bloody Sam Roberts
(tinfoil hat on)
They probably do; unfortunately many of us believe they and other companies might be writing some of these themselves to guarantee next year's sales.
(removes tinfoil before coworkers notice)
#5 posted on 12/03/2013 6:48:05 AM PST by Abathar (Proudly posting without reading the article carefully since 2004)
To: Abathar
My work has several hundred Linux servers. Due to policy/state law, we must have an AV on every server in our datacenters. You can guess how many hits we get on the Linux servers. It’s not only a waste of money, but of CPU cycles as well.
#6 posted on 12/03/2013 6:50:34 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: ShadowAce
#7 posted on 12/03/2013 6:53:13 AM PST by JoeProBono (SOME IMAGES MAY BE DISTURBING VIEWER DISCRETION IS ADVISED;-{)
To: ShadowAce
Yep, but it only takes one to ruin your whole day, and if scammers know there are large swaths vulnerable they will concentrate more frequently on them.
Better safe than sorry later imho.
#8 posted on 12/03/2013 7:09:40 AM PST by Abathar (Proudly posting without reading the article carefully since 2004)
To: ShadowAce
I'm safe, I'm using Windows 8.
#9 posted on 12/03/2013 7:10:10 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
To: for-q-clinton
#10 posted on 12/03/2013 7:10:25 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
To: ShadowAce
Yep. Anti-virus on unix/linux servers is a total waste of time and money. If you can adequately admin unix, and use industry-accepted security procedures and techniques, you will be secure. You just have to pay attention to what you are doing.
Windows is not unix/linux.
To: for-q-clinton
Linux users are pretty much safe as well. This was patched in May 2012.
#12 posted on 12/03/2013 7:20:29 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: for-q-clinton
Note that the exploit requires the ability to USE HTTP POST. If you're not running websites with unauthenticated POST commands, you're safe. This exploits CGI-BIN/PHP, and that's only usable if you've left your cgi-bin wide open.
Since most of us are smart enough to secure our websites (right guys?), this isn’t a huge issue.
If you have a router with “password” as the password, enjoy your worms!
#13 posted on 12/03/2013 9:36:35 AM PST by rarestia (It's time to water the Tree of Liberty.)
To: rarestia
If you have a router with "password" as the password, enjoy your worms!
LOL. Changed mine and it takes fifteen minutes to remember what I changed it to.
#14 posted on 12/03/2013 10:15:42 AM PST by raybbr (I weep over my sons' future in this Godforsaken country.)
To: raybbr
I put mine in a password vault on account of it’s a 25-character random password with letters, numbers, symbols, and spaces.
#15 posted on 12/03/2013 10:25:15 AM PST by rarestia (It's time to water the Tree of Liberty.)
To: ShadowAce
Symantec said its researchers warned the malware, named Linux.Darlloz, spreads by exploiting a vulnerability in php-cgi that had been patched as early as May 2012.
That's a long time to go without running updates.
(Yes, routers and linux based appliances may have a problem.)
#16 posted on 12/03/2013 10:25:43 AM PST by Lee N. Field ("You keep using that verse, but I do not think it means what you think it means.")
To: ShadowAce
My work has several hundred Linux servers. Due to policy/state law, we must have an AV on every server in our datacenters. You can guess how many hits we get on the Linux servers. It's not only a waste of money, but of CPU cycles as well.
"sudo apt-get install clamav" Done.
#17 posted on 12/03/2013 10:27:09 AM PST by Lee N. Field ("You keep using that verse, but I do not think it means what you think it means.")
To: ShadowAce
#18 posted on 12/03/2013 10:42:49 AM PST by GeronL (Extra Large Cheesy Over-Stuffed Hobbit)
To: rarestia
If you have a router with "password" as the password, enjoy your worms!
"1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"
#19 posted on 12/03/2013 10:48:25 AM PST by dfwgator (Fire Muschamp. Go Michigan State!)
To: ShadowAce
I'm perfectly safe. I'm not running Linux, I'm running Ubuntu and Mint.
What?