New worm targets Linux



viking60
Über-Berserk
Posts: 9318
Joined: 14 Mar 2010, 16:34

New worm targets Linux

Post by viking60 » 28 Nov 2013, 00:03

There is this new worm that targets Linux and Symantec is tickled pink about it (business yeah!).

So let us see what it needs to work:
1. php-cgi
2. An Intel x86 arch


You probably do not have that so you can relax. The exploit is done in php-cgi which most people and sites do not use. And a patch is already provided so it will only affect older PHP versions.

So if you have un-patched PHP this might happen:
"Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," the Symantec researchers explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target."


The only variant seen to be spreading so far targets x86 systems, because the malicious binary downloaded from the attacker's server is in ELF (Executable and Linkable Format) format for Intel architectures.

So your Linux desktop is pretty much as safe as ever from this worm.

What Symantec has verified is that the malicious server also holds a variant of the worm for ARM, PPC, MIPS and MIPSEL on the same server.

And even if no infection has ever been found - these are clearly targeted against smartphones, routers and gadgets in general.
But so far they have not infected anything as far as we know - so they might not be all too successful.

In fact this worm warning is more of a marketing campaign than a threat.

If you fulfil all the requirements to be infected it should be enough to block HTTP POST requests to the following paths at the gateway or on each device:
    - /cgi-bin/php
    - /cgi-bin/php5
    - /cgi-bin/php-cgi
    - /cgi-bin/php.cgi
    - /cgi-bin/php4

Symantec recommends 4 more steps but they will never happen if you block the requests as shown above.

And that won't even be necessary if you update your system to the patched PHP versions.

Still something is cooking - and we will continue to watch and comment on every existing virus for Linux here.

More here
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"
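Added example for this thread (not code from the post, from Symantec, or from the forum): the post's mitigation is "block HTTP POST to these five /cgi-bin paths", and the same rule works as a detection check over a web server's access log, which tells you whether the worm's random-IP scanning has already reached a host. The script below parses constructed Apache/nginx "combined"-format log lines and flags only POST requests whose path (after dropping the query string, percent-decoding, and collapsing doubled slashes) is one of the listed CGI binaries. The log format, the normalization steps, the treatment of anything beneath the binary as PATH_INFO, and all sample addresses (documentation ranges) are assumptions made for the example.

```python
"""Flag HTTP POST requests to the php-cgi paths named in the post.

Added example for this thread, not code from the post or from Symantec.
The log lines below are constructed; the format assumed is the common
Apache/nginx "combined" access-log format.
"""
import re
from collections import Counter
from urllib.parse import unquote

# The five paths the post says to block POST requests to.
WORM_PATHS = (
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
)

# One "combined"-format line (assumption: that is what the server writes;
# adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(target):
    """Reduce a request target to a comparable path.

    Assumptions (not stated in the post): the query string and fragment do
    not change which CGI binary runs, percent-encoding is decoded by the
    server before routing, and repeated slashes collapse to one.
    """
    path = target.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    return re.sub(r"/{2,}", "/", path)


def is_worm_probe(rec):
    """True for a POST whose path is one of the listed CGI binaries.

    Anything beneath the binary (e.g. /cgi-bin/php4/extra) is treated as
    PATH_INFO handed to that same binary, so it is matched too (assumption).
    """
    if rec["method"] != "POST":
        return False
    path = normalize_path(rec["target"])
    return any(path == p or path.startswith(p + "/") for p in WORM_PATHS)


def scan_log(text):
    """Return one record per flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_worm_probe(rec):
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "path": normalize_path(rec["target"]),
                         "status": rec["status"]})
    return hits


def hits_by_ip(hits):
    """Count flagged requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2013:23:12:01 +0100] "POST /cgi-bin/php?a=b HTTP/1.1" 200 512
198.51.100.23 - - [27/Nov/2013:23:12:03 +0100] "GET /index.php HTTP/1.1" 200 2048
203.0.113.7 - - [27/Nov/2013:23:12:05 +0100] "POST /cgi-bin/php5 HTTP/1.1" 404 212
192.0.2.44 - - [27/Nov/2013:23:12:09 +0100] "POST /cgi-bin//php%2Dcgi HTTP/1.0" 200 100
192.0.2.44 - - [27/Nov/2013:23:12:10 +0100] "GET /cgi-bin/php.cgi HTTP/1.1" 200 100
192.0.2.44 - - [27/Nov/2013:23:12:11 +0100] "POST /cgi-bin/php4/extra HTTP/1.1" 200 100
198.51.100.23 - - [27/Nov/2013:23:12:12 +0100] "POST /contact.php HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} POST {h["path"]} -> {h["status"]}')
    print("per source:", hits_by_ip(found))
```

Note that the 404 line is still flagged: a host with no php-cgi at all will see these probes in its log and answer 404, which is exactly the "you probably do not have that" case from the post, and the hit is still useful as evidence that the scanner has reached you. GET requests to the same paths and POSTs to ordinary .php pages are left alone, matching the narrow rule the post gives.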
