Is This the Dawn of the Linux Worms?

By Larry Seltzer  |  Posted 2005-11-08 Print this article Print

Opinion: The Luppi worm is blazing a trail with great potential for attackers. We might learn a lot about how secure Linux systems are in the next few months.

Over the weekend reports began to filter in of a new network worm that focused on a variety of vulnerabilities in products typically found in Linux-based Web servers. Its been tagged by many as a Linux problem, and is, in a practical sense, although most of the vulnerabilities arent strictly Linux issues. So far theres no evidence its a serious real-world problem, although the Internet Storm Center has been reporting that they are seeing multiple variants of it circulating around the net.
IBM and Red Hat are teaming to deliver secure Linux. Read more here.
Most anti-virus companies and researchers are focusing on what is probably the most significant vulnerability attacked by the worm, the XML-RPC for PHP Remote Code Injection vulnerability. The others at issue are the AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability and the Darryl Burgdorf Webhints Remote Command Execution Vulnerability, both less common than PHP. Click here to read more about Linux security issues, which were the focus at LinuxWorld 2005. While the authors are clearly still feeling their way around, theres no reason to believe that this will be a real biggie. But if someone writes a well-designed grab bag worm to exploit the various bugs in PHP and other products common on Linux servers, we could have a problem on our hands. Administrators of these systems dont always feel the pressure to apply updates as frantically as Windows admins. Complicating the problem is the fact that Linux distributors like Red Hat can take months to issue their own versions of updates. On the other side of the equation, outfits like FrSIRT are working hard to get exploit code out there for vulnerabilities on Linux as well as Windows. Consider this Linux exploit; its over six months old, but I bet there are still plenty of vulnerable systems out there. There are many ways that administrators can protect themselves, for instance by using an open-source intrusion detection and prevention system like Snort. Of course, even systems like this have their own vulnerabilities and exploits. And once a system gets infected, things can get pretty hairy. Consider Symantecs recommendations in its write-up: "Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely reinstalling the operating system." The bottom line is that if attackers start going after these less-attacked vulnerabilities with the same gusto they exhibit on Microsoft vulnerability day each month (Happy Second Tuesday, everyone!) then at least some of the problem will translate over to the Linux world. Things cant get as bad as they are on Windows in part because the biggest problem in securing a system is getting the user to do it, and Linux admins are more likely to be aware of the need to do this than the average schmoe running Windows. For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub. Still, its as condescending to over-assume the competence of Linux users as it is to under-assume the competence of Windows users, and there are no doubt still plenty of Linux systems out there that are misconfigured and running old, vulnerable versions of applications. The fact that there havent been many major efforts at creating Linux worms isnt proof that they are impossible. I think well find out just how hard they are to write in the next few months if the people behind Luppi keep trying. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel