Over the weekend reports began to filter in of a new network worm that focused on a variety of vulnerabilities in products typically found in Linux-based Web servers.
Its been tagged by many as a Linux problem, and is, in a practical sense, although most of the vulnerabilities arent strictly Linux issues.
So far theres no evidence its a serious real-world problem, although the Internet Storm Center has been reporting that they are seeing multiple variants of it circulating around the net.
Most anti-virus companies and researchers are focusing on what is probably the most significant vulnerability attacked by the worm, the XML-RPC for PHP Remote Code Injection vulnerability.
The others at issue are the AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability and the Darryl Burgdorf Webhints Remote Command Execution Vulnerability, both less common than PHP.
While the authors are clearly still feeling their way around, theres no reason to believe that this will be a real biggie. But if someone writes a well-designed grab bag worm to exploit the various bugs in PHP and other products common on Linux servers, we could have a problem on our hands.
Administrators of these systems dont always feel the pressure to apply updates as frantically as Windows admins. Complicating the problem is the fact that Linux distributors like Red Hat can take months to issue their own versions of updates.
On the other side of the equation, outfits like FrSIRT are working hard to get exploit code out there for vulnerabilities on Linux as well as Windows. Consider this Linux exploit; its over six months old, but I bet there are still plenty of vulnerable systems out there.
There are many ways that administrators can protect themselves, for instance by using an open-source intrusion detection and prevention system like Snort. Of course, even systems like this have their own vulnerabilities and exploits.
And once a system gets infected, things can get pretty hairy. Consider Symantecs recommendations in its write-up: “Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely reinstalling the operating system.”
The bottom line is that if attackers start going after these less-attacked vulnerabilities with the same gusto they exhibit on Microsoft vulnerability day each month (Happy Second Tuesday, everyone!) then at least some of the problem will translate over to the Linux world.
Things cant get as bad as they are on Windows in part because the biggest problem in securing a system is getting the user to do it, and Linux admins are more likely to be aware of the need to do this than the average schmoe running Windows.
Still, its as condescending to over-assume the competence of Linux users as it is to under-assume the competence of Windows users, and there are no doubt still plenty of Linux systems out there that are misconfigured and running old, vulnerable versions of applications.
The fact that there havent been many major efforts at creating Linux worms isnt proof that they are impossible. I think well find out just how hard they are to write in the next few months if the people behind Luppi keep trying.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at [email protected]