|
|
BugTraq
new linux malware Feb 18 2006 10:40PM Gadi Evron (ge linuxbox org) (2 replies) Re: new linux malware Feb 20 2006 04:57PM Christine Kronberg (Christine_Kronberg genua de) (1 replies) Re: new linux malware Feb 20 2006 04:24PM Marco Monicelli (marco monicelli marcegaglia com) (1 replies) |
|
Privacy Statement |
> On Sun, 19 Feb 2006, Gadi Evron wrote:
>
>> Today, we received a notification about a new Linux malware ItW (In
>> the Wild).
>
>
> They are not exactly new. I've seen them floating around for about
> two months now. There a different binaries running around doing the
> same work (different the way that they have been compiled on different
> linux distributions). Part of that work is to be distributed by trying
> to get in via vulnerable php scripts. Look to me like being part of a
> worm.
>
> Cheers,
>
>
> Christine Kronberg.
>
Indeed, the most annoying thing about the PHP worms today is that these
PHP vulnerabilities being exploited are everywhere.
As I already mentioned, this recent Linux worm has more to it, but
that's in another post.
These vulnerabilities being exploited are very difficult to protect from
because:
1. PHP is the "serious" or at least open-source/Linux/security freak's
choice for web development. Mine as well (although as many still say,
Perl does a better job).
2. Developing secure applications in PHP is difficult, as one of PHP's
creators said recently - even to him after years of trying.
3. Staying on top of new PHP vulnerabilities has become impossible,
popping around everywhere.
4. Determining how secure a PHP application is, looking at the code and
for how silly past vulnerabilities were (i.e. looking at the coder
rather than the code) is now more important than the actual application.
Much like their self criticism said, PHP needs to grow to a far more
secure language, much like we need to chose more carefully what PHP
software we use.
Some of us have been joking for a while about creating a script to
choose from different paragraph we create, and email bugtraq
re-assembling the randomly with a new PHP bug and a random PHP
application name every few hours. Would any of us be able to readily
tell the difference?
From all the fish we can barely see the water. :(
As to the worms, been going on longer than 2 mounths like you mentioned,
but you are correct.
One note I'd like to make, is that even if the second (interesting)
payload in the Linux worm wasn't there, just because someone utilizes
old malware in the creation of new malware doesn't mean it is new, or
99.9% of any "virus" every written would be old.
Does Bagle.**** ring a bell with anyone? :)
Like I already mentioned, if any of you are interested in sharing web
server logs and be notified of new PHP problems we all notice online,
drop me a note.
Gadi.
--
http://blogs.securiteam.com/
"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.
[ reply ]