Weird PHP-poking Linux worm slithers into home routers, Internet of Things

Symantec has stumbled across a worm that exploits various vulnerabilities in PHP to infect Intel x86-powered Linux devices. The security biz says the malware threatens to compromise home broadband routers and similar equipment. However, home internet kit with x86 chips is few and far between – most network-connected embedded …

COMMENTS

This topic is closed for new posts.


  1. Anonymous Coward
    Anonymous Coward

    Should've gone with *BSD

    1. Anonymous Coward
      Anonymous Coward

      Or Windows Server for anything Internet facing. Both have far lower vulnerability counts than a LAMP stack....

      1. Anonymous Coward
        Anonymous Coward

        AC, I'm a Windows user, but you really are a complete prick (yes we all know you are the same AC time and time again).

        Can't see Server 2012 running a set top box, can you?

        1. Anonymous Coward
          Anonymous Coward

          "Can't see Server 2012 running a set top box, can you?"

          You must have missed the Xbox One launch then....same OS kernel...

          The Windows kernel already scales down to for example mobile phones (and is more efficient and less memory hungry than say Android)...

          1. Roo

            @ alleged legion of AC trollops (eg: 11:51)

            ""Can't see Server 2012 running a set top box, can you?"

            You must have missed the Xbox One launch then....same OS kernel...

            The Windows kernel already scales down to for example mobile phones (and is more efficient and less memory hungry than say Android)..."

            Awesome, so you can put your money where your mouth is.

            All you need to do is to publish the IP of the windows server you have connected directly to the Internet and then we can all test to see how secure it really is. I figure that you won't do that because you really don't believe a word you say about Windows being the OS with the least vulnerabilities.

            Nothing to hide, nothing to fear, right ? :)

            1. Anonymous Coward
              Anonymous Coward

              Re: @ alleged legion of AC trollops (eg: 11:51)

              Sure - try www.microsoft.com

              1. Lee D Silver badge

                Re: @ alleged legion of AC trollops (eg: 11:51)

                I highly doubt MS has a couple of thousand Windows Servers just sitting direct on a leased line without security hardware in between (almost certainly Cisco), so that's as daft as saying "try google.com" for a Linux test. (And, if memory serves, microsoft.com is behind an Akamai cache which also performs security functions, and they tend to use Linux, so... whatever).

                Fact is, thinking you're any better off with ANY product is really blind faith. What matters is response time and public knowledge - just because you have seen no published vulnerabilities on the Microsoft mailing list means NOTHING in terms of the actual security of the product. And when there are some, MS can takes months to get around to fixing them while they are STILL public knowledge... and that's quite dangerous.

                Nobody's immune. And "my product is better than yours" is as stupid as saying "my systems are secure - attack them..."

                1. Vic

                  Re: @ alleged legion of AC trollops (eg: 11:51)

                  > as stupid as saying "my systems are secure - attack them..."

                  Russell Coker put his root password on his website. I don't know if the machine is still up - I'm at work, and can't ssh out of the building.

                  It was pretty secure last time I logged in (as root) and tried stuff...

                  Vic.

                2. Wzrd1 Silver badge

                  Re: @ alleged legion of AC trollops (eg: 11:51)

                  "Fact is, thinking you're any better off with ANY product is really blind faith."

                  True enough. One is taking it on blind faith that the vendor will patch their hardware and not claim that there isn't enough memory, it's too slow, etc.

                  I'll not even go into the cheap, fly by night Chinese hardware vendors. Here today, gone next year after pissing off tens of thousands of customers with shitty software, vulnerability laden firmware or, in one instance, hardware infected at the factory (a USB drive that was a promotional give-away for one US state's National Guard; it had a CD image built in that contained the windrives.b worm. One soldier was married to a recruiter from that state, he gave one to her, she plugged it into one of our installation's computers and I received an antivirus alert. Suffice it to say that the CIO of the National Guard Bureau was quite upset over the unauthorized hardware vendor, unauthorized hardware giveaway and the presence of that worm after I alerted him to the issue).

                  I still have that drive around here somewhere, as the soldier did not want the infected, unauthorized device and she gave it to me to add to my collection. Great educational tool!

              2. Skrrp

                Re: IIS

                I prefer my web servers to work, thanks.

                telnet> o www.microsoft.com 80
                Trying 64.4.11.42...
                Connected to www.microsoft.com.
                Escape character is '^]'.
                OPTIONS * HTTP/1.1
                Host: microsoft.com

                HTTP/1.1 404 Not Found
                Content-Type: text/html
                Server: Microsoft-IIS/8.0
                X-Powered-By: ASP.NET
                Date: Thu, 28 Nov 2013 12:44:17 GMT
                Connection: close
                Content-Length: 1245

                <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
                <html xmlns="http://www.w3.org/1999/xhtml">
                <head>
                <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
                <title>404 - File or directory not found.</title>
                <style type="text/css">
                <!--
                body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
                fieldset{padding:0 15px 10px 15px;}
                h1{font-size:2.4em;margin:0;color:#FFF;}
                h2{font-size:1.7em;margin:0;color:#CC0000;}
                h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
                #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
                background-color:#555555;}
                #content{margin:0 0 0 2%;position:relative;}
                .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
                -->
                </style>
                </head>
                <body>
                <div id="header"><h1>Server Error</h1></div>
                <div id="content">
                <div class="content-container"><fieldset>
                <h2>404 - File or directory not found.</h2>
                <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>
                </fieldset></div>
                </div>
                </body>
                </html>
                Connection closed by foreign host.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: IIS

                  That seems to work perfectly to me...

              3. Roo

                Re: @ alleged legion of AC trollops (eg: 11:51)

                "Sure - try www.microsoft.com"

                -1 for trolling, -1 for failing to put *your money* where your mouth is. Microsoft's servers are non-applicable for this one - unless of course you are on the MS payroll. ;) It wouldn't be the first bit of astroturfing and FUDing that MS has engaged in.

                To do a fair test you need a Windows box that you value connected directly to the service provider - no filtering inbound or outbound, and while you are comparing to LAMP stacks add all that AMP bit too so you are comparing like with like.

            2. Anonymous Coward
              Anonymous Coward

              Re: @ alleged legion of AC trollops (eg: 11:51)

              "you really don't believe a word you say about Windows being the OS with the least vulnerabilities."

              I don't think anyone claimed that. BSD has a better record. The point is that Windows has a much lower vulnerability count in recent years than an Enterprise Linux distribution...That's a verifiable fact. Not just an opinion.

              1. Anonymous Coward
                Anonymous Coward

                Re: @ alleged legion of AC trollops (eg: 11:51)

                Post links to your INDEPENDENT sources (no pro Microsoft, or pro Linux /BSD) of these facts then. And that they specifically are due to vulnerabilities in Apache, Linux and BSD, and not incompetent administration. Then we can start to have a sensible conversation.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: @ alleged legion of AC trollops (eg: 11:51)

                  "Post links to your INDEPENDENT sources (no pro Microsoft, or pro Linux /BSD) of these facts then"

                  Here you go: http://www.zone-h.org/news/id/4737

                  (Even after adjusting for market share, you are several times more likely to be hacked on Linux - mostly due to kernel vulnerabilities...)

                  1. Paul Crawford Silver badge

                    Re: @ AC 14:14

                    Ah yes, a report from 2010 is conclusive evidence of Linux vs Windows today?

                    And did you actually read it?

                    "But should be the out-of-date Linux server the only reason of this huge amount of defacements?

                    Yes and no.

                    We were talking about local kernel exploits, but the first problem is in the website code. For example, we received too many single defacements due a remote upload flaw in OsCommerce CMS, that allows the defacers to upload anything to the CMS folder without a proper credential check. When this flaw became public, the developers had a too much time to fix it, but the fix appeared few months later. Pity.

                    Year after year, the developers are still coding by an unsafely, keeping tons of the remote and local file inclusion and the SQL injections, that the attackers use as the first step to gain the access into the server OS."

                    That read to me as if the web developers and tools are the biggest part in such attacks. But hey, you don't care when having a good rant?

                    1. sabroni Silver badge
                      Meh

                      Re:But hey, you don't care when having a good rant?

                      A three line post is hardly a rant, and the "it's the third party code that's shit" argument is equally true whether running on Windows or *nix.

                      1. Paul Crawford Silver badge

                        Re: @sabroni

                        That "three line post" is but a continuation of the same tedious vague claims made by (most probably) the same AC over and over again.

                        Just as tedious as those who claim Linux is invincible to every Windows hole found.

                      2. tom dial Silver badge

                        Re: Re:But hey, you don't care when having a good rant?

                        Made up statistic for today, Thursday, November 28, 2013:

                        83 % of Register posters can rant successfully in three or fewer lines.

                      3. Ilsa Loving

                        Re: Re:But hey, you don't care when having a good rant?

                        Why did this get downvoted? It's completely true. Windows used to be a security joke. But as Microsoft beefed things up, hackers have been going after 3rd party targets that are easier to hit, such as Adobe flash.

                        You need only one exploit to get from outside to local, and only one local exploit to hose the whole box. That means any OS... ANY OS.... is only 2 exploits away from being compromised.

                        Linux is getting exploited the most because it's the single most popular web stack out there. Linux is to web what Windows is to desktop. And the article itself said it.... virtually all the root-access hacks have been through things like 3rd party CMSes, and the kernel itself compromised by exactly 1 exploit.

                        So maybe we should focus less on how big everyone's OS-penis is, and more on the fact that far too many people write crap code.

                        And I will opine that it's because companies have made it FAR too easy for someone to sit down, bang a few commands on a keyboard, and suddenly think they know how to code. Until programmers are put through the same level of rigor as, say, engineers, this problem will never get better.

                    2. Eddy Ito

                      Re: @ AC 14:14

                      Oh, here I thought the take-away from the article was that the most secure OSs were Novell Netware and AS/400 but it seems TheVogon is right in that IIS 8 and 8.5 were invulnerable a few years before they were released. Seriously it really would be nice for sites like this to have unrestricted information and access to all the data on a single page so you could get useful metrics, perhaps one that indicated the area of the target surface and not just the number of hits on the target. Also if "Heh…just for fun!" and "I just want to be the best defacer" make up 79% of the reasons for defacing a site, it means there are a lot of bored skiddies out there.

                      1. Anonymous Coward
                        Anonymous Coward

                        Re: @ AC 14:14

                        Oh, here I thought the take-away from the article was that the most secure OSs were Novell Netware and AS/400

                        No if you want secure you should buy MVS :-)

                        http://www.cvedetails.com/product/4720/

                    3. TheVogon

                      Re: @ AC 14:14

                      "Ah yes, a report from 2010 is conclusive evidence of Linux vs Windows today?"

                      The gap is even wider now - Linux vulnerabilities have stayed pretty constant whereas Windows vulnerabilities have steadily declined in number....

                  2. Anonymous Coward
                    Anonymous Coward

                    Re: @ alleged legion of AC trollops (eg: 11:51)

                    "Here you go: http://www.zone-h.org/news/id/4737"

                    Yes, seen that zone-h article thank you, embarrassing isn't it.

                    Embarrassing for you, that is, if you really have nothing more relevant to quote than reported website defacement statistics, and nothing more recent to quote than defacement data from 2010 in an article from 2011, and no better logic than you have just displayed.

                    What kind of halfwit logic leads from lots of defaced websites, many sharing the same underlying problem, to "Linux is generically less secure than Windows"?

                    Still, at least the article refers to CVE, which is more than you and your fellow travellers have managed so far.

                    Readers who follow the referenced CVE link [1] will see that the problem isn't even a generic Linux problem, it's one only exposed in the context of an x86-32 application running on certain versions of the x86-64 Linux kernel (which admittedly may have been a quite common situation).

                    It's also 'only' a possible elevation of privilege exploit rather than the (common with Patch Tuesday) generic unauthenticated remote code execution exploit.

                    It's also one which had long ago been patched (in 2007) but somehow managed to re-emerge in 2010 (more detail in the CVE article and its references, not reproduced here), and because it was a set of circumstances in widespread use, there were lots of vulnerable websites and they were widely defaced and widely reported.

                    So, what logic leads from lots of defaced websites, many sharing the same underlying problem, to "Linux is generically less secure than Windows"?

                    Anyone got anything better to offer? And remember, facts good, logic good, hearsay bad.

                    [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3301

                    2007 description: "The IA32 system call emulation functionality in Linux kernel 2.4.x and 2.6.x before 2.6.22.7, when running on the x86_64 architecture, does not zero extend the eax register after the 32bit entry path to ptrace is used, which might allow local users to gain privileges by triggering an out-of-bounds access to the system call table using the %RAX register"

                2. sisk

                  Re: @ alleged legion of AC trollops (eg: 11:51)

                  And that they specifically are due to vulnerabilities in Apache, Linux and BSD, and not incompetent administration

                  In my experience most successful attacks are due to bad administration, regardless of the platform. Any platform can be locked down pretty securely these days.

                  The one in the article is a pretty good example: it attacks PHP apps that can't grok the query strings properly. Personally I regard that sort of vulnerability in this day and age as an incompetent or lazy web developer. Honestly it's stupid easy to escape special characters in query strings in pretty much any language that would be dealing with them.

                  My servers have come under SQL injection attacks several times a day for several years now and never been compromised. Why? Because I teach my apps how to cleanse their input so the attacks are stripped out of the input before it goes into a query. I consider this to be as basic as using whitespace in your code.
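                  As an added illustration of the query-string point above (example code written for this page, not the commenter's own), here is the string-built query a PHP app should not run beside the same lookup done with a PDO prepared statement, which passes the value separately from the SQL instead of relying on escaping or stripping input. It assumes the pdo_sqlite extension so it can run offline against an in-memory database constructed inline.

```php
<?php
// Added example (not from the comment thread): a query built by string
// concatenation beside the same lookup done with a PDO prepared statement.
// Uses an in-memory SQLite database constructed here so it runs offline
// (assumes the pdo_sqlite extension is loaded).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'user'), ('bob', 'admin')");

// Vulnerable: the query-string value ($_GET['name'] in a real app) is pasted
// straight into the SQL, so a quote character in it changes the query's meaning.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement sends the value separately from the SQL,
// so whatever the input contains it is only ever compared as data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input: a normal name and one carrying a quote and an
// OR clause, the shape of thing the comment describes seeing in query strings.
$inputs = ['alice', "' OR '1'='1"];

foreach ($inputs as $in) {
    printf(
        "input %-14s unsafe rows: %d  safe rows: %d\n",
        json_encode($in),
        count(findUserUnsafe($db, $in)),  // 1 for alice, 2 for the crafted input
        count(findUserSafe($db, $in))     // 1 for alice, 0 for the crafted input
    );
}
```

The unsafe variant returns every row for the crafted input because the quote closes the literal and the OR clause is evaluated as SQL; the prepared statement returns none because the whole string is compared as a name.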

          2. Charles Manning

            Sorry AC, Windows CE ain't Windows

            "The Windows kernel already scales down to for example mobile phones (and is more efficient and less memory hungry than say Android)..."

            Having spent years working deep in the Windows CE OS and in Linux (writing drivers etc for both), I can assure you that Windows CE might be able to run with less memory, but is incredibly inefficient in CPU usage.

            Windows CE is also very stunted. It is not scaled down Windows but an entirely different kernel that lacks most of the Windows services and has a completely pathetic security model.

            1. Anonymous Coward
              Anonymous Coward

              Re: Sorry AC, Windows CE ain't Windows

              "Having spent years working deep in the Windows CE OS and in Linux <Crap snipped>"

              My condolences, but who said anything about Windows CE. The conversation is about the current Windows kernel used in Xbox One, Windows Phone, Windows 8.1, Server 2012 R2, etc....

        2. Anonymous Coward
          Anonymous Coward

          re: (yes we all know you are the same AC time and time again).

          No, I'm not. There's loads of me on here!

        3. Anonymous Coward
          Anonymous Coward

          Never seen Windows Embedded, have you?

          There's also Windows Embedded, and that tells a lot about the knowledge of Windows of many MS haters - they still think Windows is 95 and NT 3.5. And when they see Linux is vulnerable as well, they go paranoid...

      2. Anonymous Coward
        Anonymous Coward

        Yes, because IIS exploits are of course largely theoretical...

        1. TheVogon

          "Yes, because IIS exploits are of course largely theoretical..."

          IIS has a very good security record - one of the more secure platforms....current versions (IIS 8 / 8.5) have zero known vulnerabilities I believe....and before that you have to go back years to find anything that affected a default installation of an IIS webserver...

          As per website defacement statistics - you are several times more likely to be hacked running say Linux....

          1. Chemist

            AC/TheVogon/RICHTO - what's the difference ?

            1. TheVogon

              Richto was my previous name on here - changed because of confusion it was some sort of boast about wealth - not a new account

              1. Chemist

                "Richto was my previous name on here - changed because of confusion it was some sort of boast about wealth - not a new account"

                Most regulars know that - apart from anything else your tedious style, idiotic references that often actually disprove the point you are trying to make and general pro-Windows, anti Linux rants are rather obvious even when posting as AC

                1. TheVogon

                  Then why bother posting it? Just makes you look like a pedantic twat....

                  1. Anonymous Coward
                    Anonymous Coward

                    "Then why bother posting it?...."

                    It's about time all the single issue loons who besmirch the Reg forums were given the Eadon treatment. The Vogon could be next in the queue.

                    1. Ken Hagan Gold badge

                      First they came for Eadon and I said nothing because, well, he was Eadon.

                      Then they came for the single issue loons and I said nothing because I have *several* hobby horses.

                      Then they came for folks who take the piss out of Godwin's Law and I was well stuffed, I can tell you.

                  2. Chemist

                    @TheVogon

                    "Then why bother posting it?"

                    You don't really know what pedantic means - do you ?

                    1. TheVogon

                      Re: @TheVogon

                      Yes I do, pedant.

              2. Destroy All Monsters Silver badge
                Trollface

                Richto was my previous name on here - changed because of confusion it was some sort of boast about wealth - not a new account

                EPIC RETCONNING!

          2. Anonymous Coward
            Anonymous Coward

            As per website defacement statistics - you are several times more likely to be hacked running say Linux....

            Only if you're a Windows Administrator who doesn't know how to configure a *NIX type OS.

            1. sabroni Silver badge
              Facepalm

              Only if you're a Windows Administrator who doesn't know how to configure a *NIX type OS.

              Ah, it makes sense now. It's the Windows Administrators that are responsible for all the Linux defacements....

              1. Anonymous Coward
                Anonymous Coward

                Re: Only if you're a Windows Administrator who doesn't know how to configure a *NIX type OS.

                @sabroni

                Ah, it makes sense now. It's the Windows Administrators that are responsible for all the Linux defacements....

                Are you sure about that?

                Only I know several Windows administrators who are quite capable of correctly configuring a *NIX type OS, I even know some who have qualifications in configuring both Linux and Windows systems.

            2. Anonymous Coward
              Anonymous Coward

              "Only if you're a Windows Administrator who doesn't know how to configure a *NIX type OS"

              So you are agreeing that a current Windows version is much more secure by default, and special effort and skills are required to secure a *NIX type OS?

          3. Anonymous Coward
            Anonymous Coward

            Not hard to explain..

            "As per website defacement statistics - you are several times more likely to be hacked running say Linux...."

            A quick glance at any actual statistics tells you exactly why that is - there are 4 times more Internet-facing websites running HTTP servers on open source platforms than there are running IIS on Windows. Malware writers target popular platforms; on the desktop that is Windows, in the web server market that means LAMP, and increasingly, LEMP (and lest we forget the goal of those server compromises, the aim is to target Windows boxes with appropriate malware payloads). Sorry to disappoint, but it's not a reflection on the security of Windows or Linux, only a reflection of their popularity in a market.

            1. Anonymous Coward
              Anonymous Coward

              Re: Not hard to explain..

              "A quick glance at any actual statistics tells you exactly why that is - there are 4 times more Internet-facing websites running HTTP servers on open source platforms"

              I guess you missed the part that said:

              (Even after adjusting for market share, you are several times more likely to be hacked on Linux - mostly due to kernel vulnerabilities...)

              And actually for LAMP to IIS it's under 2:1 - as per the latest Netcraft survey, IIS is on 24.1% and Apache is on 44.33%...

              1. Anonymous Coward
                Stop

                Re: Not hard to explain..

                "I guess you missed the part that said: (Even after adjusting for market share, you are several times more likely to be hacked on Linux - mostly due to kernel vulnerabilities...)"

                I guess you missed it too because there's no reference to market share to be found in the article you cite. The only mention of it is by you in your post, which makes it an opinion, not a source. The other problem is that you cited an article where Zone H break down the defacement stats THEY have by OS.

                Three million-odd Linux defacements recorded on Zone-H since 2000? - no doubt there are many millions more compromises of other types every year as not every attacker is an immature script kiddy out to boast. Still, even if you were to (incorrectly) assume a similar rate for EVERY year Linux has ever existed, the Bredolab Windows botnet alone makes that figure pale into insignificance. 30 million compromised machines, in one botnet, in one year.

                http://en.wikipedia.org/wiki/Botnet#Historical_list_of_botnets

                Whether part of a Botnet or not 58 million PCs were infected in the US alone last year, and you can be certain the number of PCs involved that were not running Windows was a very small number indeed. That's why market share matters:

                http://www.darkreading.com/privacy/consumer-reports-58-million-us-pcs-infec/240154081

                I don't like being rude, but you're cherry-picking figures out of context and ignoring the huge volume of other types of compromise. You are, to put things bluntly, talking rubbish.

                Computers are usually compromised because of decisions made (or not made) by humans, whether that's the decision to set a good password or to not bother patching OSes and updating AV signatures, or not following good coding practice in the kernel or on the web server. When that is the default situation, how secure an OS is becomes almost irrelevant in the face of failure to apply common sense to security.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Not hard to explain..

                  "there's no reference to market share to be found in the article you cite. The only mention of it is by you in your post, which makes it an opinion, not a source."

                  Perhaps you could just Bing it? I then named the source - as you are clearly a bit of an idiot, here is a URL: http://news.netcraft.com/

                  "Bredolab Windows botnet alone makes that figure pale into insignificance. 30 million compromised machines"

                  Those are client PCs infected by user interaction - not servers infected by remote exploits which we are discussing here - completely different scenario...

                  "but you're cherry-picking figures out of context and ignoring the huge volume of other types of compromise"

                  You are the one taking things out of context and are spouting irrelevant rubbish. We are discussing worms / remote exploits here - not user interaction based exploits. However if you want to consider how Linux would cope in that scenario if it ever made it over 1% market share on the desktop, just look at the Malware infected mess that is Android...

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Not hard to explain..

                    "Perhaps you could just Bing it? I then named the source - as you are clearly a bit of an idiot, here is a URL: http://news.netcraft.com/"

                    Searching news.netcraft.com for 'market share' in any context results in 235 hits. None of them appear to refer to market share in the context of vulnerabilities in the Linux kernel. So again, cite your source. Also thanks for the insult, always a good indicator when a certain variety of person knows their argument has had the legs knocked out from under it.

                    "Those are client PCs infected by user interaction - not servers infected by remote exploits which we are discussing here - completely different scenario..."

                    There are 42000-odd cases for 2010 in the report you cite which used unpatched vulnerabilities as their vector - there is no indication how that breaks down by OS. By comparison the five places above that and amounting to almost 1m defacements are all directly related to human error, just as clicking on an infected attachment or visiting compromised sites, resulting in Botnet client infection is an example of human error. Enough with the nonsense - either cite the actual source you're using or admit it doesn't exist.

                    "We are discussing worms / remote exploits here - not user interaction based exploits."

                    Then stop using user-based issues in your claims, because the majority in the article you did cite are the result of actions by a human.

                    "However if you want to consider how Linux would cope in that scenario if it ever made it over 1% market share on the desktop, just look at the Malware infected mess that is Android..."

                    Android is not a Linux distribution, stop changing the subject again.

      3. sisk

        Or Windows Server for anything Internet facing. Both have far lower vulnerability counts than a LAMP stack....

        First, that's only true if you count the vulnerabilities for every package in a given distro's repository, which is the equivalent of counting every single vulnerability in every single application available for Windows. No system runs every package in its distro's repository. In fact even attempting to do so would be an exercise in frustration. Try having two wireless management systems that compete for the same resources, for example.

        Second, even if it were true of just the core files needed to get a Linux system off the ground a vulnerability count is a meaningless number when taken on its own. More important factors are severity, access, and time to patch. Go learn a little about security before you try to comment on it.
