Researchers at the Center for Internet Security's Security Operations Center (CIS SOC) warn of a measurable uptick in events related to the Linux.Darlloz worm, which targets versions of PHP configured to run as a CGI script.
Those PHP versions are vulnerable to unexpected input in the query string, and the worm targets several CPU architectures, including x86, ARM, MIPS, and PPC.
“The increased exploitation of this vulnerability is likely associated with the release of exploit code by a researcher. After this code was published, the CIS SOC identified an increase in activity attempting to exploit the vulnerability,” wrote Jacob Berry, an Operations Center Analyst with CIS.
“This worm has been identified to be spreading via integrated network devices (e.g. home routers, small business networking equipment) and web servers running outdated versions of PHP,” Berry said.
The worm was discovered by researchers in late November. It exploits the “php-cgi” vulnerability disclosed as CVE-2012-1823 and is capable of infecting a broad range of devices designed to be connected to the internet.
“The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the proof of concept (POC) code released in late October 2013,” the researchers wrote.
“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known IDs and passwords, and also sends HTTP POST requests which exploit the vulnerability,” the researchers explained.
“If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.”
CIS has provided several recommendations to mitigate the spread of the worm, including steps to verify devices running a web interface or web server.
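One practical way to follow the verification advice above is to look at existing web server logs for requests that would have reached the vulnerable php-cgi code path. The script below is an added example written for this article; it is not CIS's tooling or part of the worm analysis. It relies on the publicly documented trigger condition for CVE-2012-1823 (a query string containing no literal `=` was handed to php-cgi as command-line options), the log lines are constructed for the demonstration, and the file paths, IP addresses and function names are illustrative assumptions.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format. Only the request line
# (method, target, status) is needed for this check.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def query_looks_like_cgi_args(query: str) -> bool:
    """Return True if a raw query string would have been passed to php-cgi
    as command-line options on an unpatched server (CVE-2012-1823).

    The vulnerable code path only triggers when the raw query string has
    no literal '=' (a percent-encoded %3D does not count), in which case
    the '+'-separated tokens become argv. Any decoded token that begins
    with '-' is therefore an option, not a normal parameter.
    """
    if query == "" or "=" in query:
        return False
    return any(unquote(token).startswith("-") for token in query.split("+"))


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does
    not match the combined format (e.g. truncated or garbage lines)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def find_suspicious(lines):
    """Return the parsed records whose query string matches the php-cgi
    argument-injection trigger condition, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and query_looks_like_cgi_args(rec["query"]):
            hits.append(rec)
    return hits


# Constructed sample log lines (documentation-range IPs, invented paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2013:10:01:12 +0000] "GET /index.php?-s HTTP/1.1" 200 1543 "-" "-"',
    '203.0.113.5 - - [25/Nov/2013:10:01:13 +0000] "POST /cgi-bin/php?%2Dd+foo%3Dbar HTTP/1.1" 200 88 "-" "-"',
    '198.51.100.9 - - [25/Nov/2013:10:02:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2013:10:02:05 +0000] "GET /search.php?q=foo-bar HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2013:10:02:07 +0000] "GET /index.php?-s=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [25/Nov/2013:10:03:40 +0000] "GET /index.php?%2ds HTTP/1.0" 404 210 "-" "-"',
    'not a log line at all',
]


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]}?{rec["query"]} -> {rec["status"]}')
```

A hit on a request that returned 200 deserves a closer look at that host, since a patched php-cgi would not have interpreted the query as options; a 404 still shows the host was probed. The check deliberately follows the exact trigger condition rather than flagging every hyphen, so ordinary parameters such as `q=foo-bar` or `-s=1` are not reported.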