Re: [LUG] PHP Worm traffic?

 



I think this worm has scope to become a major issue still


What's the payload? 

Symantec reports it opens a backdoor to the system (not that a new one was needed), and the system joins in the hunts for other vulnerable systems.

I would say it appears to be a fairly modest payload, but the Symantec article suggests the authors have put a lot of work in to compromise all systems vulnerable to this attack, suggesting to me there is a purpose other than idle curiosity.

On the other hand, it isn't aggressive; an aggressive tool of this type could have owned all vulnerable servers within minutes, which suggests it isn't, say, a state actor with clear intent.

 
Thank you. Some of the most effective viruses, computer or biological, are subtle in their damage.

To some extent, the payload is secondary to the method of propagation. Even if the purpose of this worm is primarily to replicate, it will be days or even hours before someone else has another exploiting the same vectors, and perhaps with a different agenda.

You can't trust malware authors to play by the rules...

S

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq