Darlloz.A
AppRisk Coverage: Yes
Type: Worm
OWASP: M4: Unintended Data Leakage
Aliases:
- Linux.Darlloz
Platform: Linux (x86, ARM, MIPS and PowerPC builds)
File size (bytes): N/A
Filename: N/A
App title: N/A
MD5 Hash: N/A
SHA1 hash: N/A
Affected CVE:
- CVE-2012-1823
- CVE-2012-2311
- CVE-2012-2335
- CVE-2012-2336
Details or analysis:
Darlloz is a worm that spreads by exploiting the php-cgi argument-injection vulnerability CVE-2012-1823 together with the follow-up issues CVE-2012-2311, CVE-2012-2335 and CVE-2012-2336. Once a target has been compromised, the worm downloads a copy of itself from the external site gpharma.co and runs it, then scans for further hosts.
CVE-2012-1823 is a vulnerability in sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2. When PHP runs as a CGI binary (php-cgi), the web server hands a query string that contains no = character to the binary as command-line arguments (the RFC 3875 "search-string" form: split on + and URL-decoded), and php-cgi did not reject those options. A remote attacker can therefore place php-cgi switches in the query string, for example -s to disclose source code, or -d to set php.ini directives such as allow_url_include=1 and auto_prepend_file=php://input, which makes the body of a POST request execute as PHP. CVE-2012-2311 (the -d case, reached with a %3D sequence in place of =) and CVE-2012-2336 (the -T case) track the incomplete fix shipped in 5.3.12 and 5.4.2; CVE-2012-2335 covers the same bypass when php-cgi is invoked through a php-wrapper.fcgi script under certain Apache configurations. The bug was fixed properly in PHP 5.3.13 and 5.4.3, and the php.net release announcement also published a mod_rewrite rule that drops any query string beginning with - or %2d that contains no = for servers that could not upgrade immediately.
The PHP bug itself is platform-independent, so any server exposing a vulnerable php-cgi, including Mac OS X servers, is exploitable; the worm's own binaries are Linux executables compiled for x86, ARM, MIPS and PowerPC, which is how it reached routers, set-top boxes and other embedded devices. On an infected host the worm creates the directory /var/run/.zollard/ and copies its files there; this hidden dot-directory is a useful host-based indicator.
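The following detector is an added example written for this entry; it is not code from the original page or from any published Darlloz analysis. It applies the mechanism described above to Apache combined-format access logs: a request whose query string contains no literal = is the "search-string" form that mod_cgi turns into argv, so any decoded token starting with - is a php-cgi switch injected by the client. The log lines, IP addresses, timestamps and paths are constructed for the example and are not indicators from real samples. The php-cgi path list is only used to rank hits, because any handler that runs php-cgi is affected.

```python
"""Detect CVE-2012-1823-style php-cgi argument injection in Apache access logs.

Added example for this entry (not from the original page or any vendor analysis).
"""
import re
from urllib.parse import unquote

# Apache combined log format up to the response size; referer and UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths under which php-cgi was commonly exposed (/cgi-bin/php, php4, php5,
# php-cgi, php.cgi). Used only to rank hits; other paths are still reported.
PHP_CGI_PATH_RE = re.compile(r"/php(?:[45]|-cgi|\.cgi)?$")

# Constructed sample log (hosts, times and paths are made up for illustration).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Nov/2013:10:12:01 +0000] "POST /cgi-bin/php?-d+allow_url_include%3D1+-d+safe_mode%3Doff+-d+auto_prepend_file%3Dphp://input+-n HTTP/1.1" 200 512 "-" "-"
198.51.100.9 - - [27/Nov/2013:10:12:05 +0000] "GET /cgi-bin/php5?-s HTTP/1.1" 200 2048 "-" "-"
192.0.2.4 - - [27/Nov/2013:10:13:44 +0000] "GET /index.php?page=home&id=-1 HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
192.0.2.5 - - [27/Nov/2013:10:14:02 +0000] "GET /cgi-bin/php-cgi?-d HTTP/1.0" 200 900 "-" "-"
192.0.2.6 - - [27/Nov/2013:10:15:10 +0000] "GET /search.php?q=hello+world HTTP/1.1" 200 700 "-" "Mozilla/5.0"
192.0.2.7 - - [27/Nov/2013:10:16:31 +0000] "GET /cgi-bin/php?hello+world HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""


def cgi_argv(raw_query):
    """Return the argv mod_cgi derives from a raw query string.

    RFC 3875 4.4: only a query string with no unencoded '=' is passed as
    command-line arguments; it is split on '+' and each piece URL-decoded.
    The split happens before decoding, so '%3D' inside a token survives as
    '=' in the argument (the CVE-2012-2311 bypass) without disabling the
    argv behaviour. An empty list means "not passed as arguments".
    """
    if not raw_query or "=" in raw_query:
        return []
    return [unquote(tok) for tok in raw_query.split("+")]


def ini_overrides(argv):
    """Pair each -d switch with its php.ini directive for triage.

    php_getopt accepts both '-d key=value' and '-dkey=value'.
    """
    out = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):
            kv, i = argv[i + 1], i + 2
        elif arg.startswith("-d") and len(arg) > 2:
            kv, i = arg[2:], i + 1
        else:
            i += 1
            continue
        key, _, value = kv.partition("=")
        out[key] = value
    return out


def scan_log(text):
    """Return one dict per request whose query string injects php-cgi switches."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, raw_query = m.group("target").partition("?")
        argv = cgi_argv(raw_query)
        options = [a for a in argv if a.startswith("-")]
        if not options:
            continue  # ordinary key=value query or a harmless search-string
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "php_cgi_path": bool(PHP_CGI_PATH_RE.search(path)),
            "argv": argv,
            "options": options,
            "ini": ini_overrides(argv),
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} '
              f'options={h["options"]} ini={h["ini"]}')
```

The `ini` field is what a responder wants first: `auto_prepend_file=php://input` on a POST means the request body was executed as PHP and should be pulled from full packet capture or the worm's follow-on download looked for in outbound proxy logs; a lone `-s` is source disclosure rather than code execution. A query such as `?hello+world` also reaches php-cgi as argv but carries no switch, so it is deliberately not flagged.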
Reference:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2335
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2336
- https://access.redhat.com/solutions/1477453
- http://securityaffairs.co/wordpress/20084/malware/internet-of-things-worm.html