Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Linux Worm Targets “Internet of things”

Malware hunters have stumbled upon a new Linux worm squirming through an old PHP vulnerability to infect hidden, Internet-enabled devices.

Linux Malware

Malware hunters have stumbled upon a new Linux worm squirming through an old PHP vulnerability to infect hidden, Internet-enabled devices.

Linux Malware

The worm, named Linux.Darlloz by Symantec, is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers.  The company said variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.

The worm spreads by exploiting a previously known vulnerability in PHP which was patched in May 2012.  Symantec researcher Kaoru Hayashi said the creator of the worm used proof-of-concept code that was released in late Oct 2013.

Technical details:

“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.”

Hayashi said the attacker is hosting some variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.

“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet,” Hayashi said.

To make matters worse, Hayashi said many users of hidden operating systems may not be aware that they are using vulnerable devices in their homes or offices. “Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software,” he added.

Advertisement. Scroll to continue reading.

To mitigate this threat, Symantec recommends that users:

  • Verify all devices connected to the network
  • Update their software to the latest version
  • Update their security software when it is made available on their devices
  • Make device passwords stronger
  • Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:

-/cgi-bin/php

-/cgi-bin/php5

-/cgi-bin/php-cgi

-/cgi-bin/php.cgi

-/cgi-bin/php4

Related Resource: Designing Security for Newly Networked Devices

Related Resource: Building Firewalls for Embedded Systems

Related Resource: Best Practices for Testing Secure Applications for Embedded Devices

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights