Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Linux Worm Targets “Internet of things”

Malware hunters have stumbled upon a new Linux worm squirming through an old PHP vulnerability to infect hidden, Internet-enabled devices.

Linux Malware

Malware hunters have stumbled upon a new Linux worm squirming through an old PHP vulnerability to infect hidden, Internet-enabled devices.

Linux Malware

The worm, named Linux.Darlloz by Symantec, is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers.  The company said variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras.

The worm spreads by exploiting a previously known vulnerability in PHP which was patched in May 2012.  Symantec researcher Kaoru Hayashi said the creator of the worm used proof-of-concept code that was released in late Oct 2013.

Technical details:

“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.”

Hayashi said the attacker is hosting some variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.

“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet,” Hayashi said.

To make matters worse, Hayashi said many users of hidden operating systems may not be aware that they are using vulnerable devices in their homes or offices. “Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software,” he added.

To mitigate this threat, Symantec recommends that users:

  • Verify all devices connected to the network
  • Update their software to the latest version
  • Update their security software when it is made available on their devices
  • Make device passwords stronger
  • Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:

-/cgi-bin/php

-/cgi-bin/php5

-/cgi-bin/php-cgi

-/cgi-bin/php.cgi

-/cgi-bin/php4

Related Resource: Designing Security for Newly Networked Devices

Related Resource: Building Firewalls for Embedded Systems

Related Resource: Best Practices for Testing Secure Applications for Embedded Devices

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.