Connect with us

Hi, what are you looking for?


Email Security

Linux Worm Turns Focus to Digital Dollars

A Linux worm first spotted in November has joined the growing ranks of malware mining for crypto-currency.

The worm is called Darlloz. Late last year, Symantec reported that the worm was spreading via a known vulnerability in PHP that was patched in 2012.

A Linux worm first spotted in November has joined the growing ranks of malware mining for crypto-currency.

The worm is called Darlloz. Late last year, Symantec reported that the worm was spreading via a known vulnerability in PHP that was patched in 2012.

“The worm targets computers running Intel x86 architectures,” blogged Symantec researcher Kaoru Hayashi. “Not only that, but the worm also focuses on devices running the ARM, MIPS and PowerPC architectures, which are usually found on routers and set-top boxes. Since the initial discovery of Linux.Darlloz, we have found a new variant of the worm in mid-January. According to our analysis, the author of the worm continuously updates the code and adds new features, particularly focusing on making money with the worm.”

The most recent update includes functionality that installs ‘cpuminer’ and begins mining for Mincoins or Dogecoins, which are similar to bitcoins. The main reason for this is Mincoin and Dogecoin use the scrypt algorithm, which can still successfully mine on home PCs, whereas bitcoin requires custom ASIC chips to be profitable, the researcher explained.

“By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing),” Hayashi blogged. “These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization.”

While the initial version of Darlloz has nine combinations of usernames and passwords for routers and set-top boxes, the latest version comes armed with 13 of these login credential combinations – including ones that work for IP cameras. Once a device is infected, the malware starts a HTTP Web server on port 58455 in order to spread. The server hosts worm files and lets anyone download files through this port by using a HTTP GET request, the researcher explained.

“The Internet of Things is all about connected devices of all types,” Hayashi blogged. “While many users may ensure that their computers are secure from attack, users may not realize that their IoT (Internet of Things) devices need to be protected too. Unlike regular computers, a lot of IoT devices ship with a default user name and password and many users may not have changed these. As a result, the use of default user names and passwords is one of the top attack vectors against IoT devices. Many of these devices also contain unpatched vulnerabilities users are unaware of. While this particular threat focuses on computers, routers, set-top boxes and IP cameras, the worm could be updated to target other IoT devices in the future, such as home automation devices and wearable technology.”

The worm also includes functionality to block other malware to keep other attackers from controlling an infected device. So far, Symantec has identified more than 31,000 unique IP addresses as being infected. Thirty-eight percent appear to be IoT devices such as routers, IP cameras and printers. Five regions of the world that account for half of the Darlloz infections are China, South Korea, Taiwan, India and the United States.

Advertisement. Scroll to continue reading.

“Consumers may not realize that their IoT devices could be infected with malware,” blogged Hayashi. “As a result, this worm managed to compromise 31,000 computers and IoT devices in four months and it is still spreading. We expect that the malware author will continue to update this worm with new features as the technology landscape changes over time. Symantec will continue to keep an eye on this threat.”

Related: Linux Worm Targets “Internet of things”

Related: New Banking Trojan Targets Linux Users

Related: Exploring the Misconceptions of Linux Security – Focus

Related: Researchers Uncover Attack Campaign Leveraging 25,000 Unix Servers

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.