Linux worm targeting Internet of Things

Malware

by Ben Sullivan | 02 December 2013

Security cameras, set-top boxes and home routers all vulnerable.

A new Linux worm has been discovered that appears to be engineered to target the Internet of Things.

Symantec, which first discovered the worm, says it is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers.

On a blog post on its website, Symantec said: "The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild.

"The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013.

"Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras. Although no attacks against these devices have been found in the wild, many users may not realise they are at risk, since they are unaware they own devices that run Linux.

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."
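The propagation step Symantec describes above, an HTTP request whose query string abuses CVE-2012-1823, leaves a recognisable trace in web server logs, which is where a defender can look for it. The following is an added example, not code from the article or from Symantec, showing a small log scanner for that pattern. It assumes Apache "combined" log format; the log lines, client addresses and request paths are constructed for illustration (RFC 5737 documentation addresses) and are not the paths the worm actually probes, which the article does not list.

```python
"""Flag CVE-2012-1823 (php-cgi option injection) attempts in an access log.

Added example; not part of the article or of Symantec's analysis.
The log lines below are constructed, and the request paths are placeholders.
"""
import re
from urllib.parse import unquote

# Apache combined log format, e.g.
# 203.0.113.5 - - [02/Dec/2013:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532 "-" "UA"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Under the CGI spec a server that sees a query string with no literal '='
# splits it on '+' and hands the pieces to the CGI program as argv.  php-cgi
# before the May 2012 fix accepted its own command-line options that way, so
# an exploit attempt shows up as a first token beginning with '-' (often
# percent-encoded as %2d) and any '=' in it percent-encoded as %3d.
PHP_CGI_OPTION = re.compile(r"^-[A-Za-z]")

# Constructed sample log: three benign requests and three injection attempts.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Dec/2013:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Dec/2013:10:00:02 +0000] "GET /cgi-bin/php?%2d%73 HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [02/Dec/2013:10:00:03 +0000] "POST /cgi-bin/php5?-d+display_errors%3dOn HTTP/1.1" 404 221 "-" "-"
192.0.2.9 - - [02/Dec/2013:10:00:04 +0000] "GET /search.php?q=-dash+term HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Dec/2013:10:00:05 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 4096 "-" "-"
198.51.100.7 - - [02/Dec/2013:10:00:06 +0000] "GET /cgi-bin/php HTTP/1.1" 200 12 "-" "-"
"""


def is_php_cgi_injection(target: str) -> bool:
    """True if the request target looks like php-cgi option injection."""
    _path, sep, query = target.partition("?")
    if not sep or not query:
        return False
    # A literal '=' anywhere means the server treats the query as key=value
    # data, not argv, so such requests are not candidates.
    if "=" in query:
        return False
    first_token = unquote(query.split("+", 1)[0])
    return bool(PHP_CGI_OPTION.match(first_token))


def scan_log(text: str) -> list:
    """Return one dict per log line that carries a php-cgi injection attempt."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        if is_php_cgi_injection(m.group("target")):
            hits.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "method": m.group("method"),
                "target": m.group("target"),
                "status": m.group("status"),
            })
    return hits


def hits_by_client(hits: list) -> dict:
    """Count attempts per source address; worm scanners show up as repeat offenders."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("attempts per client:", hits_by_client(found))
```

Only requests with a literal `=` are excluded, which is why `/search.php?q=-dash+term` is left alone while `%2d%73` (decoding to `-s`) is caught; a `200` status on a flagged line is the case worth investigating first, since the page notes the target must be unpatched for the worm to succeed. Patching PHP (fixed in May 2012, as the article says) is the remedy; the PHP project's interim advice at the time was a `mod_rewrite` rule that discards query strings beginning with `-` or `%2d` and containing no `=`, the same predicate this scanner tests.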

A majority of Internet of Things devices run the open source operating system Linux, which is not restricted to Intel-based computers: it runs on the different CPUs found in home routers, set-top boxes, security cameras and industrial control systems. Some of these devices provide a Web-based user interface for configuration or monitoring, typically served by software such as an Apache Web server with PHP.

Symantec said that it has also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.

"These architectures are mostly used in the kinds of devices described above. The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet."
