
Linux.Darlloz Worm Targets Embedded Linux Devices

November 29th, 2013

Symantec has recently discovered a new Linux worm, called Linux.Darlloz, that targets Internet-enabled devices running Linux in addition to traditional computers. That means devices such as home routers, set-top boxes and security cameras could be at risk of infection, although no attacks against non-PC devices have been confirmed yet.

The worm exploits an “old” PHP vulnerability, which was patched in May 2012 (PHP 5.4.3 and PHP 5.3.13), and currently only affects Intel (x86) based systems. So you’d need an embedded system powered by an Intel processor, running Linux and PHP, to be at risk. Having said that, Symantec also explains that code for other architectures such as ARM, PPC, and MIPS is also present in the worm, so those systems could potentially be at risk too with small modifications.

ARM ELF Binary Code found in Linux Worm

Here’s how the worm operates:

Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.

So it seems the most obvious way to protect the system is to change the default password to a strong one. Unfortunately most people don’t seem to do that. I stayed in about 15 places during a recent trip, and most Wi-Fi routers could still be accessed with the usual “admin / admin”.

Contrary to computers, which nowadays automatically install security patches regularly, embedded devices seldom get firmware updates, and security is sometimes an afterthought. So besides making device passwords stronger, the company also recommends the following measures:

  1. Verify all devices connected to the network
  2. Update the software to the latest version
  3. Update the security software when it is made available on their devices
  4. Block incoming HTTP POST requests to /cgi-bin/php* paths
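Recommendation 4 is also easy to check for after the fact: the same request shape the worm uses (an HTTP POST to a /cgi-bin/php* path) is visible in ordinary web-server access logs. The script below is an added example, not code from the post or from Symantec; it assumes the Apache/nginx “combined” log format and runs over a handful of constructed sample lines (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real hosts). The path is percent-decoded and normalized before matching so that encoded or padded spellings of the same path are not missed.

```python
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx "combined" access-log prefix: client, ident, user, timestamp,
# request line, status, size. The referrer and user-agent that follow are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefix named in Symantec's recommendation: /cgi-bin/php* (php, php5, php-cgi, ...).
BLOCKED_PREFIX = "/cgi-bin/php"


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(target: str) -> str:
    """Strip the query string, percent-decode, and collapse ./ and ../ segments
    so that encoded or padded variants of the same path compare alike."""
    path = target.split("?", 1)[0]
    path = unquote(path)
    return posixpath.normpath(path)


def is_php_cgi_post(entry: Dict[str, str]) -> bool:
    """True when the entry is a POST whose normalized path begins with /cgi-bin/php."""
    if entry["method"] != "POST":
        return False
    return normalize_path(entry["target"]).startswith(BLOCKED_PREFIX)


def find_php_cgi_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Scan access-log lines and return the entries matching the request shape above."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None and is_php_cgi_post(entry):
            hits.append(entry)
    return hits


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Nov/2013:10:15:32 +0000] "POST /cgi-bin/php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [29/Nov/2013:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Nov/2013:10:16:01 +0000] "POST /cgi-bin/php5 HTTP/1.0" 404 0 "-" "-"',
    '203.0.113.9 - - [29/Nov/2013:10:16:10 +0000] "POST /cgi-bin%2Fphp-cgi HTTP/1.1" 200 311 "-" "-"',
    '203.0.113.9 - - [29/Nov/2013:10:16:12 +0000] "POST /cgi-bin/../cgi-bin/php HTTP/1.1" 200 311 "-" "-"',
    '198.51.100.7 - - [29/Nov/2013:10:17:00 +0000] "POST /login.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [29/Nov/2013:10:17:05 +0000] "GET /cgi-bin/php HTTP/1.1" 200 88 "-" "curl/7.30"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    # Prints the four constructed POST entries; the GET, the /login.php POST
    # and the unparseable line are skipped.
    for hit in find_php_cgi_posts(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["ts"]} POST {hit["target"]} -> {hit["status"]}')
```

A 404 on one of these paths (as in the third sample line) still indicates a scan reached the device, which is exactly the kind of event a home or small-office gateway never surfaces to its owner; the HTTP status only tells you whether a CGI PHP binary was actually there to be hit.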

To add to the complexity, many vendors do not disclose the operating systems running on their products, so it might be difficult for the average user to even know if their system is at risk.

Via Arstechnica


Categories: Linux Tags: Linux, arm, intel, mips, router, security, x86
Ian Tester (December 2nd, 2013 at 15:36, #1):

    Yet another reason to avoid that terrible scripting language.
