Linux.Darlloz Worm Targets Embedded Linux Devices
Symantec has recently discovered a new Linux worm, called Linux.Darlloz, that targets Internet-enabled devices running Linux in addition to traditional computers. That means devices such as home routers, set-top boxes and security cameras could be at risk of infection, although no attacks against non-PC devices have been confirmed yet.
The worm exploits an “old” PHP vulnerability, which was patched in May 2012 (PHP 5.4.3 and PHP 5.3.13), and currently only affects Intel (x86) based systems. So you’d need an embedded system powered by an Intel processor, running Linux and PHP, to be at risk. Having said that, Symantec also explains that code for other architectures, such as ARM, PPC, and MIPS, is also present in the worm, so these systems could potentially be at risk too with small modifications.
Here’s how the worm operates:
Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.
So it seems the most obvious way to protect the system is to change the default password, and replace it with a strong one. Unfortunately most people don’t seem to do that. I stayed in about 15 places during a recent trip, and most Wi-Fi routers could still be accessed with the usual “admin / admin”.
Contrary to computers, which nowadays automatically install security patches regularly, embedded devices seldom get firmware updates, and security is sometimes an afterthought. So besides making device passwords stronger, the company also recommends the following measures:
- Verify all devices connected to the network
- Update the software to the latest version
- Update the security software when it is made available on their devices
- Block incoming HTTP POST requests to /cgi-bin/php* paths
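The last measure can also be turned into a detection: scan a web server's access log for POST requests to the /cgi-bin/php* paths the post tells you to block. The script below is an added example, not code from Symantec or from this post; the log lines are constructed (documentation IP ranges, not real traffic) and the log format assumed is the common Apache/nginx one.

```python
import re
from urllib.parse import unquote, urlsplit

# Common/combined log format: client ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path prefix the post recommends blocking for incoming POST requests (/cgi-bin/php*).
BLOCKED_PREFIX = "/cgi-bin/php"


def is_blocked_post(method: str, target: str) -> bool:
    """True if the request is a POST to a /cgi-bin/php* path.

    The query string is dropped and the path percent-decoded first, so that
    "/cgi-bin/php-cgi?x=1" and "/cgi-bin/%70hp5" both match the rule.
    """
    if method != "POST":
        return False
    path = unquote(urlsplit(target).path)
    return path.startswith(BLOCKED_PREFIX)


def find_hits(log_lines):
    """Return (client, time, target, status) for every log line matching the rule."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line we understand: skip rather than guess
        if is_blocked_post(m["method"], m["target"]):
            hits.append((m["client"], m["time"], m["target"], int(m["status"])))
    return hits


# Constructed sample access-log lines (not real traffic). 198.51.100.7 plays the
# scanning host; the two 192.0.2.x clients are ordinary requests that must not match.
SAMPLE_LOG = [
    '198.51.100.7 - - [30/Nov/2013:10:01:02 +0000] "POST /cgi-bin/php-cgi?x=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Nov/2013:10:01:03 +0000] "POST /cgi-bin/%70hp5 HTTP/1.1" 404 0',
    '192.0.2.10 - - [30/Nov/2013:10:02:00 +0000] "GET /cgi-bin/php HTTP/1.1" 200 1024',
    '192.0.2.11 - - [30/Nov/2013:10:03:00 +0000] "POST /login.cgi HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("POST to PHP-CGI path:", hit)
```

This only sees requests a logging web server already received, so it complements the gateway block rather than replacing it; most embedded devices keep no such log themselves.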
To add to the complexity, many vendors do not disclose the operating systems running on their products, so it might be difficult for the average user to even know if their system is at risk.