Linux.Darlloz

Nov 29, 2013, by admin

Researchers have discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.

Linux.Darlloz, as the worm has been dubbed, is now classified as a low-level threat, partly because its current version targets only devices that run on CPUs made by Intel, Symantec researcher Kaoru Hayashi wrote in a blog post published Wednesday. But with a minor modification, the malware could begin using variants that incorporate already available executable and linkable format (ELF) files that infect a much wider range of “Internet-of-things” devices, including those that run chips made by ARM and those that use the PPC, MIPS, and MIPSEL architectures.

“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability,” Hayashi explained. “If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.”

The researcher went on to say the attacker behind the Intel version is also hosting ELF files that exploit the other chip architectures.

Darlloz exploits a vulnerability in the PHP scripting language that was patched 18 months ago. Devices that use older versions of PHP to provide a Web-based interface to make configuration changes may be vulnerable to the attack. With minor modifications, the worm could potentially be reprogrammed to exploit dozens of patched vulnerabilities that still haven’t made their way into most consumer devices.

Readers who want to tighten the security of their routers and other devices should research before purchasing and buy only gear that can be updated easily. For existing devices, update to the latest available firmware, change default passwords, and block incoming POST requests and other types of HTTP calls to the management interface if at all possible.
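The traffic pattern described above (repeated HTTP POSTs from random Internet addresses against a PHP page of a device's web interface) is something an operator can look for in the device's own access log. The following is an added detection example, not code from the article or from Symantec's write-up; the log lines, the `/admin/config.php` path and the `192.168.1.0/24` LAN range are constructed assumptions, and it flags every POST to a `.php` path that does not come from that LAN.

```python
import ipaddress
import re
from collections import Counter

# Parser for an Apache/nginx "combined" access-log line, the format most
# embedded web servers on consumer gear write. Captures client IP, method,
# request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the device's LAN. Anything outside it is treated as external.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample log (not captured from the worm): two external hosts
# POST to the configuration page, one LAN host does the same legitimately.
SAMPLE_LOG = """\
192.168.1.20 - - [29/Nov/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [29/Nov/2013:10:03:14 +0000] "POST /admin/config.php HTTP/1.1" 200 88
203.0.113.7 - - [29/Nov/2013:10:03:15 +0000] "POST /admin/config.php HTTP/1.1" 200 88
198.51.100.9 - - [29/Nov/2013:10:05:40 +0000] "POST /admin/config.php?x=1 HTTP/1.1" 401 0
192.168.1.20 - - [29/Nov/2013:10:06:00 +0000] "POST /admin/config.php HTTP/1.1" 200 88
"""


def is_external(ip: str, lan: ipaddress.IPv4Network = LAN) -> bool:
    """True when the client address lies outside the configured LAN."""
    try:
        return ipaddress.ip_address(ip) not in lan
    except ValueError:
        return True  # unparsable source field: treat as untrusted


def suspicious_posts(log_text: str):
    """Return (client_ip, path, status) for each POST to a .php page from outside the LAN."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        page = m["path"].split("?", 1)[0].lower()  # drop any query string
        if m["method"] == "POST" and page.endswith(".php") and is_external(m["ip"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits


def sources_by_count(hits):
    """Count flagged requests per source; repeats from one address point to a scanner."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"external POST {ip} -> {path} (HTTP {status})")
    print(sources_by_count(found))
```

A 200 on such a POST deserves more attention than a 401, since the worm's next step after a successful request is to fetch its ELF binary from the attacker's server.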