Symantec Finds Linux Worm Aimed at Internet of Everything Devices
Newly discovered Linux malware can infect Intel (INTC)-based Internet-connected devices not typically targeted by hackers, such as routers, security cameras and set-top boxes, as well as PCs, according to a Symantec (SYMC) security researcher.
Symantec, which discovered the worm on November 26 and named it Linux.Darlloz, for now has classified the threat as low level.
“The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers,” wrote Symantec researcher Kaoru Hayashi in a blog post on Nov. 27.
Right now the worm isn’t a big deal because it’s limited to a relatively small number of Intel-based Internet-connected devices, and it doesn’t do much more than spread itself and wipe system files. But it has the potential to attack a far broader spectrum of devices running on ARM chips as well as PPC, MIPS and MIPSEL architectures, Hayashi wrote.
“Although no attacks against these devices have been found in the wild, many users may not realize they are at risk, since they are unaware they own devices that run Linux,” he wrote. “Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF [executable and linkable format] binary for Intel architectures.”
“We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server,” he continued.
“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux,” wrote Hayashi. “However, we have not confirmed attacks against non-PC devices yet.”
Linux.Darlloz exploits a vulnerability, patched in May 2012, in web servers running the PHP programming language. Hayashi said the attacker created the worm based on proof-of-concept code released in October.
“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords (think admin-admin), and sends HTTP POST requests, which exploit the vulnerability,” wrote Hayashi. “If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.”
To protect against infection by the worm, Symantec recommends that users take stock of all their Internet-connected devices, update their software, including security software, make device passwords stronger, and block incoming HTTP POST requests to specific paths at the gateway or on each device.
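Whether that last recommendation is actually in force can be checked from web server access logs. The sketch below is an added example, not code from Symantec or the article: it flags POST requests to blocked paths and counts, per client, how many the server did not refuse. The path names are placeholders (the article does not list the paths) and the log lines are constructed.

```python
import re
from collections import Counter

# Placeholder paths (assumption): the article only says "specific paths",
# so substitute the ones named in your vendor advisory.
BLOCKED_PATHS = ("/example/blocked-path-a", "/example/blocked-path-b")

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def matches_blocked(target, blocked=BLOCKED_PATHS):
    """True if the request path (query string stripped) is a blocked path."""
    path = target.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in blocked)

def flag_posts(lines, blocked=BLOCKED_PATHS):
    """Return (client, path, status) for each POST to a blocked path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or not a POST
        if matches_blocked(m["target"], blocked):
            path = m["target"].split("?", 1)[0]
            hits.append((m["client"], path, int(m["status"])))
    return hits

def summarize(hits):
    """Per client: attempts, and how many got a non-error status (< 400)."""
    total = Counter(c for c, _, _ in hits)
    served = Counter(c for c, _, s in hits if s < 400)
    return {c: {"attempts": n, "not_refused": served[c]} for c, n in total.items()}

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [27/Nov/2013:10:00:01 +0000] "POST /example/blocked-path-a?x=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [27/Nov/2013:10:00:02 +0000] "POST /example/blocked-path-b HTTP/1.1" 403 162',
    '198.51.100.9 - - [27/Nov/2013:10:00:03 +0000] "GET /example/blocked-path-a HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/Nov/2013:10:00:04 +0000] "POST /index.html HTTP/1.1" 200 80',
    '192.0.2.44 - - [27/Nov/2013:10:00:05 +0000] "POST /example/blocked-path-a HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, stats in summarize(flag_posts(SAMPLE)).items():
        print(client, stats)
```

A non-zero `not_refused` count means a POST to a blocked path was answered normally, so the block is missing on that device or at the gateway in front of it.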