Symantec discovers Linux.Darlloz worm targeting embedded systems

Kaoru Hayashi of Symantec announced the discovery of a malicious worm, named Linux.Darlloz, that infects Linux-powered embedded systems. The worm appears to target the ‘Internet of Things’: essentially, any device that can obtain an IP address and connect to the Internet. Common examples include home routers, security cameras and set-top boxes, and Linux is widely used in such devices.

The worm exploits a vulnerability in PHP that was patched more than a year and a half ago, in May 2012. The worm currently targets the x86 architecture; however, variants for ARM, PPC, MIPS and MIPSEL have been found on the server hosting the worm, so it has the opportunity to propagate to and infect a huge number of devices.

According to the post, the worm propagates by searching for devices that use well-known login credentials; for example, many routers are set up with a default username and password built from common keywords. Once the worm successfully breaks into a system, it downloads itself onto the device and generates random IP addresses to find the next victim. At present the worm appears only to propagate and is not known to perform any other malicious action.

Symantec recommends the following actions to protect a system from attack:

  1. Verify all devices connected to the network
  2. Update their software to the latest version
  3. Update their security software when it is made available on their devices
  4. Make device passwords stronger
  5. Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
    • /cgi-bin/php
    • /cgi-bin/php5
    • /cgi-bin/php-cgi
    • /cgi-bin/php.cgi
    • /cgi-bin/php4
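The blocking rule in item 5 can also be applied retrospectively as a log check. The Python below is an added example, not code from the original post or from Symantec: it scans web-server access-log lines in Common Log Format and flags POST requests to the five listed paths. The log lines, hostnames and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths Symantec advises blocking for inbound HTTP POST (taken from the post above).
BLOCKED_CGI_PATHS = {
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
}

# Common Log Format: host ident user [time] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def is_blocked_request(method, target):
    """True if the request is a POST to one of the PHP CGI paths.

    The query string is dropped and percent-encoding is decoded first, so
    "/cgi-bin/php5?x=1" and "/cgi-bin/php%2Dcgi" are both recognised.
    Only POST is flagged, matching the recommendation in item 5.
    """
    path = unquote(target.split("?", 1)[0])
    return method == "POST" and path in BLOCKED_CGI_PATHS


def flag_log_lines(lines):
    """Return (host, time, target) for each log line matching the blocked pattern.

    Lines that do not parse as Common Log Format are skipped rather than raising.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_blocked_request(m["method"], m["target"]):
            hits.append((m["host"], m["time"], m["target"]))
    return hits


# Constructed sample log (not real traffic); 192.0.2.x is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Nov/2013:10:01:05 +0000] "POST /cgi-bin/php-cgi?foo=bar HTTP/1.1" 404 209',
    '192.0.2.10 - - [27/Nov/2013:10:01:09 +0000] "GET /cgi-bin/php HTTP/1.1" 404 209',
    '192.0.2.12 - - [27/Nov/2013:10:02:14 +0000] "POST /cgi-bin/php%2Dcgi HTTP/1.0" 404 209',
    '192.0.2.13 - - [27/Nov/2013:10:02:20 +0000] "POST /login HTTP/1.1" 200 1024',
    'this line is not in Common Log Format and is skipped',
]

if __name__ == "__main__":
    for host, when, target in flag_log_lines(SAMPLE_LOG):
        print(f"{when} {host} POST {target}")
```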

What complicates matters is that users may not even know that they are at risk, as vendors of routers and set-top boxes are extremely lazy about keeping such devices updated.

About Varghese Chacko

An IT guy, I have been working as a QA professional for around 6.5 years. I keenly follow technology with a special focus on open source. After much distro-hopping, I settled on openSUSE as my distribution of choice. A fan of Arsenal ever since I started following football, I keenly follow sports and am always good for a game.

9 thoughts on “Symantec discovers Linux.Darlloz worm targeting embedded systems”

  1. The worm targets PHP, which is an application that works on multiple operating systems, including most variants and recent versions of Linux. It does not target the Linux operating system. Precision in reporting is important – even if you are just repeating Symantec’s claims.

    1. “Once the worm is able to successfully hack into a system, it downloads itself into the device” — It uses PHP to gain access, but everything that happens from then is done by a native binary.
