Kaoru Hayashi of Symantec announced the discovery of a malicious worm, named Linux.Darlloz, that infects Linux-powered embedded systems. The worm appears to be aimed at the 'Internet of things': essentially any device that can obtain an IP address and connect to the Internet. Common examples include home routers, security cameras and set-top boxes, and Linux is widely used in such devices.
The worm exploits a vulnerability in PHP (the php-cgi argument-injection flaw, CVE-2012-1823) that was patched in May 2012, more than a year and a half before the worm appeared. The sample found so far targets the x86 architecture, but variants built for ARM, PPC, MIPS and MIPSEL were found on the server hosting it, so the worm is positioned to propagate to and infect a very large number of devices.
According to the post, the worm propagates by looking for devices that still use well-known login credentials; many routers, for example, ship with default usernames and passwords built from common words. Once the worm has broken into a device it downloads a copy of itself onto it and then generates random IP addresses to find the next victim. So far the worm appears only to propagate and is not known to perform any other malicious action.
Symantec recommends the following actions to protect a system from attack -
- Verify all devices connected to the network
- Update their software to the latest version
- Update their security software when it is made available on their devices
- Make device passwords stronger
- Block incoming HTTP POST requests to the paths Symantec lists, at the gateway or on each device, if they are not required
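As an added example (not code from Symantec's post or from the worm itself), the following Python script applies the detection side of that last recommendation to web-server access logs: it flags HTTP POST requests aimed at php-cgi style paths, and separately calls out the case where the query string starts with "-", which php-cgi would interpret as command-line arguments. The watched path list and the sample log lines are assumptions constructed for illustration; substitute the exact paths from Symantec's advisory and your own gateway or device logs.

```python
"""Flag Darlloz-style HTTP POST probes in Apache/nginx access logs."""
import re
from collections import Counter

# Illustrative CGI endpoints to watch; an assumption for this example.
# Replace with the exact paths from the Symantec advisory / your deployment.
WATCHED_POST_PATHS = frozenset({"/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi"})

# Common/combined log format prefix:
#   ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    entry["query"] = query
    return entry


def classify(entry, watched=WATCHED_POST_PATHS):
    """Return a reason string if the request looks like a php-cgi probe, else None."""
    if entry["method"] != "POST":
        return None
    if entry["path"] in watched:
        # A query string beginning with "-" is parsed by a vulnerable php-cgi
        # as CLI flags rather than as CGI parameters: the injection vector.
        if entry["query"].startswith("-"):
            return "POST to php-cgi path with CLI-style argument in query string"
        return "POST to php-cgi path"
    return None


def scan(lines, watched=WATCHED_POST_PATHS):
    """Scan log lines; return (hits, per_source).

    hits is a list of (source_ip, request_target, reason); per_source counts
    hits per source address so repeat scanners stand out.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip unparseable lines rather than abort the scan
        reason = classify(entry, watched)
        if reason:
            hits.append((entry["ip"], entry["target"], reason))
    per_source = Counter(ip for ip, _, _ in hits)
    return hits, per_source


# Constructed sample log lines (not captured traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2013:10:01:05 +0000] "POST /cgi-bin/php?-d+allow_url_include%3dOn HTTP/1.1" 200 93',
    '198.51.100.7 - - [26/Nov/2013:10:01:06 +0000] "POST /cgi-bin/php5?-d+allow_url_include%3dOn HTTP/1.1" 404 210',
    '192.0.2.10 - - [26/Nov/2013:10:02:00 +0000] "POST /login.cgi HTTP/1.1" 302 0',
    '203.0.113.9 - - [26/Nov/2013:10:03:11 +0000] "POST /cgi-bin/php-cgi HTTP/1.1" 200 93',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found, sources = scan(SAMPLE_LOG)
    for ip, target, reason in found:
        print(f"{ip}\t{target}\t{reason}")
    print("hits per source:", dict(sources))
```

A 404 on one of these paths is still worth recording: it shows the source is sweeping for php-cgi even where the endpoint does not exist, which is exactly the random-IP probing behaviour described above.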
What complicates matters is that users may not even know they are at risk, because vendors of routers and set-top boxes are slow to keep such devices updated, if they update them at all.