Internet of Things – Symantec has discovered a new Linux worm

Symantec security experts have discovered a new Linux worm that was designed to target the “Internet of things” infecting Intel x86-powered Linux devices.

Symantec security experts have detected across a worm that exploits various vulnerabilities in PHP to infect Intel x86-powered Linux devices. Home internet kits with x86 chips are exposed to the risk of contagion, including routers and similar network equipment. Fortunately the majority of network-connected embedded devices are powered by ARM or MIPS processors

According Symantec despite the malware detected is specifically designed to infect Intel x86-powered Linux devices, its version for for ARM and MIPS architecture may be already available. The malware doesn’t appear really aggressive, the variants detected just silently spreading itself and wipe part of the system file.

“We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.”

A wide range of devices referred as “Internet of Things” that includes broadband routers, TV set-top boxes and similar object that daily surround us are at risk.

“The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP ‘php–cgi‘ Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013.” states the Symantec blog post.

The worm generates random IP addresses and attempts to use commonly used credentials to log into the target machine, it sends HTTP POST requests specifically crafted to exploit the above vulnerability. If the target is not patched it downloads the worm from a malicious server and starts searching for other targets running a web server and PHP.

“Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.”

Once the worm has compromised a device, it kills off access to any Telnet services running. Technology has reached an impressive level of penetration, objects around us have hidden operating systems, run a multitude of applications and are always online, it’s clear that their security is becoming a crucial issue. Let’s consider also that these devices must be continuously patched and updated during their life cycle and this is not always possible due a series of technical issues.

“Many users may not be aware that they are using vulnerable devices in their homes or offices,” “Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software.” states the post.

To secure the devices from the attack of the worm it is recommended to change default settings, adopt strong password, keep updated the software and firmware, monitor network connections in the specific case block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:

• -/cgi-bin/php
• -/cgi-bin/php5
• -/cgi-bin/php–cgi
• -/cgi-bin/php.cgi
• -/cgi-bin/php4

Internet of Things crucial component of our lives …  it could be a serious error underestimate the cyber threats.

Pierluigi Paganini

(Security Affairs –  Internet of Things, malware)