Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers.
Discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.
The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012.
The malware could begin using variants that incorporate already available executable and linkable format (ELF) files that infect a much wider range of "Internet-of-things" devices, including those that run chips made by ARM and those that use the PPC, MIPS, and MIPSEL architectures.
The worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.
Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.
Linux is the best known open source operating system and has been ported to various architectures. Linux not only runs on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems.
To protect from infection by the worm, Symantec recommends users take the following steps:
Discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.
The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012.
The malware could begin using variants that incorporate already available executable and linkable format (ELF) files that infect a much wider range of "Internet-of-things" devices, including those that run chips made by ARM and those that use the PPC, MIPS, and MIPSEL architectures.
The worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.
Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.
Linux is the best known open source operating system and has been ported to various architectures. Linux not only runs on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems.
To protect from infection by the worm, Symantec recommends users take the following steps:
- Verify all devices connected to the network
- Update their software to the latest version
- Update their security software when it is made available on their devices
- Make device passwords stronger
- Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
- -/cgi-bin/php
- -/cgi-bin/php5
- -/cgi-bin/php-cgi
- -/cgi-bin/php.cgi
- -/cgi-bin/php4
No comments:
Post a Comment