New 'internet of things' worm discovered

Symantec announces discovery of a worm that attacks devices such as home routers, set-top boxes and security cameras running Linux

Security vendor Symantec has discovered a Linux worm called Linux.Darlloz that has been engineered to exploit a known bug in PHP (php-cgi Information Disclosure Vulnerability) that was patched last year. Vulnerable devices include unpatched routers, set-top boxes and security cameras that have a web-based interface.

While Symantec classifies the risk posed by Darlloz as Very Low, it is concerned that the worm could be a proof-of-concept release that could easily be adapted to attack other connected machine-to-machine devices that make up the internet of things.

The current version only attacks Linux systems based on Intel chips, but Symantec says that it has discovered variants for other architectures including ARM, PPC, MIPS and MIPSEL, indicating that it could be intended to spread to other small, embedded connected devices.

In a blog post, Symantec spokesperson Kaoru Hayashi describes how the current version of the worm operates:

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."

The danger, says Hayashi, is that many organisations and consumers will not realise that these devices run Linux and will often not have the most up-to-date patches installed.

To protect against infection by Darlloz, Symantec recommends taking the following steps: