Security Vendor Symantec Has Discovered a Linux Worm

Security vendor Symantec has discovered a Linux worm called Linux.Darlloz that has been engineered to exploit a known bug in PHP (php-cgi Information Disclosure Vulnerability) that was patched last year. Vulnerable devices include unpatched routers, set-top boxes and security cameras that have a web-based interface.

While Symantec classifies the risk posed by Darlloz as Very Low, it is concerned that it could be a proof of concept release that could easily be adapted to attack other connected machine-to-machine devices that make up the internet of things.

The current version only attacks Linux systems based on Intel chips, but Symantec says that it has discovered variants for other architectures including ARM, PPC, MIPS and MIPSEL, indicating that it could be intended to spread to other small, embedded connected devices.

In a blog post, Symantec spokesperson Kaoru Hayashi describes how the current version of the worm operates:

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."

The danger, says Hayashi, is that many organisations and consumers will not realise that these devices run Linux and will often not have the most up-to-date patches installed.

To protect against infection by Darlloz, Symantec recommends taking the following steps:

- Verify all devices connected to the network
- Update software to the latest version
- Update their security software when it is made available on their devices
- Make device passwords stronger
- Block incoming HTTP POST requests to the /cgi-bin/php* paths
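Alongside blocking, a device's web access log can be checked for the requests the last step describes. The script below is an added example, not code from Symantec or the article; it assumes the common/combined access-log layout, and its sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed layout: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
BLOCKED_PREFIX = "/cgi-bin/php"  # the /cgi-bin/php* paths from the mitigation list


def is_suspect(method, target):
    """True for a POST whose decoded, normalised path starts with /cgi-bin/php."""
    if method != "POST":
        return False
    path = unquote(target.split("?", 1)[0])   # drop query string, undo %-encoding
    path = re.sub(r"/+", "/", path).lower()   # collapse repeated slashes, ignore case
    return path.startswith(BLOCKED_PREFIX)


def scan(lines):
    """Return {source_ip: [(time, target, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspect(m["method"], m["target"]):
            hits[m["ip"]].append((m["time"], m["target"], int(m["status"])))
    return dict(hits)


# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [28/Nov/2013:10:01:02 +0000] "POST /cgi-bin/php?x=1 HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.7 - - [28/Nov/2013:10:01:03 +0000] "POST /cgi-bin/php5 HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [28/Nov/2013:10:02:00 +0000] "POST //cgi-bin/%70hp-cgi HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.4 - - [28/Nov/2013:10:03:00 +0000] "GET /cgi-bin/php HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.4 - - [28/Nov/2013:10:03:05 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE).items():
        # A 2xx answer means the request reached a handler: check that device first.
        served = sum(1 for _, _, status in reqs if 200 <= status < 300)
        print(f"{ip}: {len(reqs)} POST(s) to {BLOCKED_PREFIX}*, {served} answered 2xx")
```

Requests answered with a 2xx status were not blocked upstream, so those devices are the ones to verify and patch first.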

Source: http://www.computing.co.uk/ctg/news/2309972/new-internet-of-things-worm-discovered#comment_form
New 'Internet of Things' Worm Discovered