New Linux worm targets routers, cameras, “Internet of things” devices

Researchers have discovered a Linux worm capable of infecting a wide range of home routers, set-top boxes, security cameras, and other consumer devices that are increasingly equipped with an Internet connection.

Linux.Darlloz, as the worm has been dubbed, is now classified as a low-level threat, partly because its current version targets only devices that run on CPUs made by Intel, Symantec researcher Kaoru Hayashi wrote in a blog post published Wednesday. But with a minor modification, the malware could begin using variants that incorporate already available executable and linkable format (ELF) files that infect a much wider range of "Internet-of-things" devices, including those that run chips made by ARM and those that use the PPC, MIPS, and MIPSEL architectures.

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," Hayashi explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."



ike-scan – Discover & Fingerprint IKE Hosts (IPsec VPN Servers)

ike-scan discovers IKE hosts and can also fingerprint them using the retransmission backoff pattern. ike-scan can perform the following functions:

Discovery: Determine which hosts in a given IP range are running IKE. This is done by displaying those hosts which respond to the IKE requests sent by ike-scan.

Fingerprinting: Determine which IKE...


A Winky Face Emoticon Is Not Enough: Man Fined for Facebook Comment

In Switzerland, a judge sentenced a young man to pay a fine for a comment he made on a social network. According to news reports, he felt he didn’t receive a sufficient number of birthday congratulations from his 290 friends on the social network. He posted a comment that roughly translates to, “Is no one happy about my birthday? (…) I am going to destroy you all, you will regret it, now no one can protect you… pow pow pow.” He later explained that it was obviously meant as a sarcastic comment and not intended as a death threat. The judge did not see the humor in the comment and sentenced him to pay a fine.

This is just the most recent case of many alleged fake threats that have been posted this year. Others have received much higher penalties, like a teenager in Texas who spent five months in prison after posting “an alleged threat on Facebook.” Comments that can be perceived as threats can quickly generate a costly response from local authorities.

Remember that a winky face emoticon is not enough to show that you are joking—law enforcement does not view threats as jokes and they are not treated as such. It’s wise to think twice about what you post on your social network, including both pictures and comments.

Content on social networks can spread very quickly. For example, earlier this year, another hoax chain mail made its way around a popular smartphone application. There were multiple versions of the hoax and one of the messages was a computer-generated voice that said, “Send this message in the next 20 minutes to 20 friends or you will be dead by tomorrow.” Hopefully, this was viewed as an obvious hoax and simply ignored and deleted by any who received the message. However, this instant messaging service is very popular among teenagers. Many students were frightened and forwarded the message in fear of the threat. In Germany, the hoax took off like wildfire and reached enough under-age individuals that the police started to warn people about the hoax message.

It is important to think about the consequences of anything that is posted online. Keep in mind that an off-color joke can be perceived as an actual threat. If you have doubts about what to post, it may be better to err on the side of caution (or post a cute kitten picture) – or better yet, hold off on posting anything questionable at all.

Linux Worm Targeting Hidden Devices

Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes, and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk since they are unaware they own devices that run Linux.

The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the proof of concept (POC) code released in late October 2013.

Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known IDs and passwords, and also sends HTTP POST requests which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.

Linux is the best known open source operating system and has been ported to various architectures. Linux not only runs on Intel-based computers but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems. Some of these devices provide a Web-based user interface for configuration or monitoring, typically served by software such as an Apache Web server with PHP.

We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS, and MIPSEL on the same server.


Figure. “E_machine” value in ELF header indicates worm is for ARM architecture

These architectures are often used in the kinds of devices previously described. The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet.
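The figure above identifies a variant's target architecture from the e_machine field of its ELF header; the same check can be scripted for triage of any downloaded sample. The following Python is an added example, not Symantec's code: it reads only the first 20 bytes of an ELF header, and the headers it builds for testing are constructed, not real worm binaries.

```python
import struct

# ELF e_machine values for the architectures named in the post.
# EM_MIPS (8) covers both MIPS and MIPSEL; the byte order flag in e_ident tells them apart.
EM_NAMES = {3: "x86", 8: "MIPS", 20: "PPC", 40: "ARM", 62: "x86-64"}


def elf_arch(data: bytes) -> str:
    """Return the target architecture of an ELF image from its header bytes."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_data = data[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF data encoding")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident
    _e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    if e_machine == 8 and ei_data == 1:
        return "MIPSEL"
    return EM_NAMES.get(e_machine, "unknown(0x%04x)" % e_machine)


def make_header(ei_data: int, e_machine: int) -> bytes:
    """Build a constructed 20-byte ELF32 ET_EXEC header prefix for testing (not a real sample)."""
    endian = "<" if ei_data == 1 else ">"
    # e_ident: magic, EI_CLASS=1 (32-bit), EI_DATA, EI_VERSION=1, then padding to 16 bytes
    e_ident = b"\x7fELF" + bytes([1, ei_data, 1]) + b"\x00" * 9
    return e_ident + struct.pack(endian + "HH", 2, e_machine)


if __name__ == "__main__":
    for ei_data, em in ((1, 3), (1, 40), (2, 20), (2, 8), (1, 8)):
        print(elf_arch(make_header(ei_data, em)))
```

Run it against the first 20 bytes of a quarantined sample to see which of the hosted variants it is before looking at anything else.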

Vendors that ship devices with hidden operating systems and software, preconfigured without any involvement from the user, have complicated matters. Many users may not be aware that they are using vulnerable devices in their homes or offices. Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software.

To protect against infection by the worm, Symantec recommends users take the following steps:

  1. Verify all devices are connected to the network
  2. Update their software to the latest version
  3. Update their security software when it is made available on their devices
  4. Make device passwords stronger
  5. Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
    • /cgi-bin/php
    • /cgi-bin/php5
    • /cgi-bin/php-cgi
    • /cgi-bin/php.cgi
    • /cgi-bin/php4
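Alongside blocking these paths, it is worth checking web server access logs for POST requests already aimed at them, since the worm probes randomly generated addresses. The following Python is an added example, not part of the Symantec post: it parses Apache common-format log lines, and the sample lines and documentation-range client addresses are constructed.

```python
import re
from collections import Counter

# Paths Symantec recommends blocking for unsolicited POST requests
PHP_CGI_PATHS = {
    "/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi", "/cgi-bin/php4",
}

# Apache common/combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def request_path(target: str) -> str:
    """Strip any query string so the path compares against the block list."""
    return target.split("?", 1)[0]

def flag_php_cgi_posts(lines):
    """Return (client_ip, path, status) for every POST aimed at a listed php-cgi path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected format; skip rather than guess
        path = request_path(m["target"])
        # Status is reported but not filtered on: a 404 still shows the host being probed
        if m["method"] == "POST" and path in PHP_CGI_PATHS:
            hits.append((m["ip"], path, int(m["status"])))
    return hits

def probing_sources(lines):
    """Count flagged POSTs per client IP to see which hosts are scanning."""
    return Counter(ip for ip, _path, _status in flag_php_cgi_posts(lines))

# Constructed sample lines; the client addresses are documentation-range placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Nov/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Nov/2013:10:01:05 +0000] "POST /cgi-bin/php HTTP/1.1" 200 0',
    '198.51.100.7 - - [26/Nov/2013:10:01:06 +0000] "POST /cgi-bin/php5?x=1 HTTP/1.1" 404 0',
    '192.0.2.10 - - [26/Nov/2013:10:02:00 +0000] "POST /login HTTP/1.1" 302 0',
    '203.0.113.9 - - [26/Nov/2013:10:03:11 +0000] "GET /cgi-bin/php-cgi HTTP/1.1" 200 0',
]
```

Only POST requests are flagged, matching the recommendation above; a GET to the same path is left alone so ordinary monitoring traffic does not generate noise.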