Linux Worm Targeting Hidden Devices

Symantec has discovered a new Linux worm that appears to be engineered to target the “Internet of things”. The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes, and security cameras. Although no attacks against these devices have been found in the wild, many users may not realize they are at risk since they are unaware they own devices that run Linux.

The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the proof of concept (POC) code released in late October 2013.

Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known IDs and passwords, and also sends HTTP POST requests which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.

Linux is the best known open source operating system and has been ported to various architectures. Linux not only runs on Intel-based computers but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems. Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers.

We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS, and MIPSEL on the same server.

ARM_0.png

Figure. “E_machine” value in ELF header indicates worm is for ARM architecture

These architectures are often used in the kinds of devices previously described. The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet.

Vendors of devices with hidden operating systems and software, who have configured their products without asking users, have complicated matters. Many users may not be aware that they are using vulnerable devices in their homes or offices. Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software.

To protect from infection by the worm, Symantec recommends users take the following steps:

  1. Verify all devices are connected to the network
  2. Update their software to the latest version
  3. Update their security software when it is made available on their devices
  4. Make device passwords stronger
  5. Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
    • -/cgi-bin/php
    • -/cgi-bin/php5
    • -/cgi-bin/php-cgi
    • -/cgi-bin/php.cgi
    • -/cgi-bin/php4