Researchers from Symantec have come across a new Linux worm which they’ve dubbed Darlloz. In addition to computers, the threat is also capable of infecting other devices connected to the internet, such as routers, set-top boxes, security cameras and even industrial control systems that run Linux.
According to experts, the malware spreads by exploiting a PHP vulnerability that was patched back in May 2012. The developer used proof-of concept code published in October to create Darlloz.
“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target,” Symantec’s Kaoru Hayashi noted in a blog post.
The variant analyzed by Symantec is designed to infect only devices running on Intel architectures. However, researchers have also spotted versions for other architectures as well, including MIPS, PPC and ARM. On the other hand, attacks against non-PC devices haven’t been seen yet.
Experts note that while they haven’t spotted any Darlloz attacks in the wild, a large number of users who don’t even realize that their devices are running Linux are at risk.
Symantec recommends users to check all their devices that are connected to the network and make sure their software is updated. Always install security patches when they’re made available.
Default device passwords should always be changed. The passwords that are set should be strong.
Finally, incoming HTTP POST requests to paths such as -/cgi-bin/php, -/cgi-bin/php5, -/cgi-bin/php-cgi, -/cgi-bin/php.cgi and -/cgi-bin/php4 should be blocked.
Unfortunately, in some cases, vendors might not provide updates because of hardware limitations or outdated technology.