Beware of new worm targeting Linux PCs – Symantec

A new worm is targeting personal computers running the Linux operating system, and may also pose a threat to embedded devices such as home routers and set-top boxes, a security vendor reported this week.

 

Symantec said its researchers warned the malware, named Linux.Darlloz, spreads by exploiting a vulnerability in php-cgi that had been patched as early as May 2012.

 

"The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras," researcher Kaoru Hayashi said in a blog post. 

 

Hayashi added that while no attacks against such devices have been found in the wild, "many users may not realize they are at risk, since they are unaware they own devices that run Linux."

 

Also, Symantec's Hayashi noted Linux is the best known open source operating system and has been ported to various architectures.

 

Hayashi added Linux runs not just on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems.

 

"Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers," Hayashi said.

 

On the other hand, Hayashi said Symantec has verified the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.

 

Investigation showed the worm, once executed, generates random IP (Internet Protocol) addresses and accesses a specific path on the machine with well-known ID and passwords.

 

The worm then sends HTTP POST requests that exploit the vulnerability.

 

”If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target," Hayashi said.

 

Hayashi said the worm at present appears to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.

 

Worse, Hayashi said users may not be aware that they are using vulnerable devices in their homes or offices.

 

Symantec suggested that users take the following steps to prevent infection:

 

- Verify all devices connected to the network

- Update their software to the latest version

- Update their security software when it is made available on their devices

- Make device passwords stronger

- Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:

-/cgi-bin/php

 

— KDM, GMA News