A new Linux worm has been discovered that appears to be engineered to target the Internet of Things.
Symantec, who first discovered the worm, says that the worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers.
On a blog post on its website, Symantec said: "The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild.
The worm utilizes the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013.
"Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras. Although no attacks against these devices have been found in the wild, many users may not realise they are at risk, since they are unaware they own devices that run Linux.
"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures."
A majority of Internet of Things devices run on the open source operating system Linux as it is not restricted to Intel-based computers. Linux can operate on devices with different CPUs, such as home routers, set-top boxes, security cameras and industrial control systems. Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers.
Symantec said that it has also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server.
"These architectures are mostly used in the kinds of devices described above. The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet."
