Tuesday, 03 December 2013 12:03

Symantec identifies Internet of Things worm

By David M Williams

Symantec has identified a new worm that can potentially infect embedded devices within your home or business network.

Symantec researchers have detected a worm which seeks susceptible online hosts and then propagates itself. That’s what a worm does and they are never pleasant or fun; what makes this worm noteworthy is that it carries a greater risk to so-called smart devices than to computers and servers.

First, the worm – dubbed Linux.Darlloz – generates random IP addresses. It does not scan or probe a network in any meaningful way, but simply tries random attacks.

Upon choosing a target, the worm attempts to exploit a PHP vulnerability that was patched in May 2012. It will attempt to invoke the following folders or executables on its target machine:

~/cgi-bin/php
~/cgi-bin/php5
~/cgi-bin/php-cgi
~/cgi-bin/php.cgi
~/cgi-bin/php4

If the attack is successful, the worm will download a new executable program, which is hard-coded to the ELF binary for Intel x86 architectures.

The worm then repeats itself, on the new device, ad infinitum.

What does this mean and who is vulnerable, you will ask. While any malicious program is a concern, it is important to be level-headed and consider the conditions required for a successful attack.

Given the vulnerability it exploits was patched 18 months ago, the probable risk to servers is low, but it is prudent for systems administrators to check immediately that their PHP modules are up-to-date. This is always good advice for Internet-facing equipment.

Unless there is a compelling reason not to do so, the above listed PHP targets should be blocked from receiving inbound POST requests.
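To confirm that such a block is actually holding, a server's access log can be audited for POST requests to the five paths listed above. The following is an added example, not code from Symantec or from the original article; it assumes the common/combined access log format, treats 403, 404 and 405 responses as "refused", and runs on constructed sample lines that use documentation IP addresses.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The five paths named in the article, as they appear in a request line.
TARGET_PATHS = {"/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
                "/cgi-bin/php.cgi", "/cgi-bin/php4"}
# Assumption: these status codes mean the server refused the request.
REFUSED = {403, 404, 405}

# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Drop the query string, decode %xx escapes, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).rstrip("/")

def audit(lines):
    """Count, per source, POSTs to the listed paths that were blocked or got through."""
    hits = defaultdict(lambda: {"blocked": 0, "reached": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalise(m["target"]) not in TARGET_PATHS:
            continue
        outcome = "blocked" if int(m["status"]) in REFUSED else "reached"
        hits[m["src"]][outcome] += 1
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Dec/2013:12:00:01 +0000] "POST /cgi-bin/php?x=1 HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.7 - - [03/Dec/2013:12:00:02 +0000] "POST /cgi-bin/php5 HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.23 - - [03/Dec/2013:12:04:10 +0000] "POST //cgi-bin/php-cgi HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.10 - - [03/Dec/2013:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Dec/2013:12:05:30 +0000] "POST /contact.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for src, counts in audit(SAMPLE_LOG).items():
        flag = "INVESTIGATE" if counts["reached"] else "ok"
        print(f"{src}: blocked={counts['blocked']} reached={counts['reached']} [{flag}]")
```

Any source with a non-zero "reached" count means a POST to one of the listed paths was not refused, so that host's PHP version and blocking rule need checking.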

Next, if your server is not running PHP, or is not running Linux on an Intel x86 platform, then the worm cannot infect it. The exploit attempts may be annoying in the sense of wasteful traffic, but there is no risk of infection. Given most servers – at least for business – would be 64-bit (whether Intel or not) the number of viable targets for the worm would appear very low.

This brings us to the so-called “Internet of things”. This is where Symantec sees the risk. After all, if your server is 64-bit, is not Intel, or is patched, then it is not a target.

Yet, if your BluRay player, your smart TV, your router, or another so-called “smart” device is exposed to the Internet then it may be a target. Linux is a popular operating system choice for embedded devices because it is a freely available and highly configurable platform, with lean memory requirements and a rich repository of networking and media code.

What operating system do the smart devices in your home run? When was the last time you updated their firmware? Chances are you do not know or do not recall. Here is where the risk comes in – except, again, the worm targets Intel x86 processors. It is more likely these devices will be running an ARM or PPC or MIPS architecture, designed for low power consumption.

Still, the risk exists, and knowing of the problem is the first step, and knowing where to focus your efforts is the next.

Our recommendation is to identify and record the network-connected non-computer devices in your home – routers, switches, TVs, TiVos, PVRs, printers, BluRay players and others. Attempt to determine the operating system they run and their processor architecture. Visit vendor web sites to determine if these devices have embedded web servers (if you can browse to the device by its IP address and a web page comes up then they do) and to obtain any firmware upgrades that may have been released.

Of course, ensure your traditional computing devices are current with patches too.

This is by no means the first Linux worm, and most certainly it will not be the last. It is notable, however, for the risk it potentially poses to devices that most people would not ordinarily think about when considering “computer security”. By understanding the specific conditions that must be met before infection can occur, it is possible to keep a calm and level head and to take action which will ensure you remain protected.

David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
