Symantec researchers have detected a worm which seeks susceptible online hosts and then propagates itself. That is what any worm does, and they are never pleasant or fun; what makes this worm noteworthy is that it carries a greater risk to so-called smart devices than to computers and servers.
First, the worm – dubbed Linux.Darlloz – generates random IP addresses. It does not scan or probe a network in any meaningful way, but simply tries random attacks.
Upon choosing a target, the worm attempts to exploit a PHP vulnerability that was patched in May 2012. It tries to reach the following paths or executables on the target machine:
~/cgi-bin/php
~/cgi-bin/php5
~/cgi-bin/php-cgi
~/cgi-bin/php.cgi
~/cgi-bin/php4
If the attack is successful, the worm will download a new executable program, which is hard-coded to the ELF binary for Intel x86 architectures.
What does this mean and who is vulnerable, you will ask. While any malicious program is a concern, it is important to be level-headed and consider the conditions required for a successful attack.
Given that the exploit targets a vulnerability patched 18 months ago, the probable risk to servers is low, but it is prudent for systems administrators to ensure immediately that their PHP modules are up to date. This is always good advice for Internet-facing equipment.
Unless there is a compelling reason not to do so, the above listed PHP targets should be blocked from receiving inbound POST requests.
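The following is an added example, not part of the original article, showing how a defender could check a web server's access log for the probe pattern described above: POST requests to the five listed cgi-bin paths. It assumes the common Apache/nginx "combined" log format; the log lines are constructed for illustration and the 192.0.2.0/24 addresses are documentation space, not real traffic.

```python
import re

# Paths the article lists as the worm's targets. The leading "~" is dropped,
# since the request line in a log carries the absolute URL path.
DARLLOZ_TARGET_PATHS = {
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
}

# Apache/nginx "combined" access-log format (assumed; adjust to your format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_darlloz_probe(line):
    """Return (ip, path, status) for a POST to a listed path, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    # Decide on the path alone: drop any query string and collapse repeated
    # slashes so that "/cgi-bin//php5" is not missed by the set lookup.
    path = m.group("target").split("?", 1)[0]
    path = re.sub(r"/+", "/", path)
    if path not in DARLLOZ_TARGET_PATHS:
        return None
    return m.group("ip"), path, int(m.group("status"))


def scan_log(lines):
    """Return all probe hits. A 200 status means the request reached a PHP
    CGI handler, so that host needs a patch check, not only a block rule."""
    return [hit for hit in map(is_darlloz_probe, lines) if hit]


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2013:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Nov/2013:10:01:05 +0000] "POST /cgi-bin/php-cgi?foo=bar HTTP/1.1" 404 209',
    '192.0.2.12 - - [27/Nov/2013:10:01:09 +0000] "POST /cgi-bin//php5 HTTP/1.1" 200 0',
    '192.0.2.13 - - [27/Nov/2013:10:01:12 +0000] "GET /cgi-bin/php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} POST {path} -> {status}")
```

Only the two POST lines are reported; the GET to /cgi-bin/php is left alone, matching the article's advice to block inbound POST requests rather than all access to those paths.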
Next, if your server is not running PHP, or is not running Linux on an Intel x86 platform, then the worm cannot infect it. The exploit attempts may be annoying in the sense of wasteful traffic, but there is no risk of infection. Given most servers – at least for business – would be 64-bit (whether Intel or not) the number of viable targets for the worm would appear very low.
This brings us to the so-called “Internet of things”. This is where Symantec sees the risk. After all, a server that is 64-bit, is not Intel, or is patched is not a target.
Yet, if your BluRay player, your smart TV, your router, or other so-called “smart” devices are exposed to the Internet, then they may be a target. Linux is a popular operating system choice for embedded devices because it is a freely available and highly configurable platform, with lean memory requirements and a rich repository of networking and media code.
What operating system do the smart devices in your home run? When did you last update their firmware? Chances are you do not know or do not recall. Here is where the risk comes in – except, again, the worm targets Intel x86 processors. It is more likely that these devices run an ARM, PPC or MIPS architecture, designed for low power consumption.
Still, the risk exists. Knowing of the problem is the first step, and knowing where to focus your efforts is the next.
Our recommendation is to identify and record the network-connected non-computer devices in your home – routers, switches, TVs, TiVos, PVRs, printers, BluRay players and others. Attempt to determine the operating system they run and their processor architecture. Visit vendor web sites to determine if these devices have embedded web servers (if you can browse to the device by its IP address and a web page comes up then they do) and to obtain any firmware upgrades that may have been released.
Of course, ensure your traditional computing devices are also current with patches too.
This is by no means the first Linux worm, and it most certainly will not be the last. It is notable, however, for the risk it potentially poses to devices that most people would not ordinarily think about when considering “computer security”. By understanding the specific conditions that must be met before infection can occur, it is possible to keep a calm and level head and to take action which will ensure you remain protected.