Linux.Darlloz Worm Targets x86 Linux PCs & Embedded Devices

The New Acunetix V12 Engine


So this is not a particularly technical source article, but it looks fairly interesting and I haven’t heard of this Linux.Darlloz worm before, so it might be new to some of you too.

Seems like it’s going after old php-cgi installs, which are very common on embedded systems (routers/pos systems/stbs etc). The vulnerability being used is actually pretty old and was patched back in May 2012.

It’s not really likely to cause a serious risk to servers, which tend not to run php-cgi any more – and it would be more common for them to be updated.

A new worm is targeting x86 computers running Linux and PHP, and variants may also pose a threat to devices such as home routers and set-top boxes based on other chip architectures.

According to security researchers from Symantec, the malware spreads by exploiting a vulnerability in php-cgi, a component that allows PHP to run in the Common Gateway Interface (CGI) configuration. The vulnerability is tracked as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012.

The new worm, which was named Linux.Darlloz, is based on proof-of-concept code released in late October, the Symantec researchers said Wednesday in a blog post.

“Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability,” the Symantec researchers explained. “If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target.

The only variant seen to be spreading so far targets x86 systems, because the malicious binary downloaded from the attacker’s server is in ELF (Executable and Linkable Format) format for Intel architectures.

I’m not exactly sure what the end game for this worm is, perhaps it’s just into spreading and doesn’t do anything particularly malicious. But in this day and age, that seems pretty unlikely. Infected hosts are more likely to be turned into botnet zombies for a DDoS network.

It seems like it has infection vectors for non x86 architectures, but no actual infections on non PC devices have been confirmed – so the code might not even work properly.


However, the Symantec researchers claim the attacker also hosts variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL.

These architectures are used in embedded devices like home routers, IP cameras, set-top boxes, and many others.

“The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux,” the Symantec researchers said. “However, we have not confirmed attacks against non-PC devices yet.”

The firmware of many embedded devices is based on some type of Linux and includes a web server with PHP for the web-based administration interface. These kinds of devices might be easier to compromise than Linux PCs or servers because they don’t receive updates very often.

Patching vulnerabilities in embedded devices has never been an easy task. Many vendors don’t issue regular updates and when they do, users are often not properly informed about the security issues fixed in those updates.

In addition, installing an update on embedded devices requires more work and technical knowledge than updating regular software installed on a computer. Users have to know where the updates are published, download them manually and then upload them to their devices through a Web-based administration interface.

It’s an interesting enough story though, something to keep an eye out for, but honestly I don’t think it’s going to spread very far – and it won’t do much damage. Only old and neglected machines will be vulnerable to the exploit.

But well, as we know – there are far too many such machines plugged into the Internet.

Source: PC World

Posted in: Linux Hacking, Malware

,


Latest Posts:


NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.
Powershell-RAT - Gmail Exfiltration RAT Powershell-RAT – Gmail Exfiltration RAT
Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used a Windows backdoor to send screenshots or other data as an e-mail attachment.
SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants etc.
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.
Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.


Comments are closed.