Symantec Warns: Worm Can Target Internet of Things

Symantec, the security software firm, is reporting that its researchers have discovered a new, malicious “worm” that is spreading on the Internet and has been adapted to attack embedded devices running the Linux operating system, including many devices that are part of the Internet of Things.

Symantec is warning about a malicious program that can infect Internet of Things products running the LInux operating system
Symantec is warning about a malicious program that can infect Internet of Things products running the LInux operating system

Writing on the Symantec research blog, Kaoru Hayashi, a threat analyst within Symantec’s Security Response organization, said that the company had uncovered the worm, dubbed Linux.Darlloz, spreading between more common PC systems. However, an analysis of the program revealed that its creators were thinking big: engineering the worm to be capable of attacking a “range of small, Internet-enabled devices in addition to traditional computers.”

Specifically, Symantec’s team found variants of Darlloz for chip architectures common in devices ranging from home routers and set-top boxes to security cameras.

The warnings about an “Internet of Things worm” were hypothetical, however. Hayashi said that no attacks against non-PC devices had been observed “in the wild.” 

The worm uses a known vulnerability in PHP to spread. The vulnerability, CVE-2012-1823 was patched in May 2012 and affects versions of PHP before 5.3.12 and 5.4.x before 5.4.2. It allows a remote attacker to execute malicious code on vulnerable systems by embedding it in specially formatted query strings.

Proof of Concept (PoC) code for Darlloz was released in late Oct, 2013. According to Symantec, when the malicious file is run, the worm scans the Internet using a list of randomly generated IP addresses. When it finds a host, it attempts to access specific paths on the machine including /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi and so on.

The worm attempts to brute force access to those with well-known ID and password combinations. Should one of those work, it sends HTTP POST requests, which exploit the vulnerability. If the target not running a patched version of PHP, it will download the worm from a malicious server and install it. That machine will then begin searching for its next target.

Symantec said the worm, so far, infects Intel x86 systems. The company’s conclusion that Darlloz was an IoT focused piece of malware comes from a forensic analysis that revealed variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server that hosted the x86 version. Those hardware platforms are common for embedded devices including surveillance cameras and consumer appliances.

To guard against infection, Symantec advised companies to develop an inventory of PC and non-PC devices connected to their network and to guard against incoming HTTP POST requests to paths exploited by Darollz, if they aren’t required by the device.

Malware that specifically targets Linux and embedded devices is still more the exception than the rule. Still, the growing adoption of smart devices including IP enabled cameras and appliances by consumers and businesses could open enterprise networks to new forms of attack. In a recent poll of more than 2,000 members of ISACA, a worldwide association of information security professionals, found almost unanimous agreement that the Internet of Things poses a governance problem for their networks, with increased security threats the most oft-cited governance issue raised by IoT adoption.

The analyst firm Gartner recently wrote that trends such as consumerization of information technology, cloud-based architectures, social media and virtualization will make traditional IT obsolete by the end of the decade, with vast implications for enterprises and IT security.