Symantec finds new variant of Linux.Darlloz worm that targets the Internet of Things

Security software specialists, Symantec have reported the first known use of  the Darlloz worm to infect devices connected in the Internet of Things (IoT). The Linux.Darlloz worm spreads to vulnerable systems by exploiting the PHP ‘php-cgi’ Information Disclosure Vulnerability.

Darlloz was discovered on November 26, 2013 and classified by Symantec on December 12 as a medium level threat with low level distribution. The worm functions by opening a back door to delete files.

Linux.Darlloz

Symantec has now blogged (IoT Worm Used to Mine Cryptocurrency) about an IoT worm, which is being used to mine cryptocurrency. Symantec’s Kaoru Hayashi said: “Last November, we found an Internet of Things (IoT) worm named Linux.Darlloz. The worm targets computers running Intel x86 architectures. The worm also focuses on devices running the ARM, MIPS and PowerPC architectures, which are usually found on routers and set-top boxes.”

Hayashi continued: “Since the initial discovery of Linux.Darlloz, we have found a new variant of the worm in mid-January. According to our analysis, the author of the worm continuously updates the code and adds new features, particularly focusing on making money with the worm. By scanning the entire Internet IP address space in February, we found that there were more than 31,000 devices infected with Linux.Darlloz.”

Symantec’s investigations show that the latest purpose of the worm is to mine cryptocurrencies. Once a computer running Intel architecture is infected with the new variant, the worm installs cpuminer, an open source coin mining software. The worm then mines Mincoins or Dogecoins on infected computers.

According to Hayashi: “By the end of February 2014, the attacker had mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetisation.”

Initially, there was said to be no impact on IoT devices, but this changed with Symantec’s latest report. “While many users may ensure that their computers are secure from attack, users may not realise that their IoT devices need to be protected too. Unlike regular computers, a lot of IoT devices ship with a default user name and password and many users may not have changed these. As a result, the use of default user names and passwords is one of the top attack vectors against IoT devices. Many of these devices also contain unpatched vulnerabilities users are unaware of.”

At present this threat focuses on computers, routers, set-top boxes and IP cameras. However, the worm could be updated to target other IoT devices in the future, such as home automation devices and wearable technology.

 

Commenting on this, TK Keanini (pictured above), the CTO of Lancope, said: “It is interesting to read this piece because Darlloz has been around for a while, and only recently has it been associated with the Internet of Things. In months prior, it was just an attack on embedded Linux. The rule goes something like this: If you leave anything open to attack on the internet, the bad guys will 1) find it and 2) put it to “good” use (where “good” means a resource for them).

 

“The internet has always seen this team A versus team B battle when it comes to acquiring vulnerable computers. We saw it with the SpyEye vs. Zeus battle, and now it is the Aidra vs. Darlloz battle,” said Keanini. “It is like watching two competitors fight it out for market share. I expect to see more of this in the future as more devices come online, as well as more ways to compromise these devices are invented.”

Lancope, Inc. is based in Alpharetta, Georgia, USA from where it provides network visibility and security intelligence services to defend enterprises against today’s IT threats.