Beware of new worm targeting Linux PCs – Symantec
GMA News | 1 December 2013 | KDM

Posted on 12/03/2013 6:12:54 AM PST by ShadowAce

A new worm is targeting personal computers running the Linux operating system, and may also pose a threat to embedded devices such as home routers and set-top boxes, a security vendor reported this week.

 
Symantec said its researchers warned the malware, named Linux.Darlloz, spreads by exploiting a vulnerability in php-cgi that had been patched as early as May 2012.
 
"The worm is capable of attacking a range of small, Internet-enabled devices in addition to traditional computers. Variants exist for chip architectures usually found in devices such as home routers, set-top boxes and security cameras," researcher Kaoru Hayashi said in a blog post.
 
Hayashi added that while no attacks against such devices have been found in the wild, "many users may not realize they are at risk, since they are unaware they own devices that run Linux."
 
Also, Symantec's Hayashi noted that Linux is the best-known open source operating system and has been ported to various architectures.
 
Hayashi added Linux runs not just on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems.
 
"Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers," Hayashi said.
 
Hayashi also said Symantec has verified that the attacker already hosts variants for other architectures, including ARM, PPC, MIPS and MIPSEL, on the same server.
 
Investigation showed that the worm, once executed, generates random IP (Internet Protocol) addresses and accesses a specific path on the target machine using well-known IDs and passwords.
 
The worm then sends HTTP POST requests that exploit the vulnerability.
 
"If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target," Hayashi said.
 
Hayashi said the worm at present appears to infect only Intel x86 systems, because the download URL in the exploit code is hard-coded to the ELF binary for Intel architectures.
 
Worse, Hayashi said users may not be aware that they are using vulnerable devices in their homes or offices.
 
Symantec suggested that users take the following steps to prevent infection:
 
- Verify all devices connected to the network
- Update their software to the latest version
- Update their security software when it is made available on their devices
- Make device passwords stronger
- Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
  - /cgi-bin/php


TOPICS: Computers/Internet
KEYWORDS: linux; security; worm

1 posted on 12/03/2013 6:12:54 AM PST by ShadowAce
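The article describes the worm's scanning behaviour (HTTP POST requests to a fixed path) and Symantec's advice to block POSTs to /cgi-bin/php. The following is an added example, not code from the article or from Symantec, that applies that advice on the detection side: it parses web-server access-log lines (assumed to be in Apache "combined" format, with constructed sample lines) and counts POSTs to the watched path per source address.

```python
import re
from collections import Counter

# Apache "combined" access-log format (assumed log format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path named in the article's mitigation advice.
WATCHED_PATHS = ("/cgi-bin/php",)

def parse_line(line):
    """Return a dict of log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Drop the query string so "/cgi-bin/php?x=1" still matches the path.
    d["path"] = d["target"].split("?", 1)[0]
    return d

def is_suspect(entry):
    """A POST to a watched path is flagged regardless of status code:
    a 404 still shows that someone is probing for the vulnerable CGI."""
    return entry["method"] == "POST" and entry["path"] in WATCHED_PATHS

def scan(lines):
    """Return {source_ip: number_of_suspect_posts} over the given lines."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits[entry["ip"]] += 1
    return dict(hits)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Dec/2013:06:12:54 -0800] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [03/Dec/2013:06:12:55 -0800] "POST /cgi-bin/php?x=1 HTTP/1.1" 200 512
198.51.100.9 - - [03/Dec/2013:06:13:01 -0800] "POST /cgi-bin/php HTTP/1.0" 404 209
203.0.113.7 - - [03/Dec/2013:06:13:02 -0800] "POST /cgi-bin/php HTTP/1.0" 200 512
192.0.2.44 - - [03/Dec/2013:06:13:05 -0800] "GET /cgi-bin/php HTTP/1.1" 200 77
not a log line
""".splitlines()

if __name__ == "__main__":
    for ip, n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}: {n} POST(s) to a watched path")
```

A device that is patched still benefits from this check: repeated POSTs to the path from many random sources are the scanning pattern the article describes, and a single source with a 200 response after the POST is worth a closer look.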

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

2 posted on 12/03/2013 6:13:21 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

Thanks!


3 posted on 12/03/2013 6:24:28 AM PST by Graewoulf (Democrats' Obamacare Socialist Health Insur. Tax violates U.S. Constitution AND Anti-Trust Law.)

To: ShadowAce

Looks like Symantec is ready to roll out its latest product. I wonder if they have a fix for it?


4 posted on 12/03/2013 6:42:52 AM PST by Bloody Sam Roberts ("It does not take a majority to prevail, but rather an irate, tireless minority...")

To: Bloody Sam Roberts

(tinfoil hat on)

They probably do, unfortunately many of us believe they and other companies might be writing some of these themselves to guarantee next years sales.

(removes tinfoil before coworkers notice)


5 posted on 12/03/2013 6:48:05 AM PST by Abathar (Proudly posting without reading the article carefully since 2004)

To: Abathar

My work has several hundred Linux servers. Due to policy/state law, we must have an AV on every server in our datacenters. You can guess how many hits we get on the Linux servers. It’s not only a waste of money, but of CPU cycles as well.


6 posted on 12/03/2013 6:50:34 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

7 posted on 12/03/2013 6:53:13 AM PST by JoeProBono (SOME IMAGES MAY BE DISTURBING VIEWER DISCRETION IS ADVISED;-{)

To: ShadowAce

Yep, but it only takes one to ruin your whole day and if scammers know there are large swatches vulnerable they will concentrate more frequently on them.

Better safe than sorry later imho.


8 posted on 12/03/2013 7:09:40 AM PST by Abathar (Proudly posting without reading the article carefully since 2004)

To: ShadowAce

I’m save I’m using Windows 8.


9 posted on 12/03/2013 7:10:10 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

*safe*


10 posted on 12/03/2013 7:10:25 AM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: ShadowAce

Yep. Anti-virus on unix/linux servers is a total waste of time and money. If you can adequately admin unix, and use industry-accepted security procedures and techniques, you will be secure. You just have to pay attention to what you are doing.

Windows is not unix/linux.


11 posted on 12/03/2013 7:14:53 AM PST by LaRueLaDue

To: for-q-clinton

Linux users are pretty much safe as well. This was patched in May 2012.


12 posted on 12/03/2013 7:20:29 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: for-q-clinton

Note that the exploit requires the ability to USE HTTP POST. If you’re not running websites with unauthenticated POST commands, you’re safe. This exploits CGI-BIN/PHP, and that’s only usable if you’ve left your cgi-bin wide open.

Since most of us are smart enough to secure our websites (right guys?), this isn’t a huge issue.

If you have a router with “password” as the password, enjoy your worms!


13 posted on 12/03/2013 9:36:35 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: rarestia
If you have a router with “password” as the password, enjoy your worms!

LOL Changed mine and it takes fifteen minutes to remember what I changed it to.

14 posted on 12/03/2013 10:15:42 AM PST by raybbr (I weep over my sons' future in this Godforsaken country.)

To: raybbr

I put mine in a password vault on account of it’s a 25-character random password with letters, numbers, symbols, and spaces.


15 posted on 12/03/2013 10:25:15 AM PST by rarestia (It's time to water the Tree of Liberty.)

To: ShadowAce
Symantec said its researchers warned the malware, named Linux.Darlloz, spreads by exploiting a vulnerability in php-cgi that had been patched as early as May 2012.

That's a long time to go without running updates.

(Yes, routers and linux based appliances may have a problem.)

16 posted on 12/03/2013 10:25:43 AM PST by Lee N. Field ("You keep using that verse, but I do not think it means what you think it means.")

To: ShadowAce
My work has several hundred Linux servers. Due to policy/state law, we must have an AV on every server in our datacenters. You can guess how many hits we get on the Linux servers. It’s not only a waste of money, but of CPU cycles as well.

"Sudo apt-get install clamav" Done.

17 posted on 12/03/2013 10:27:09 AM PST by Lee N. Field ("You keep using that verse, but I do not think it means what you think it means.")

To: ShadowAce

“in the wild”

lolz


18 posted on 12/03/2013 10:42:49 AM PST by GeronL (Extra Large Cheesy Over-Stuffed Hobbit)

To: rarestia
If you have a router with “password” as the password, enjoy your worms!

"1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage!"

19 posted on 12/03/2013 10:48:25 AM PST by dfwgator (Fire Muschamp. Go Michigan State!)

To: ShadowAce
I'm perfectly safe. I'm not running Linux, I'm running Ubuntu and Mint.



What?

20 posted on 12/03/2013 10:50:48 AM PST by Billthedrill
