Late last year security researcher Kaoru Hayashi documented the discovery of a Linux worm that is capable of infecting a braod range of devices designed to be connected to the internet (CVE-2012-1823). Analysis indicated that several variants of the malware existed that could be considered a threat to “home routers, set-top boxes and security cameras,” and variants for other architectures like “ARM, PPC, MIPS and MIPSEL,” though no active exploits had been detected at the time.
Then researchers at the Center for Internet Security Security Operations Center (CIS SOC) warned of a measurable uptick in events related to a Linux.Darlloz worm which targeted versions of PHP configured to run as a CGI script. The PHP versions in question were vulnerable to the entry of unexpected queries, and targets several CPU architectures, including X86, ARM, MIPS, and PPC.
In January researchers discovered a new variant of the worm which is believed to have now infected over 31,000 devices, and is designed primarily as crypto-currency mining agent employing the open source mining software called CPUminer.
“We have discovered the current purpose of the worm is to mine cryptocurrencies. Once a computer running Intel architecture is infected with the new variant, the worm installs cpuminer, an open source coin mining software,” Hayashi writes.
“The worm then starts mining Mincoins or Dogecoins on infected computers. By the end of February 2014, the attacker mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). These amounts are relatively low for the average cybercrime activity so, we expect the attacker to continue to evolve their threat for increased monetization,” he continued.
Hayashi says the worm’s new coin mining features will only impact computers running the Intel x86 architecture which typically require more memory and a more powerful CPU than other internet connected devices that Darlloz can infect.
Read More Here…