
Security researcher Kaoru Hayashi has documented the discovery of a Linux worm that is capable of infecting a broad range of devices designed to be connected to the internet.

Analysis indicates that several variants of the malware exist, including builds for the chip architectures found in “home routers, set-top boxes and security cameras,” with further variants for “ARM, PPC, MIPS and MIPSEL,” though no active exploitation of such devices has been detected.

“The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013,” Hayashi writes.

“Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures,” he explained.
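The mechanics Hayashi describes can be turned into a detection check. The script below is an added example, not code from Hayashi, Symantec or the worm itself: it parses web server access-log lines (the sample lines are constructed, with the first one mirroring the shape of the public CVE-2012-1823 proof-of-concept request) and reconstructs the command-line arguments that an unpatched php-cgi would have received, so that the tell-tale `-d auto_prepend_file=php://input` style option injection can be flagged. The log format, the function names `php_cgi_argv`, `analyse` and `triage`, and the verdict labels are all my own assumptions; the "well-known ID and passwords" part of the worm's request is not modelled because the page does not say which path or credentials it uses.

```python
import re
from urllib.parse import unquote

# Apache "combined"-style access-log line (assumed format; sample lines below are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# php.ini directives the public CVE-2012-1823 PoC sets with "-d" so that the POST
# body gets executed as PHP. Any of them in a query string is a strong signal.
RCE_DIRECTIVES = {"auto_prepend_file", "auto_append_file", "allow_url_include"}


def php_cgi_argv(target):
    """Reconstruct the argv an unpatched php-cgi would have received for a request target.

    RFC 3875 allows a query string that contains no raw '=' to be passed to the CGI
    program as command-line arguments: Apache's CGI handling splits such a query on
    '+', URL-decodes each piece and hands the result to php-cgi as argv, which php-cgi
    then parsed as its own options. Percent-encoding '=' as %3d keeps the query
    "indexed" yet still yields '-d name=value' after decoding; that is the whole trick
    behind CVE-2012-1823. Returns [] when the query would be treated as ordinary parameters.
    """
    _path, sep, query = target.partition("?")
    if not sep or not query or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+") if piece]


def analyse(line):
    """Classify one access-log line. Returns None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    argv = php_cgi_argv(m["target"])
    result = {
        "ip": m["ip"], "method": m["method"], "target": m["target"],
        "argv": argv, "directives": [], "flags": [], "verdict": "benign",
    }
    # Only a leading '-' turns the arguments into php-cgi options.
    if not argv or not argv[0].startswith("-"):
        return result

    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):          # "-d name=value"
            result["directives"].append(argv[i + 1].split("=", 1)[0])
            i += 2
            continue
        if arg.startswith("-d") and len(arg) > 2:      # "-dname=value"
            result["directives"].append(arg[2:].split("=", 1)[0])
        elif arg.startswith("-"):
            result["flags"].append(arg)
        i += 1

    if RCE_DIRECTIVES.intersection(result["directives"]):
        result["verdict"] = "cve-2012-1823:rce-setup"
    elif "-s" in result["flags"]:                      # -s dumps the script source
        result["verdict"] = "cve-2012-1823:source-disclosure"
    else:
        result["verdict"] = "cve-2012-1823:option-injection"
    return result


def triage(lines):
    """Return (ip, verdict, target) for every parseable line that is not benign."""
    hits = []
    for line in lines:
        r = analyse(line)
        if r and r["verdict"] != "benign":
            hits.append((r["ip"], r["verdict"], r["target"]))
    return hits


# Constructed sample log. The first line follows the shape of the public PoC request.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Nov/2013:10:12:01 +0000] "POST /cgi-bin/php?-d+allow_url_include%3don'
    '+-d+safe_mode%3doff+-d+suhosin.simulation%3don+-d+disable_functions%3d%22%22'
    '+-d+open_basedir%3dnone+-d+auto_prepend_file%3dphp://input+-d+cgi.force_redirect%3d0'
    '+-d+cgi.redirect_status_env%3d0+-n HTTP/1.1" 200 1337',
    '198.51.100.7 - - [26/Nov/2013:10:12:03 +0000] "GET /index.php?-s HTTP/1.1" 200 4096',
    '192.0.2.9 - - [26/Nov/2013:10:12:05 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Nov/2013:10:12:06 +0000] "GET /search?q=a+b HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, verdict, target in triage(SAMPLE_LOG):
        print(f"{ip:15} {verdict:35} {target[:60]}")
```

The decisive check is done on the raw query string before decoding: a query with a literal `=` is never passed as argv, so `q=a+b` is harmless even though it contains `+`, while `%3d` slips through. Flagging on the reconstructed argv rather than on a fixed PoC string means reordered or trimmed variants of the request are still caught. Detection is a stop-gap only; the real fix is running a php-cgi build from May 2012 or later (5.3.12 / 5.4.2) or not exposing php-cgi at all, which is exactly why this worm only finds unpatched, forgotten systems.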
