Sunday, 12 January 2014

Symantec Discovers Linux Worm Targeting Hidden Devices

Antivirus company Symantec has announced that it has discovered a new worm on the loose—one that attacks vulnerabilities in computer systems running Linux. Thenew Linux worm that appears to be engineered to target the “Internet of things”. Symantec has named the worm Linux.Darlloz ( Linux.Darlloz) and reports that its main abilities at this time appear to be one of replication by taking advantage of a PHP vulnerability in systems running older versions of Linux. When it executes, it creates random IP addresses and attempts to locate pathways to other devices on the network. Those devices that aren't protected become infected as well, which in turn serve as aids in propagating the worm. Linux is an open source operating system and has been ported to various architectures that is similar in many respects to Unix and has been widely used as both a learning and research tool. More recently, those making hardware devices have begun using it because no licensing fee is required. The down side is that because it's open source, many versions lack the security features of more robust operating systems such as (Unix based OS X) or Windows. Linux not only runs on Intel-based computers, but also on small devices with different CPUs, such as home routers, set-top boxes, security cameras, and even industrial control systems. Some of these devices provide a Web-based user interface for settings or monitoring, such as Apache Web servers and PHP servers. The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. The worm utilizes the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), which is an old vulnerability that was patched in May 2012. The attacker recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013. We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server. Figure: The “e_machine” value in ELF header indicates the worm is for ARM architecture. These architectures are mostly used in the kinds of devices described above. The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet. Vendors of devices with hidden operating systems and software, who have configured their products without asking users, have complicated matters. Many users may not be aware that they are using vulnerable devices in their homes or offices. Another issue we could face is that even if users notice vulnerable devices, no updates have been provided to some products by the vendor, because of outdated technology or hardware limitations, such as not having enough memory or a CPU that is too slow to support new versions of the software. To protect from infection by the worm, Symantec recommends users take the following steps: 1.Verify all devices connected to the network 2.Update their software to the latest version 3.Update their security software when it is made available on their devices 4.Make device passwords stronger 5.Block incoming HTTP POST requests to the following paths at the gateway or on each device if not required: *.-/cgi-bin/php *.-/cgi-bin/php5 *.-/cgi-bin/php-cgi *.-/cgi-bin/php.cgi *.-/cgi-bin/php4 The worst part is almost nobody knows these appliacations run Linux and are even vulnerable to such things. Pretty smart set of targets. Ultimately how these appliances are built, updated, maintained and secured will have to change. One thing that is crystal clear in OS security is it is not a matter of if but of when a particular OS will be found vulnerable. Leaving devices with no security upgrade path will make them prime targets moving forward. These kind of worms would be potential threat in the future of Linux.

No comments:

Post a Comment