Attack on “The Internet of Things” – linux.darlloz

The Internet of Things

The concept of the “Internet of Things” was first proposed back in 1999 by Kevin Ashton, and refers to the idea that computers in their traditional sense are not the only things taking up “space” on the internet. There are many other “things” which utilise the internet – for example, modern TVs and media players, home automation technologies, surveillance cameras, routers, high-tech white goods, security equipment, and the list goes on. The majority of those things have traditionally used Linux based operating systems, because Linux can be stripped back to the bare necessities to make it as streamlined as possible for the efficient running of the device it is controlling.

A new worm has been discovered by Symantec which attacks these Linux systems, and hence is being dubbed an attack on “The Internet of Things”. The worm targets small, Internet-enabled devices in addition to traditional computers. Variants exist specifically for devices such as home routers, set-top boxes and security cameras.

So far, no attacks against these devices have occurred “in the wild” (outside controlled environments). However, the risk exists because so many users do not realise they are even at risk. Many users are oblivious to the fact that the devices they own have an operating system at all, let alone understanding that it is based on Linux.

What is the risk?

Well, if exploited, this could allow attackers to access your surveillance footage, access the camera mounted on your new TV, or intercept all your transmissions through your modem and/or router. At the less invasive end of the spectrum, they could fiddle with the settings on your Internet Enabled Fridge – costing you a full fridge/freezer worth of food. At the extreme level, someone with a Smart House could be in a lot of trouble – think HAL from 2001: A Space Odyssey!!

What is Linux.Darlloz?

The worm, Linux.Darlloz, exploits an old vulnerability in the PHP programming platform. For the techies out there – it exploits the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), which was patched in May 2012. This Proof of Concept (PoC) worm was released in late Oct 2013.

Linux.Darlloz generates random IP addresses within specific ranges. It then attempts to access a specific path on each machine using common user IDs and passwords, and sends a request message out to the malware’s “home base”. If the target is unpatched, the worm is downloaded onto it from a malicious server and the newly infected device starts searching for its next target.

Many vendors of devices with “hidden” operating systems have configured their products without asking for usernames and passwords, and so users may not be aware that they are using vulnerable devices in their homes or offices. Similarly, many users may have older devices which are either unsupported, or are not capable of running the upgraded components.

To protect from infection by the worm, Symantec recommends users take the following steps:

  1. Verify all devices connected to the network
  2. Update their software/firmware to the latest version
  3. Update their security software when it is made available on their devices
  4. Make device passwords stronger
  5. If possible, block incoming HTTP POST requests to the following paths at the gateway or on each device if not required:
     • /cgi-bin/php
     • /cgi-bin/php5
     • /cgi-bin/php-cgi
     • /cgi-bin/php.cgi
     • /cgi-bin/php4
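If you cannot block those POST requests at the gateway, you can at least check a device’s or gateway’s web access log for them. The script below is an added example written for this article (it is not Symantec’s code and not part of Linux.Darlloz analysis); it assumes the log uses the common Apache/nginx “combined” format, and the sample log lines are constructed for illustration.

```python
import re
from typing import Dict, List

# The five php-cgi paths Symantec recommends blocking POST requests to (listed above).
DARLLOZ_PATHS = {
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
}

# Assumed "combined" access-log layout: ip ident user [timestamp] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: three POSTs to listed paths, one harmless GET, one GET to a listed path.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Nov/2013:08:15:02 +0000] "POST /cgi-bin/php HTTP/1.1" 200 512
198.51.100.23 - - [30/Nov/2013:08:15:09 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [30/Nov/2013:08:15:11 +0000] "POST /cgi-bin/php-cgi?x=1 HTTP/1.1" 404 0
192.0.2.44 - - [30/Nov/2013:08:16:30 +0000] "POST /cgi-bin/php5 HTTP/1.1" 500 0
198.51.100.23 - - [30/Nov/2013:08:17:01 +0000] "GET /cgi-bin/php HTTP/1.1" 200 98
"""

def is_darlloz_probe(line: str) -> bool:
    """True when the line is an HTTP POST to one of the listed php-cgi paths (query string ignored)."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return False
    path = m.group("target").split("?", 1)[0]
    return path in DARLLOZ_PATHS

def find_probes(log_text: str) -> List[Dict[str, str]]:
    """Return one record (source IP, timestamp, path, status) per matching log line."""
    hits = []
    for line in log_text.splitlines():
        if is_darlloz_probe(line):
            m = LOG_RE.match(line)
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": m.group("target").split("?", 1)[0],
                         "status": m.group("status")})
    return hits

def probes_by_source(log_text: str) -> Dict[str, int]:
    """Count matching requests per source IP, which makes a scanning host stand out."""
    counts: Dict[str, int] = {}
    for hit in find_probes(log_text):
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} POST {hit['path']} -> {hit['status']}")
    print(probes_by_source(SAMPLE_LOG))
```

A non-zero count for a source address is a prompt to check whether the device still answers POST requests on those paths and whether its firmware has the May 2012 PHP fix.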

Call us here at Askkiz if you would like to ensure your Internet of Things is not vulnerable, and you are not at risk.
