A Symantec researcher has discovered a new Linux worm that targets machine-to-machine devices and propagates by exploiting a PHP vulnerability (CVE-2012-1823) that was patched as far back as May 2012.
The worm, dubbed Linux.Darlloz, poses a threat to devices such as home routers, set-top boxes, security cameras, and even industrial control systems. It is based on proof-of-concept code released in late October and spreads by exploiting a vulnerability in php-cgi.
"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target," the Symantec researchers explained.
The malware does not appear to perform any malicious activity other than spreading itself silently and wiping a number of system files.
So far the malware variant targets x86 systems, because the malicious binary downloaded from the attacker's server is in ELF (Executable and Linkable Format) format for Intel architectures.
However, the Symantec researchers claim the attacker also hosts variants of the worm for other architectures including ARM, PPC, MIPS and MIPSEL.
No attacks have been reported in the wild, but Symantec warned that most users would not realize they were at risk, as they would be unaware that their own devices run on Linux.
To protect their devices from the worm, users are advised to update their software to the latest version, make device passwords stronger, and block incoming HTTP POST requests to the /cgi-bin/php* paths.
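As an added illustration of that last piece of advice (this is example code, not from the article or from Symantec), the following Python check scans web-server access-log lines for POST requests to /cgi-bin/php* paths, which is the traffic the advisory recommends blocking. The Common Log Format layout and the sample log lines are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Common Log Format request line (assumed layout), e.g.
# 192.0.2.10 - - [27/Nov/2013:10:15:32 +0000] "POST /cgi-bin/php HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefix the advisory says to block for POST requests (the /cgi-bin/php* glob).
BLOCKED_PREFIX = "/cgi-bin/php"


def is_suspicious_request(method: str, target: str) -> bool:
    """True for a POST whose path, with any query string removed, starts with /cgi-bin/php."""
    path = target.split("?", 1)[0]
    return method == "POST" and path.startswith(BLOCKED_PREFIX)


def flag_php_cgi_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that matches the advisory's block rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess
        if is_suspicious_request(m["method"], m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "target": m["target"], "status": m["status"]})
    return hits


# Constructed sample lines (not real traffic); the query strings are neutral placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Nov/2013:10:15:32 +0000] "POST /cgi-bin/php?foo=bar HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Nov/2013:10:15:40 +0000] "GET /cgi-bin/php HTTP/1.1" 200 128',
    '192.0.2.12 - - [27/Nov/2013:10:16:01 +0000] "POST /cgi-bin/php5 HTTP/1.0" 404 -',
    '192.0.2.13 - - [27/Nov/2013:10:16:15 +0000] "POST /index.php HTTP/1.1" 200 2048',
    '192.0.2.14 - - [27/Nov/2013:10:16:30 +0000] "POST /cgi-bin/php-cgi?x=1 HTTP/1.1" 500 0',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in flag_php_cgi_posts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} POST {hit['target']} -> {hit['status']}")
```

The query string is deliberately ignored when matching, so a request cannot evade the check by appending parameters to the path.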