Linux worm threatens 'Internet of Things' devices

News by Kate O'Flaherty

A Linux worm capable of infecting connected devices has been discovered by security researchers.

A Linux worm capable of infecting connected devices has been discovered by security researchers.

The worm, dubbed Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild, Symantec researchers found. It is capable of attacking routers, set top boxes and security devices, as well as PCs.

Linux.Darlloz utilises the PHP 'php-cgi' Information Disclosure Vulnerability, an old vulnerability which was patched in May 2012. The attacker created the worm based on the Proof of Concept code released in October this year.

The emergence of Linux.Darlloz highlights the possible risks behind 'Internet of Things' devices, experts agree. Many users will not realise they are at risk, as they are unaware their devices run Linux, Symantec researcher Kaoru Hayashi said in a blog post.

"Now Linux is widely used  in commercially available products it presents a viable target," Jamie Moss, senior analyst at Informa Telecoms and Media, told, adding that it is "guaranteed" more malicious code for the Linux operating system will be created.

"There is now a very real opportunity to exploit a huge number of devices out there, whether it's to gain information or join networks for malicious purposes," said Moss. "There was previously no commercial opportunity in Linux, but there is now."

It is likely there will be more attacks like this in 2014, Tom Davison, technical director for Check Point agreed. He told "Criminals will look for weaknesses that can be exploited by hooking into these systems to gain personal information - as well as to cause disruption to devices."

The worm highlights the need for firmware updates, Moss said, adding: "People put Linux on their devices because it is free, but there is an advantage to licensed operating systems such as Windows, as it is obliged to patch issues. This isn't necessarily the case when the operating system is free."

Orla Cox, senior manager, Symantec Security Response added: "The popularity of the Linux operating system coinciding with the ‘Internet of things' means that threats have the potential to find their way into homes and businesses through different channels. Although we haven't identified any instances of the worm on non-PC devices, we do advise users to secure web-based user interfaces for devices. Stronger passwords and updating device software, including security, will help to protect against the worm."   

Davison agreed that the onus is on users to take security precautions including "changing device passwords from default settings, and keeping software and firmware updated as much as possible".

The current version of Linux.Darlloz's current version targets only devices that run on CPUs made by Intel. However, Hayashi added on his blog: "We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL on the same server."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews