New Linux Worm Could Attack Tiny Devices, Routers


Symantec researchers have discovered a worm that has the ability to spread rapidly by targeting a common vulnerability in Linux systems.

The Linux Darlloz worm exploits a PHP vulnerability, according to Symantec. The information disclosure vulnerability was patched in May 2012, but many embedded systems, such as home DVRs and Internet-enabled security cameras, are rarely updated.

"Although no attacks against these devices have been found in the wild, many users may not realize they are at risk since they are unaware they own devices that run Linux," wrote Kaoru Hayashi, a software engineer at Symantec Security Response in an analysis of the Linux worm issued Wednesday. "The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet."

The threat, based on proof-of-concept code released in October, could be used in targeted attack campaigns. The worm targets Intel x86 systems, and the attacker hosts different variants of the worm for various architectures, Hayashi said.

Solution providers say threats that target PCs, laptops and mobile devices also can target an increasing number of Internet-enabled devices, from audio systems to clock radios, home appliances, thermostats and more. Despite having a tiny footprint, some embedded systems can perform critical functions, said Greg Williams, a security compliance consultant for MMIC, the largest policyholder-owned medical liability insurer in the Midwest.

Williams said health-care providers from large hospitals to small clinics must deal with embedded systems used in patient care. They try to reduce risk by keeping a buffer between most systems and the Internet, he said.

"Remediating risk is becoming a constant process at most health-care organizations, where security programs are less mature than businesses in other industries," Williams said. "The health-care industry itself is no stranger to risk, but there are a growing variety of elements that have to be assessed."

Symantec said it is monitoring the status of the Linux worm. PHP is used as a general-purpose programming language for some embedded devices, as well as for both website and Web server programming. Security researchers have demonstrated exploits that target similar coding errors in embedded systems, including pacemakers, glucose monitoring instruments and other medical devices.

PUBLISHED NOV. 27, 2013