[LACNIC/Seguridad] New Linux worm targets routers, cameras, “Internet of things” devices

Fernando Gont fgont at si6networks.com
Tue Dec 3 17:38:25 BRST 2013



---- cut here ----
New Linux worm targets routers, cameras, “Internet of things” devices
Too many Internet-connected devices run code that's woefully out of date.

by Dan Goodin - Nov 27 2013, 5:25pm ART

Researchers have discovered a Linux worm capable of infecting a wide
range of home routers, set-top boxes, security cameras, and other
consumer devices that are increasingly equipped with an Internet connection.

Linux.Darlloz, as the worm has been dubbed, is now classified as a
low-level threat, partly because its current version targets only
devices that run on CPUs made by Intel, Symantec researcher Kaoru
Hayashi wrote in a blog post published Wednesday. But with a minor
modification, the malware could begin using variants that incorporate
already available executable and linkable format (ELF) files that infect
a much wider range of "Internet-of-things" devices, including those that
run chips made by ARM and those that use the PPC, MIPS, and MIPSEL

"Upon execution, the worm generates IP addresses randomly, accesses a
specific path on the machine with well-known ID and passwords, and sends
HTTP POST requests, which exploit the vulnerability," Hayashi explained.
"If the target is unpatched, it downloads the worm from a malicious
server and starts searching for its next target. Currently, the worm
seems to infect only Intel x86 systems, because the downloaded URL in
the exploit code is hard-coded to the ELF binary for Intel architectures."

The researcher went on to say the attacker behind the Intel version is
also hosting ELF files that exploit the other chip architectures.

Out of date

While not posing much of a real-world threat now, Darlloz demonstrates a
major shortcoming with most Internet-of-things devices available
today—they typically run Linux or other types of open source code that
are woefully out of date. Making matters worse, many Internet-connected
consumer devices can't be updated because their lightweight hardware
can't handle the requirements of newer code versions. Hijacking one of
these devices thus becomes much easier than exploiting, say, an
up-to-date version of Windows, OS X, or Linux.

Darlloz exploits a vulnerability in the PHP scripting language that was
patched 18 months ago. Devices that use older versions of PHP to provide
a Web-based interface to make configuration changes may be vulnerable to
the attack. With minor modifications, the worm could potentially be
reprogrammed to exploit dozens of patched vulnerabilities that still
haven't made their way into most consumer devices.

Readers who want to tighten the security of their routers and other
devices should consider doing research ahead of purchases and buying
only gear that can be updated easily. For existing devices, update to
the latest available version, change default passwords, and block
incoming POST requests and other types of HTTP calls if at all possible.
---- cut here ----

Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
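A defender-side check for the mitigation the forwarded article recommends (block Internet-facing POST requests to a device's PHP web interface): it scans web-server access logs for POSTs to PHP paths from non-LAN sources, the traffic pattern the article attributes to the worm, and counts them per source. This is an added example, not code from the article, Symantec or SI6 Networks; the log lines and management paths are constructed placeholders, and the LAN ranges are an assumption about the device's network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format (illustration only;
# the paths stand in for a device's PHP-based web interface, not the worm's real targets).
SAMPLE_LOG = """\
192.168.1.20 - - [03/Dec/2013:17:01:02 -0200] "GET /index.php HTTP/1.1" 200 512
203.0.113.45 - - [03/Dec/2013:17:02:10 -0200] "POST /cgi-bin/admin.php HTTP/1.1" 200 88
203.0.113.45 - - [03/Dec/2013:17:02:11 -0200] "POST /cgi-bin/admin.php HTTP/1.1" 200 88
198.51.100.7 - - [03/Dec/2013:17:03:30 -0200] "POST /login.php HTTP/1.1" 401 0
192.168.1.20 - - [03/Dec/2013:17:04:00 -0200] "POST /save.php HTTP/1.1" 200 64
10.0.0.5 - - [03/Dec/2013:17:05:00 -0200] "GET /status.php HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
# Paths served by the device's PHP/CGI management interface (assumed pattern).
MGMT_PATH_RE = re.compile(r'\.php(\?|$)|^/cgi-bin/', re.IGNORECASE)
# Address ranges treated as "inside" the home/office network (assumption).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_external(ip_str):
    """True when the source address is outside the assumed LAN ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return not any(ip in net for net in LAN_NETS)


def suspicious_posts(log_text):
    """Count, per external source IP, POST requests aimed at the management interface."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and MGMT_PATH_RE.search(rec["path"]) \
                and is_external(rec["ip"]):
            hits[rec["ip"]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in suspicious_posts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} external POST(s) to the web interface; candidate for blocking")
```

The internal POST from 192.168.1.20 is deliberately left alone, since the article's advice is to block POSTs from the Internet side, not legitimate configuration changes from the LAN.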

More information about the Seguridad mailing list