A new worm has been found that attacks Internet of Things devices. The worm, Linux.Darlloz, exploits a PHP vulnerability to propagate itself in the wild. It uses the PHP ‘php-cgi’ Information Disclosure Vulnerability (CVE-2012-1823), an old vulnerability that was patched in May 2012. The attacker recently built the worm on proof-of-concept (PoC) code released in late October 2013.
Symantec researcher Kaoru Hayashi says “Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target. Currently, the worm seems to infect only Intel x86 systems, because the downloaded URL in the exploit code is hard-coded to the ELF binary for Intel architectures.”
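As an added detection example (not from the article or from Symantec), the following Python scanner flags php-cgi argument-injection probes of the kind described above, run over constructed Apache combined-format access-log lines. It relies on the CVE-2012-1823 trigger condition: php-cgi treats a query string that contains no raw `=` as command-line arguments, so a decoded first token beginning with `-` aimed at a PHP handler is the signature; the log format, paths and IPs are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache "combined" access-log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_php_cgi_argument_injection(target: str) -> bool:
    """True when the request shape matches the CVE-2012-1823 trigger.

    php-cgi only reinterprets the query string as argv when the RAW string
    has no '='; attackers therefore percent-encode '='. After decoding, the
    first token is a php-cgi switch such as -s or -d.
    """
    path, sep, raw_query = target.partition("?")
    if not sep or "=" in raw_query:
        return False
    lower = path.lower()
    if not (lower.endswith(".php") or "php-cgi" in lower or lower.endswith("/php")):
        return False
    first_token = unquote_plus(raw_query).lstrip().split(" ", 1)[0]
    return first_token.startswith("-")

def scan_log(text: str) -> dict:
    """Return {source_ip: [request targets]} for every line that matches."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_php_cgi_argument_injection(m["target"]):
            hits[m["ip"]].append(m["target"])
    return dict(hits)

# Constructed sample lines, not real traffic: two probes, three benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2013:10:01:02 +0000] "POST /cgi-bin/php?%2D%73 HTTP/1.1" 200 512 "-" "-"
10.0.0.5 - - [26/Nov/2013:10:01:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Nov/2013:10:02:10 +0000] "POST /cgi-bin/php-cgi?-d+display_errors%3D1 HTTP/1.1" 200 64 "-" "-"
10.0.0.7 - - [26/Nov/2013:10:03:00 +0000] "GET /search.php?q=-d+test HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Nov/2013:10:03:05 +0000] "GET /static/app.js?-v HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, targets in scan_log(SAMPLE_LOG).items():
        print(ip, targets)
```

Benign lines with `-` inside a `key=value` parameter, or against non-PHP paths, are not flagged, which keeps the rule usable on real logs.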
The worm is not believed to be especially dangerous, as it relies on a vulnerability that has since been patched. With embedded devices, however, applying the patch is often difficult, and affected devices may continue to run in a vulnerable state for a long time.