Linux.Darlloz, in addition to being able to attack Linux computers, has the ability to target small devices attached to the internet. Chips used in home routers, security cameras, set-top boxes such as Apple TV, Roku and cable boxes, and even industrial controllers are susceptible to this worm.
The devices above utilize Linux services to provide user interfaces. The interfaces use Apache web servers and PHP servers. The malware uses an old PHP vulnerability, the Information Disclosure Vulnerability (CVE-2012-1823), that was patched in May of 2012. Because the malware is built as an ELF binary, so far Linux.Darlloz only infects Intel x86 systems. However, the servers used to host the worm also carry versions for ARM, PPC, MIPS and MIPSEL.
Behavior exhibited by Linux.Darlloz includes generating random IP addresses, accessing the path where IDs and passwords are kept, and sending HTTP POST requests. Once a victim is infected, the worm starts searching for its next target.
To protect yourself from this worm you should:
- Update device software to the latest version
- Update security software when it is made available on devices
- Use strong passwords on your devices
- Block incoming HTTP POST requests on either your firewall or on specific devices
- Protect the following paths:
  - /cgi-bin/php
  - /cgi-bin/php5
  - /cgi-bin/php-cgi
  - /cgi-bin/php.cgi
  - /cgi-bin/php4
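As an added example (not part of the original post), here is a small Python check that scans Apache access-log lines for HTTP POST requests aimed at the php-cgi paths listed above, so you can see whether a device on your network is being probed. The log lines are constructed sample data in Apache combined format, not real traffic.

```python
import re
from collections import Counter

# The php-cgi paths the post recommends protecting.
PROTECTED_PATHS = frozenset({
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
})

# Apache "combined" format: client, ident, user, [time], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_cgi_php_path(target: str) -> bool:
    """True when the request path (query string stripped) is one of the protected paths."""
    path = target.split("?", 1)[0]
    return path in PROTECTED_PATHS

def suspicious_requests(lines):
    """Return (client, method, target, status) for each POST hitting a protected path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if m["method"] == "POST" and is_cgi_php_path(m["target"]):
            hits.append((m["client"], m["method"], m["target"], m["status"]))
    return hits

def count_by_client(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(h[0] for h in hits).most_common()

# Constructed sample log lines: two POST probes from one address, one normal GET, one broken line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2013:08:15:02 +0000] "POST /cgi-bin/php-cgi HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Dec/2013:08:15:03 +0000] "POST /cgi-bin/php5?x=1 HTTP/1.1" 404 210 "-" "-"',
    '198.51.100.20 - - [10/Dec/2013:08:16:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, n in count_by_client(suspicious_requests(SAMPLE_LOG)):
        print(f"{client}: {n} POST request(s) to php-cgi paths")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a source that repeatedly POSTs to these paths is worth blocking at the firewall as the post advises.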
Reblogged this on Gun Safety Blog and commented:
Very useful information for securing devices you may have in your home and connected to the internet.