Symantec, who discovered the worm, has named it Linux.Darlloz, and says that it "appears to be engineered to target the 'Internet of things.'" It exploits an old PHP vulnerability to propagate, although Symantec has not yet found it in the wild. "The attacker," says Kaoru Hayashi in a company blog, "recently created the worm based on the Proof of Concept (PoC) code released in late Oct 2013."
This is not (yet) an actual threat to the Internet of Things. Hayashi notes, "We have also verified that the attacker already hosts some variants for other architectures including ARM, PPC, MIPS and MIPSEL…. The attacker is apparently trying to maximize the infection opportunity by expanding coverage to any devices running on Linux. However, we have not confirmed attacks against non-PC devices yet."
Davi Ottenheimer, president of flyingpenguin and EMC senior director of trust, picks up on this. "In other words, the only known attacks are on PCs," he blogged yesterday. "Other devices are just speculation. Given the Symantec report details, it seems quite clear the attacker is NOT TARGETING HIDDEN DEVICES."
Nevertheless, Linux.Darlloz highlights the coming problems. It uses an old vulnerability long since patched; but 'things' are not easily updated. "This particular threat is not a concern from an Internet of Things perspective," PandaLabs' technical director Luis Corrons told Infosecurity; "however it should be a heads up. We are talking about millions of devices that are usually untouched once installed: their default password is never changed, their operating system is never updated – which leads," he added, "to millions of devices available to be hacked.
"Users," he stressed, "have to be aware of this. Most, for example, don't realize that IP cameras are really easy to hack; and the same goes for every device with network capabilities. People think that this happens in personal computers and could also happen every leap year in mobile devices, while the truth is that every network connected device is at risk: from our computer to our smart TV."
David Harley, ESET senior research fellow, agrees that this is more of a warning for the future than a threat today. He notes that the attacker seems to be testing versions for other architectures, and comments, "the fact that someone is thinking about distinguishing between targets by architecture does suggest potential for much more targeted attacks in the future, with malware that discriminates not only by e_machine but by function, providing openings for other kinds of malicious activity. Targeting devices that aren’t PCs and therefore probably don’t have an explicit malware detection mechanism would reduce the likelihood of early detection of device-specific malware. Payloads that would take advantage of device-specific functionality would require significant research and development," he told Infosecurity, "but who, a few years ago, would have given much thought to the likelihood of malware targeting uranium enrichment centrifuges?"
The problem for the future, he says, is that things in the Internet of Things are not likely to attract much security software. "I guess we can only hope that the makers of such devices will devote more thought to building in sound security and update mechanisms for internet-connected devices. And maybe talking to security specialists about the potential intrusive or disruptive attacks against such devices in the design and planning stages."