Linux worm Darlloz targets Intel architecture to mine digital currency

Linux worm Darlloz targets Intel architecture to mine digital currency

Summary: A new variant of the Darlloz worm focuses on manipulating home systems to mine for digital currency beyond Bitcoin.

SHARE:
TOPICS: Security, Intel, Linux
30
credit cnet
Credit: CNET

A Linux worm variant found in the wild targets routers, set-top boxes, and now PCs in order to mine for cryptocurrency.

According to research firm Symantec, a new Internet of Things (IoT) worm was discovered last November. Dubbed Linux.Darlloz, the worm targets computers running Intel x86 architectures, as well as devices running the ARM, MIPS and PowerPC architectures, such as routers and set-top boxes.

Preloaded with usernames and passwords in order to crack into such systems, a new variation has now been found, which continuously updates and is now making money through the mining of cryptocurrency.

Kaoru Hayashi, a senior development manager and threat analyst with Symantec, wrote that the new version focuses on finding Intel architecture PCs in order to install "cpuminer," an open-source mining program. As Bitcoin can no longer be mined effectively from personal computers, the worm mines spin-off currencies such as Mincoins and Dogecoins instead, where money can still be made.

"The reason for this is [that] Mincoin and Dogecoin use the scrypt algorithm, which can still mine successfully on home PCs, whereas Bitcoin requires custom ASIC chips to be profitable," Hayashi wrote.

In Symantec's last scan, researchers found that 31,000 devices have been infected with the worm, with half of the infections based in India, China, South Korea, Taiwan, and the United States. By the end of February this year, the cyberattackers were able to mine 42,438 Dogecoins and 282 Mincoins, worth approximately $46 and $150. While this is a low amount, further attacks can boost the monetization substantially over time.

It is believed that the hackers capitalize on a backdoor in several router types, which can be exploited to gain remote access. However, this represents a threat to Darlloz if more malware is installed, and so the author implemented a feature to block the backdoor port by "creating a new firewall rule on infected devices to ensure that no other attackers can get in through the same back door."

In total, 31,716 identified IP addresses were infected. 43 percent of Darlloz infections compromised Intel based-computers or servers running on Linux, and 38 percent of Darlloz infections have affected a variety of IoT devices.

IoT devices are often left on default password settings and generally have lax security, leaving such vulnerabilities wide open. Symantec suggests that security patches are applied to all software installed on PCs or IoT devices, and passwords are changed from default settings. In addition, to further improve security, blocking connections on ports 23 and 80 are recommended.

Topics: Security, Intel, Linux

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

30 comments
Log in or register to join the discussion
  • More detail

    How about more detail? Attack vector? Linux Version/Variant?
    BrentRBrian
    • re; More detail

      Technical Details

      http://www.symantec.com/security_response/writeup.jsp?docid=2013-112710-1612-99&tabid=2
      RickLively
  • linux worms dont exist

    Its not possible.
    greywolf7
    • Happy to read some FUD are we?

      Did you read the part where the "worm" comes with preinstalled set of passwords. If your password is 'password' you deserve to be pawned no matter what your OS is.
      Actually this worm is an indication how good Linux is- if people were so desperate that they wrote a "worm" that uses this kind of attack the OS is really doing a good job.
      kirovs@...
      • You're absolutely right.

        If the owners of the infected devices skipped over the bold, red, warning at the top of quick start guide that says: "CHANGE THE DEFAULT PASSWORD IMMEDIATELY!", then it's pretty hard to feel sorry for them.
        anothercanuck
      • Re: Happy to read some FUD are we....

        I'm sorry, but I don't agree. There are many users out there that could certainly use some training, to create very good passwords, but a lot of people, just don't know, or understand. You need to do some volunter work, to know what I mean.

        It's pretty amazing! Users really believe that there birthdates, names, sur names addresses should be good enough.....

        TW
        T-Wrench
        • Default credentials

          "Users really believe that there birthdates, names, sur names addresses should be good enough....."

          Any of these would be better than leaving the defaults set at the factory in place.
          radleym
    • Ignorance is bliss.

      You're absolutely right. Linux is invincible! Hackers are idiots. There is no way they can be smarter than the Linux gods.
      Shift4SMS
  • Yet another asinine and irresponsible piece of journalism

    This article is bologna.

    We really do need to stamp out this kind of asinine irresponsible journalism now.

    This article posits things which are not possible unless the systems involved are completely unprotected (whatever we might mean by that) and maybe the system admin has posted the root password for the system on the open Internet someplace. For crying out loud, stop it!

    This article has no point except to foster levels of uncertainty, fear, or doubt. There is no other purpose for this tripe. Just stop.

    Please.
    marcushh777
    • You are kidding right?

      You can get a list of devices with known default root passwords ordered by brand/make/model and version with a 0.03 second google search.
      traxxion
      • If you run a device with a default

        root password, you deserve to be powned./
        marcushh777
  • Linux worm Darlloz targets Intel architecture to mine digital currency

    But I was told linux was immune to these problems. Even when I pointed out proof I was still told it wasn't possible and then called names and threatened. I'm guessing the worm enters the system through linux's open telnet port and then replicates from there. The linux sysadmins are having a busy week this week having to recompile their kernel to fix all the issues that have cropped up. Nothing like that false sense of security when using a linux system.
    Loverock.Davidson
    • Yes Dear

      ;)
      RickLively
    • Ah, the old "open telnet port" red herring again...

      I post maybe 3 messages a year to ZD, but I'm quite sure that I've replied to L.D. at least once on this same old wives tale.

      Linux systems haven't been shipped with an open telnet port in 15 years. Telnet hasn't even been shipped as base software in 5 years. It requires effort for an admin to open a telnet port to their system. It requires insanity to allow access to that port from the Internet.
      dh1760
      • He's roped you in thrice?

        You seriously fell for it THREE times?
        ye
    • UNIX is immune

      to viruses because they keep the executable length in the header. That's all it is. Worms and Trojan horses are still possible, but relatively pointless because they usually are configured to deposit a virus on the attacked system.

      Ubuntu already released fixes to prevent spread of this worm more than a year ago. Most Linux systems are updated on a regular basis, and if they are not you get what you deserve.
      Tony Burzio
      • Not sure storing the executable length in the header provides immunity.

        In simple terms, virus writers can reverse engineer an executable binary, find a rarely used block in the code segment, and replace it with their own assembly code. Eventually it will be executed, and by the time the user notices their intended function didn't run, it is generally too late. If they need a bigger code block, without changing the header they effectively do the same thing in the data segment to store a payload. That payload can be passed to an external interpreter at runtime (shell, perl, etc).
        dh1760
      • Executable length?

        Can't you just update length value in the header?
        Length in the header does not look like a sophisticated defense mechanism.
        paul2011
      • Nope.

        The actual protection is that system binaries are not writable by users.

        Most (not all) network services also do not run as root.

        In this particular case, a vulnerabilitiy in some PHP code is vulnerable. If the Web server has that particular PHP code installed, then it is vulnerable.
        jessepollard
    • You can't read can you.

      It can only enter those systems with web servers.

      Of those web servers it can only enter those with PHP enabled.

      Of those web servers with PHP enabled it can only enter those with the specific PHP cgi vulnerability.

      Not that many over all.

      Also trivially patched (just remove the PHP cgi script itself). Normally this would have been removed during development. Unfortunately, a number of quickie admins didn't - and the result is being distributed.
      jessepollard