A Linux worm variant found in the wild targets routers, set-top boxes, and now PCs in order to mine for cryptocurrency.
According to research firm Symantec, a new Internet of Things (IoT) worm was discovered last November. Dubbed Linux.Darlloz, the worm targets computers running Intel x86 architectures, as well as devices running the ARM, MIPS and PowerPC architectures, such as routers and set-top boxes.
The worm comes preloaded with usernames and passwords in order to break into such systems. A new variant has now been found that is continuously updated and is now making money by mining cryptocurrency.
Kaoru Hayashi, a senior development manager and threat analyst with Symantec, wrote that the new version focuses on finding Intel architecture PCs in order to install "cpuminer," an open-source mining program. As Bitcoin can no longer be mined effectively on personal computers, the worm instead mines spin-off currencies such as Mincoin and Dogecoin, where money can still be made.
"The reason for this is [that] Mincoin and Dogecoin use the scrypt algorithm, which can still mine successfully on home PCs, whereas Bitcoin requires custom ASIC chips to be profitable," Hayashi wrote.
In Symantec's last scan, researchers found that 31,000 devices have been infected with the worm, with half of the infections based in India, China, South Korea, Taiwan, and the United States. By the end of February this year, the cyberattackers were able to mine 42,438 Dogecoins and 282 Mincoins, worth approximately $46 and $150. While this is a low amount, further attacks can boost the monetization substantially over time.
It is believed that the attackers capitalize on a backdoor in several router types, which can be exploited to gain remote access. However, that same backdoor is a threat to Darlloz, since other malware could be installed through it, so the author added a feature that blocks the backdoor port by "creating a new firewall rule on infected devices to ensure that no other attackers can get in through the same back door."
In total, 31,716 identified IP addresses were infected. Some 43 percent of Darlloz infections compromised Intel-based computers or servers running Linux, and 38 percent affected a variety of IoT devices.
IoT devices are often left with default passwords and generally have lax security, leaving such vulnerabilities wide open. Symantec recommends applying security patches to all software installed on PCs and IoT devices and changing passwords from their default settings. In addition, to further improve security, blocking connections on ports 23 and 80 (Telnet and HTTP) is recommended.