Last November, Symantec found an Internet of Things (IoT) worm named Linux.Darlloz. The worm targets computers running Intel x86 architectures, and it also targets devices running the ARM, MIPS and PowerPC architectures, which are usually found on routers and set-top boxes. Since the initial discovery of Linux.Darlloz, Symantec has found a new variant of the worm in mid-January. According to Symantec’s analysis, the author of the worm continuously updates the code and adds new features, particularly focusing on making money with the worm.
By scanning the entire Internet IP address space in February, we found that there were more than 31,000 devices infected with Linux.Darlloz.
In addition, we have discovered that the current purpose of the worm is to mine cryptocurrencies. Once a computer running Intel architecture is infected with the new variant, the worm installs cpuminer, an open source coin mining program. The worm then starts mining Mincoins or Dogecoins on infected computers. By the end of February 2014, the attacker had mined 42,438 Dogecoins (approximately US$46 at the time of writing) and 282 Mincoins (approximately US$150 at the time of writing). These amounts are relatively low for the average cybercrime activity, so we expect the attacker to continue to evolve the threat for increased monetization.
The worm’s new coin mining feature only affects computers running the Intel x86 architecture, and we haven’t seen it impact IoT devices. These devices would typically need more memory and a more powerful CPU for coin mining.
Why IoT devices?
The Internet of Things is all about connected devices of all types. While many users may ensure that their computers are secure from attack, users may not realize that their IoT devices need to be protected too. Unlike regular computers, a lot of IoT devices ship with a default user name and password and many users may not have changed these. As a result, the use of default user names and passwords is one of the top attack vectors against IoT devices. Many of these devices also contain unpatched vulnerabilities users are unaware of.
While this particular threat focuses on computers, routers, set-top boxes and IP cameras, the worm could be updated to target other IoT devices in the future, such as home automation devices and wearable technology.
Infected IoT devices
Consumers may not realize that their IoT devices could be infected with malware. As a result, this worm managed to compromise 31,000 computers and IoT devices in four months and it is still spreading. We expect that the malware author will continue to update this worm with new features as the technology landscape changes over time. Symantec will continue to keep an eye on this threat.
- Apply security patches for all software installed on computers or IoT devices
- Update firmware on all devices
- Change the password from default on all devices
- Block inbound connections on port 23 or 80 from outside if they are not required
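One way to verify the last item on your own equipment, as an added example that is not from the original article: a small TCP reachability check for ports 23 and 80. It assumes you run it from a host outside your network against devices you own; the addresses in the inventory are constructed placeholders and the function names are illustrative.

```python
import socket

# The two ports named in the list above: 23 (Telnet) and 80 (HTTP).
PORTS_TO_BLOCK = (23, 80)


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the service is reachable
    except socket.gaierror:
        raise                    # bad hostname is an inventory error, not a result
    except ConnectionRefusedError:
        return "closed"          # host answered, nothing is listening
    except OSError:
        return "filtered"        # timeout or unreachable: traffic is being dropped


def audit(devices, ports=PORTS_TO_BLOCK, timeout=2.0):
    """Probe every (device, port) pair and return (host, port, state) tuples."""
    return [(host, port, probe(host, port, timeout))
            for host in devices
            for port in ports]


def exposed(findings):
    """Keep only the pairs that are still reachable and need a firewall rule."""
    return [(host, port) for host, port, state in findings if state == "open"]


if __name__ == "__main__":
    # Constructed inventory (documentation address range); replace with the
    # public addresses of devices you are responsible for.
    inventory = ["192.0.2.10", "192.0.2.11"]
    results = audit(inventory)
    for host, port, state in results:
        print(f"{host}:{port} {state}")
    if exposed(results):
        print("Still reachable from outside:", exposed(results))
```

A result of "filtered" or "closed" on both ports is the desired outcome; "open" means the port is still reachable from where the check was run.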