Symantec has been tracking a new worm it found in November 2013 and found out that this worm named Linux.Dorlloz has already infected 31000 computers running on Linux. The area of operation of Dorlloz is the United States, China, India, South Korea and Taiwan but it is spreading too fast for comfort.
The author of Dorlloz is constantly updating and add new features to his creation. The worm when discovered was able to infect only computers running Intel x86 architectures. But with constant updates, Dorlloz is now capable of infecting devices running MIPS, ARM, PowerPC architectures. Routers, set-top boxes and any other devices connected to internet.
For the uninitiated, Internet of Things (IoT) means all the devices which are connected to the internet. These can be any of the above devices which constantly update themselves. Most of these things are shipped with default username and password and usually dont get attention from the users regarding their security and are like a sitting bomb waiting to explode in the hands of a cyber criminal.
Another thing which Symantec discovered was that the author of this worm was using is solely for the purpose of mining cryptocurrencies like Dogecoin and Mincoin. Once a computer running Intel architecture is infected with the new variant, the worm installs cpuminer, an open source coin mining software. The worm then starts mining Mincoins or Dogecoins on infected computers. As per Symantec the author of Dorlloz has successfully mined 42,438 Dogecoins ($46.00) and 282 Mincoins ($150.00) at the time of writing) by the end of February 2014.
Symantec says that Dorlloz mines Dogecoin and Mincoin because both these cyrptocurrencies us the skrypt algorithm for mining. The skrypt algorithm can be run on any home/office computer whereas for mining the more popular and more expensive Bitcoin a specialised machine running of ASIC chips is required. However Symantec has warned that slowly but surely, the author will evolve Dorlloz to increase his income by targeting ASIC chip run systems.
It may also be noted that though this is a IoT worm, so far it can abuse only system running on X86 architecture because the primary aim of the author of Dorlloz is to mine cryptocurrencies and the miner skrypt cant be run on “Internet of Things” (IoT) devices like set top boxes or routers as they dont have the required processing power for mining operations. But for some reason which Symantec has not yet deciphered, the current Dorlloz is targeting IoT devices and it uses a combination of 13 commonly used username/passwords to access them, while the pre update version had only nine combos
Symantec says that as of now Dorlloz only targets IP cameras, computers, set-top boxes and routers but given the pace at which the author is rolling out updates, it may soon be able to wearable technology and automation devices. Symantec researchers have identified a total of 31,716 IP addresses that open port 58455 (on which Darlloz communicates) and host malware files on static paths. The infections are spread out across 139 regions. Most affected are China, the US, South Korea, Taiwan and India. These 5 countries account for half the Dorlloz victims.
Further break up reveals that 43% of infected devices are computers or servers (Intel-based) running Linux. Printers, cameras, set-top boxes, routers and other smart devices represent 38% of the total number of infections. The large number of impacted IoT gadgets is due to the fact that users seldom scan them for malware.
