Some say it’s a worm. Some say it might be a BitCoin miner. We say that it might be forming/building a new type of BotNet. We’re talking about the Darlloz identified and labeled last year by Symantec.
What it is? Well, it’s a “good crafted” type of “malware something” by someone from Africa (as we know by now, yet it might be spreaded out by an innocent victim located there) and it’s a new kind of malware that attacks Linux and Linux powered embedded devices. And it’s generic, as it tends to buildup/use binaries for ARM, MIPS and many more architectures (it attacks several types of devices found in a network enviroment).
How does it spread? Well, it uses some exploits that are found in basic Linux distributions and, as it seems, a database with common credentials found on different embedded devices (routers, NASes, DVRs, NVRs, IP Cameras, maybe SmartTVs). And it doesn’t stop here: it also tries to attack x86(Intel/AMD) based servers.
How to check for it? Login into your ethernet/Internet enabled device and search for a process/file/folder that’s named zollard. If you find it, take extra care measures inside your network.
We’ll be releasing soon more information about it and, probably, an automated tool to test/verify local presence of this “linux-targeted” malware.