{
	"id": "23f1b529-6c96-4708-9784-9904ff0e9cc8",
	"created_at": "2026-04-06T00:06:11.874737Z",
	"updated_at": "2026-04-10T03:24:29.169789Z",
	"deleted_at": null,
	"sha1_hash": "add5b75f949733c50b7cc99008e56009eb322a04",
	"title": "The Internet of Everything, Including Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 413435,
	"plain_text": "The Internet of Everything, Including Malware\r\nBy Craig Williams\r\nPublished: 2013-12-04 · Archived: 2026-04-05 23:00:01 UTC\r\nWe are witnessing the growth of the Internet of Everything (IoE), the network of embedded physical objects accessed through the Internet, and it is connecting devices to the Internet that have not traditionally been there before. Unfortunately, some of these devices are deployed with a security posture that may need improvement.\r\nNaturally, when we saw a few posts about multi-architecture malware focused on the “Internet of Things”, we decided to take a look. The issue being exploited in those posts is CVE-2012-1823, which is covered by an existing Cisco IPS signature as well as by Snort rules. It turns out this vulnerability is quite heavily exploited by many different worms, and it took quite a bit of effort to exclude all of the alerts generated by other pieces of malware from the Cisco IPS network participation data. Because the Cisco IPS signature is vulnerability-specific rather than exploit-specific, the same signature covers this malware as well as any other that uses this technique; just one signature provides protection against all attempts to exploit this vulnerability. As you can see in the graph below, this is a heavily exploited vulnerability. Note that these events are any attack attempting to exploit this issue, not necessarily just the Zollard worm.\r\nThe graph below is derived from both Cisco IPS and Sourcefire IPS customers. The Cisco data is from customers who have ‘opted in’ to network participation; this service is not on by default. The Sourcefire data is derived from their SPARK network of test sensors. The graph shows the percent increase in alert volume over the baseline for each dataset at the specified time.\r\nhttps://blogs.cisco.com/security/the-internet-of-everything-including-malware\r\nPage 1 of 5\r\nHere you can see a request that attempted to exploit one of our managed services customers, specifically from the piece of malware that uses the “User-Agent: Zollard” indicator. This customer was running their IPS in inline mode, so this attack attempt, along with many others, was blocked by the network device inline. This is exactly how the IoE should be protected.\r\nYou will notice that the POST request is encoded. I’ve decoded it above so that you can see both versions. I’ve previously posted about a similar PHP-based exploit:\r\nIn the decoded POST request, we can see a number of interesting arguments. The exploit is turning off any hardening that may be in place on the server. The allow_url_include=on argument allows the attacker to include arbitrary PHP scripting; the impact is described here. Next, safe_mode is turned off. As a final step, Suhosin, a PHP hardening patch, is put into simulation mode. This mode is designed for application testing and effectively turns off any additional protection on the server (including protection against processing PHP script via the php:// URI handler).\r\nWe have been able to associate the following MD5 hashes with this malware, which is detected by the ClamAV signature “Linux.Trojan.Zollard”:\r\nb61b8521bae5058c4ed37358344c7599  ppc\r\n5ef7ac971cf52850570f8c3ad149deee  mips\r\n19911cb32b0b58d49d1ff694d4aeb979  mipsel\r\n00a299fd149939cec860c71224b77209  x86\r\n5ef7ac971cf52850570f8c3ad149deee  x86\r\n00a299fd149939cec860c71224b77209  x86\r\nSince embedded devices require firmware updates, they typically have more complex quality assurance cycles, which in turn may cause them to lag behind other products in receiving security updates. To complicate this further, embedded devices often have a very basic setup process that is run once at deployment and then never touched again. This results in most embedded devices running fairly standard configurations. If a vulnerability is found in default or common embedded configurations, attackers are much more likely to focus on it, since the attack surface is going to be widespread.\r\nAs smaller and more common devices become Internet-enabled, their collective security posture will become more important. The stable nature of devices in the IoE could make vulnerable devices quite an attractive and long-lived platform from which to launch malware, attacks, reconnaissance, or any other malicious activity if they are co-opted by attackers. Protection at the network level is the only way to scale effectively, though, as always, practicing defense in depth where possible is even better.\r\nSpecial thanks to Nick Randolph from the VRT for providing help with this post.\r\nSource: https://blogs.cisco.com/security/the-internet-of-everything-including-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.cisco.com/security/the-internet-of-everything-including-malware"
	],
	"report_names": [
		"the-internet-of-everything-including-malware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433971,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/add5b75f949733c50b7cc99008e56009eb322a04.pdf",
		"text": "https://archive.orkl.eu/add5b75f949733c50b7cc99008e56009eb322a04.txt",
		"img": "https://archive.orkl.eu/add5b75f949733c50b7cc99008e56009eb322a04.jpg"
	}
}