Bulletin: 'Dangerous' Linux worm in the wild
Web posted at: 2:02 p.m. EST (1902 GMT)
March 23, 2001
(IDG) -- A dangerous worm is spreading across the Internet and infecting
Linux servers running vulnerable domain name software, the SANS
Institute warned Friday.
Called Lion, the worm steals passwords, installs and hides other
hacking tools on infected systems, and then uses those systems to
seek other servers to attack, SANS said. The Bethesda, Md.-based
research organization for systems administrators and security managers
added that the worm may also have the potential to attack Unix servers.
Lion takes advantage of a vulnerability in the Internet Software
Consortium's Berkeley Internet Name Domain (BIND) server that was
disclosed in January. BIND allows Domain Name System
(DNS) servers to translate text-based Web addresses, such as Computerworld.com,
into appropriately numbered IP addresses that can be used by computers
to direct traffic on the Net.
The only defense against the worm is to upgrade vulnerable versions
of BIND, SANS said. However, according to officials at the organization,
many systems administrators have yet to perform the upgrade, despite
the warning issued in January.
"Data I have says that 20% of the Internet is vulnerable to
this, and that's a huge, huge percentage of the BIND servers,"
said Alan Paller, director of security research at SANS. And while
Lion has so far been found infecting Linux systems, Paller said,
he sees "no reason why it won't skip to other Unix versions."
Security experts worked through the night last night to create
a utility for Linux systems that detects whether a server is infected.
The Lionfind utility can be downloaded directly from the SANS Web
site at www.sans.org/y2k/lionfind-0.1.tar.gz. In addition, SANS
said it will be posting more information about the worm as it becomes
available on its site.
William Stearns, a senior research engineer at the federally funded
Institute for Security Technology Studies housed at Dartmouth College,
and chief author of the Lionfind utility, urged Linux system administrators
to download the free code and ensure that their machines aren't
infected.
While it's still unclear whether Lion will be as widespread as
Ramen, another worm that affected Linux systems in January,
Stearns said Lion is substantially more destructive. "This
opens additional security holes" that other malicious hackers
could then exploit, he added.
Later today, Stearns said, he hopes to start working with other
experts to find a way to expand the utility to remove most of the
worm's damage from infected systems. However, he noted, there's
a limit to how much a utility can fix once attackers have gained
root access to a machine. "We've done our best, but you're
still hosed, is probably the final word," Stearns said.