‘Dangerous’ Linux worm in the wild

A dangerous worm is spreading across the Internet and infecting Linux servers that are running vulnerable domain name server software, the SANS Institute and other security analysts warned Friday.

Called Lion, the worm steals passwords, installs and hides other hacking tools on infected systems, and then uses those systems to seek other servers to attack, SANS said. The Bethesda, Md.-based research organization for systems administrators and security managers added that the worm might also have the potential to attack Unix servers.

Lion takes advantage of a vulnerability in the Internet Software Consortium’s Berkeley Internet Name Domain (BIND) server that was disclosed in January. BIND allows Domain Name System (DNS) servers to translate text-based Web addresses, such as Computerworld.com, into appropriately numbered IP addresses that can be used by computers to direct traffic on the Net.

The only defense against the worm is to upgrade vulnerable versions of BIND, SANS said. However, according to officials at the organization, many systems administrators have yet to perform the upgrade, despite the warning issued in January.

“Data I have says that 20 per cent of the Internet is vulnerable to this, and that’s a huge, huge percentage of the BIND servers,” said Alan Paller, director of security research at SANS. And while Lion has currently been found infecting Linux systems, Paller said he sees “no reason why it won’t skip to other Unix versions.” The worm is “the meanest piece of code I’ve seen,” he said.

Security experts worked through Thursday night to create a utility for Linux systems that detects whether a server is infected. The Lionfile utility can be downloaded directly from the SANS Web site at www.sans.org/y2k/lionfind-0.1.tar.gz. In addition, SANS said it would be posting more information about the worm as it becomes available on its site.

William Stearns, a senior research engineer at the federally funded Institute for Security Technology Studies housed at Dartmouth College, and chief author of the Lionfind utility, urged Linux system administrators to download the free code and ensure that their machines aren’t infected.

While it’s still unclear whether Lion will be as widespread as Ramen, another worm that affected Linux systems in January, Stearns said Lion is substantially more destructive. “This opens additional security holes” that other malicious hackers could then exploit, he added.

Stearns said, he hopes to start working with other experts to find a way to expand the utility to remove most of the worm’s damage from infected systems. However, he noted, there’s a limit to how much a utility can fix once attackers have gained root access to a machine. “We’ve done our best, but you’re still hosed, is probably the final word,” Stearns said.

Greg Shipley, the acting director for security services at Chicago-based network and security consulting firm Neohapsis Inc., said the worm is particularly dangerous because it grabs a copy of the password list file on an infected system and then e-mails it to an address in China. “That’s kind of a big problem,” Shipley said, “because even if you patch the code . . . your password file made it out the door.”

For companies with large password lists, such as Internet service providers (ISPs), that could bring major headaches because of the difficulty of getting a large number of users to set up new passwords. “Any ISP that got hit by this thing is going to be having a huge nightmare,” said Shipley, who like Stearns tracked the worm all last night. The worm can also steal username files and system configuration data, he added.

In the last two days, Shipley said, computers hosting the worm have sent out more than 50,000 automated port scans in an effort to find vulnerable Linux machines that haven’t had BIND updates. The scans have been coming from several sources, including one system in Brazil that has been used to send out up to 40,000 of them, according to Shipley.

There currently are no reliable estimates of how widespread the worm itself is at this point. But Lion is “definitely the most active vulnerability on the Net right now,” Shipley said. “When the dust settles from this, I’m going to use this as a point to convince CIOs that everyone is a target.”

(George A. Chidi Jr. of the IDG News Service contributed to this report.)