‘Dangerous’ Linux worm in the wild

A dangerous worm is spreading across the Internet and infecting Linux servers that are running vulnerable domain name server software, the SANS Institute and other security analysts warned Friday.

Called Lion, the worm steals passwords, installs and hides other hacking tools on infected systems, and then uses those systems to seek other servers to attack, SANS said. The Bethesda, Md.-based research organization for systems administrators and security managers added that the worm might also have the potential to attack Unix servers.

Lion takes advantage of a vulnerability in the Internet Software Consortium’s Berkeley Internet Name Domain (BIND) server software that was disclosed in January. BIND is the software most Domain Name System (DNS) servers run to translate host names, such as Computerworld.com, into the numeric IP addresses computers use to direct traffic on the Net.

The only defense against the worm is to upgrade vulnerable versions of BIND, SANS said. However, according to officials at the organization, many systems administrators have yet to perform the upgrade, despite the warning issued in January.
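As an added example (not part of the original article, and not SANS or ISC code), the following POSIX shell script shows one way to check whether the BIND instance answering on a host is at or above a required release. The minimum version, the use of the `version.bind` CHAOS-class TXT record, and the `MIN_BIND_VERSION` variable are assumptions for illustration; set the minimum to the fixed release named in the advisory that applies to your BIND branch.

```shell
#!/bin/sh
# Added example, not from the article: compare the running BIND version
# against a required minimum. MIN_BIND_VERSION is an assumption; take the
# real value from the ISC/CERT advisory for your branch.
MIN_BIND_VERSION="${MIN_BIND_VERSION:-8.2.3}"

# vernum VERSION -> a single integer, e.g. "8.2.3-REL" -> 8002003, so that
# versions can be compared with the shell's numeric -ge test.
vernum() {
  printf '%s\n' "$1" \
    | sed 's/[^0-9.].*//' \
    | awk -F. '{ printf "%d%03d%03d\n", $1+0, $2+0, $3+0 }'
}

# bind_is_current VERSION MIN -> exit status 0 when VERSION >= MIN
bind_is_current() {
  [ "$(vernum "$1")" -ge "$(vernum "$2")" ]
}

# running_bind_version -> the version string the local server reports in
# its version.bind CHAOS TXT record (empty if dig is missing or the
# server hides its version).
running_bind_version() {
  dig @127.0.0.1 version.bind chaos txt +short 2>/dev/null | tr -d '"'
}

# check_local_bind -> 0 if current, 1 if below the minimum, 2 if unknown
check_local_bind() {
  v=$(running_bind_version)
  if [ -z "$v" ]; then
    echo "could not read version.bind from 127.0.0.1 (dig missing or version hidden)" >&2
    return 2
  fi
  if bind_is_current "$v" "$MIN_BIND_VERSION"; then
    echo "BIND $v is at or above $MIN_BIND_VERSION"
  else
    echo "BIND $v is below $MIN_BIND_VERSION: upgrade" >&2
    return 1
  fi
}
```

Run `check_local_bind` on the DNS host itself. Two caveats: the `version.bind` string is whatever the operator configured (it can be hidden or faked), so `named -v` on the host is the authoritative answer, and a current version only tells you the server cannot be infected this way again, not that it was never compromised.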

“Data I have says that 20 per cent of the Internet is vulnerable to this, and that’s a huge, huge percentage of the BIND servers,” said Alan Paller, director of security research at SANS. And while Lion has currently been found infecting Linux systems, Paller said he sees “no reason why it won’t skip to other Unix versions.” The worm is “the meanest piece of code I’ve seen,” he said.

Security experts worked through Thursday night to create a utility for Linux systems that detects whether a server is infected. The Lionfind utility can be downloaded directly from the SANS Web site at www.sans.org/y2k/lionfind-0.1.tar.gz. In addition, SANS said it would be posting more information about the worm on its site as it becomes available.

William Stearns, a senior research engineer at the federally funded Institute for Security Technology Studies housed at Dartmouth College, and chief author of the Lionfind utility, urged Linux system administrators to download the free code and ensure that their machines aren’t infected.

While it’s still unclear whether Lion will be as widespread as Ramen, another worm that affected Linux systems in January, Stearns said Lion is substantially more destructive. “This opens additional security holes” that other malicious hackers could then exploit, he added.

Stearns said he hopes to start working with other experts to find a way to expand the utility to remove most of the worm’s damage from infected systems. However, he noted, there’s a limit to how much a utility can fix once attackers have gained root access to a machine. “We’ve done our best, but you’re still hosed, is probably the final word,” Stearns said.

Greg Shipley, the acting director for security services at Chicago-based network and security consulting firm Neohapsis Inc., said the worm is particularly dangerous because it grabs a copy of the password list file on an infected system and then e-mails it to an address in China. “That’s kind of a big problem,” Shipley said, “because even if you patch the code . . . your password file made it out the door.”

For companies with large password lists, such as Internet service providers (ISPs), that could bring major headaches because of the difficulty of getting a large number of users to set up new passwords. “Any ISP that got hit by this thing is going to be having a huge nightmare,” said Shipley, who like Stearns tracked the worm all last night. The worm can also steal username files and system configuration data, he added.

In the last two days, Shipley said, computers hosting the worm have sent out more than 50,000 automated port scans in an effort to find vulnerable Linux machines that haven’t had BIND updates. The scans have been coming from several sources, including one system in Brazil that has been used to send out up to 40,000 of them, according to Shipley.

There currently are no reliable estimates of how widespread the worm itself is at this point. But Lion is “definitely the most active vulnerability on the Net right now,” Shipley said. “When the dust settles from this, I’m going to use this as a point to convince CIOs that everyone is a target.”

(George A. Chidi Jr. of the IDG News Service contributed to this report.)
