Bulletin: 'Dangerous' Linux worm in the wild


(IDG) -- A dangerous worm is spreading across the Internet and infecting Linux servers running vulnerable domain name software, the SANS Institute warned Friday.

Called Lion, the worm steals passwords, installs and hides other hacking tools on infected systems, and then uses those systems to seek other servers to attack, SANS said. The Bethesda, Md.-based research organization for systems administrators and security managers added that the worm may also have the potential to attack Unix servers.

Lion takes advantage of a vulnerability in the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server that was disclosed in January (see story). BIND allows Domain Name System (DNS) servers to translate text-based Web addresses, such as, into appropriately numbered IP addresses that can be used by computers to direct traffic on the Net.

The only defense against the worm is to upgrade vulnerable versions of BIND, SANS said. However, according to officials at the organization, many systems administrators have yet to perform the upgrade, despite the warning issued in January.

"Data I have says that 20% of the Internet is vulnerable to this, and that's a huge, huge percentage of the BIND servers," said Alan Paller, director of security research at SANS. And while Lion has currently been found infecting Linux systems, Paller said, he sees "no reason why it won't skip to other Unix versions."

Security experts worked through the night last night to create a utility for Linux systems that detects whether a server is infected. The Lionfind utility can be downloaded directly from the SANS Web site at In addition, SANS said it will be posting more information about the worm as it becomes available on its site.

William Stearns, a senior research engineer at the federally funded Institute for Security Technology Studies housed at Dartmouth College, and chief author of the Lionfind utility, urged Linux system administrators to download the free code and ensure that their machines aren't infected.

While it's still unclear whether Lion will be as widespread as Ramen, another worm that affected Linux systems in January (see story), Stearns said Lion is substantially more destructive. "This opens additional security holes" that other malicious hackers could then exploit, he added.

Later today, Stearns said, he hopes to start working with other experts to find a way to expand the utility to remove most of the worm's damage from infected systems. However, he noted, there's a limit to how much a utility can fix once attackers have gained root access to a machine. "We've done our best, but you're still hosed, is probably the final word," Stearns said.

4:30pm ET, 4/16