
Bulletin: 'Dangerous' Linux worm in the wild

Computerworld

(IDG) -- A dangerous worm is spreading across the Internet and infecting Linux servers running vulnerable domain name software, the SANS Institute warned Friday.

Called Lion, the worm steals passwords, installs and hides other hacking tools on infected systems, and then uses those systems to seek other servers to attack, SANS said. The Bethesda, Md.-based research organization for systems administrators and security managers added that the worm may also have the potential to attack Unix servers.


Lion takes advantage of a vulnerability in the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server that was disclosed in January. BIND allows Domain Name System (DNS) servers to translate text-based Web addresses, such as Computerworld.com, into appropriately numbered IP addresses that can be used by computers to direct traffic on the Net.

The only defense against the worm is to upgrade vulnerable versions of BIND, SANS said. However, according to officials at the organization, many systems administrators have yet to perform the upgrade, despite the warning issued in January.

"Data I have says that 20% of the Internet is vulnerable to this, and that's a huge, huge percentage of the BIND servers," said Alan Paller, director of security research at SANS. And while Lion has currently been found infecting Linux systems, Paller said, he sees "no reason why it won't skip to other Unix versions."

Security experts worked through the night last night to create a utility for Linux systems that detects whether a server is infected. The Lionfind utility can be downloaded directly from the SANS Web site at www.sans.org/y2k/lionfind-0.1.tar.gz. In addition, SANS said it will post more information about the worm on its site as it becomes available.

William Stearns, a senior research engineer at the federally funded Institute for Security Technology Studies housed at Dartmouth College, and chief author of the Lionfind utility, urged Linux system administrators to download the free code and ensure that their machines aren't infected.

While it's still unclear whether Lion will be as widespread as Ramen, another worm that affected Linux systems in January, Stearns said Lion is substantially more destructive. "This opens additional security holes" that other malicious hackers could then exploit, he added.

Later today, Stearns said, he hopes to start working with other experts to find a way to expand the utility to remove most of the worm's damage from infected systems. However, he noted, there's a limit to how much a utility can fix once attackers have gained root access to a machine. "We've done our best, but you're still hosed, is probably the final word," Stearns said.


