
CERT warns of worm that infects Solaris servers


(IDG) -- A new Internet worm that can infect Web servers running Sun Microsystems' Solaris operating system and Microsoft's Internet Information Server (IIS) has been discovered. The worm first attacks the Solaris server and then sets it up to attack the systems running IIS, the Computer Emergency Response Team (CERT) said Tuesday.

The worm takes advantage of known security flaws in both servers' software to compromise systems and deface Web pages, according to CERT, which has named the malicious code the "sadmind/IIS worm."


CERT, at Pittsburgh's Carnegie Mellon University, said the worm has been found in the wild.

"We have received a very large number of reports of systems being compromised by the worm, both Solaris and IIS systems," said Chad Dougherty, Internet security analyst at CERT. "We started receiving reports early on Monday."

The Solaris system is entered through a 2-year-old buffer overflow vulnerability. A security hole that was uncovered seven months ago is then used to break into the IIS system. Once infected, the Solaris system is used to scan for and compromise other Solaris and IIS systems, CERT said.

Software patches from Sun and Microsoft have long been available to fix the problems. However, as not every Web site administrator is diligent in plugging holes, servers could still be vulnerable.

"None of the anti-virus vendors have reported the discovery of, or any incidents with, this malicious program [the sadmind/IIS worm]," said Denis Zenkin, spokesman for Kaspersky Lab, an anti-virus vendor. Kaspersky is a member of various international organizations composed of the world's leading anti-virus companies, he added.

This being the first report could mean one of two things, Zenkin said.

"Either the worm has bugs and will never appear in the wild, in which case it is merely another entry in CERT's virus encyclopedia. This is certainly not the very first malicious program that attacks IIS servers. Or the worm is really something very dangerous and has the opportunity to become widespread," Zenkin said.

If the sadmind/IIS worm is a danger, CERT's attitude towards anti-virus vendors can be classified as "unethical," Zenkin said.

"CERT didn't share the virus sample with developers of anti-virus programs to allow them to provide their customers with an emergency update," Zenkin said.

CERT's Dougherty said he saw no harm in not alerting the anti-virus vendors.

"This is not something that traditional anti-virus software would protect against. We put the advisory out because we were seeing this worm propagate rapidly," he said.

Systems that have been hit show certain characteristics. On the Solaris system, for example, a directory called "/dev/cuc" will contain the tools the worm uses to operate. The IIS machine will show modified Web pages displaying a rant against the U.S. government and a Chinese e-mail address.
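The Solaris-side indicator the article names can be checked with a small read-only script, shown here as an added example that is not code from the article or from CERT. The check for an enabled sadmind entry in inetd.conf, and the RPC program number 100232 in the constructed sample, are assumptions about how the service is configured, not values taken from the article.

```shell
#!/bin/sh
# Added example (not from the article): read-only check for the Solaris-side
# indicators of the sadmind/IIS worm. Pass the root of the filesystem to
# inspect ("/" on a live host, or the mount point of a forensic image).
# check_host returns 0 when nothing is found and 1 when an indicator is present.

# Returns 0 when ROOT/dev/cuc exists as a directory (the worm's tool directory
# named in the CERT description).
has_cuc_dir() {
    [ -d "$1/dev/cuc" ]
}

# Returns 0 when inetd.conf under ROOT still has an uncommented sadmind line.
# Assumption: sadmind is started by inetd, so a live entry here means the
# service that the worm's first step targets is still reachable.
sadmind_enabled() {
    conf="$1/etc/inetd.conf"
    [ -f "$conf" ] && grep -q '^[^#].*sadmind' "$conf"
}

# Reports findings for ROOT and returns 1 if either indicator is present.
check_host() {
    root="$1"
    found=0
    if has_cuc_dir "$root"; then
        echo "INDICATOR: $root/dev/cuc exists; contents:"
        ls -la "$root/dev/cuc"
        found=1
    fi
    if sadmind_enabled "$root"; then
        echo "EXPOSURE: sadmind is still enabled in $root/etc/inetd.conf"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "no sadmind/IIS indicators under $root"
    return "$found"
}
```

Run it as `check_host /` on the host itself, or point it at a mounted image so that nothing on the suspect system is executed.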



4:30pm ET, 4/16
