CERT warns of worm that infects Solaris servers
(IDG) -- A new Internet worm that can infect Web servers running Sun Microsystems' Solaris operating system and Microsoft's Internet Information Server (IIS) has been discovered. The worm first attacks the Solaris server and then sets it up to attack the systems running IIS, the Computer Emergency Response Team (CERT) said Tuesday.
The worm takes advantage of known security flaws in both servers' software to compromise systems and deface Web pages, according to CERT, which has named the malicious code the "sadmind/IIS worm."
CERT, at Pittsburgh's Carnegie Mellon University, said the worm has been found in the wild.
"We have received a very large number of reports of systems being compromised by the worm, both Solaris and IIS systems," said Chad Dougherty, Internet security analyst at CERT. "We started receiving reports early on Monday."
The worm enters the Solaris system through a 2-year-old buffer overflow vulnerability. It then uses a security hole that was uncovered seven months ago to break into the IIS system. Once infected, the Solaris system is used to scan and compromise other Solaris systems and IIS systems, CERT said.
Software patches from Sun and Microsoft have long been available to fix the problems. However, as not every Web site administrator is diligent in plugging holes, servers could still be vulnerable.
"None of the anti-virus vendors have reported the discovery of, or any incidents with, this malicious program [the sadmind/IIS worm]," said Denis Zenkin, spokesman for Kaspersky Lab, an anti-virus vendor. Kaspersky is a member of various international organizations made up of the world's leading anti-virus companies, he added.
This being the first report could mean one of two things, Zenkin said.
"Either the worm has bugs and will never appear in the wild, in which case it is merely another entry in CERT's virus encyclopedia. This is certainly not the very first malicious program that attacks IIS servers. Or the worm is really something very dangerous and has the opportunity to become widespread," Zenkin said.
If the sadmind/IIS worm is a danger, CERT's attitude towards anti-virus vendors can be classified as "unethical," Zenkin said.
"CERT didn't share the virus sample with developers of anti-virus programs to allow them to provide their customers with an emergency update," Zenkin said.
CERT's Dougherty said he saw no harm in not alerting the anti-virus vendors.
"This is not something that traditional anti-virus software would protect against. We put the advisory out because we were seeing this worm propagate rapidly," he said.
Systems that have been hit show certain characteristics. On the Solaris system, for example, a directory called "/dev/cuc" will contain tools that the worm uses to operate. The IIS machine will show modified Web pages displaying a rant against the U.S. government and a Chinese e-mail address.