A dangerous worm is spreading across the Internet and infecting Linux servers running vulnerable domain name software, the SANS Institute warned this morning.
Called Lion, the worm steals passwords, installs and hides other hacking tools on infected systems, and then uses those systems to seek other servers to attack, SANS said. The Bethesda, Md.-based research organization for systems administrators and security managers added that the worm may also have the potential to attack Unix servers.
Lion takes advantage of a vulnerability in the Internet Software Consortium's Berkeley Internet Name Domain (BIND) server that was disclosed in January (see story). BIND allows Domain Name System (DNS) servers to translate text-based Web addresses, such as Computerworld.com, into appropriately numbered IP addresses that can be used by computers to direct traffic on the Net.
The only defense against the worm is to upgrade vulnerable versions of BIND, SANS said. However, according to officials at the organization, many systems administrators have yet to perform the upgrade, despite the warning issued in January.
"Data I have says that 20 percent of the Internet is vulnerable to this, and that's a huge, huge percentage of the BIND servers," said Alan Paller, director of security research at SANS. And while Lion has currently been found infecting Linux systems, Paller said, he sees "no reason why it won't skip to other Unix versions."
Security experts worked through the night last night to create a utility for Linux systems that detects whether a server is infected. The Lionfile utility can be downloaded directly from the SANS Web site at www.sans.org/y2k/lionfind-0.1.tar.gz. In addition, SANS said it will be posting more information about the worm as it becomes available on its site.
William Stearns, a senior research engineer at the federally funded Institute for Security Technology Studies housed at Dartmouth College, and chief author of the Lionfind utility, urged Linux system administrators to download the free code and ensure that their machines aren't infected.
While it's still unclear whether Lion will be as widespread as Ramen, another worm that affected Linux systems in January (see story), Stearns said Lion is substantially more destructive. "This opens additional security holes" that other malicious hackers could then exploit, he added.
Later today, Stearns said, he hopes to start working with other experts to find a way to expand the utility to remove most of the worm's damage from infected systems. However, he noted, there's a limit to how much a utility can fix once attackers have gained root access to a machine. "We've done our best, but you're still hosed, is probably the final word," Stearns said.