March 23, 2001 1:15 PM PST
'Lion' worm stalks Linux machines
Dubbed the "Lion" worm, the self-spreading program attacks servers running specific versions of BIND (Berkeley Internet Name Domain) server software. Because it can be so difficult to remove, victims may have to wipe out their entire hard disks.
"We think it's going to cause people, unless they are brilliant, to nuke the machine, erase everything on the disk, install the entire operating system against hope (their) back-up files work," said Alan Paller, director of research at the System Administration, Networking and Security (SANS) Institute. "We don't believe it can be cleaned out."
BIND is server software used by domain name system (DNS) servers to translate Web addresses, or URLs, into numeric IP addresses. PCs then use those addresses to reach a specific Web site.
The SANS Institute said it has had five confirmed reports of worm infections: four companies and one university.
Linux machines infected with the worm send encrypted administrator-level, or "root," password files to China.com, where hackers can potentially decrypt the passwords and use the information to gain access to various areas of a company's system. The worm also creates "back doors," which provide administrator-level access to hackers.
The worm appears to be a mutation of the Ramen worm, which was discovered in January and infects only servers running Red Hat's version of Linux.
"If they gain access through one of these back doors, they have unrestricted access to the machine," said John Green, director of information security for the SANS Institute. "This includes deleting software, installing software, gaining proprietary information, altering trust relationships, anything."
Despite the potential problems the worm could cause, little serious damage has been detected so far.
"To my knowledge, no one has recorded that they have been breached by an attack. They simply noted that the worm infected them and they're looking to get rid of it," said Elias Levy, Chief Technical Officer of SecurityFocus.com.
The "Lion" worm attempts to protect itself from detection by installing a "root kit" on infected machines, which hides the presence of hacker tools. As a result, IT administrators checking an infected machine may not immediately see the infection.
As a remedy, SANS has created a program called Lionfind that IT administrators can use to determine if their machines are infected.
Levy said a patch for this vulnerability has been available from the Internet Software Consortium for several months. "The only machines that are becoming infected are machines that haven't been kept up to date with security patches," Levy said.
SANS' Paller warned that the worm could easily mutate to infect other Unix-based machines, including Solaris, AIX and HP-UX.
"The change to make this worm work on other versions of Unix is trivial," Paller said. "There's no reason to think you're safe if you run Solaris or another Unix box."