Worm puts Linux servers in a real bind

The "Lion" worm uses infected servers to randomly scan for TCP port-53 connections, which mark a computer on the network and not a printer, fax machine or other device, said Greg Shipley, director of security for Neohapsis, an information security consulting firm.

When it penetrates a vulnerable system, the worm then steals the user name and password files for all the accounts on the system, e-mailing them along with the computer's system-configuration data to an address at China.com. It rewrites several programs on the computer, transforming them into "Trojan horse," back-doors into the system. It launches more probes along the network. And it covers its tracks in system logs, figuratively wiping up the glass shards after punching out a window in the system.

"It turns your system into Swiss cheese. It really rips through you," said Shipley. "None of the stuff that the worm does is new. I've just never seen it packaged all together. I've seen all the components … but I've never seen anything that kicks in your door, and eats all of your food, and squats on your rug, and steals all of your jewellery, and, and, and ..."

It looks for servers running Linux and the BIND domain name system server program. Versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas of Bind may have the vulnerability. The worm can penetrate the network of any company that has a vulnerable server connected to the Internet. Although the worm currently only affects Linux-based servers, it's very likely that it will be modified to attack Unix servers in general, said Alan Paller, director of research for the SANS Institute.

Researchers from the institute discovered the worm after noticing a 500 to 600 per cent increase in the number of port-53 scans reported in a two-day period. The Global Incident Analysis Center (GIAC) at the SANS Institute gathers network-intrusion data from anyone willing to provide it, and distributes that processed data for free, to any who asks for it.

The combination of the automated attack, the package of damaging tools, and the exploit used, make the worm unusually dangerous, said Paller. Because virtually all servers run BIND -- an application used to translate the string of numbers used for domain-name registration into the words commonly used to surf to a Web site -- the sheer number of potential targets make the worm more dangerous.

"It's the meanest piece of code I've seen," Paller said. "It's what hackers do manually when they break into a system ... You don't need to do anything for it to spread, making it much more dangerous."

Even if a system administrator discovers the worm, upgrades the BIND version, and patches the secret back-doors into the system, the hacker who received the passwords could still use them to invade the system again. For systems like those used by Internet service providers serving thousands of users, it could take a long time to issue new passwords and regain security.

Both Paller and Shipley said the worm wouldn't be able to spread if system administrators updated their systems as soon as a serious vulnerability is made public. This particular vulnerability was reported at the end of January. BIND is considered a vulnerable spot in a network, because system administrators hesitate to modify the program for fear of taking down their network.

"When the dust settles from this, I'm going to use this as a point to convince CIO's (chief information officers) that everyone is a target," Shipley said. "It's scanning random networks. It doesn't care if it's a .com., .net. or .mil."

System administrators may download detection tools from http://www.sans.org/y2k/lionfind-0.1.tar.gz.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?