The worm was identified early last week as reports of certain types of heightened network activity began to be seen, according to Kevin Houle, the artifacts analysis team leader at the Computer Emergency Response Team Coordination Center (CERT/CC). CERT/CC has issued an incident note about the worm.
Lion attacked Linux servers running a vulnerable version of BIND, the Berkeley Internet Name Domain server, stealing passwords and installing and hiding hacking tools on systems it infected. Systems compromised by Lion are open to attack at port 10008. A port is an address on an Internet host typically dedicated to handling a particular communications protocol. HTTP (hypertext transfer protocol) uses port 80 and FTP (file transfer protocol) uses port 21, for instance. A machine infected with Lion is available for use in further attacks.
Cheese scans computers looking for a vulnerability at port 10008 and enters in the same way. Once in the system, however, Cheese changes a number of files and attempts to close the hole, or backdoor, left by Lion, Houle said.
The attempt to close the backdoor "is very simplistic and won't be successful in all cases," though it might succeed in some, he said.
This is not the first worm that has attempted to clean up after other worms and close the doors they have left, Houle said. Worms have attempted to shut backdoors so as to protect compromised machines for the original attacker, keeping them from being taken over by others, since the advent of easy-to-use worm-writing kits, he said.
In addition to patching holes, Cheese leaves a file on servers it infects, which says it makes changes "to stop pesky haqz0rs (hackers) messing up your box even worse than it is already. This code was not written with malicious intent. In fact, it was written to try and do some good," according to a reader of the Incidents mailing list, where much early discussion of the worm took place.
Whether system administrators ought to be thankful for this attempt at beefing up their security is another matter.
Using one worm to patch backdoors left by another "may seem like a good idea, but it's not," Houle said.
"Anything that makes unauthorised access into a system and changes system files and uses it to (in essence) attack another system" should not be welcome by any systems administrator, he said. "While it might be an interesting thought, it's really not a good solution."
A better solution, Houle said, is for systems administrators to keep up to date on security issues regarding the systems they use and patch their machines as soon as bug fixes are released. Rather than truly fixing the problem, the presence of Cheese on a system is only a symptom, he said. If Cheese is present, that is an indication that the server is vulnerable to the sort of attack these worms exploit and ought to be patched immediately, he said.