Update: Behind the Lion worm

March 23, 2001, 04:46 PM — ITworld.com

An "unusually destructive" computer worm is winding through the network conduits of Linux computers, capable of massively compromising servers by exploiting
a known vulnerability, security researchers said Friday.

The "Lion" worm uses infected servers to scan random addresses for hosts that
accept connections on TCP port 53, the port used by DNS servers. An open port 53
marks a computer on the network rather than a printer, fax machine or other
device, said Greg Shipley, director of security for Neohapsis Inc., an
information security consulting firm in Chicago.

When it penetrates a vulnerable system, the worm steals the user name and
password files for all the accounts on the system, e-mailing them along with
the computer's system-configuration data to an address at China.com. It
rewrites several programs on the computer, transforming them into "Trojan
horse" back doors into the system. It launches more probes along the network.
And it covers its tracks in system logs, figuratively wiping up the glass shards
after punching out a window in the system.

"It turns your system into Swiss cheese. It really rips through you,"
said Shipley. "None of the stuff that the worm does is new. I've just never
seen it packaged all together. I've seen all the components … but I've
never seen anything that kicks in your door, and eats all of your food, and
squats on your rug, and steals all of your jewelry, and, and, and ..."

It looks for servers running Linux and the BIND domain name system server program.
Versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3 betas of BIND may have
the vulnerability. The worm can penetrate the network of any company that has
a vulnerable server connected to the Internet. Although the worm currently only
affects Linux-based servers, it is very likely that it will be modified to attack
Unix servers in general, said Alan Paller, director of research for the SANS
Institute.
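As an added example (not part of the article or of any SANS tooling), here is a small Python check that classifies a BIND version string against the list of releases the article names. The banner format it parses is constructed for the example, and the pattern used for the 8.2.3 pre-release labels is an assumption, since the article only says "all 8.2.3-betas".

```python
import re

# Releases the article lists as possibly vulnerable:
# 8.2, 8.2-P1, 8.2.1, 8.2.2-Px (any patch level) and every 8.2.3 beta.
AFFECTED_PATTERNS = [
    r"^8\.2$",
    r"^8\.2-P1$",
    r"^8\.2\.1$",
    r"^8\.2\.2-P\d+$",
    r"^8\.2\.3-.*beta",  # assumption: pre-release label contains "beta"
]
_AFFECTED = [re.compile(p, re.IGNORECASE) for p in AFFECTED_PATTERNS]

# First token that looks like "major.minor[.patch][-suffix]".
_VERSION_TOKEN = re.compile(r"\b(\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9.]+)?)")


def extract_version(banner):
    """Pull the version token out of a banner line (format is constructed here)."""
    m = _VERSION_TOKEN.search(banner)
    return m.group(1) if m else None


def is_affected(version):
    """True when the version matches one of the releases the article lists."""
    return any(p.match(version) for p in _AFFECTED)


def assess(banner):
    """Return (verdict, version) for a banner string.

    Verdicts: "affected" (on the article's list), "not listed" (a version was
    found but is not on the list) or "unknown" (no version could be parsed).
    """
    version = extract_version(banner)
    if version is None:
        return ("unknown", None)
    return ("affected" if is_affected(version) else "not listed", version)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real server.
    for banner in ("named 8.2.2-P5", "named 8.2.3-beta2", "named 8.2.3",
                   "named 8.2-P2", "named 9.1.0", "no version here"):
        print(banner, "->", assess(banner))
```

A "not listed" verdict only means the version is not among those the article names; it is not a statement that the release is safe.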

Researchers from the institute, a security research organization in Bethesda,
Maryland, discovered the worm after noticing a 500 to 600 percent increase in
the number of port-53 scans reported in a two-day period. The Global Incident
Analysis Center (GIAC) at the SANS Institute gathers network-intrusion data
from anyone willing to provide it and distributes the processed data for free
to anyone who asks for it.
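The surge GIAC noticed is a simple volume anomaly: the count of port-53 scans over the latest two days compared with the days before. The following Python script is an added example, not GIAC's or SANS's code, showing that check over a few dozen constructed firewall log lines in an iptables-like format (the lines, addresses and the 500 percent alert threshold are all constructed for the example). It also lists which sources touched the most distinct port-53 destinations, which is how a sweeping scanner stands out from ordinary DNS traffic.

```python
import re
from collections import defaultdict

# Constructed iptables-style line layout; field names follow that convention.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def parse(lines):
    """Yield one dict per parseable line; unparseable lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def port53_scans_per_day(records):
    """Distinct (src, dst) pairs hitting TCP/53, per calendar day.

    Every day that appears in the log is included, so quiet days count as 0.
    """
    pairs = defaultdict(set)
    for r in records:
        pairs[r["day"]  # ensure the day exists even with no port-53 traffic
              ]
        if r["proto"] == "TCP" and r["dport"] == 53:
            pairs[r["day"]].add((r["src"], r["dst"]))
    return {day: len(p) for day, p in pairs.items()}


def surge_ratio(per_day, window_days=2):
    """Percent increase of the last `window_days` over the earlier baseline."""
    days = sorted(per_day)
    if len(days) <= window_days:
        return None  # not enough history to compare against
    recent, baseline = days[-window_days:], days[:-window_days]
    recent_avg = sum(per_day[d] for d in recent) / window_days
    base_avg = sum(per_day[d] for d in baseline) / len(baseline)
    if base_avg == 0:
        return float("inf")
    return (recent_avg - base_avg) / base_avg * 100


def top_scanners(records, n=3):
    """Sources ranked by number of distinct TCP/53 destinations they touched."""
    dsts = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == 53:
            dsts[r["src"]].add(r["dst"])
    return sorted(((len(v), k) for k, v in dsts.items()), reverse=True)[:n]


def analyze(lines, threshold_pct=500.0):
    """Run the whole check and return the figures a responder would look at."""
    records = list(parse(lines))
    per_day = port53_scans_per_day(records)
    ratio = surge_ratio(per_day)
    return {
        "per_day": per_day,
        "increase_pct": ratio,
        "alert": ratio is not None and ratio >= threshold_pct,
        "top_scanners": top_scanners(records),
    }


def build_sample_log():
    """Constructed sample data: three quiet days, then a two-day sweep."""
    lines = []
    for i, day in enumerate(("2001-03-19", "2001-03-20", "2001-03-21")):
        lines.append(f"{day} 00:1{i}:00 fw kernel: IN=eth0 SRC=10.0.{i}.1 "
                     f"DST=192.0.2.1 PROTO=TCP DPT=53 SYN")
        lines.append(f"{day} 00:2{i}:00 fw kernel: IN=eth0 SRC=10.0.{i}.2 "
                     f"DST=192.0.2.2 PROTO=TCP DPT=53 SYN")
        lines.append(f"{day} 00:3{i}:00 fw kernel: IN=eth0 SRC=10.0.{i}.3 "
                     f"DST=192.0.2.3 PROTO=TCP DPT=80 SYN")  # not DNS; ignored
    for day, n in (("2001-03-22", 12), ("2001-03-23", 14)):
        for k in range(n):  # one source walking across many destinations
            lines.append(f"{day} 01:00:{k:02d} fw kernel: IN=eth0 "
                         f"SRC=198.51.100.7 DST=192.0.2.{10 + k} "
                         f"PROTO=TCP DPT=53 SYN")
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    print("port-53 scans per day:", result["per_day"])
    print(f"increase over baseline: {result['increase_pct']:.0f}%")
    print("alert:", result["alert"], "top scanners:", result["top_scanners"])
```

On the constructed data the two burst days average 13 distinct scans against a baseline of 2 per day, a 550 percent increase, which lands inside the range the article reports and trips the alert; the first nine lines alone (baseline only) produce no alert.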

The combination of the automated attack, the package of damaging tools and
the exploit used makes the worm unusually dangerous, said Paller. Because virtually
all servers run BIND -- the application that translates between the numeric
addresses assigned to hosts and the domain names people type to reach a
Web site -- the sheer number of potential targets makes the worm more dangerous.

"It's the meanest piece of code I've seen," Paller said. "It's
what hackers do manually when they break into a system ... You don't need to
do anything for it to spread, making it much more dangerous."

Even if a system administrator discovers the worm, upgrades the BIND version
and removes the hidden back doors from the system, the hacker who received the
passwords could still use them to invade the system again. For systems like
those used by Internet service providers serving thousands of users, it could
take a long time to issue new passwords and regain security.

Both Paller and Shipley said the worm would not be able to spread if system
administrators updated their systems as soon as a serious vulnerability is made
public. This particular vulnerability was reported at the end of January. BIND
is considered a weak spot in a network because system administrators
hesitate to modify the program for fear of taking down their network.

"When the dust settles from this, I'm going to use this as a point to
convince CIOs (chief information officers) that everyone is a target,"
Shipley said, still groggy from working through the night uncovering the secrets
of the worm. "It's scanning random networks. It doesn't care if it's a
.com, .net or .mil."

System administrators may download detection tools from http://www.sans.org/y2k/lionfind-0.1.tar.gz.
