ARN

New worm targets unprotected Linux systems

Security analysts warned this week that another worm is hunting the Internet for Linux systems left unprotected against several well-publicised vulnerabilities, including one commonly found in Version 7.0 of Red Hat's Linux release.

Known as Adore, the new worm appears to have begun propagating last Sunday, according to an advisory issued by the SANS Institute, a US-based research organisation for systems administrators and security managers. Adore is the third worm found to be targeting Linux servers since January, following earlier ones called Ramen and Lion.

The newest worm is similar to Ramen and Lion in the way it acts, SANS said. Adore creates back doors in computers based on the open-source Linux software, then automatically transmits configuration data and other identifying information about the compromised systems to four e-mail addresses.

At risk, SANS said, are Linux systems that haven't been protected against vulnerabilities known as rpc-statd, wu-ftpd, LPRng and the Berkeley Internet Name Domain (BIND) software. LPRng is installed by default on servers running Red Hat 7.0, according to SANS, while BIND refers to a series of holes in the US-based Internet Software Consortium's BIND server software.

All of those vulnerabilities are well-known and can be blocked by readily available patches. But Adore and other worms like it can easily find exposed systems because IT managers frequently don't have time to install every security patch and bug fix that's released, said Eric Hemmendinger, an analyst at Aberdeen Group.

"We can stand up and tell people they ought to be keeping up-to-date with patches, but in the real world, that's not particularly useful advice," Hemmendinger said. "There are just so many of them." A better tack for busy users is to install -- and routinely run -- virus-filtering products on Internet gateways, he added.

SANS said William Stearns, a senior research engineer at the US federally-funded Institute for Security Technology Studies at Dartmouth College in Hanover, N.H., has written a utility that's supposed to be able to detect the Adore worm's presence on infected systems. The script, called Adorefind, can be downloaded from Dartmouth's Web site.

Stearns, who created a similar utility called Lionfind after the Lion worm was discovered last month, also helped the SANS Institute prepare its advisory about Adore. SANS said any questions about the advisory or the Adorefind tool can be sent to the following e-mail address: intrusion@sans.org.
