The roaring Linux worm spreads

By Jason Norwood-Young, Contributor
Johannesburg, 26 Mar 2001

A new Linux worm discovered by the System Administration, Networking, and Security (SANS) Institute is reported to be spreading rapidly through the Internet, and has been tagged as dangerous. This follows another spate of Linux- and Windows-based worms hitting the global network.

The Lion worm scans for machines vulnerable to a certain BIND DNS exploit, infects the vulnerable machines, steals the password file and sends it to a China.com site, installs various hacking tools, and starts scanning the Internet for more machines to infect from the infected machine.

SANS warns that while Lion is similar to the Ramen worm, Lion is "significantly more dangerous and should be taken very seriously".

Symantec rates the worm's damage as "medium", and reports incidents in the wild as still "low", although ITWeb did monitor port scans on port 53 over the weekend - a possible sign of the worm.

The Lion worm first hit the Internet in early February, but due to its limited nature at the time, it was not detected. The exploit was discovered in January, and was utilised by the Ramen worm. There may be two variants of the worm: one installs the t0rn root toolkit, and one uses the tfn rootkit. The rootkit deletes certain files on the Linux box to disguise the virus.

A detection utility called "Lionfind" (which can be downloaded here) will detect the virus, but cannot remove it at this point.

The two other big virus outbreaks this month were the Anna Kournikova and the Naked virus, both of which used users' gullibility, rather than good technology, to spread themselves on the Internet.

Both of these Windows-based worms e-mail themselves to every contact in the victim's address book, with the Naked virus (also known as the Naked Wife, W32.Naked@mm, and W32.HLLW.JibJab@mm) causing significant damage and usually resulting in a re-install of Windows.

The W95.Hybris.gen (aka Snow White) worm is the most common virus worldwide, while the Anna Kournikova virus is already in the top 10 on the European virus hit parade, despite its recent arrival.

External links:
The SANS Institute
