April 05, 2001, 5:47 PM — Security analysts warned this week that another worm is hunting the Internet for Linux systems left unprotected against several well-publicized vulnerabilities, including one commonly found in Version 7.0 of Durham, N.C.-based Red Hat Inc.'s Linux release.
Known as Adore, the new worm appears to have begun propagating last Sunday, according to an advisory issued by the SANS Institute, a Bethesda, Md.-based research organization for systems administrators and security managers. Adore is the third worm found to be targeting Linux servers since January, following earlier ones called Ramen and Lion.
The newest worm is similar to Ramen and Lion in the way it acts, SANS said. Adore creates back doors in computers based on the open-source Linux software, then automatically transmits configuration data and other identifying information about the compromised systems to four e-mail addresses.
At risk, SANS said, are Linux systems that haven't been protected against vulnerabilities known as rpc-statd, wu-ftpd, LPRng and the Berkeley Internet Name Domain (BIND) software. LPRng is installed by default on servers running Red Hat 7.0, according to SANS, while BIND refers to a series of holes in the Redwood City, Calif.-based Internet Software Consortium's BIND server software.
All of those vulnerabilities are well-known and can be blocked by readily available patches. But Adore and other worms like it can easily find exposed systems because IT managers frequently don't have time to install every security patch and bug fix that's released, said Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston.
"We can stand up and tell people they ought to be keeping up-to-date with patches, but in the real world, that's not particularly useful advice," Hemmendinger said. "There are just so many of them." A better tack for buys users is to install -- and routinely run -- virus-filtering products on Internet gateways, he added.
SANS said William Stearns, a senior research engineer at the federally-funded Institute for Security Technology Studies at Dartmouth College in Hanover, N.H., has written a utility that's supposed to be able to detect the Adore worm's presence on infected systems. The script, called Adorefind, can be downloaded from Dartmouth's Web site.
Stearns, who created a similar utility called Lionfind after the Lion worm was discovered last month, also helped the SANS Institute prepare its advisory about Adore. SANS said any questions about the advisory or the Adorefind tool can be sent to the following e-mail address: firstname.lastname@example.org.