SANS Institute warns against 'Lion' Linux worm

The SANS Institute said security experts associated with the organization have discovered a dangerous new computer worm dubbed "Lion" that spreads through Linux computers by exploiting the known vulnerability in the BIND Domain Name Server to install itself and then mail system passwords to a Website, China.com.

Allan Paller, director of the SANS Institute, said many Linux computers appear to have not yet installed the upgrade fix for the BIND vulnerability detailed last January. Now, two security experts associated with the SANS Institute have identified a computer worm believed to have infected thousands of Linux-based servers already, and it will likely spread to other versions of Unix as well.

"The Lion worm is dangerous because in essence it represents a major attack," Paller said. "It takes machines over completely and then begins carrying out the attack on other machines."

The Lion worm is capable of scanning the Internet to look for Linux computers with the BIND vulnerability. After it has infected a machine, it steals password files and transmits them to the China.com Website. It also installs other hacking tools, making the machine available for further compromise. Paller cautioned that although China.com appears to be receiving stolen passwords, the possibility exists China.com itself has been compromised by someone.

SANS Institute security expert Matt Fearnow and Dartmouth Institute researcher William Sterns, with help from others, identified the Lion worm and have prepared a detection and removal toolkit for it at www.sans.org.

Information on the BIND DNS vulnerability can be found there.

This story, "SANS Institute warns against 'Lion' Linux worm" was originally published by NetworkWorld.

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies