March 23, 2001, 3:17 PM — The SANS Institute said security experts associated with the organization have discovered a dangerous new computer worm dubbed "Lion" that spreads through Linux computers by exploiting the known vulnerability in the BIND Domain Name Server to install itself and then mail system passwords to a Website, China.com.
Alan Paller, director of the SANS Institute, said many Linux computers appear
not to have installed the upgrade fix for the BIND vulnerability detailed
last January. Now, two security experts associated with the SANS Institute have
identified a computer worm believed to have infected thousands of Linux-based
servers already, and it will likely spread to other versions of Unix as well.
"The Lion worm is dangerous because in essence it represents a major attack,"
Paller said. "It takes machines over completely and then begins carrying
out the attack on other machines."
The Lion worm is capable of scanning the Internet to look for Linux computers
with the BIND vulnerability. After it has infected a machine, it steals password
files and transmits them to the China.com Website. It also installs other hacking
tools, making the machine available for further compromise. Paller cautioned
that although China.com appears to be receiving stolen passwords,
the possibility exists that China.com itself has been compromised by someone.
SANS Institute security expert Matt Fearnow and Dartmouth Institute researcher
William Stearns, with help from others, identified the Lion worm and have prepared
a detection and removal toolkit for it at www.sans.org.
Information on the BIND DNS vulnerability can be found there.