The CERT Coordination Center at Carnegie Mellon University Tuesday issued a warning about new worm code that it said can infect computers running Sun Microsystems's Solaris operating system and then use the machines to attack Web servers based on Microsoft's software.
The self-propagating worm, which has been given the name "sadmind/IIS," takes advantage of known security flaws in both Solaris and Microsoft's Internet Information Services (IIS) Web server software to compromise unprotected systems and deface Web pages, according to the CERT advisory.
Chad Dougherty, an Internet security analyst at CERT, said the Pittsburgh-based security research and information service has received "a very large number of reports of systems being compromised by the worm." The reports began coming in early yesterday from both Solaris and IIS users, he added.
The attacks reported to CERT yesterday alone involve up to 50 Solaris systems and hundreds of IIS-based machines, Dougherty said, noting that a single compromised Solaris box could propagate the worm to numerous Web servers. The worm also gives attackers root-level access to infected Solaris servers, he said.
"The Web defacements are just one outcome of these particular worms," Dougherty said. "The systems that are being used to propagate the worm are [completely] compromised." Root-level access gives an attacker the ability to do anything that a systems administrator could do on a computer, such as altering or deleting data.
CERT said the worm enters a Solaris system by using a 2-year-old buffer overflow vulnerability and then targets IIS-based Web servers via a security hole that was uncovered seven months ago. Software patches that are supposed to fix the problems have long been available from both Sun and Microsoft.
But servers could still be vulnerable to the worm if the patches haven't been applied. Once infected, Dougherty said, a system needs to have all of its software reloaded from trusted media. He described sadmind/IIS as a new package of existing attack tools that have been set up to spread the worm "in a very automated fashion."
Systems that have been hit show certain characteristics, CERT said in its advisory. On infected Solaris servers, for example, a directory called "/dev/cuc" will contain tools that the worm uses to propagate itself. An IIS machine will show modified Web pages displaying a rant against the U.S. government and a Chinese e-mail address, according to CERT.
Despite CERT's warning, Denis Zenkin, a spokesman at Moscow-based antivirus software vendor Kaspersky Lab International Ltd., Tuesday said he wasn't aware of any incidents involving the sadmind/IIS worm. The worm could turn out to be "merely another entry in CERT's virus encyclopedia," he added. But there's also the possibility that it's "really something very dangerous and has the opportunity to become widespread," Zenkin said.
If the worm is dangerous, Zenkin charged, CERT's approach to issuing its advisory could be classified as "unethical" because the organization didn't first contact security vendors such as Kaspersky. "CERT didn't share the virus sample with developers of antivirus programs to allow them to provide their customers with an emergency update," Zenkin said.
But CERT's Dougherty said he saw no harm in not alerting the antivirus vendors prior to Tuesday's release of the warning. "This is not something that traditional antivirus software would protect against," he said, noting the existence of the Sun and Microsoft patches. And, he added, CERT acted quickly "because we were seeing this worm propagate rapidly."