Bugtraq List Accidentally Releases Malicious Code

The first program that exploits a newly discovered hole in the popular BIND software has been posted to a public mailing list.

Source code to the program was posted anonymously to the Bugtraq security mailing list Wednesday night, just days after a division of Network Associates Inc. (NAI) warned network administrators of four serious new bugs in BIND, which is used by 80 percent of the domain name servers in use on the Internet.

According to Elias Levy, chief technology officer for SecurityFocus.com, publishers of the Bugtraq list, the program appears to successfully exploit a buffer overflow bug in BIND version 8. But in what appears to be a case of shooting the messenger, the exploit then launches a denial of service attack on a name server owned by Network Associates. For this reason, the program is considered to be a Trojan horse, and Bugtraq subscribers have been warning others on the list not to run the program.

However, Levy said it’s likely that some percentage of the list’s 35,000 subscribers tested the program and unknowingly participated in an attack on the NAI DNS server. But he said the list’s moderator did not err in letting the message with the Trojan go through.

“People when they subscribe to the list, it’s with the caveat that they might be receiving exploits at some point or another, or some information, that is not fully fleshed out yet,” Levy said. “We always recommend that they wait until other people analyze the information or the code itself to make sure it works as the poster claims.”

In fact, Levy said that someone from NAI’s COVERT Labs reviewed the program before it was posted to Bugtraq and failed to notice the section of code that includes the attack on the company’s server. Whether the code has been successful in slowing traffic to NAI’s sites is not clear. Company officials were not available by news time, but the firm’s Web sites appeared to be up at news time.

In any case, the incident illustrates what many feared — that exploits of the BIND DNS bugs would follow closely on the heels of the publication of the bugs. And that means the race is on for system administrators to get their software patched.