Sun and Microsoft may compete bitterly in the Internet server marketplace,
but to eradicate a new and rapidly spreading malicious worm, Sun Solaris
and Microsoft IIS administrators will have to cooperate closely, security
experts said Tuesday.
The CERT Coordination Center on Tuesday warned of a new self-propagating
program, which it has dubbed the sadmind/IIS worm. Using a well-known
vulnerability on each platform, the worm turns a compromised Sun Solaris
server into a robot that silently scans for Windows NT or 2000 systems
running IIS and defaces their home pages.
CERT’s Shawn Hernan said that by mid-day Monday, more than 30 Solaris
system operators had reported being infected by the worm, which exploits a
buffer-overflow bug in sadmind, the Solstice AdminSuite daemon, to gain
root-level control of the server. Initially unbeknownst to their operators,
the infected Sun machines had run a script that used the well-known IIS
Unicode directory-traversal vulnerability to compromise more than 2,000
remote IIS servers. Using log files created by the worm on the Solaris
hosts, the Internet security reporting center has begun contacting system
administrators of the compromised Windows systems.
The sadmind/IIS worm propagates from an infected Solaris machine by probing
randomly chosen Class B networks, looking on port 80 for IIS web servers
and for other Solaris hosts exposing the vulnerable sadmind RPC service.
Should it find another vulnerable Solaris machine, the worm copies its
toolkit to the new host and infects it in turn.
If it finds an unpatched system running Microsoft’s IIS 4.0 or IIS 5.0, the
worm defaces the server, replacing its index.html file with three lines of
text that read: “fuck USA Government. fuck PoizonBOx.
contact:sysadmcn@yahoo.com.cn.” After defacing 2,000 IIS systems, the worm
defaces its Solaris host with the same message.
The sadmind/IIS worm doesn’t destroy data on either the Solaris host or IIS
victims, but CERT’s Hernan said the worm could open Solaris systems to
subsequent attacks. According to Hernan, the quick spread of the worm
suggests many Solaris systems have not applied the patch released by Sun on
December 29, 1999.
“We’re a little surprised at the number of systems that are being
compromised by this. But you can imagine it would be easy for Solaris
administrators to overlook that patch given all the Y2K concerns at the
time. So that might explain the fact that it’s 18 months old but hasn’t
been addressed widely.”
CERT’s advisory lists several ways that Solaris administrators can
determine whether their systems have been infected with the worm, such as
the existence of suspicious processes and directories created by the worm.
The security center urges operators to attempt to contact operators of IIS
servers listed in the log file stored in the directory /dev/cub.
Similarly, admins of compromised IIS web servers should attempt to identify
and contact the operator of the Solaris host which propagated the worm by
reviewing their IIS log files for GET requests for the file root.exe (the
copy of cmd.exe that the Unicode exploit places in the server’s scripts
directory), according to CERT.
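The log review CERT recommends can be scripted. The following is an added example written for this article, not code from CERT, from the worm, or from either vendor. It parses IIS W3C extended log lines, decodes the overlong UTF-8 sequences that IIS accepted as path separators, and reports the source addresses that sent traversal requests or invoked root.exe. The log lines, field layout and addresses are constructed for illustration; the set of overlong sequences is the three most commonly seen in Unicode-exploit traffic, not an exhaustive list.

```python
"""Scan IIS W3C extended log lines for the sadmind/IIS worm's web-side footprint.

Added example for this article, not code from CERT or from the worm itself.
The log lines below are constructed; the field layout is the W3C extended
format as IIS 4.0/5.0 wrote it when the listed fields were enabled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed sample, not a real server's log. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-08 03:12:44 192.0.2.10 GET /default.htm - 200
2001-05-08 03:12:51 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-08 03:12:52 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+root.exe 502
2001-05-08 03:12:53 198.51.100.23 GET /scripts/root.exe /c+echo+defaced+>+..\\wwwroot\\index.html 200
2001-05-08 03:13:02 192.0.2.11 GET /images/logo.gif - 200
2001-05-08 03:14:09 203.0.113.5 GET /msadc/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
"""

# Overlong or malformed UTF-8 sequences that IIS's decoder accepted as path
# separators after it had already checked the URL for "..". A correct decoder
# rejects them, which is why a plain urllib.parse.unquote() would not reveal
# the traversal. Assumption: this list covers the common variants, not all.
OVERLONG_SEPARATORS = {
    b"\xc0\xaf": b"/",   # two-byte overlong encoding of '/'
    b"\xc1\x9c": b"\\",  # two-byte overlong encoding of '\'
    b"\xc1\x1c": b"\\",  # malformed variant that IIS also decoded as '\'
}


@dataclass
class Finding:
    client_ip: str
    reason: str
    raw_uri: str
    decoded_path: str


def normalize_path(uri_stem: str) -> str:
    """Percent-decode, then decode the overlong sequences the way IIS did."""
    raw = unquote_to_bytes(uri_stem)
    for seq, sep in OVERLONG_SEPARATORS.items():
        raw = raw.replace(seq, sep)
    # latin-1 never fails, so any stray bytes survive for the analyst to see.
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify(uri_stem: str) -> Optional[str]:
    """Return why a request stem is suspicious, or None for benign requests."""
    raw = unquote_to_bytes(uri_stem)
    if any(seq in raw for seq in OVERLONG_SEPARATORS):
        return "overlong UTF-8 directory traversal"
    path = normalize_path(uri_stem)
    if path.endswith("/root.exe"):
        return "root.exe (renamed cmd.exe) invoked"
    if "/../" in path and path.endswith("/cmd.exe"):
        return "directory traversal to cmd.exe"
    return None


def scan_iis_log(text: str) -> List[Finding]:
    """Parse W3C extended log text and return one Finding per suspicious request."""
    fields: Optional[List[str]] = None
    findings: List[Finding] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the lines that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                       # truncated or foreign line: skip, do not guess
        rec = dict(zip(fields, cols))
        stem = rec.get("cs-uri-stem", "")
        reason = classify(stem)
        if reason is not None:
            findings.append(Finding(rec.get("c-ip", "?"), reason, stem,
                                    normalize_path(stem)))
    return findings


def suspect_hosts(text: str) -> Dict[str, int]:
    """Source addresses to report to their operators, with request counts."""
    counts: Dict[str, int] = {}
    for f in scan_iis_log(text):
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f.client_ip:15} {f.reason:38} {f.decoded_path}")
    print(suspect_hosts(SAMPLE_LOG))
```

The overlong check is made on the raw bytes before any decoding, because that is the one indicator a patched or correctly behaving decoder would never produce; the root.exe and plain-traversal checks run on the normalized path so that backslash and case variants are caught too. Hosts in the resulting list are the Solaris machines (or other attackers) to contact, as CERT asks.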
“We encourage administrators to contact the other sites that have been
involved. That’s the fundamental advice we give people,” said Hernan.