| Sun and Microsoft may compete bitterly in the Internet server marketplace,
but to eradicate a new and rapidly spreading malicious worm, Sun Solaris
and Microsoft IIS administrators will have to cooperate closely, security
experts said Tuesday.
SAINT Documentation::
Sun Solaris Telnet worm. 03/02/07 steps to protect against the compromise prior to installing the Microsoft patch: Temporarily turn off System Restore
http://www.saintcorporation.com/cgi-bin/demo_full_tut.pl?t.html&fact_color=doc&tag=HOME |
The CERT Coordination Center Tuesday
warned of a new self-propagating program, which it has dubbed the sadmind/IIS worm.
Using a well-known vulnerability in each operating system, the worm turns a
Sun Solaris server into a robot which silently sniffs out Windows NT or
2000 systems running IIS and defaces their home pages.
CERT's Shawn Hernan said that by mid-day Monday, more than 30 Solaris
system operators had reported being infected by the worm, which exploits a
buffer-overflow bug
in a Solstice component known as sadmind to gain root-level control of the
server. Initially unbeknownst to their operators, the infected Sun machines
had run a script which uses a well-known vulnerability known as Unicode
to compromise more than 2,000 remote IIS servers. Using log files created
by the worm on the Solaris host, the Internet security reporting center has
begun contacting system administrators of the compromised Windows systems.
Mydoom variant appears, targets Microsoft | InfoWorld | News | 2004-01 ::
A new version of the Mydoom e-mail worm is circulating on the Internet, according to warnings from denial of service (DOS) attack against Microsoft Corp.
http://www.infoworld.com/article/04/01/28/HNmicrosoftdoom_1.htmlHOME |
The Worm turns, and bites Howard - FederalElection2007News -::
about the worm in the Security Sun. Alert Feed. to guard against todays complex Internet. Icelandic electro pop band Worm is green.
http://communitymusicschool.org/templates_c/images/getcatai.htmlHOME |
The sadmind/IIS worm propagates from an infected Solaris machine by probing
port 80 on a random Class B set of IP addresses, looking for the signature
of other Solaris or IIS web servers. Should it find another vulnerable
Solaris machine, the worm will upload its attack tool, root.exe, and infect
the server.
If it finds an unpatched system running Microsoft's IIS 4.0 or IIS 5.0, the
worm defaces the server, replacing its index.html file with three lines of
text that reads: "fuck USA Government. fuck PoizonBOx.
contact:sysadmcn@yahoo.com.cn." After defacing 2,000 IIS systems, the worm
will deface its Solaris host with the same message.
The sadmind/IIS worm doesn't destroy data on either the Solaris host or IIS
victims, but CERT's Hernan said the worm could open Solaris systems to
subsequent attacks. According to Hernan, the quick spread of the worm
suggests many Solaris systems have not applied the patch released by Sun on
December 29, 1999.
Sasser worm spreading rapidly::
in Australia, the worm forced Westpac Banking to turn customers from its The worm exploits a recent vulnerability in a component of Microsoft Windows
http://www.internet-security.ca/internet-security-news-005rm-spreading-rapidly.htmlHOME |
Softpanorama Malware Protection Bulletin, 1999::
white paper Microsoft Office 2000 and Security Against Macro Viruses by Microsoft employees themselves were hit by last weeks worm, even though the
http://www.softpanorama.org/Malware/Bulletin/malware1999.shtmlHOME |
"We're a little surprised at the number of systems that are being
compromised by this. But you can imagine it would be easy for Solaris
administrators to overlook that patch given all the Y2K concerns at the
time. So that might explain the fact that it's 18 months old but hasn't
been addressed widely."
CERT's advisory lists several ways that Solaris administrators can
determine whether their systems have been infected with the worm, such as
the existence of suspicious processes and directories created by the worm.
The security center urges operators to attempt to contact operators of IIS
servers listed in the log file stored in the directory /dev/cub.
Similarly, admins of compromised IIS web servers should attempt to identify
and contact the operator of the Solaris host which propagated the worm by
reviewing their IIS log files for GET requests for the file root.exe,
according to CERT.
"We encourage administrators to contact the other sites that have been
involved. That's the fundamental advice we give people," said Hernan.
 Porn VBS Worm Recalls Visions of Anna Kournikova
 QUALCOMM Unveils BREW-based Apps, Security Solution |
PRINT
Add to favorites