Worm Turns Sun Servers Into Microsoft Defacement Robots

By Brian McWilliams (Send Email)
Posted May 8, 2001


Sun and Microsoft may compete bitterly in the Internet server marketplace, but to eradicate a new and rapidly spreading malicious worm, Sun Solaris and Microsoft IIS administrators will have to cooperate closely, security experts said Tuesday. Old bugs in two popular web servers provide fertile ground for a new malicious, self-propagating program.

The CERT Coordination Center Tuesday warned of a new self-propagating program, which it has dubbed the . Using a well-known vulnerability in each operating system, the worm turns a Sun Solaris server into a robot which silently sniffs out Windows NT or 2000 systems running IIS and defaces their home pages.

CERT's Shawn Hernan said that by mid-day Monday, more than 30 Solaris system operators had reported being infected by the worm, which exploits a buffer-overflow bug in a Solstice component known as sadmind to gain root-level control of the server. Initially unbeknownst to their operators, the infected Sun machines had run a script which uses a well-known vulnerability known as Unico de to compromise more than 2,000 remote IIS servers. Using log files created by the worm on the Solaris host, the Internet security reporting center has begun contacting system administrators of the compromised Windows systems.

The sadmind/IIS worm propagates from an infected Solaris machine by probing port 80 on a random Class B set of IP addresses, looking for the signature of other Solaris or IIS web servers. Should it find another vulnerable Solaris machine, the worm will upload its attack tool, root.exe, and infect the server.

If it finds an unpatched system running Microsoft's IIS 4.0 or IIS 5.0, the worm defaces the server, replacing its index.html file with three lines of text that reads: "fuck USA Government. fuck PoizonBOx. contact:sysadmcn@yahoo.com.cn." After defacing 2,000 IIS systems, the worm will deface its Solaris host with the same message.

The sadmind/IIS worm doesn't destroy data on either the Solaris host or IIS victims, but CERT's Hernan said the worm could open Solaris systems to subsequent attacks. According to Hernan, the quick spread of the worm suggests many Solaris systems have not applied the patch released by Sun on December 29, 1999.

"We're a little surprised at the number of systems that are being compromised by this. But you can imagine it would be easy for Solaris administrators to overlook that patch given all the Y2K concerns at the time. So that might explain the fact that it's 18 months old but hasn't been addressed widely."

CERT's advisory lists several ways that Solaris administrators can determine whether their systems have been infected with the worm, such as the existence of suspicious processes and directories created by the worm. The security center urges operators to attempt to contact operators of IIS servers listed in the log file stored in the directory /dev/cub.

Similarly, admins of compromised IIS web servers should attempt to identify and contact the operator of the Solaris host which propagated the worm by reviewing their IIS log files for GET requests for the file root.exe, according to CERT.

"We encourage administrators to contact the other sites that have been involved. That's the fundamental advice we give people," said Hernan.

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.