Thursday, November 10, 2005
Depending on what news sources you follow, you may or may not have heard about the latest and greatest Linux worm. Here is a quick summary to catch everyone up. On November 6 a new worm began spreading that attempted to brute force a series of URLs associated with three vulnerabilities found on Unix related systems. If vulnerable versions of the software were running, an ELF executable was downloaded from a single IP address into the Web server's /tmp folder, and then it was executed starting the cycle anew. As with many previous worms, both on Windows and *nix systems, some configuration changes would have stopped this worm in it's tracks, even if the systems were wide open with vulnerable software.I can't say that it's the most elegant worm ever, it's certainly not the fastest spreading, and I suspect that it is one of the easier ones for the Internet-Powers-That-Be to stop spreading completely -- turn off the IP address that the worm is downloading its code from. Sure, we end up with a cycle where the author moves to another IP and re-releases the worm. But eventually even the most stubborn virus author will get bored with that game.What's with all the reporting about this worm? Is it just the novelty of a bi-annual Linux worm compared to the systems coming out of Redmond? Or is there more here than meets the eye? I think there is a warning buried here, and maybe we should pay a little attention to it. OK, it's a Linux worm but we didn't saw a lot of these in the wild. But you never know, it could be a warning of what could come...
<< Home