Security experts associated with the SANS Institute have discovered a dangerous computer worm dubbed "Lion" that spreads through Linux computers.
The worm is capable of scanning the Internet to look for Linux computers with the known vulnerability in the BIND Domain Name Server.
After the worm has infected a machine and installed itself, it steals password files and transmits them to the China.com Web site. It also installs other hacking tools, making the machine available for further compromise. Allan Paller, director of the institute, cautions that although the China.com appears to be receiving stolen passwords, the possibility exists that China.com has been compromised by someone.
Paller says many Linux computers appear to have not yet installed the upgrade fix for the BIND vulnerability detailed last January. Now, two security experts have identified the computer worm that is believed to have infected thousands of Linux-based servers, with the likely potential it will spread to other versions of Unix.
"The Lion worm is dangerous because in essence it represents a major attack," Paller says. "It takes machines over completely and then begins carrying out the attack on other machines."
A detection and removal toolkit is available at www. sans.org. Information on the BIND DNS vulnerability can be found at www.CERT.org/advi sories/CA-2001-02.html.
