New Linux worm 'Adore' arrives

NEWS The third Linux virus in almost as many months hit the Internet this week. Known as the Adore worm, the program is designed to create so-called back doors in the security of Linux systems and send information identifying the compromised systems to four different email addresses hosted on servers in China and the United States. "It seems to be a variant of the Ramen worm, said David Dittrich, security administrator for the University of Washington and an expert on digital forensics and hacking tools. The Ramen worm, which used three well-known security flaws to infect systems using the Red Hat distribution of Linux, hit in mid-January and infected an unknown number of computers. The vulnerabilities exploited by Ramen occur in three programs shipped with most Linux distributions and installed by default. The 1i0n worm, discovered last month by the Systems Administration Networking and Security Institute (SANS), used a fourth flaw to spread among servers that had domain name service, or DNS, software installed. Finding flaws The Adore worm -- also known as the Red worm -- uses all four flaws to automatically break into vulnerable systems. While patches have existed for all the vulnerabilities for at least a few months, most system administrators have not patched their systems, said Matt Fearnow, incident handler for the SANS Global Incident Analysis Center. "The three out of four of these exploits were patched back in August," he said. "We can only get after the system administrators to keep their systems patched." Once in a system, the Adore worm replaces an application known as PS -- used by administrators to list the currently running programs on a system -- with a copy that will list all programs except the worm. Then it will send a copy of several key system files to four email addresses: two in the United States and two in China. Each email uses the username adore9000 or adore9001, hence the worm's name. SANS has released a program called "adorefind" that can detect whether a system has been compromised by the worm. The worm appears to be spreading somewhat quickly and hammering a variety of servers with scans aimed at uncovering telltale signs of the vulnerable programs. On the Bugtraq list moderated by SecurityFocus.com, several administrators raised concerns about aggressive scanning of their systems. "Numerous people are reporting heavy scanning... from a lot of different hosts," wrote one administrator. Another person discovered the worm in one of his Red Hat Linux machines. "One of these (scans) succeeded in breaking into a unpatched Red Hat 6.2 box," he wrote. The online vandals who released the worm appear to be using it as a way to compromise a large number of systems. In addition to its other activities, the worm replaces a basic Internet service, known as ICMP (Internet Control Message Protocol), with an almost identical version. The new version of the program opens up a back door -- bypassing security -- whenever it receives the proper command sequence from the Internet. ICMP is typically used to send error information across from machine to machine. After infecting a machine and sending information about the computer through email, the worm waits until 4:02 a.m. and then deletes all its files, except the backdoor. Is your PC safe? Find out at the Hackers News Special. Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum. Let the editors know what you think in the Mailroom. And read other letters.