Users login

Create an account »


Users login

Home » Hacking News » Polish Worm Provides Jolt To Unix Operators

Polish Worm Provides Jolt To Unix Operators

by Phiber on September 7th, 2001 A new Internet worm that prompted an FBI warning last month has been confirmed dead. But security experts cautioned that X.C. could be the first in a series of self-propagating worms designed to target a common flaw in Unix systems.

According to source code analysis completed Thursday by SecurityFocus, the spread of the X.C. worm has been halted due to the program's dependency on a file located on a Web server in Poland.

Currently infected systems may still attempt to break into other vulnerable hosts and run the worm's install script. In addition, X.C. may have succeeded in installing "back doors" on numerous systems before the Polish server's operators removed the program code, according to SecurityFocus analysts.

The server, located at , is home of the Web site of Zjazd Radiologow Polskich, the Congress of Polish Radiology Specialists, which is hosted by the Academy of Medical Sciences located in Lublin.

The X.C. worm was the subject of an Aug. 30 advisory from the FBI's National Infrastructure Protection Center. The NIPC provided no details on the worm, except to say that it was exploiting a newly discovered vulnerability in the telnet service running on many Unix systems.

SecurityFocus' subsequent analysis of the worm's source code, provided to the firm by an anonymous contributor, revealed that X.C. was designed to spread automatically to vulnerable Unix systems and establish a back door that allows root-access connections to port 145.

After successfully making a Telnet connection to a randomly generated Internet protocol address, the worm tries to run the "Telnetd" buffer overflow exploit recently published by a hacking group known as Teso Security. If the exploit works, the worm attempts to fetch a copy of the program's source code, a file named "x.c.," from the Polish server and compile it on the victim host.

Operators of the Zjazd Radiologow Polskich server were not immediately available for comment. According to a member of LSD Research Group, a Polish security research team, the medical organization's server was likely targeted by the attacker because of lax security.

"As it is a system belonging to academic organization, it is highly probable that it was indeed insecure," said the LSD member.

During a five-day span beginning Aug. 31, participants in SecurityFocus' ARIS intrusion reporting service observed up to 100 scans per day on TCP Port 145. The security information and consulting firm believes the probes originated from dial-up Internet accounts in Germany and may have been the worm's author checking for infected systems.

According to SecurityFocus, hosts that have been infected by X.C. "may then be easily compromised by anyone."

Records compiled by the intrusion detection service show little activity on port 145 reported by participating sites in recent weeks, according to Dshield operator Johannes Ullrich.

Because the Telnetd exploit used by X.C. worked only on a limited subset of Unix systems - those running code based on BSD - and because the worm had a single point of failure, X.C. never posed a very serious threat. But according to Dave Dittrich, a security expert with the University of Washington, future worms targeting the Telnetd hole could appear soon.
"They could be made much more efficient, much harder to stop, and much more virulent if the exploit used was for a more popular operating system distribution including Telnetd in the default, such as RedHat 7.0 or below, or Solaris/SPARC," said Dittrich.

According to Dittrich, the FBI was right to try to raise awareness of the Telnetd vulnerability.

"Letting the world know that people are starting to exploit Telnetd in worm form is prudent, not alarmist."

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »