Worm attacks Sun Solaris flaw

The flaw, which could allow a malicious user access to a Solaris host, exists in versions 10 and 11, according to researchers at the SANS Internet Storm Center.

The organisation advised network administrators to turn off telnet access.

The flaw is caused by an error in in.telnetd when invoking the login program, according to a Secunia advisory released earlier this month. The notification ranked the flaw as "moderately critical."

Arbor Networks, which reported the worm to the Internet Storm Center, advised administrators to patch their networks or disable telnet access. Jose Nazario, senior software and security engineer at Arbor Networks, said in a weblog posting that the worm is a throwback to malware of nearly a decade ago.

"The worm attempts to log into your systems as the users 'lp' or 'adm' and execute a bunch of shell commands to set up shop and keep on truckin,’" he said. "(It’s) very old school; reminds me of the old ADM worms I saw back in the late 90s that got me interested in self-propagating malware in the first place."

Internet Storm Center handler Joel Esler said on the organisation’s weblog that the worm had a high number of targets but few sources.

A Sun advisory released today contained a "worm clean up" script, and advised users to disable telnet service.

Ralph Thomas, director of malcode operations at VeriSign iDefense, said today that he does not expect infection to become widespread.

"The Solaris telnet worm targets both x86 and SPARC platforms of Sun’s OS. Only the telnet service of Solaris version 10 is affected," he said. "Even though probing for the telnet service is prevalent, internet facing vulnerable telnet services are limited in number and will not allow for widespread propagation."

attacksflawsecuritysolarissunworm