Feds warn of new worm threat

Summary: A new malicious program infects previously compromised PCs and seemingly prepares the machines to launch a DoS attack. Security experts are calling the worm 'a medium risk.'

A government Internet watchdog warned companies this past weekend of a new malicious program that spreads to previously compromised PCs and seemingly prepares the infected machines to launch a denial-of-service attack, sources said Monday.

The program, known as W32-Leaves.worm, places additional code on the compromised machines and synchronizes the PCs' internal clocks with the one at the U.S. Naval Observatory, said Vincent Gullotto, director of the antivirus research team at security company Network Associates.

"That may indicate that (the worm) is preparing to do something," he said, but he added that Network Associates has had only three reports of the infection in the past 48 hours. "The government was primarily worried that it could be a denial-of-service attack. Based on their numbers, we decided to give it a medium risk."

On Saturday, the National Infrastructure Protection Center posted an advisory to its Web site warning companies of the worm. "Leaves" takes advantage of computers that have been compromised by the illicit installation of the SubSeven system-administration tool, the NIPC stated in the advisory. SubSeven is the program most commonly used by network intruders to control Windows PCs remotely.

"The full impact of this new Leaves infection and appropriate fixes are currently under investigation," stated the advisory.

Worms--a way to crack the security of thousands of servers at a time--have become the tool of choice for many online vandals. A worm is a self-propagating program that will scan until it finds a vulnerable computer, which it will infect and then start the process all over.

This year several Linux worms, including Ramen, 1i0n, and Adore, have hit the Net, along with a worm that infects Solaris systems.

While the NIPC did not expand on the Leaves worm's capabilities, Gullotto said the pesky program was uploading information about compromised PCs to a central Web site. The site has since been taken down.

He added that the worm is unlikely to amount to much.

"If we don't hear anything in the next few days, we will downgrade the threat," Gullotto said, speaking from a conference where antivirus experts gathered to talk about issues to the industry. "No one here is very concerned about this."

Rather than warn against impending attack--a tactic that garners public-relations points for the NIPC--the agency should be telling security administrators what to do to prevent attacks in the first place, said Greg Shipley, director of consulting services for security company Neohapsis.

"Everyone is kind of thinking practical and not thinking strategic," he said.

"The first step is to patch their servers and patch in a timely manner, but that's a tactical problem. The strategic move is to get these vendors taking some liability for the bugs in their servers."

Topics: Malware, Government, Hardware, PCs, Security, Servers
