The intrusion appears to be aimed at Internet service providers' Internet Message Access Protocol (IMAP) servers, which manage e-mail systems. Networks running the Linux operating system version 5.0 from Red Hat Software Inc. on Intel Corp.-based machines appear to be particularly susceptible.
The problem was identified in June by the Computer Emergency Response Team at Carnegie Mellon University. Red Hat, as well as other vendors, posted software fixes, but not everyone was aware of the breach; some didn't patch their operating software.
Now, hackers are using the weakness to spread the worm program. The program quietly takes over key components of the root, or central, program and uses the host computer to probe and attack other networks without the systems administrator's knowledge.
"The problem with these things is that once they become known, hackers use the CERT advisories to probe networks," said Daniel Senie, president of Amaranth Networks Inc. Someone tried to break into Senie's network to find the IMAP weak spot, but the firewall held. The hacker left a few clues behind: The attacks came from California Polytechnic State University, the City University of New York and several other schools. But those locations aren't likely to be the hackers' home base. "They've done a reasonable job making it look like the [code] they added was there all along," he said.