Home & Office

New Unix worm could be the next Code Red

X.C is continuing the trend for worms that look for unpatched systems rather than clueless individuals
Written by Wendy McAuliffe, Contributor

A new Internet worm designed to attack a common flaw in Unix systems has been confirmed dead, but security experts are warning that the self-propagating worm could be the next Code Red.

The X.C worm exploits a newly discovered hole in the telnet service that is run on most Unix systems. Antivirus companies are concerned that crackers will have learnt from the success of the Code Red worm and its variants, and will be encouraged by the length of time that it takes system administrators to patch machines against publicised vulnerabilities.

"This is going to go along the same lines as Code Red, as virus writers will know that a lot of machines will be vulnerable," said Mark Read, systems security analyst for computer security company MIS Corporate Defence Solutions. "This is definitely the way forward with viruses, as it removes the need for humans to double click on attachments in order for the worm to spread, and instead looks for servers that have not been patched."

The FBI's National Infrastructure Protection Centre (NIPC) issued an alert on the X.C worm on 30 August, and analysts at SecurityFocus have now confirmed that the spread of the virus has been contained due to the program's dependency on a file located on a Web server in Poland. But infected systems will still be able to break into other vulnerable hosts, and might have succeeded in installing "back doors" on previously attacked systems.

The X.C worm can affect Solaris, SGI IRIX and Open BSD. It targets a buffer overflow exploit in the Telnetd system, and attempts to fetch a copy from the program's source code named "x.c." from the Polish server and replicate it on the victim host.

"Telnetd is very insecure when you are connecting to a Unix box from a remote station, as everything is sent across the network. If someone is using a packet sniffer, it is easy to find out a person's username and password," said Read.

X.C never posed a serious threat, as it only targeted a limited number of Unix systems. "This could have been a test version, or was programmed incorrectly," said Read. But security firms are warning that the next version is likely to be as virulent as Code Red, attacking more popular operating systems such as RedHat 7.0 that include Telnetd in the default.

See the Viruses and Hacking News Section for the latest headlines.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And <="" p="">

Editorial standards