http://news.bbc.co.uk/hi/english/sci/tech/newsid_1344000/1344344.stm
By BBC News Online technology correspondent Mark Ward
A helpful virus is making its way around the web, checking computers for
vulnerabilities and closing them.
Cheesy message
The "cheese worm" targets computers running Linux that have been attacked by
a similar, but malign, program earlier this year.
As it grows in popularity, Linux is increasingly being targeted by virus
writers and malicious hackers.
But the benevolent program has not been welcomed by anti-virus companies, who
say any software that makes unauthorised changes to a computer is potentially
dangerous.
Roaring worm
In March this year, a malicious program known as the Lion worm was infecting
Linux servers and installing backdoors that could be exploited by its
creators. The worm also stole passwords and sent them to those system
crackers using it as an intrusion tool.
[Image caption: The Linux mascot penguin, an increasingly popular target]
The backdoors could be used to stage denial-of-service attacks that use a
series of remotely commanded computers to bombard a target server with bogus
requests. Usually, the target is overwhelmed by the stream of useless data
and either crashes, or becomes unreachable by legitimate users.
Although viruses that exploit the weaknesses of Microsoft Windows are by far
the most numerous, some malicious hackers have started to target the
increasingly popular Linux software. This year, four viruses, the Ramen,
Lion, Adore and Sadmind/IIS worms, have been written to attack this software.
The cheese worm attempts to repair some of the damage done by the Lion worm.
It scans networks with certain net addresses until it finds one with a back
door, or port, that has been opened by the Lion worm.
Wholly holey
A port is a logical, as opposed to a physical, division within a computer
system. Individual web-aware programs wait for information addressed, or
sent, to different ports. These can be thought of as resembling room numbers
in a skyscraper, where separate companies reside on different floors inside
one physical building.
Mail sent to the building will reach the firm it is addressed to, in the same
way data sent to a server will be directed to a particular program.
If cheese finds a vulnerable computer, it applies a software patch to close
the hole, copies itself, and then uses the healed computer to look for other
networks with the same vulnerability.
The worm may have gone unnoticed but for the zeal with which it scans for
vulnerabilities. System administrators who noticed hundreds of attempts to
scan their machines went looking for the cause and found the cheese worm was
the culprit.
The scanning attempts were reported to the Computer Emergency Response Team,
which issued a security alert.
The program is known as a "worm" because it travels across a network copying
itself as it goes. By contrast, a "trojan" is a program that looks benign but
contains a malicious payload.
Comments inside the code for the worm betray its benign intent.
One reads: "This code was not written with malicious intent". The cheese worm
claims to have been created: "to stop pesky haqz0rs (hackers) messing up your
box even worse than it is already".
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 10:00:07 MDT