'Worm' targets Sun Solaris Telnet flaw

Article

'Worm' targets Sun Solaris Telnet flaw

Bill Brenner, Senior News Writer
It isn't expected to become a monster like Windows-based malware of the past, but security experts say an apparent worm exploiting a recently patched Sun Solaris flaw serves as another reminder to disable Telnet.

Sun Microsystems Inc. patched

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

a design flaw in the Telnet daemon of its Solaris 10 and 11 operating systems two weeks ago that attackers could exploit for unauthenticated remote root logins.

Tuesday, researchers at Lexington, Mass.-based Arbor Networks Inc. began to detect hosts scanning for Telnet servers.

"A team member found what appears to a Sun Solaris Telnet worm," Jose Nazario, senior security engineer for Arbor Networks, wrote in the company's blog. "While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to [the] recent Solaris bug."

In my opinion nobody should be running Telnet open to the Internet.
Donald Smith
SANS ISC
The worm attempts to log in to targeted systems as the user's "lp" or "adm" and "execute a bunch of shell commands to set up shop and keep on truckin'," he said. "[It's] very old school."

But, he added, so is Telnet.

"If you haven't patched yet, you should," he said. "Better yet, just disable Telnet. It's 2007, after all."

Joel Esler, a volunteer handler at the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote on the organization's Web site that a IP address range in France appeared to be scanning around for Port 23.

"We checked our data here at the Storm Center and it appears we have similar traffic from the same net ranges," Esler said. This, he added, would appear to back up Arbor Networks' conclusion that a Solaris worm is making the rounds.

For many security experts, the flaw and subsequent exploit serve as a stark reminder that Telnet is easy pickings for the bad guys and should not be used anymore.

The protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Inc.'s Enterprise Linux to Apple Computer Corp.'s Mac OS X. It has long been considered a security risk because user names, passwords and all subsequent commands are transmitted as easily exploitable plaintext.

"In my opinion nobody should be running Telnet open to the Internet," Donald Smith, another volunteer handler at the ISC, said when the Solaris flaw was discovered two weeks ago. He noted that since 1994, the CERT Software Engineering Institute at Pennsylvania's Carnegie Mellon University has recommended using something other than plain text authentication, due to potential network-monitoring attacks.