Sun has confirmed that a worm targeted a legacy application running under its Solaris operating system, earlier this month.
Analysed by security vendor Arbor Networks some weeks ago on its Atlas exploit scanning system, the worm affects Solaris versions 10 and 11 running on x86 or SPARC, and attempts to use a remote exploit flaw in the telnet application noted by US-CERT on February 15th, making the time-to-exploit remarkably swift.
If successful, the exploit would allow an attacker admin control of the affected machine, but the attack is believed to be a low-incidence threat despite its potentially serious nature. Arbor has released details of the attack in a blog by the company’s Jose Nazario, also a noted worm aficionado, who comments on its old fashioned nature, whch matches the ancient telnet protocl.
“[it’s] very old school, reminds me of the old ADM worms I saw back in the late 90’s that got me interested in self-propagating malware in the first place,” comments Nazario in his blog.
The unusual worm event – rare on the platform - has now been patched by Sun, with updates available from its website.
Worms on Solaris - and other non Win32 platforms - are far from unheard of, but are still rare and mysterious creatures. They tend not to get much coverage and are not always carefully documented when they do occur. One of the last prominent examples on Solaris was in 2001, when a worm attacked websites running both Microsoft’s IIS and Solaris. The interesting fact about the latter attack was that it exploited a two-year old flaw in the Sun software, an age that would be considered remarkable by today’s standards.