
Dartmouth News

One day after "lion" leaves its den, Dartmouth researcher offers way to track it down

Posted 03/28/01

Bill Stearns grabbed 15 minutes of rest in an office beanbag late last Friday morning, the only sleep he'd seen in 30 hours.

A senior research engineer with Dartmouth's Institute for Security Technology Studies (ISTS), Stearns had been up all night making life a little tougher for a nasty little worm.

Lion, a new computer worm, was identified last Thursday morning by an unsuspecting system administrator in the Netherlands who logged on to find that his system was now attacking other computers on the Internet. Less than 24 hours later, Stearns' detection tool was posted on the ISTS web site. System administrators everywhere could download the code and ensure that their machines were not infected.

"The work needed to get done," Stearns said. "There was no sense that I would lose my day job if I didn't stay up all night cracking this thing, and certainly no sense that I was the only person who could do this. It's just that this is the kind of analysis and detection tool that people who run Linux systems really need."

The worm steals passwords and gains immediate access to a system. It is very difficult to detect because it erases the programs used to check whether other programs are running normally. A false positive, or message that everything's fine, appears even after the worm has infected the system. Once a system is infected, it attacks other machines in turn. A system hit with Lion also becomes more vulnerable to future attacks.

"Lion is like that old Prell commercial that starts out with one woman shampooing her hair and then, all of a sudden, there are 64 one-inch women telling you how wonderful the shampoo is -- they told two friends who told two friends, and so on, and so on," Stearns said.

Stearns estimated that perhaps 10 percent of Linux systems were vulnerable to Lion.

"The only vulnerable machines were those whose administrators had not kept up with security measures," Stearns said. "A fix for the vulnerability that Lion was able to exploit had been available for a month when it hit."

Stearns advised computer system administrators to check security updates at least once per day.
