On Tuesday, a file of 8,800 Internet addresses was sent to security site Attrition.org. The list appears to be an authentic account of servers compromised by the worm, said Brian Martin, a staff member with the site.
"It looks real," he said, adding that other members of Attrition.org were able to verify that--of the 300 out of 600 sites that could be reached--about half had been defaced. "We know that the worm had been floating around for a couple of weeks, so this looks possible."
The worm is called sadmind/IIS for the two vulnerabilities it exploits--one in the Solstice sadmind administration program for Sun Microsystems' Solaris version of the Unix operating system and the other in Microsoft's Internet Information Server (IIS) for Windows NT. The worm first infects Solaris systems and then uses the compromised systems to scan the Internet for new Solaris systems to infect as well as Windows NT Web servers to deface. Both flaws are well-known: Sun announced a fix for the Sadmind vulnerability more than 2 years ago, while Microsoft fixed the IIS flaw almost a year ago.
When it finds a vulnerable Windows IIS server, it posts an anti-American Web page similar to those used during last week's online graffiti battle between pro-China and pro-United States vandals.
The worm also carries a list of the addresses of all defaced pages and compromised Solaris systems. The file from one of the compromised servers is thought to have been the one handed over to Attrition.org.
Of the 8,800 addresses in the list, only a quarter could be traced back to a functioning site. The other 75 percent may have been down to clean out the worm's files or may not have been publicly listed servers, Martin said.
"A lot of the machines we tried to get at were unreachable," he said. "The list has been out there for a few days or a week, so a lot of the boxes may have been taken down."
Over the past two days, a survey by Martin and others at Attrition.org revealed that almost 40 percent of the sites seem to be personal Web pages.
Moreover, Martin pointed out that 8,800 may actually be only a fraction of the total number of servers compromised by the worm. The 8,800 IP addresses are only the ones found by a single worm.
That makes it a real possibility that there could be 50 or 100 other worms with similar lists of Internet addresses, Martin said.