
Archive for March 1st, 2007


Mar 1
by Roberto Tayag (Threats Analyst)

Last night we received reports of a worm attacking Solaris machines. The worm attempts to log into Solaris 10 systems through a security hole in the Telnet service; the bug was disclosed in February on the Full-Disclosure security mailing list.


According to US-CERT, the Telnet daemon in Sun Solaris may accept authentication information through the USER environment variable.


The problem is that the daemon does not sanitize this value before handing it to the login program, which then interprets it as one of its own command-line options rather than as a user name; login's -f option marks the user as already authenticated, so no password is asked for.
Because of this, a remote attacker can bypass the login authentication over telnet. What makes this worse is that using the flaw requires no exploit-writing skill at all, which makes it ideal for mass attacks.
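As an added illustration (not part of the original post or of Trend Micro's analysis), the following Python decodes the telnet NEW-ENVIRON subnegotiation (RFC 1572), which is how a client transmits the USER variable, and flags a USER value that begins with '-', since that is exactly the value that reaches login as an option. The sample traffic is constructed here, and the names parse_new_environ, suspicious_user and new_environ_is are this example's own.

```python
"""Flag telnet NEW-ENVIRON exchanges that smuggle a login option via USER.

Option codes from RFC 854 (IAC/SB/SE) and RFC 1572 (NEW-ENVIRON).
"""
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39
IS, SEND, INFO = 0, 1, 2            # NEW-ENVIRON sub-commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # NEW-ENVIRON type codes


def parse_new_environ(data: bytes) -> dict:
    """Return {name: value} for every IAC SB NEW-ENVIRON IS/INFO ... IAC SE in data.

    Assumes a literal IAC inside the subnegotiation is doubled (IAC IAC) and
    that VAR/VALUE/ESC/USERVAR bytes inside names or values are ESC-escaped,
    as RFC 1572 requires. Values that contain an IAC SE pair are not handled.
    """
    env = {}
    pos = 0
    while True:
        start = data.find(bytes([IAC, SB, NEW_ENVIRON]), pos)
        if start < 0:
            return env
        end = data.find(bytes([IAC, SE]), start + 3)
        if end < 0:
            return env
        body = data[start + 3:end].replace(bytes([IAC, IAC]), bytes([IAC]))
        pos = end + 2
        if not body or body[0] not in (IS, INFO):
            continue                      # SEND requests carry no values
        entries = []                      # [name_bytes, value_bytes_or_None]
        field = None                      # buffer currently being filled
        k = 1
        while k < len(body):
            b = body[k]
            if b == ESC and k + 1 < len(body):
                k += 1                    # next byte is literal data
                if field is not None:
                    field.append(body[k])
            elif b in (VAR, USERVAR):
                entries.append([bytearray(), None])
                field = entries[-1][0]
            elif b == VALUE and entries:
                entries[-1][1] = bytearray()
                field = entries[-1][1]
            elif field is not None:
                field.append(b)
            k += 1
        for name, value in entries:
            env[name.decode("latin-1")] = (
                None if value is None else value.decode("latin-1"))


def suspicious_user(env: dict):
    """Reason string if USER would be parsed by login(1) as an option, else None.

    The Solaris issue: a USER value such as "-froot" is passed through to
    login, whose -f option skips password authentication.
    """
    user = env.get("USER")
    if user is not None and user.startswith("-"):
        return "USER begins with '-' and would reach login as option %r" % user[:2]
    return None


def new_environ_is(**variables) -> bytes:
    """Encode a client 'IAC SB NEW-ENVIRON IS VAR name VALUE value ... IAC SE'.

    Constructed test traffic only; names and values here contain no bytes
    that would need ESC or IAC escaping.
    """
    body = bytearray([IS])
    for name, value in variables.items():
        body += bytes([VAR]) + name.encode() + bytes([VALUE]) + value.encode()
    return bytes([IAC, SB, NEW_ENVIRON]) + bytes(body) + bytes([IAC, SE])


# Constructed samples: what `telnet -l "-froot" host` sends, and a normal login.
MALICIOUS = new_environ_is(USER="-froot")
BENIGN = new_environ_is(USER="alice", DISPLAY="host:0")

if __name__ == "__main__":
    for label, capture in (("malicious", MALICIOUS), ("benign", BENIGN)):
        env = parse_new_environ(capture)
        print(label, env, suspicious_user(env))
```

The same leading-dash check is the minimal server-side guard: a telnet daemon that refuses a USER value starting with '-' (or places "--" before the user name when building login's argument list) never lets the variable be read as an option.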
We have already submitted the sample for detection and we will update you as soon as possible.

Update 03/01/2007 12:10 PM: The malware will be detected as WORM_WANUK.A.


Mar 1

Barely three weeks into the new year, as the storm “Kyrill” ravaged central Europe, another “storm” was brewing: a deluge of spam messages that promised information about Europe’s most severe winter storm since 1999, with subject lines such as “230 dead as storm batters Europe”.
That is how TROJ_SMALL.EDW, which arrived as an attachment to these messages, came to be dubbed the “Storm” malware.


But this Trojan is more than a piece of malware with a clever social engineering hook. Working together with WORM_NUWAR.CQ, it staged a complex attack. A comprehensive article on the routines and ultimate goals of the TROJ_SMALL.EDW-WORM_NUWAR.CQ tandem is available: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice