On May 8, 2001, the CERT Division at Carnegie Mellon University issued an alert: a new worm was on the loose. The “sadmind/IIS worm” exploited well-known vulnerabilities in Sun Microsystems’ Solaris operating system as well as Microsoft’s Internet Information Server (IIS). Once a system was compromised, Sadmind—also known as “PoizonBox”—defaced webpages with vulgar language and tirades against the U.S. government.
CERT Advisory CA-2001-11 did contain a hint of “I told you so” for those network administrators who had been lax about security patches. Sadmind entered the Solaris operating system through a two-year-old buffer overflow vulnerability—and then used a seven-month-old security flaw to enter the IIS environment. Patches addressing each had long been available.
Sadmind heightens international tensions
Sadmind-defaced webpages displayed a Chinese email address, lending credence to theories that the worm had its origins in tensions between the U.S. and Chinese governments, which had been exacerbated ever since the April 1, 2001, collision of an American spy plane and a Chinese fighter jet. On April 26, 2001, the FBI’s National Infrastructure Protection Center (NIPC) had released its own advisory, advising network administrators to be on the lookout for web defacements between April 30 and May 7, 2001. Several significant dates in the People’s Republic of China occur at this time of year: May Day (May 1), Youth Day (May 4) and the anniversary of the accidental bombing of the Chinese Embassy in Belgrade (May 7).
Within the security community, antivirus providers publicly criticized CERT for not alerting them to Sadmind before going public with the alert. CERT defended itself, stating that traditional antivirus software would not have protected against the worm—but that the already-available security patches would have.