
[Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET]

  • John Wenger, Mar 23, 2001
      This worm called "Lion" attacks DNS that is not up to date.


      -------- Original Message --------
      Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
      Date: Fri, 23 Mar 2001 7:57:29 -0700 (MST)
      From: The SANS Institute <securityalert@...>
      To: John Wenger (SD439051) <JohnWenger@...>

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET

      March 23, 2001 7:00 AM

      Late last night, the SANS Institute (through its Global Incident
      Analysis Center) uncovered a dangerous new worm that appears to be
      spreading rapidly across the Internet. It scans the Internet looking
      for Linux computers with a known vulnerability. It infects the
      vulnerable machines, steals the password file (sending it to a
      China.com site), installs other hacking tools, and forces the newly
      infected machine to begin scanning the Internet looking for other
      victims.

      Several experts from the security community worked through the night to
      decompose the worm's code and engineer a utility to help you discover
      if the Lion worm has affected your organization.

      Updates to this announcement will be posted at the SANS web site,
      http://www.sans.org


      DESCRIPTION

      The Lion worm is similar to the Ramen worm. However, this worm is
      significantly more dangerous and should be taken very seriously. It
      infects Linux machines running the BIND DNS server. It is known to
      infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
      8.2.3-betas. The specific vulnerability used by the worm to exploit
      machines is the TSIG vulnerability that was reported on January 29,
      2001.

      The Lion worm spreads via an application called "randb". Randb scans
      random class B networks probing TCP port 53. Once it hits a system, it
      checks to see if it is vulnerable. If so, Lion exploits the system using
      an exploit called "name". It then installs the t0rn rootkit.

      Once Lion has compromised a system, it:

      - Sends the contents of /etc/passwd, /etc/shadow, as well as some
      network settings to an address in the china.com domain.
      - Deletes /etc/hosts.deny, eliminating the host-based perimeter
      protection afforded by tcp wrappers.
      - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
      inetd, see /etc/inetd.conf)
      - Installs a trojaned version of ssh that listens on 33568/tcp
      - Kills syslogd, so the logging on the system can't be trusted
      - Installs a trojaned version of login
      - Looks for a hashed password in /etc/ttyhash
      - /usr/sbin/nscd (the optional Name Service Caching daemon) is
      overwritten with a trojaned version of ssh.

      The t0rn rootkit replaces several binaries on the system in order to
      stealth itself. Here are the binaries that it replaces:

      du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
      ps, pstree, top

      - "Mjy" is a utility for cleaning out log entries, and is placed in /bin
      and /usr/man/man1/man1/lib/.lib/.
      - in.telnetd is also placed in these directories; its use is not known
      at this time.
      - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x

      DETECTION AND REMOVAL

      We have developed a utility called Lionfind that will detect the Lion
      files on an infected system. Simply download it, uncompress it, and
      run lionfind. This utility will list which of the suspect files is on
      the system.

      At this time, Lionfind is not able to remove the virus from the system.
      If and when an updated version becomes available (and we expect to
      provide one), an announcement will be made at this site.

      Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz


      REFERENCES

      Further information can be found at:

      http://www.sans.org/current.htm
      http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
      Multiple Vulnerabilities in BIND
      http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
      in transaction signature (TSIG) handling code
      http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.

      The following vendor update pages may help you in fixing the original BIND
      vulnerability:

      Redhat Linux RHSA-2001:007-03 - Bind remote exploit
      http://www.redhat.com/support/errata/RHSA-2001-007.html
      Debian GNU/Linux DSA-026-1 BIND
      http://www.debian.org/security/2001/dsa-026
      SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
      http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
      Caldera Linux CSSA-2001-008.0 Bind buffer overflow
      http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
      http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

      This security advisory was prepared by Matt Fearnow of the SANS
      Institute and William Stearns of the Dartmouth Institute for Security
      Technology Studies.

      The Lionfind utility was written by William Stearns. William is an
      Open-Source developer, enthusiast, and advocate from Vermont, USA. His
      day job at the Institute for Security Technology Studies at Dartmouth
      College pays him to work on network security and Linux projects.

      Also contributing efforts go to Dave Dittrich from the University of
      Washington, and Greg Shipley of Neohapsis.

      Matt Fearnow
      SANS GIAC Incident Handler

      If you have additional data on this worm or a critical question please
      email lionworm@...
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.0.4 (BSD/OS)
      Comment: For info see http://www.gnupg.org

      iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
      ek+YCliAS832nnMIzP28ezM=
      =E1SG
      -----END PGP SIGNATURE-----
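The advisory gives a concrete set of host indicators (backdoor listeners on 60008/tcp, 33567/tcp and 33568/tcp; the hidden /usr/man/man1/man1/lib/.lib/ directory and its setuid shell; /etc/ttyhash; a deleted /etc/hosts.deny; a killed syslogd) and also notes that netstat and ps are among the binaries t0rn replaces. The script below is an added example written for this page; it is not the Lionfind utility and not code from SANS or the advisory's authors. It checks those indicators but reads /proc/net/tcp and /etc/inetd.conf directly rather than calling netstat or ps, since the replaced binaries cannot be trusted on a suspect host. The /proc/net/tcp lines, the inetd.conf entries (including the `60008 ... /bin/sh sh -i` root-shell line, which is an assumed shape, not the worm's actual entry) and the set of present paths are all constructed sample input for the demo.

```python
"""Host triage for the Lion worm indicators listed in the SANS alert.

Added example (not Lionfind): reads /proc/net/tcp and /etc/inetd.conf
directly instead of calling netstat or ps, because the advisory says the
t0rn rootkit replaces those binaries.
"""
import os
from typing import Callable, Iterable, List, Set

# Indicators copied from the advisory text.
BACKDOOR_PORTS = {60008, 33567, 33568}      # inetd root shells and trojaned ssh
SUSPECT_PATHS = [
    "/etc/ttyhash",                          # rootkit password hash
    "/usr/man/man1/man1/lib/.lib",           # hidden tool directory
    "/usr/man/man1/man1/lib/.lib/.x",        # setuid shell
    "/bin/mjy",                              # log-cleaning utility
]
TCP_LISTEN = "0A"                            # 'st' column value for LISTEN in /proc/net/tcp


def listening_ports(proc_net_tcp: Iterable[str]) -> Set[int]:
    """Parse /proc/net/tcp lines and return the local ports in LISTEN state.

    Data lines look like '   0: 00000000:0035 00000000:0000 0A ...': the local
    address is hex IP:port and the fourth column is the socket state.
    """
    ports: Set[int] = set()
    for line in proc_net_tcp:
        fields = line.split()
        if len(fields) < 4 or not fields[0].rstrip(":").isdigit():
            continue  # header line or malformed input
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def backdoor_ports_listening(proc_net_tcp: Iterable[str]) -> List[int]:
    """Advisory backdoor ports that are currently in LISTEN state."""
    return sorted(BACKDOOR_PORTS & listening_ports(proc_net_tcp))


def inetd_backdoors(inetd_conf: Iterable[str]) -> List[str]:
    """Return active inetd.conf entries bound to one of the backdoor ports.

    inetd.conf fields: service socket_type protocol wait/nowait user program args.
    The service field may be a name from /etc/services or a bare port number;
    only numeric ports are matched here.
    """
    hits = []
    for line in inetd_conf:
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank or commented-out line is not active
        fields = entry.split()
        if len(fields) >= 6 and fields[0].isdigit() and int(fields[0]) in BACKDOOR_PORTS:
            hits.append(entry)
    return hits


def suspect_files_present(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths from the advisory that exist on this host."""
    return [p for p in SUSPECT_PATHS if exists(p)]


def hosts_deny_missing(exists: Callable[[str], bool] = os.path.exists) -> bool:
    """The worm deletes /etc/hosts.deny; absence alone is only a weak indicator."""
    return not exists("/etc/hosts.deny")


def triage(proc_net_tcp, inetd_conf, process_names=(), exists=os.path.exists) -> List[str]:
    """Combine the individual checks into a list of human-readable findings."""
    findings = [f"backdoor port {p}/tcp is listening" for p in backdoor_ports_listening(proc_net_tcp)]
    findings += [f"inetd.conf backdoor entry: {e}" for e in inetd_backdoors(inetd_conf)]
    findings += [f"suspect file present: {p}" for p in suspect_files_present(exists)]
    if hosts_deny_missing(exists):
        findings.append("/etc/hosts.deny is missing (weak indicator)")
    if process_names and "syslogd" not in process_names:
        findings.append("syslogd is not running")
    return findings


# ---- Constructed sample input (not captured from a real infected host) ----
SAMPLE_PROC_NET_TCP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1",  # 53, named
    "   1: 00000000:EA68 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1",  # 0xEA68 = 60008
    "   2: 0100007F:0016 0100007F:C4B3 01 00000000:00000000 00:00000000 00000000     0        0 1003 1",  # established, not LISTEN
]
SAMPLE_INETD_CONF = [
    "# /etc/inetd.conf (constructed)",
    "ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd",
    "60008  stream  tcp     nowait  root    /bin/sh         sh -i",   # assumed root-shell entry shape
    "#33567 stream  tcp     nowait  root    /bin/sh         sh -i",   # commented out: not active
]
SAMPLE_PRESENT_PATHS = {
    "/etc/ttyhash",
    "/usr/man/man1/man1/lib/.lib",
    "/usr/man/man1/man1/lib/.lib/.x",
    "/usr/sbin/nscd",
}
SAMPLE_PROCESSES = ("init", "inetd", "named")   # note: no syslogd


def sample_exists(path: str) -> bool:
    """Stand-in for os.path.exists over the constructed file set."""
    return path in SAMPLE_PRESENT_PATHS


if __name__ == "__main__":
    for finding in triage(SAMPLE_PROC_NET_TCP, SAMPLE_INETD_CONF, SAMPLE_PROCESSES, sample_exists):
        print("LION:", finding)
```

On a real host, pass `open("/proc/net/tcp")` and `open("/etc/inetd.conf")` as the two line sources and the process names read from /proc/*/comm, and run the checks from known-good media; a missing /etc/hosts.deny is reported separately because many hosts never had one, and a syslogd check is only meaningful when the host normally runs it.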