[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Lion Worm

I'm using Debian stable (Debian 2.2 upgraded with current upgrades using
dselect over apt-get).

This new "Lion Worm" is spreading rapidly over the internet and appears
to successfully attack all Linux systems running certain versions of
BIND, both old and relatively new.  BIND 8.2.2, (the Debian stable
version of BIND?), is listed as one of the affected versions in this
security advisory:

Can anybody tell me if Debian's BIND is in danger from the Lion Worm?

The exact BIND version listed in dselect is 8.2.2p7-1.  This package is
described here:

What little BIND security info I found on the Debian website is here:

I'm attaching a copy of the security advisory below.

Shawn Yarbrough


 Please note that this is a preliminary, and currently
 incomplete, characterization of the Lion worm. We are making this
version available to
 provide at least some notice about the worm. Please check back over the
next few days as the
 information is made more complete.

 Lion is a new worm, that is very similar to the Ramen worm. However,
this worm is much more
 dangerous and should be taken seriously. It infects Linux machines with
the BIND DNS server
 running. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1,
8.2.2-Px, and all 8.2.3-betas. The
 bind vulnerability is the TSIG vulnerability that was reported back on
January 29, 2001. 

 The Lion worm spread via an application called randb. randb scans
random class B networks
 probing TCP port 53. Once it hits a system, it then checks to see if
that system is vulnerable. If
 so it then exploits the system using the exploit called name. It then
installs the t0rn rootkit. 

 Once it has entered the system, it sends off the contents of
/etc/passwd, /etc/shadow, and some
 network settings to an address in the china.com domain. It deleted
/etc/hosts.deny, lowering
 some of the built-in protection afforded by tcp wrappers. Ports
60008/tcp and 33567/tcp get a
 backdoor root shell (via inetd, see /etc/inetd.conf), and a trojaned
version of ssh gets placed on
 33568/tcp. Syslogd is killed, so the logging on the system can't be

 A trojaned version of login is installed. It looks for a hashed
password in /etc/ttyhash.
 /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned
 version of ssh. 

 The t0rn rootkit replaces several binaries on the system in order to
hide itself. Here are the
 binaries that it replaces:

 Mjy, a utility for cleaning out log entries, is placed in /bin and
 in.telnetd is also placed in these directories; its use is not known at
this time. A setuid shell is
 placed in /usr/man/man1/man1/lib/.lib/.x 

 We have developed a utility called Lionfind that will detect the Lion
files on an infected system.
 Simply download it, uncompress it, and run lionfind. it will list which
of the suspect files is on the

 Snort rule to detect lion:
 activate udp any any -> any 53 (msg:"Bind Tsig Overflow Attempt";
 "|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; tag: host, 300,

 At this time, Lionfind is not able to remove the virus from the system.
If and when an updated
 version becomes available (and we expect to provide one), an
announcement will be made at
 this site.

 Download Lionfind Here! 

 Further information can be found at:
 http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
CA-2001-02, Multiple
 Vulnerabilities in BIND
 http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer
overflow in transaction
 signature (TSIG) handling code
 http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit. 
 The following vendor update pages may help you in fixing the original
BIND vulnerability:

Reply to: