Lion Worm
I'm using Debian stable (Debian 2.2 upgraded with current upgrades using
dselect over apt-get).
This new "Lion Worm" is spreading rapidly over the internet and appears
to successfully attack all Linux systems running certain versions of
BIND, both old and relatively new. BIND 8.2.2, (the Debian stable
version of BIND?), is listed as one of the affected versions in this
security advisory:
http://www.sans.org/y2k/lion.htm
Can anybody tell me if Debian's BIND is in danger from the Lion Worm?
The exact BIND version listed in dselect is 8.2.2p7-1. This package is
described here:
http://packages.debian.org/stable/net/bind.html
What little BIND security info I found on the Debian website is here:
http://lists.debian.org/debian-security-announce-01/msg00019.html
http://lists.debian.org/debian-user-0101/msg05121.html
I'm attaching a copy of the security advisory below.
Shawn Yarbrough
shawn@nailstorm.com
http://www.sans.org/y2k/lion.htm
Description
Please note that this is a preliminary, and currently incomplete, characterization of the Lion worm. We are making this version available to provide at least some notice about the worm. Please check back over the next few days as the information is made more complete.
Lion is a new worm that is very similar to the Ramen worm. However, this worm is much more dangerous and should be taken seriously. It infects Linux machines with the BIND DNS server running. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The bind vulnerability is the TSIG vulnerability that was reported back on January 29, 2001.
The Lion worm spreads via an application called randb. randb scans random class B networks probing TCP port 53. Once it hits a system, it then checks to see if that system is vulnerable. If so, it then exploits the system using the exploit called name. It then installs the t0rn rootkit.
Once it has entered the system, it sends off the contents of /etc/passwd, /etc/shadow, and some network settings to an address in the china.com domain. It deletes /etc/hosts.deny, lowering some of the built-in protection afforded by tcp wrappers. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via inetd, see /etc/inetd.conf), and a trojaned version of ssh gets placed on 33568/tcp. Syslogd is killed, so the logging on the system can't be trusted.
A trojaned version of login is installed. It looks for a hashed password in /etc/ttyhash. /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.
The t0rn rootkit replaces several binaries on the system in order to hide itself. Here are the binaries that it replaces:
du
find
ifconfig
in.telnetd
in.fingerd
login
ls
mjy
netstat
ps
pstree
top
Mjy, a utility for cleaning out log entries, is placed in /bin and /usr/man/man1/man1/lib/.lib/. in.telnetd is also placed in these directories; its use is not known at this time. A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
Detection
We have developed a utility called Lionfind that will detect the Lion files on an infected system. Simply download it, uncompress it, and run lionfind. It will list which of the suspect files is on the system.
Snort rule to detect lion:
activate udp any any -> any 53 (msg:"Bind Tsig Overflow Attempt"; content: "|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; tag: host, 300, seconds, src;)
Removal
At this time, Lionfind is not able to remove the virus from the system. If and when an updated version becomes available (and we expect to provide one), an announcement will be made at this site.
Download Lionfind Here!
References
Further information can be found at:
http://www.sans.org/current.htm
http://www.cert.org/advisories/CA-2001-02.html CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
The following vendor update pages may help you in fixing the original BIND vulnerability:
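A file-level check for the host indicators the advisory above lists, added here as an example. It is not SANS's lionfind and is not part of the original post or advisory: the ports, paths and file names come from the advisory text, while the ROOT argument, the output format and the "SSH-" banner heuristic for the overwritten nscd are this example's own assumptions. The practical point is the ROOT argument: since t0rn replaces ls, find, ps and netstat, a live infected host will hide the files from you, so boot from clean media, mount the suspect disk read-only and point the script at the mount point.

```sh
#!/bin/sh
# lioncheck.sh -- added example for this post, not the SANS "lionfind" tool.
# Checks a filesystem root for the Lion worm / t0rn rootkit indicators given
# in the SANS advisory. Ports, paths and file names are the advisory's; the
# ROOT argument, the output format and the nscd heuristic are assumptions.
#
# Usage:  sh lioncheck.sh /mnt/suspect    (suspect disk mounted from a rescue boot)
#         sh lioncheck.sh /               (only meaningful on a trusted host,
#                                          because t0rn trojans ls/find/ps/netstat)

lion_check() {
    root="${1%/}"                  # "/" becomes "", so "$root/etc" is "/etc"
    found=0
    report() { echo "LION: $1"; found=$((found + 1)); }

    # Backdoor shells on 60008/tcp and 33567/tcp and the trojaned ssh on
    # 33568/tcp are started from inetd. inetd.conf names services and the
    # names resolve via /etc/services, so a new listener has to show up in
    # one of the two files. Comment lines are skipped.
    for f in etc/inetd.conf etc/services; do
        [ -f "$root/$f" ] || continue
        if grep -Ev '^[[:space:]]*#' "$root/$f" \
           | grep -Eq '(^|[^0-9])(60008|33567|33568)([^0-9]|$)'; then
            report "/$f references a Lion backdoor port (60008, 33567 or 33568)"
        fi
    done

    # The trojaned login reads its backdoor password hash from /etc/ttyhash.
    [ -e "$root/etc/ttyhash" ] && report "/etc/ttyhash present (t0rn login backdoor)"

    # Rootkit working directory, the setuid shell .x, and the mjy log cleaner
    # dropped into /bin and into the hidden directory.
    hid="usr/man/man1/man1/lib/.lib"
    [ -d "$root/$hid" ] && report "hidden rootkit directory /$hid"
    [ -f "$root/$hid/.x" ] && [ -u "$root/$hid/.x" ] && report "setuid shell /$hid/.x"
    for p in bin/mjy "$hid/mjy"; do
        [ -e "$root/$p" ] && report "log cleaner /$p"
    done

    # The worm deletes /etc/hosts.deny. Most distributions, Debian included,
    # install one, so absence is worth a look even though it is weak evidence.
    [ -e "$root/etc/hosts.deny" ] || report "/etc/hosts.deny missing (tcp wrappers deny list removed)"

    # nscd is overwritten with a trojaned ssh. Heuristic (assumption): a real
    # nscd binary does not carry the "SSH-" protocol banner string, an ssh
    # binary does. grep -q exits 0 on a match even in a binary file.
    if [ -f "$root/usr/sbin/nscd" ] && grep -q 'SSH-' "$root/usr/sbin/nscd" 2>/dev/null; then
        report "/usr/sbin/nscd contains an SSH banner string (trojaned ssh?)"
    fi

    # Exit status: 0 when nothing was found, 1 when at least one indicator hit.
    [ "$found" -eq 0 ]
}

# Run the check when a root directory is given on the command line.
if [ -n "${1:-}" ]; then
    lion_check "$1"
fi
```

Two caveats. First, a presence check says nothing about the binaries the advisory lists as replaced (du, find, ifconfig, login, ls, netstat, ps, top and the rest); those have to be compared against known-good copies, again from clean media, since the rootkit's own tools are the ones that would lie. Second, a hit means the box is owned and, as the advisory's Removal section says, there is no cleanup tool: reinstall from trusted media and patch BIND before reconnecting.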