LION worm alert
R. David Whitlock
ryandav at u.washington.edu
Fri Mar 23 15:17:14 PST 2001
Good afternoon all,
I know that DaveD is usually the man with those hot, fresh vulnerabily
notifications, but this one seemed important enought to this group to
forward on immediately. The methods used here almost guarantee that there
will be a large number of compromised systems.
If you are running any version of bind ( named ) at home under linux other
than 9.1.0-REL ( or higher ) or 8.2.3-REL please download the infection
scanning software mentioned in the following advisory, and check your
You can check what version of named you are running by issuing the
following command ( as any user ):
$ named -v
named 8.2.3-REL Mon Jan 29 17:18:45 PST 2001
"What you hear isn't necessarily what was said,
what you read isn't necessarily what was written."
---------- Forwarded message ----------
Date: Fri, 23 Mar 2001 12:08:03 -0700 (MST)
From: The SANS Institute <securityalert at sans.org>
Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
March 23, 2001 7:00 AM
Late last night, the SANS Institute (through its Global Incident
Analysis Center) uncovered a dangerous new worm that appears to be
spreading rapidly across the Internet. It scans the Internet looking
for Linux computers with a known vulnerability. It infects the
vulnerable machines, steals the password file (sending it to a
China.com site), installs other hacking tools, and forces the newly
infected machine to begin scanning the Internet looking for other
Several experts from the security community worked through the night to
decompose the worm's code and engineer a utility to help you discover
if the Lion worm has affected your organization.
Updates to this announcement will be posted at the SANS web site,
The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously. It
infects Linux machines running the BIND DNS server. It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,
The Lion worm spreads via an application called "randb". Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name". It then installs the t0rn rootkit.
Once Lion has compromised a system, it:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some
network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter
protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
inetd, see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills Syslogd , so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned version of ssh.
The t0rn rootkit replaces several binaries on the system in order to
stealth itself. Here are the binaries that it replaces:
du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
ps, pstree, top
- "Mjy" is a utility for cleaning out log entries, and is placed in /bin
- in.telnetd is also placed in these directories; its use is not known
at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
DETECTION AND REMOVAL
We have developed a utility called Lionfind that will detect the Lion
files on an infected system. Simply download it, uncompress it, and
run lionfind. This utility will list which of the suspect files is on
At this time, Lionfind is not able to remove the virus from the system.
If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.
Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
Further information can be found at:
http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
Multiple Vulnerabilities in BIND
http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
in transaction signature (TSIG) handling code
http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
he following vendor update pages may help you in fixing the original BIND
Redhat Linux RHSA-2001:007-03 - Bind remote exploit
Debian GNU/Linux DSA-026-1 BIND
SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
Caldera Linux CSSA-2001-008.0 Bind buffer overflow
This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.
Also contributing efforts go to Dave Dittrich from the University of
Washington, and Greg Shipley of Neohapsis
SANS GIAC Incident Handler
If you have additional data on this worm or a critical quetsion please
email lionworm at sans.org
More information about the Linux