From: Robert J. Bradbury (bradbury@aeiveos.com)
Date: Fri Mar 23 2001 - 15:46:20 MST
Those of you who are running LINUX should read this. Those not,
just toss it.
The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously. It
infects Linux machines running the BIND DNS server. It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,
2001.
The Lion worm spreads via an application called "randb". Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name". It then installs the t0rn rootkit.
[snip - all the bad stuff it does]
DETECTION AND REMOVAL
We have developed a utility called Lionfind that will detect the Lion
files on an infected system. Simply download it, uncompress it, and
run lionfind. This utility will list which of the suspect files is on
the system.
At this time, Lionfind is not able to remove the virus from the system.
If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.
Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
REFERENCES
Further information can be found at:
http://www.sans.org/current.htm
http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
Multiple Vulnerabilities in BIND
http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
in transaction signature (TSIG) handling code
http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
The following vendor update pages may help you in fixing the original BIND
vulnerability:
Redhat Linux RHSA-2001:007-03 - Bind remote exploit
http://www.redhat.com/support/errata/RHSA-2001-007.html
Debian GNU/Linux DSA-026-1 BIND
http://www.debian.org/security/2001/dsa-026
SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt
Caldera Linux CSSA-2001-008.0 Bind buffer overflow
http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.
The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.
Also contributing efforts go to Dave Dittrich from the University of
Washington, and Greg Shipley of Neohapsis
Matt Fearnow
SANS GIAC Incident Handler
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 08:06:38 MST