ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
March 23, 2001 7:00 AM

Late last night, the SANS Institute (through its Global Incident Analysis Center) uncovered a dangerous new worm that appears to be spreading rapidly across the Internet. It scans the Internet looking for Linux computers with a known vulnerability. It infects the vulnerable machines, steals the password file (sending it to a China.com site), installs other hacking tools, and forces the newly infected machine to begin scanning the Internet looking for other victims.

Several experts from the security community worked through the night to decompose the worm's code and engineer a utility to help you discover if the Lion worm has affected your organization.

Updates to this announcement will be posted at the SANS web site, http://www.sans.org

DESCRIPTION
The Lion worm is similar to the Ramen worm. However, this worm is significantly more dangerous and should be taken very seriously. It infects Linux machines running the BIND DNS server. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The specific vulnerability used by the worm to exploit machines is the TSIG vulnerability that was reported on January 29, 2001.

The Lion worm spreads via an application called "randb". Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called "name". It then installs the t0rn rootkit.

Once Lion has compromised a system, it:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd, see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.
The t0rn rootkit replaces several binaries on the system in order to stealth itself. Here are the binaries that it replaces:

du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top

- "Mjy" is a utility for cleaning out log entries, and is placed in /bin and /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its use is not known at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
DETECTION AND REMOVAL

We have developed a utility called Lionfind that will detect the Lion files on an infected system. Simply download it, uncompress it, and run lionfind. This utility will list which of the suspect files is on the system.

At this time, Lionfind is not able to remove the virus from the system. If and when an updated version becomes available (and we expect to provide one), an announcement will be made at this site.
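As an added example (not the Lionfind utility and not code from the original advisory), the following POSIX shell script checks a host, or a mounted image of its disk, for the indicators listed above. Since t0rn replaces ps, netstat, ls and find, it avoids those binaries and reads /proc/net/tcp directly; the ROOT argument and the set of paths checked are its own assumptions, taken from the advisory's description.

```shell
#!/bin/sh
# Added example (not the SANS Lionfind utility): checks a host, or a mounted
# image of its disk, for the Lion/t0rn indicators listed in the advisory.
# Because t0rn replaces ps, netstat, ls and find, the checks avoid those
# binaries: paths are tested with the shell's own [ -e ] and listening
# ports are read straight from /proc/net/tcp. ROOT is an assumed parameter
# (default "/", i.e. the live system).

# lion_files ROOT: report dropped files named in the advisory, plus the
# /etc/hosts.deny that the worm deletes.
lion_files() {
    r="${1%/}"
    for p in /usr/man/man1/man1/lib/.lib /usr/man/man1/man1/lib/.lib/.x \
             /bin/mjy /etc/ttyhash; do
        [ -e "$r$p" ] && echo "FOUND $p"
    done
    [ -e "$r/etc/hosts.deny" ] || echo "MISSING /etc/hosts.deny (deleted by the worm)"
}

# lion_listeners FILE: print the advisory's backdoor ports that are in
# LISTEN state (st == 0A) in FILE, a copy of /proc/net/tcp. Local ports
# appear there as 4 uppercase hex digits: 60008=EA68, 33567=831F, 33568=8320.
lion_listeners() {
    awk 'BEGIN { want["EA68"] = 60008; want["831F"] = 33567; want["8320"] = 33568 }
         NR > 1 && $4 == "0A" {
             split($2, a, ":")
             if (a[2] in want) print want[a[2]]
         }' "$1"
}

# lion_check ROOT: run both checks; one finding per output line.
lion_check() {
    r="${1%/}"
    lion_files "$r"
    if [ -r "$r/proc/net/tcp" ]; then
        lion_listeners "$r/proc/net/tcp" | while read -r port; do
            echo "LISTEN $port/tcp (backdoor port named in the advisory)"
        done
    fi
}

# Usage: sh lioncheck.sh [ROOT]
if [ -n "${1:-}" ]; then
    lion_check "$1"
fi
```

A clean host prints nothing except possibly the hosts.deny line, so any FOUND or LISTEN line is worth a closer look; run it from a known-good shell and awk, since the rootkit also replaces login.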
Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz

REFERENCES
Further information can be found at:

http://www.sans.org/current.htm

http://www.cert.org/advisories/CA-2001-02.html
CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND

http://www.kb.cert.org/vuls/id/196945
ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code

http://www.sans.org/y2k/t0rn.htm
Information about the t0rn rootkit.

The following vendor update pages may help you in fixing the original BIND vulnerability:

Redhat Linux RHSA-2001:007-03 - Bind remote exploit
http://www.redhat.com/support/errata/RHSA-2001-007.html

Debian GNU/Linux DSA-026-1 BIND
http://www.debian.org/security/2001/dsa-026

SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
http://www.suse.com/de/support/security/2001_003_bind8_txt.txt

Caldera Linux CSSA-2001-008.0 Bind buffer overflow
http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

This security advisory was prepared by Matt Fearnow of the SANS Institute and William Stearns of the Dartmouth Institute for Security Technology Studies.
The Lionfind utility was written by William Stearns. William is an Open-Source developer, enthusiast, and advocate from Vermont, USA. His day job at the Institute for Security Technology Studies at Dartmouth College pays him to work on network security and Linux projects.

Contributions also came from Dave Dittrich of the University of Washington and Greg Shipley of Neohapsis.

Matt Fearnow
SANS GIAC Incident Handler
If you have additional data on this worm or a critical question, please email [EMAIL PROTECTED]