[plug] OT: latest worm affecting bind

Jon Miller jlmiller at mmtnetworks.com.au
Wed Mar 28 16:26:37 WST 2001


Thought I would pass this along.

The latest buzz in the computing world is the dreaded and dangerous new 
worm called the Lion. Similar to the Ramen worm, the Lion worm scans 
the Internet looking for Linux computers with BIND vulnerabilities -- 
more than 20% of servers on the Internet. The Lion worm infects the 
vulnerable machines, steals the password file and sends it to a site in 
China, installs a few more goodies, scans the Internet looking for 
other victims, and then tries to replicate itself.  Unfortunately, this 
worm is far more dangerous than Ramen and should be taken very 
seriously.

Lion infects Linux machines running BIND versions 8.2, 8.2-P1, 8.2.1, 
8.2.2-Px, and all 8.2.3-betas through the TSIG vulnerability we all 
know and love. The Lion worm spreads via an application called "randb", 
which scans random class B networks probing TCP port 53. Once it hits a 
system, Lion checks for vulnerabilities. Once found, Lion exploits the 
system using an exploit called "name" and then installs the t0rn 
rootkit.

Here is a fairly complete list of what is affected (according to the SANS 
Institute):

    * Sends the contents of /etc/passwd, /etc/shadow, and some network 
      settings to an address in the china.com domain;
    * Deletes /etc/hosts.deny, eliminating the host-based perimeter 
      protection afforded by tcp wrappers;
    * Installs backdoor root shells on ports 60008/tcp and 33567/tcp 
      (via inetd, see /etc/inetd.conf);
    * Installs a Trojan version of ssh that listens on 33568/tcp; 
    * Kills Syslogd, so the logging on the system can't be trusted;
    * Installs a Trojan version of login;
    * Looks for a hashed password in /etc/ttyhash;
    * /usr/sbin/nscd is overwritten with a Trojan version of ssh;
    * The t0rn rootkit replaces several system binaries in order to     
      stealth itself including: du, find, ifconfig, in.telnetd, 
      in.fingerd, login, ls, mjy, netstat, ps, pstree and top;
    * "Mjy", a utility for cleaning out log entries, is placed in /bin 
      and /usr/man/man1/man1/lib/.lib/;
    * in.telnetd is also placed in these directories, but its use is 
      not known at this time;
    * A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x.

Thankfully, SANS has developed a utility called Lionfind that will 
detect the infected system. This utility lists files on the system that 
are suspect; however, it is not able to remove the virus at this time. 
Download Lionfind at: http://www.sans.org/y2k/lionfind-0.1.tar.gz


Jon L. Miller, MCNE ASE
Director/Sr Systems Consultant
MMT Networks Pty Ltd
http://www.mmtnetworks.com.au
PH: +61 8 9242 8600
FX: +61 8 9242 8611
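Added example (not part of the post above, and not SANS's Lionfind): a small Python checker that looks for the host-side indicators the post lists, namely the missing /etc/hosts.deny, the /usr/man/man1/man1/lib/.lib/ directory and its .x setuid shell, /etc/ttyhash, inetd.conf entries bound to 60008/tcp or 33567/tcp, and listeners on 60008, 33567 or 33568. Because the post names ls, netstat and ps among the binaries the t0rn rootkit replaces, the checker reads the filesystem and the kernel's /proc/net/tcp directly rather than calling those tools. It assumes the inspected tree is passed as a root path (so a mounted image can be scanned offline), that backdoor inetd.conf entries name their port either numerically or via a name in /etc/services, and it builds a constructed sample tree for demonstration; the placeholder server path in that sample is invented.

```python
"""Check a filesystem root for the Lion/t0rn indicators listed in the post."""
import os
import re
import stat
import tempfile

# Indicators taken from the post; all paths are relative to the inspected root.
BACKDOOR_PORTS = {60008, 33567, 33568}   # inetd root shells and the trojan ssh listener
HIDDEN_DIR = "usr/man/man1/man1/lib/.lib"
SUID_SHELL = HIDDEN_DIR + "/.x"
TTYHASH = "etc/ttyhash"
HOSTS_DENY = "etc/hosts.deny"
INETD_CONF = "etc/inetd.conf"
SERVICES = "etc/services"
PROC_TCP = "proc/net/tcp"


def _read(root, rel):
    """Read a text file under root, or return None if it is absent."""
    try:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def service_ports(services_text):
    """Map service names to TCP port numbers from /etc/services-style text."""
    ports = {}
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(\S+)\s+(\d+)/tcp", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports


def inetd_backdoor_lines(inetd_text, name_to_port):
    """Return inetd.conf entries whose service field resolves to a backdoor port.
    Assumption: the field is either a bare port number or a name in /etc/services."""
    hits = []
    for line in inetd_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        svc = s.split()[0]
        port = int(svc) if svc.isdigit() else name_to_port.get(svc)
        if port in BACKDOOR_PORTS:
            hits.append(s)
    return hits


def listening_ports(proc_tcp_text):
    """Parse /proc/net/tcp (kernel view, independent of a trojaned netstat) for LISTEN sockets.
    Columns: sl local_address rem_address st ...; local_address is hexIP:hexPORT, st 0A is LISTEN."""
    ports = set()
    for line in proc_tcp_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def scan(root="/"):
    """Return (indicator, detail) findings for the filesystem rooted at root."""
    findings = []
    if not os.path.exists(os.path.join(root, HOSTS_DENY)):
        findings.append(("hosts.deny missing", HOSTS_DENY))
    if os.path.isdir(os.path.join(root, HIDDEN_DIR)):
        findings.append(("t0rn hidden directory", HIDDEN_DIR))
    shell = os.path.join(root, SUID_SHELL)
    if os.path.exists(shell):
        kind = "setuid shell" if os.stat(shell).st_mode & stat.S_ISUID else "file in hidden dir"
        findings.append((kind, SUID_SHELL))
    if os.path.exists(os.path.join(root, TTYHASH)):
        findings.append(("ttyhash present", TTYHASH))
    names = service_ports(_read(root, SERVICES) or "")
    for line in inetd_backdoor_lines(_read(root, INETD_CONF) or "", names):
        findings.append(("inetd backdoor entry", line))
    proc = _read(root, PROC_TCP)
    if proc is not None:
        for port in sorted(listening_ports(proc) & BACKDOOR_PORTS):
            findings.append(("backdoor port listening", str(port)))
    return findings


def build_sample_root():
    """Constructed sample tree reproducing the post's indicators (not a real infection)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "proc/net"))
    os.makedirs(os.path.join(root, HIDDEN_DIR))
    with open(os.path.join(root, INETD_CONF), "w") as f:
        f.write("telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n")
        f.write("60008 stream tcp nowait root /usr/sbin/placeholder-server x\n")   # numeric port
        f.write("bdoor stream tcp nowait root /usr/sbin/placeholder-server x\n")   # named port
    with open(os.path.join(root, SERVICES), "w") as f:
        f.write("bdoor 33567/tcp\n")
    with open(os.path.join(root, TTYHASH), "w") as f:
        f.write("constructed\n")
    shell = os.path.join(root, SUID_SHELL)
    with open(shell, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(shell, 0o4755)
    with open(os.path.join(root, PROC_TCP), "w") as f:
        f.write("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n")
        f.write("   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1\n")  # port 22
        f.write("   1: 00000000:8320 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2\n")  # port 33568
    # /etc/hosts.deny is deliberately absent, as the post describes.
    return root


if __name__ == "__main__":
    for kind, detail in scan(build_sample_root()):
        print(f"{kind}: {detail}")
```

Run it against a live host with `scan("/")` or against a mounted disk image with `scan("/mnt/image")`; the sample tree only exists to show what a hit looks like. Absence of findings is not a clean bill of health, since the list in the post is what SANS had catalogued at the time, not everything a rootkit can change.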