Worm Targeting Linux Could Cause Serious Damage
Mar 24, 2001, 06:29
Editor's Note: The original SANS advisory, posted today, may be found at http://www.sans.org/y2k/lion.htm. In addition to the advisory a script called "lionfind" is available from the referenced page. Note that while the worm is new, the exploit involved is not. Please see Related Stories at the bottom of the article, which contain not only links to stories describing the exploit, but all of LinuxToday's links to patches and fixes submitted by various distributions.
By Thor Olavsrud, InternetNews.com
A new worm targeting Linux machines running the BIND DNS server is rapidly making its way across the Internet and has the potential to create serious damage, according to the SANS Institute's Global Incident Analysis Center (GIAC).
The GIAC team uncovered the worm -- which may have originated with a hacking crew in China -- late Thursday. The team has logged in the neighborhood of 49,000 scans for vulnerable BIND servers in the past two days.
The worm has been dubbed Lion, and has similarities to the Ramen worm which burrowed into machines running Red Hat 6.2 and 7.0 in January.
"However, this worm is significantly more dangerous and should be taken very seriously," the SANS GIAC team wrote in its alert Friday.
The worm can infect BIND 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas, using the TSIG vulnerability exposed by the Computer Emergency Response Team (CERT) Coordination Center on Jan. 29.
Lion spreads via an application called "randb". Randb scans random class B networks, probing TCP port 53. Once it finds a system, it checks for the vulnerability and, if the system is vulnerable, attacks it using an exploit called "name". The worm e-mails the password and config files to a firstname.lastname@example.org account. It then installs the t0rn rootkit and proceeds to:
The t0rn rootkit also replaces a number of binaries on the system -- including du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, and top -- in order to hide itself. Mjy, a utility for cleaning out log entries, is placed in /bin and /usr/man/man1/man1/lib/.lib/. For unknown reasons, in.telnetd is also placed in those directories. Also, a setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x.
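The file and binary artifacts listed above are the kind of host-based indicators a responder would look for on a suspect machine. The script below is an added example written for this article; it is not the SANS "lionfind" script and does not attempt removal. It checks only the paths and binaries the article names; the optional `rpm -Vf` step (an assumption that the host is RPM-based) compares each system binary against its package, and is only as trustworthy as the rpm binary and database on the box.

```shell
#!/bin/sh
# Added example (not the SANS "lionfind" script): look for the t0rn rootkit
# artifacts the article describes. Pass a mount point to examine a suspect
# disk image from a clean host; with no argument it examines the live system.
# Exit status: 0 when nothing was found, 1 when at least one indicator hit.

LIBDIR=/usr/man/man1/man1/lib/.lib   # hidden directory t0rn uses, per the article

lion_check() {
    root="${1:-}"
    hits=0

    # Dropped files: the setuid shell .x, the "mjy" log cleaner, and the
    # stray in.telnetd copies, in both locations the article names.
    for p in "$LIBDIR" "$LIBDIR/.x" "$LIBDIR/mjy" "$LIBDIR/in.telnetd" \
             /bin/mjy /bin/in.telnetd; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done

    # The .x shell is only useful to an intruder if it is setuid.
    if [ -u "$root$LIBDIR/.x" ]; then
        echo "FOUND: setuid bit set on $root$LIBDIR/.x"
        hits=$((hits + 1))
    fi

    # Trojaned system binaries: on an RPM-based live system (assumption),
    # verify each one against its package. Only lines naming the binary
    # itself are reported, so changed docs or configs in the same package
    # do not count. Boot from clean media if rpm itself may be trojaned.
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        for b in du find ifconfig login ls netstat ps pstree top; do
            f=$(command -v "$b" 2>/dev/null) || continue
            v=$(rpm -Vf "$f" 2>/dev/null | grep -- " $f\$") || true
            if [ -n "$v" ]; then
                echo "MODIFIED: $v"
                hits=$((hits + 1))
            fi
        done
    fi

    echo "$hits indicator(s) found"
    [ "$hits" -eq 0 ]
}
```

Source the file and run `lion_check` on the live system, or `lion_check /mnt/suspect` against a mounted image; a non-zero exit means at least one indicator was present.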
One bug tracker pointed to a portion of one of the shell scripts -- "#removed this patching since this kit is not going to be used with the # wuftpd/statd worms..." -- which he said indicated that the creators were at least thinking about using the worm for other exploits.
Once the machine is fully infiltrated, Lion forces the machine to begin scanning the Internet for other victims.
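Because randb probes TCP port 53 on random networks, an infected host shows up in perimeter logs as one source opening connections to port 53 on many distinct addresses, which looks nothing like a normal resolver talking to one or two servers. The script below is an added example, not from the article or SANS: it counts, per source address, how many distinct destinations received a TCP SYN to port 53 and flags sources over a threshold. The iptables-style log format and the sample lines are assumed and constructed for the example.

```shell
#!/bin/sh
# Added example: flag sources that send TCP SYNs to port 53 across many
# distinct destinations, the pattern the article describes for randb.
# Log format assumed: Linux iptables LOG lines with SRC=/DST=/PROTO=/DPT=
# fields and a bare "SYN" flag token. Usage: scan_sources LOGFILE [THRESHOLD]

scan_sources() {
    awk -v thr="${2:-5}" '
        {
            src = ""; dst = ""; dpt53 = 0; tcp = 0; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)            src = substr($i, 5)
                else if ($i ~ /^DST=/)       dst = substr($i, 5)
                else if ($i == "DPT=53")     dpt53 = 1
                else if ($i == "PROTO=TCP")  tcp = 1
                else if ($i == "SYN")        syn = 1
            }
            # Count each (source, destination) pair once; repeated lookups
            # to the same resolver must not look like a scan.
            if (src != "" && dst != "" && dpt53 && tcp && syn &&
                !seen[src SUBSEP dst]++)
                n[src]++
        }
        END { for (s in n) if (n[s] >= thr) print s, n[s] }
    ' "$1" | sort
}

# Constructed sample: 192.0.2.10 sweeps four hosts on TCP 53 (one twice),
# 198.51.100.7 does ordinary lookups against a single resolver.
sample_log() {
    cat <<'EOF'
Mar 23 02:11:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.1 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=41234 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 02:11:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.2 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=41235 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 02:11:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.2 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=41236 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 02:11:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.3 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=41237 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 02:11:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.4 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=41238 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 02:11:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=41239 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 02:11:07 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.6 LEN=73 TTL=49 ID=0 DF PROTO=UDP SPT=33000 DPT=53 LEN=53
Mar 23 02:12:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TTL=62 ID=0 DF PROTO=TCP SPT=50001 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 23 02:12:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TTL=62 ID=0 DF PROTO=TCP SPT=50002 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}
```

Run `scan_sources /var/log/messages 20` against real logs; the threshold separates hosts that merely query a few resolvers from one that touches dozens of distinct port-53 targets. UDP lookups and non-53 traffic are ignored by design, since randb's probing is TCP.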
Stearns has written a script called Lionfind, which can detect if a system has been infiltrated by Lion. The utility is available from the SANS advisory page referenced in the editor's note above. Lionfind is not currently able to remove the worm from an infected system.
Stearns also noted that fewer systems will be affected by Lion than were affected by Ramen -- simply because fewer systems run their own name servers -- but the costs to those affected are likely to be considerably higher.