
Worm Targeting Linux Could Cause Serious Damage

Editor’s Note: The original SANS advisory, posted today, may
be found at http://www.sans.org/y2k/lion.htm.
In addition to the advisory a script called “lionfind” is available
from the referenced page. Note that while the worm is new, the
exploit involved is not. Please see Related Stories at the bottom
of the article, which contain not only links to stories describing
the exploit, but all of LinuxToday’s links to patches and fixes
submitted by various distributions.

By Thor Olavsrud, InternetNews.com

A new worm targeting Linux machines running the BIND DNS server
is rapidly making its way across the Internet and has the potential
to create serious damage, according to the SANS Institute’s Global
Incident Analysis Center (GIAC).

The GIAC team uncovered the worm — which may have originated
with a hacking crew in China — late Thursday. The team has logged
in the neighborhood of 49,000 scans for vulnerable BIND servers in
the past two days.

The worm has been dubbed Lion, and has similarities to the Ramen
worm which burrowed into machines running Red Hat 6.2 and 7.0 in
January.

“However, this worm is significantly more dangerous and should
be taken very seriously,” the SANS GIAC team wrote in its alert
Friday.

The worm can infect BIND 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas, using the TSIG vulnerability exposed by the Computer
Emergency Response Team (CERT) Coordination Center on Jan. 29.

Lion spreads via an application called “randb”. Randb scans
random class B networks probing TCP port 53. Once it finds a system
it checks for the vulnerability, and, if the system is vulnerable,
it attacks the system using an exploit called “name.” The worm
e-mails the password and config files to an e-mail address in the
china.com domain. It then installs the t0rn rootkit and proceeds to:

  • Send the contents of the /etc/passwd, /etc/shadow, and some
    network settings to an address in the china.com domain
  • Delete /etc/hosts.deny, eliminating the host-based perimeter
    protection afforded by tcp wrappers
  • Install backdoor root shells on ports 60008/tcp and
    33567/tcp
  • Install a trojaned version of ssh that listens on
    33568/tcp
  • Kill syslogd so the logging on the system can’t be
    trusted
  • Install a trojaned version of login
  • Look for a hashed password in /etc/ttyhash
  • Overwrite /usr/sbin/nscd (the optional Name Service Caching
    daemon) with a trojaned version of ssh.

The t0rn rootkit also replaces a number of binaries on the
system — including du, find, ifconfig, in.telnetd, in.fingerd,
login, ls, mjy, netstat, ps, pstree, and top — in order to hide
itself. Mjy, a utility for cleaning out log entries, is placed in
/bin and /usr/man/man1/man1/lib/.lib/. For unknown reasons,
in.telnetd is also placed in those directories. Also, a setuid
shell is placed in /usr/man/man1/man1/lib/.lib/.x.

One bug tracker pointed to a portion of one of the shell scripts
— “#removed this patching since this kit is not going to be used
with the # wuftpd/statd worms…” — which he said indicated that
the creators were at least thinking about using the worm for other
exploits.

Once the machine is fully infiltrated, Lion forces the machine
to begin scanning the Internet for other victims.

Stearns has written a script called Lionfind, which can detect if
a system has been infiltrated by Lion. The utility is available
from the SANS advisory page noted above. Lionfind is not currently
able to remove the worm from an infected system.

Stearns also noted that fewer systems will be affected by Lion
than were affected by Ramen — simply because fewer systems run
their own name servers — but the costs to those affected are
likely to be considerably higher.
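As an added example, and not the SANS Lionfind script or any code from the article, the following POSIX shell script checks a host for the indicators the article lists: the two backdoor root-shell ports and the trojaned ssh port, the hidden rootkit directory and its setuid shell, /etc/ttyhash, mjy dropped in /bin, and the deleted /etc/hosts.deny. The ROOT prefix argument to lion_check_files and the sample netstat lines are assumptions added so the checks can be exercised offline against a scratch directory tree.

```shell
#!/bin/sh
# Added example (not the SANS lionfind script): check a host for the Lion / t0rn
# indicators named in the article. The ROOT prefix and the sample netstat lines
# are assumptions so the checks can be exercised offline against a scratch tree.

# File-system indicators from the article: the hidden rootkit directory and its
# setuid shell, the ttyhash password file, and the mjy log cleaner placed in /bin.
LION_PATHS="/usr/man/man1/man1/lib/.lib /usr/man/man1/man1/lib/.lib/.x /etc/ttyhash /bin/mjy"

# TCP ports the article lists: two backdoor root shells and the trojaned ssh.
LION_PORTS="60008 33567 33568"

# lion_check_files [ROOT]: print one "FOUND <path>" line per indicator present
# under ROOT (empty or "/" means the live system), plus "MISSING /etc/hosts.deny",
# because the worm deletes that file to disable tcp_wrappers. Always returns 0.
lion_check_files() {
    root=${1%/}
    for p in $LION_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND $p"
        fi
    done
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "MISSING /etc/hosts.deny"
    fi
    return 0
}

# lion_check_ports: read "netstat -tln" style lines on stdin and print
# "LISTEN <port>" for each listed port found in the LISTEN state. Header lines
# and established connections are skipped. Always returns 0.
lion_check_ports() {
    while read -r proto recvq sendq laddr raddr state rest; do
        if [ "$state" != "LISTEN" ]; then
            continue
        fi
        port=${laddr##*:}
        for bp in $LION_PORTS; do
            if [ "$port" = "$bp" ]; then
                echo "LISTEN $port"
            fi
        done
    done
    return 0
}

# Constructed sample in "netstat -tln" format (not captured from a real host):
# sshd on 22, a Lion backdoor on 60008, the trojaned ssh on 33568, and an
# established (not listening) connection on 33567, which must not be reported.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60008           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33568           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:33567          10.0.0.9:4321           ESTABLISHED'

echo "== constructed netstat sample =="
printf '%s\n' "$SAMPLE_NETSTAT" | lion_check_ports

echo "== live host =="
netstat -tln 2>/dev/null | lion_check_ports
lion_check_files /
```

On a real system run `netstat -tln | lion_check_ports` and `lion_check_files /`. Because the article says t0rn replaces ls, netstat, ps and other binaries to hide itself and kills syslogd, output produced by a suspect host's own tools cannot be trusted; run the checks from known-good binaries (for example, after booting from rescue media and pointing lion_check_files at the mounted root) and treat the port check as corroboration rather than proof.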
