Virus Alert To Linux Users
Posted 28th March 2001
The SANS Institute (through its Global Incident Analysis Center)
uncovered a dangerous new worm that appears to be spreading
rapidly across the Internet. It scans the Internet looking for
Linux computers with a known vulnerability. It infects the vulnerable
machines, steals the password file (sending it to a China.com
site), installs other hacking tools, and forces the newly infected
machine to begin scanning the Internet looking for other victims.
Several experts from the security community worked through the
night to decompose the worm's code and engineer a utility to
help you discover if the Lion worm has affected your organization.
Updates to this announcement will be posted at the SANS web site.
DESCRIPTION
The Lion worm is similar to the Ramen worm; however, this worm
is significantly more dangerous and should be taken very seriously.
It infects Linux machines running the BIND DNS server. It is
known to infect BIND versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px,
and all 8.2.3-betas. The specific vulnerability used by the
worm to exploit machines is the TSIG vulnerability that was
reported on January 29, 2001; upgrading to the BIND 8.2.3 release
(or a later version) closes the hole. The Lion worm spreads via an
application called "randb". Randb scans random class B networks,
probing TCP port 53. Once it hits a system, it checks to see if it is
vulnerable. If so, Lion exploits the system using an exploit
called "name". It then installs the t0rn rootkit.
Once Lion has compromised a system, it:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some
  network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter
  protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp
  (via inetd, see /etc/inetd.conf).
- Installs a trojaned version of ssh that listens on 33568/tcp.
- Kills syslogd, so the logging on the system can't be trusted.
- Installs a trojaned version of login, which looks for a hashed
  password in /etc/ttyhash.
- Overwrites /usr/sbin/nscd (the optional Name Service Caching
  daemon) with a trojaned version of ssh.
- Installs the t0rn rootkit, which replaces several binaries on the
  system in order to hide itself. The binaries it replaces are: du,
  find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
  ps, pstree, top.
- "Mjy" is a utility for cleaning out log entries, and is placed in
  /bin and /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its use is not
  known at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x.
DETECTION AND REMOVAL
We have developed a utility called Lionfind that will detect the
Lion files on an infected system. Simply download it, uncompress
it, and run lionfind. This utility will list which of the suspect
files are on the system. At this time, Lionfind is not able to
remove the worm from the system. If and when an updated version
becomes available (and we expect to provide one), an announcement
will be made at this site. Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz.