Lion
According to reports from William Stearns, Senior Research Engineer at the Institute for Security Technology Studies, the research wing of Dartmouth College, Lion exhibits the following characteristics:
Type: Buffer Overflow Worm
According to William Stearns, Senior Research Engineer of the Dartmouth Institute for Security Technology Studies, the worm takes advantage of a known vulnerability. "The machines attacked today were attacked because the administrators failed to update their systems when the TSIG vulnerability was discovered and patches were released," Stearns said. "Unlike the Ramen worm which affected default Red Hat Linux versions 6.2 and 7.0 only, the Lion worm takes advantage of a known vulnerability that affects Linux machines running several versions of the BIND DNS server. This TSIG vulnerability was discovered in early January, when someone realized there was a way to cause a BIND DNS server to run arbitrary commands outside of that server. For example, a legitimate request might be a domain name in which case the DNS would return the valid IP address. However, the vulnerability allows someone to send something other than a name request and instead send the name server a wrong string of characters. In this case, a carefully constructed string of characters can run arbitrary commands, known as a buffer overflow attack. By coming up with a buffer overflow attack like the one found in the Lion worm, additional holes can be opened up on hundreds of thousands of systems. As part of the process, attacked machines also become the attackers."
The SANS/GIAC alert advises that "the Lion worm spreads via an application called 'randb'. Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called 'name'. It then installs the t0rn rootkit."
The SANS alert cautions that once Lion has compromised a system, it:
Additionally, the t0rn rootkit replaces several binaries on the system in order to hide itself: du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top.
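Because the replaced binaries include ls, find, ps and netstat, an administrator cannot trust what the suspect system reports about itself. One way to check the listed binaries against a trusted baseline, as an added example that is not the page's own material and not LionFind's code: the POSIX shell script below records SHA-256 checksums of those binaries on a known-clean system, then flags any that are missing or altered on a suspect one. The paths are assumed to be the usual Red Hat locations of the time; mjy is left out of the path list because it has no standard location on a stock system.

```shell
#!/bin/sh
# Added example, not code from the SANS alert or from LionFind.
# Records SHA-256 checksums of the binaries t0rn is reported to replace
# and later compares a suspect system against that baseline.
#
# Assumptions: paths are the usual Red Hat 6.x/7.x locations; "mjy" from
# the list is omitted because it has no standard path on a stock system.
# Run the check from a trusted environment (boot media, or a clean host
# with the suspect root mounted), since the rootkit may also have replaced
# the very tools this script relies on.

TORN_BINARIES="/usr/bin/du /usr/bin/find /sbin/ifconfig /usr/sbin/in.telnetd \
/usr/sbin/in.fingerd /bin/login /bin/ls /bin/netstat /bin/ps /usr/bin/pstree \
/usr/bin/top"

# make_baseline ROOT OUTFILE
#   Write "sha256  path" for each listed binary that exists under ROOT.
#   Take the baseline from a known-clean system, never from the suspect host.
make_baseline() {
    root=$1
    out=$2
    : > "$out"
    for f in $TORN_BINARIES; do
        if [ -f "$root$f" ]; then
            sum=$(sha256sum "$root$f" | cut -d' ' -f1)
            printf '%s  %s\n' "$sum" "$f" >> "$out"
        fi
    done
}

# check_binaries ROOT BASELINE
#   Print "MISSING  path" or "MODIFIED path" for each baseline entry that
#   is absent or has a different hash under ROOT. Exit status is 0 only
#   when every entry matches.
check_binaries() {
    root=$1
    base=$2
    findings=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"
            findings=$((findings + 1))
            continue
        fi
        actual=$(sha256sum "$root$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            findings=$((findings + 1))
        fi
    done < "$base"
    [ "$findings" -eq 0 ]
}

# Usage:  sh lioncheck.sh baseline /mnt/clean   baseline.txt
#         sh lioncheck.sh check    /mnt/suspect baseline.txt
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_binaries "$2" "$3" ;;
esac
```

The baseline must come from media you trust (install CD, a freshly installed host, or the distribution's package checksums); a baseline taken after infection would simply bless the trojaned copies. On RPM-based systems `rpm -V` against the package database serves the same purpose, with the same caveat that it should be run from a clean environment.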
The original SANS alert with further details can be viewed at http://www.sans.org/y2k/lion.htm. William Stearns has also developed a LionFind utility that alerts administrators to Lion-infected files; a removal tool is currently being developed. The LionFind tool and further details on the worm can be found at the Dartmouth ISTS website. Note that although LionFind has been described as a removal tool, its author, William Stearns, has clarified that it only detects infections and does not remove them.
Aliases:
Systems Affected: Linux machines running the BIND DNS server. It is known to infect BIND versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3 betas.
Payload: Buffer overflow, password and security compromises
ITW: Yes
Origin:
Description: The Lion worm affects Linux machines running the BIND DNS server, versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas.