


Lion
Aliases:

According to reports from William Stearns, Senior Research Engineer, Institute for Security Technology Studies, the research wing of Dartmouth College, Lion exhibits the following characteristics:

Type: Buffer Overflow Worm
Systems Affected: Linux machines running the BIND DNS server. It is known to infect BIND versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas
Payload: Buffer overflow, password and security compromises
ITW: Yes
Origin:
Description: The Lion worm affects Linux machines running the BIND DNS server, versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas.

According to William Stearns, Senior Research Engineer of the Dartmouth Institute for Security Technology Studies, the worm takes advantage of a known vulnerability. "The machines attacked today were attacked because the administrators failed to update their systems when the TSIG vulnerability was discovered and patches were released," Stearns said. "Unlike the Ramen worm which affected default Red Hat Linux versions 6.2 and 7.0 only, the Lion worm takes advantage of a known vulnerability that affects Linux machines running several versions of the BIND DNS server. This TSIG vulnerability was discovered in early January, when someone realized there was a way to cause a BIND DNS server to run arbitrary commands outside of that server. For example, a legitimate request might be a domain name in which case the DNS would return the valid IP address. However, the vulnerability allows someone to send something other than a name request and instead sends the name server a wrong string of characters. In this case, a carefully constructed string of characters can run arbitrary commands, known as a buffer overflow attack. By coming up with a buffer overflow attack like the one found in the Lion worm, additional holes can be opened up on hundreds of thousands of systems. As part of the process, attacked machines also become the attackers."

The SANS/GIAC alert advises that "the Lion worm spreads via an application called 'randb'. Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called 'name'. It then installs the t0rn rootkit." The SANS alert cautions that once Lion has compromised a system, it:

  • Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the china.com domain.
  • Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers.
  • Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd, see /etc/inetd.conf)
  • Installs a trojaned version of ssh that listens on 33568/tcp
  • Kills syslogd, so the logging on the system can't be trusted
  • Installs a trojaned version of login
  • Looks for a hashed password in /etc/ttyhash
  • /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.

Additionally, the t0rn rootkit replaces several binaries on the system in order to hide itself: du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top
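The version list under "Systems Affected" and the post-compromise indicators quoted from the SANS alert are, between them, what an administrator needs to triage a host. The script below is an added example of my own, not LionFind or any SANS/ISTS tool: it scores a snapshot of host state collected out-of-band (the BIND version string, listening TCP ports, which files exist, running process names, the contents of /etc/inetd.conf, and hashes of the binaries t0rn replaces, compared against a hash manifest taken from a trusted copy). The sample snapshot and baseline hashes at the bottom are constructed, and the "8.2.3-beta" label form for the betas is an assumption.

```python
"""Host-side triage for the Lion / t0rn indicators this entry lists.

Added example (not LionFind or any SANS/ISTS code).  It inspects a
snapshot of host state that an administrator collects out-of-band and
reports every indicator from the entry that it can match offline.
All sample values below are constructed, not real hashes or hosts.
"""
import os
import re
from dataclasses import dataclass, field

# BIND 8.2-series versions the entry lists as infected by Lion.  Only the
# version label is matched; a locally patched build that kept its label is
# still flagged, which is the conservative outcome.
LION_BIND_EXACT = {"8.2", "8.2-P1", "8.2.1"}
LION_BIND_PATTERNS = [
    re.compile(r"^8\.2\.2-P\d+$"),           # "8.2.2-Px": any patch level
    re.compile(r"^8\.2\.3-beta\d*$", re.I),  # "all 8.2.3-betas" (label form assumed)
]
_VERSION_TOKEN = re.compile(r"\b(\d+\.\d+(?:\.\d+)?(?:-[A-Za-z0-9]+)?)")

# Ports the SANS alert ties to Lion's inetd root shells and trojaned ssh.
LION_BACKDOOR_TCP_PORTS = {60008, 33567, 33568}

# Binaries the alert says t0rn replaces, plus ssh and nscd from the list above.
TORN_REPLACED = ["du", "find", "ifconfig", "in.telnetd", "in.fingerd", "login",
                 "ls", "mjy", "netstat", "ps", "pstree", "top", "ssh", "nscd"]


@dataclass
class HostSnapshot:
    named_version: str = ""                                # e.g. output of `named -v`
    files_present: set = field(default_factory=set)        # absolute paths that exist
    listening_tcp_ports: set = field(default_factory=set)  # from a trusted netstat
    processes: set = field(default_factory=set)            # running process names
    inetd_conf: str = ""                                   # contents of /etc/inetd.conf
    binary_sha256: dict = field(default_factory=dict)      # basename -> on-disk hash


def bind_version_is_lion_target(text):
    """True when the first version token in text is one the entry names."""
    m = _VERSION_TOKEN.search(text)
    if not m:
        return False
    version = m.group(1)
    return version in LION_BIND_EXACT or any(p.match(version) for p in LION_BIND_PATTERNS)


def lion_indicators(snap, baseline_sha256):
    """Return human-readable findings; an empty list means no indicator hit."""
    findings = []
    if bind_version_is_lion_target(snap.named_version):
        findings.append(f"BIND {snap.named_version!r}: version in Lion's target list")
    if "/etc/hosts.deny" not in snap.files_present:
        findings.append("/etc/hosts.deny missing: tcp_wrappers host restrictions removed")
    if "/etc/ttyhash" in snap.files_present:
        findings.append("/etc/ttyhash present: t0rn rootkit password file")
    for port in sorted(LION_BACKDOOR_TCP_PORTS & snap.listening_tcp_ports):
        findings.append(f"tcp/{port} listening: Lion backdoor port")
    # inetd.conf fields: service socket proto flags user program [args].  Flag a
    # service bound to a backdoor port, or any entry whose program is a shell.
    for line in snap.inetd_conf.splitlines():
        f = line.split()
        if len(f) < 6 or line.lstrip().startswith("#"):
            continue
        on_backdoor_port = f[0].isdigit() and int(f[0]) in LION_BACKDOOR_TCP_PORTS
        spawns_shell = os.path.basename(f[5]) in {"sh", "bash"}
        if on_backdoor_port or spawns_shell:
            findings.append(f"inetd.conf: service {f[0]} runs {f[5]} as {f[4]}")
    if "syslogd" not in snap.processes:
        findings.append("syslogd not running: local logs cannot be trusted")
    for name in TORN_REPLACED:
        expected, actual = baseline_sha256.get(name), snap.binary_sha256.get(name)
        if expected and actual and expected != actual:
            findings.append(f"{name}: hash differs from trusted baseline")
    return findings


# Constructed sample data so the module runs stand-alone.
BASELINE = {"ls": "sha-ls-ok", "ps": "sha-ps-ok", "netstat": "sha-netstat-ok", "login": "sha-login-ok"}
INFECTED = HostSnapshot(
    named_version="named 8.2.2-P5",
    files_present={"/etc/passwd", "/etc/ttyhash"},
    listening_tcp_ports={22, 53, 60008, 33567, 33568},
    processes={"named", "inetd", "sshd"},
    inetd_conf="ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
               "60008 stream tcp nowait root /bin/sh sh -i\n",
    binary_sha256={"ls": "sha-ls-changed", "ps": "sha-ps-ok",
                   "netstat": "sha-netstat-changed", "login": "sha-login-ok"},
)
CLEAN = HostSnapshot(
    named_version="named 8.2.3",
    files_present={"/etc/passwd", "/etc/hosts.deny"},
    listening_tcp_ports={22, 53},
    processes={"named", "inetd", "sshd", "syslogd"},
    inetd_conf="ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n",
    binary_sha256=dict(BASELINE),
)

if __name__ == "__main__":
    for finding in lion_indicators(INFECTED, BASELINE):
        print(" -", finding)
```

Collect the snapshot with tools from a trusted medium rather than the host's own ls, ps and netstat, since the alert lists exactly those binaries as replaced; the hash comparison is the one check that does not rely on the compromised system telling the truth about itself.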

The original SANS alert with further details can be viewed at http://www.sans.org/y2k/lion.htm. Additionally, William Stearns has developed a LionFind utility that alerts administrators to Lion-infected files. A removal tool is currently being developed. The LionFind tool and further details on the worm can be found at the Dartmouth ISTS website. Note that while the current description states LionFind is a removal tool, the author, William Stearns, clarified that it is not.


©2013 About.com. All rights reserved.