Michael Leone on Fri, 23 Mar 2001 14:30:24 -0500


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Fw: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET


FW: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNETMore things to
worry about, in case someone hasn't heard yet ...

> ALERT!  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
>
> March 23, 2001 7:00 AM
>
> Late last night, the SANS Institute (through its Global Incident
> Analysis Center) uncovered a dangerous new worm that appears to be
> spreading rapidly across the Internet.  It scans the Internet looking
> for Linux computers with a known vulnerability. It infects the
> vulnerable machines, steals the password file  (sending it to a
> China.com site), installs other hacking tools, and forces the newly
> infected machine to begin scanning the Internet looking for other
> victims.
>
> Several experts from the security community worked through
> the night to
> decompose the worm's code and engineer a utility to help you discover
> if the Lion worm has affected your organization.
>
> Updates to this announcement will be posted at the SANS web site,
> http://www.sans.org
>
>
> DESCRIPTION
>
> The Lion worm is similar to the Ramen worm. However, this worm is
> significantly more dangerous and should be taken very seriously.  It
> infects Linux machines running the BIND DNS server.  It is known to
> infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
> 8.2.3-betas. The specific vulnerability used by the worm to exploit
> machines is the TSIG vulnerability that was reported on January 29,
> 2001.
>
> The Lion worm spreads via an application called "randb".  Randb scans
> random class B networks probing TCP port 53. Once it hits a system, it
> checks to see if it is vulnerable. If so, Lion exploits the
> system using
> an exploit called "name".  It then installs the t0rn rootkit.
>
> Once Lion has compromised a system, it:
>
> - - Sends the contents of /etc/passwd, /etc/shadow, as well as some
> network settings to an address in the china.com domain.
> - - Deletes /etc/hosts.deny, eliminating the host-based perimeter
> protection afforded by tcp wrappers.
> - - Installs backdoor root shells on ports 60008/tcp and
> 33567/tcp (via
> inetd, see /etc/inetd.conf)
> - - Installs a trojaned version of ssh that listens on 33568/tcp
> - - Kills Syslogd , so the logging on the system can't be trusted
> - - Installs a trojaned version of login
> - - Looks for a hashed password in /etc/ttyhash
> - - /usr/sbin/nscd (the optional Name Service Caching daemon) is
> overwritten with a trojaned version of ssh.
>
> The t0rn rootkit replaces several binaries on the system in order to
> stealth itself. Here are the binaries that it replaces:
>
> du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
> ps, pstree, top
>
> - - "Mjy" is a utility for cleaning out log entries, and is
> placed in /bin
> and /usr/man/man1/man1/lib/.lib/.
> - - in.telnetd is also placed in these directories; its use
> is not known
> at this time.
> - - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
>
> DETECTION AND REMOVAL
>
> We have developed a utility called Lionfind that will detect the Lion
> files on an infected system.  Simply download it, uncompress it, and
> run lionfind.  This utility will list which of the suspect files is on
> the system.
>
> At this time, Lionfind is not able to remove the virus from
> the system.
> If and when an updated version becomes available (and we expect to
> provide one), an announcement will be made at this site.
>
> Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
>
>
> REFERENCES
>
> Further information can be found at:
>
> http://www.sans.org/current.htm
> http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
> CA-2001-02,
> Multiple Vulnerabilities in BIND
> http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains
> buffer overflow
> in transaction signature (TSIG) handling code
> http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
> The following vendor update pages may help you in fixing the
> original BIND
> vulnerability:
>
> Redhat Linux RHSA-2001:007-03 - Bind remote exploit
> http://www.redhat.com/support/errata/RHSA-2001-007.html
> Debian GNU/Linux DSA-026-1 BIND
> http://www.debian.org/security/2001/dsa-026
> SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
> http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt
> Caldera Linux CSSA-2001-008.0 Bind buffer overflow
> http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
> http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
>
> This security advisory was prepared by Matt Fearnow of the SANS
> Institute and William Stearns of the Dartmouth Institute for Security
> Technology Studies.
>
> The Lionfind utility was written by William Stearns. William is an
> Open-Source developer, enthusiast, and advocate from Vermont, USA. His
> day job at the Institute for Security Technology Studies at Dartmouth
> College pays him to work on network security and Linux projects.
>
> Also contributing efforts go to Dave Dittrich from the University of
> Washington, and Greg Shipley of Neohapsis
>
> Matt Fearnow
> SANS GIAC Incident Handler
>
> If you have additional data on this worm or a critical
> quetsion  please
> email lionworm@sans.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (BSD/OS)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
> ek+YCliAS832nnMIzP28ezM=
> =E1SG
> -----END PGP SIGNATURE-----
>


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug