bluehaze.com.au gets hacked
"PC motherboard specialist PC Chips has fallen victim to defacement in an attack that shows that hackers can be unthinking racists. The home page of the site, which runs Apache on a Red Hat Linux server, was replaced by a message from the 1i0n Crew, which contained in its headline the racist remark "Kill all the Japanese!"; the defacement can be seen here. The name of the hacking crew is associated with a Linux worm, called Lion, that attacks BIND servers and installs DDoS tools, and which poses a serious current risk to Web site administrators. Paul Rogers, network security analyst at MIS Corporate Defence, said from the evidence on defacement archives it was likely that PC Chips, which is hosted in Hong Kong, had been hit with a variant of the Lion worm. There is a variant of the worm that defaces Web pages, said Rogers, who added it would be "trivial" to modify and use it to create the racist message seen on PC Chips' site."
From one of the self-propelled powers that be - offering moral support and weapons of mass destruction

Date: Thu, 29 Mar 2001 10:00:30 +0100 (BST)
To: Lachlan Cranswick lachlan@ldeo.columbia.edu
Subject: Re: Beware of Geeks - baring electrons

Dear Lachlan, I now see the deed that the evil ones have accomplished and I'm mightily glad that you were not undone by their grotesque act. Have you any idea where the attack came from so that I can unleash my weapons of mass destruction the next time I'm in my secret underground lair?

Date: Thu, 29 Mar 2001 18:21:21 +0100 (BST)
To: Lachlan Cranswick [lachlan@ldeo.columbia.edu]
Subject: Re: Beware of Geeks - baring electrons

Lachlan, when I unleash my weapons of mass destruction they know no bounds. With the simple press of this here button I can unleash death on tens of millions on that continent and extreme unpleasantness to two billion more....

Date: Thu, 29 Mar 2001 18:31:35 +0100 (BST)
To: "L. Cranswick" [lzc@dl.ac.uk]
Subject: Re: Beware of Geeks - baring electrons

Hmmm, I'll have to ponder that a bit and think hard about those thousands of missiles that are primed ready for your command.
From AusCERT: ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-2001.05

-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T   A L E R T
AL-2001.05 -- AUSCERT ALERT
SANS Institute ALERT - New Bind worm: 1i0n
26 March 2001
===========================================================================
AusCERT Alert Summary
---------------------
Product:            bind 8.2
                    bind 8.2-P1
                    bind 8.2.1
                    bind 8.2.2-Px
                    bind 8.2.3-betas
Vendor:             ISC
Impact:             Execute Arbitrary Code/Commands
                    Root Compromise
Access Required:    Remote
Ref:                AA-2001.01
Summary:
The message included below is an alert issued by the SANS Institute
regarding a new bind worm "1i0n". AusCERT has received reports of
compromises involving this worm which exploits particular bind
vulnerabilities outlined in AUSCERT Advisory AA-2001.01 - ISC BIND
Vulnerability released 31 January 2001.
AusCERT is issuing this external security bulletin as an AusCERT Alert to
emphasize the significance of the potential impact of the 1i0n worm and
the vulnerabilities outlined in AA-2001.01. For details on detection and
removal, refer to the SANS Alert included below. More information about
these vulnerabilities and the availability of updated vendor software
packages is available in recent AusCERT External Security Bulletins and
Advisories:
AusCERT Alert AA-2001.01 - ISC BIND Vulnerability
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2001.01
CERT Advisory CA-2001-02 - Multiple Vulnerabilities in BIND
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.037
RHSA-2001:007-03 - Updated bind packages available
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.038
Internet Security Systems Security Alert - Remote Vulnerabilities
in BIND versions 4 and 8
ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.039
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
March 23, 2001 7:00 AM
Late last night, the SANS Institute (through its Global Incident
Analysis Center) uncovered a dangerous new worm that appears to be
spreading rapidly across the Internet. It scans the Internet looking
for Linux computers with a known vulnerability. It infects the
vulnerable machines, steals the password file (sending it to a
China.com site), installs other hacking tools, and forces the newly
infected machine to begin scanning the Internet looking for other
victims.
Several experts from the security community worked through the night to
decompose the worm's code and engineer a utility to help you discover
if the Lion worm has affected your organization.
Updates to this announcement will be posted at the SANS web site,
http://www.sans.org
DESCRIPTION
The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously. It
infects Linux machines running the BIND DNS server. It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,
2001.
The Lion worm spreads via an application called "randb". Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name". It then installs the t0rn rootkit.
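The scanning behaviour described above (probes of TCP port 53 across random /16 networks) leaves a recognisable trace in perimeter logs. The following is an added example, not part of the SANS alert or of any SANS tool: it assumes iptables-style kernel log lines (the sample below is constructed) and flags any source that probes TCP/53 on many distinct hosts spread over several /16 ("class B") networks. Since an infected machine is forced to scan outward, the same heuristic run over outbound traffic points at compromised hosts inside the perimeter, not only at scanners outside it. The thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed iptables-style log lines (an assumed log format, not from the
# alert). 198.51.100.7 probes TCP/53 on hosts spread over four /16 ("class B")
# networks, the pattern the alert attributes to randb; 198.51.100.20 is a normal
# client talking to one resolver and must not be flagged.
SAMPLE_LOG = """\
Mar 23 02:11:05 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=1025 DPT=53 SYN
Mar 23 02:11:05 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.9 PROTO=TCP SPT=1026 DPT=53 SYN
Mar 23 02:11:06 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=TCP SPT=1027 DPT=53 SYN
Mar 23 02:11:06 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.77 PROTO=TCP SPT=1028 DPT=53 SYN
Mar 23 02:11:07 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.5.1.1 PROTO=TCP SPT=1029 DPT=53 SYN
Mar 23 02:11:07 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.5.200.3 PROTO=TCP SPT=1030 DPT=53 SYN
Mar 23 02:11:08 fw kernel: IN=eth0 SRC=198.51.100.7 DST=172.16.8.8 PROTO=TCP SPT=1031 DPT=53 SYN
Mar 23 02:11:08 fw kernel: IN=eth0 SRC=198.51.100.7 DST=172.16.9.9 PROTO=TCP SPT=1032 DPT=53 SYN
Mar 23 02:11:09 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.53 PROTO=UDP SPT=1033 DPT=53
Mar 23 02:11:10 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.53 PROTO=TCP SPT=1034 DPT=53 SYN
Mar 23 02:11:11 fw kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.80 PROTO=TCP SPT=1035 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\d+(?:\.\d+){3})\s+DST=(?P<dst>\d+(?:\.\d+){3})"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract (src, dst, proto, dport) from one log line, or None on no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def class_b(ip):
    """The /16 network an address falls in, written as its first two octets."""
    return ".".join(ip.split(".")[:2])


def find_port53_sweeps(lines, min_hosts=5, min_networks=3):
    """Return {src: (distinct_hosts, distinct_/16s)} for sources that probe
    TCP/53 on at least min_hosts hosts spread over at least min_networks /16s.
    Both thresholds are assumed starting values, not figures from the alert."""
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto == "TCP" and dport == 53:
            targets[src].add(dst)
    sweeps = {}
    for src, dsts in targets.items():
        networks = {class_b(d) for d in dsts}
        if len(dsts) >= min_hosts and len(networks) >= min_networks:
            sweeps[src] = (len(dsts), len(networks))
    return sweeps


if __name__ == "__main__":
    for src, (hosts, nets) in find_port53_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: TCP/53 probes to {hosts} hosts in {nets} /16 networks")
```

Counting distinct /16s rather than raw connection volume is what separates this sweep from a busy but legitimate resolver, which talks to few servers repeatedly; the UDP/53 line is deliberately ignored because the alert describes a TCP probe.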
Once Lion has compromised a system, it:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some
  network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter
  protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
  inetd, see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is
  overwritten with a trojaned version of ssh.
The t0rn rootkit replaces several binaries on the system in order to
stealth itself. Here are the binaries that it replaces:
du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
ps, pstree, top
- "Mjy" is a utility for cleaning out log entries, and is placed in /bin
  and /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its use is not known
  at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
DETECTION AND REMOVAL
We have developed a utility called Lionfind that will detect the Lion
files on an infected system. Simply download it, uncompress it, and
run lionfind. This utility will list which of the suspect files is on
the system.
At this time, Lionfind is not able to remove the virus from the system.
If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.
Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
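The indicator list above and the Lionfind description are enough to write a host-side check of one's own. The following is an added example and is not the SANS Lionfind utility or any other code from the alert: it takes every path and port from the alert text and runs against a root directory argument, so it can be exercised on the constructed fake tree built by `build_demo_root()` as well as on a live host (pass `"/"`). The inetd service names and the `netstat -ltn` sample are assumptions, since the alert does not give them.

```python
import os
import re
import tempfile
from pathlib import Path

# Files and directories the alert says the worm and the t0rn rootkit create.
SUSPECT_PATHS = [
    "usr/man/man1/man1/lib/.lib",      # rootkit hiding directory
    "usr/man/man1/man1/lib/.lib/.x",   # setuid shell
    "bin/mjy",                         # log-cleaning utility
    "etc/ttyhash",                     # rootkit password hash
]
# Backdoor ports from the alert: inetd root shells and the trojaned ssh.
BACKDOOR_PORTS = {60008, 33567, 33568}


def backdoor_service_names(services_text):
    """Map names in /etc/services text to the backdoor TCP ports they use."""
    names = {}
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()
        m = re.fullmatch(r"(\d+)/tcp", fields[1]) if len(fields) > 1 else None
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            names[fields[0]] = int(m.group(1))
    return names


def inetd_backdoors(inetd_text, services_text=""):
    """Return {port: entry} for inetd.conf lines bound to a backdoor port."""
    # The alert says the shells are installed via inetd but not under which
    # service names (assumption), so numeric ports and names resolved through
    # /etc/services are both accepted.
    names = backdoor_service_names(services_text)
    found = {}
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        svc = fields[0]
        if svc.isdigit() and int(svc) in BACKDOOR_PORTS:
            found[int(svc)] = " ".join(fields)
        elif svc in names:
            found[names[svc]] = " ".join(fields)
    return found


def listening_backdoors(netstat_text):
    """Return backdoor ports found in LISTEN rows of `netstat -ltn` output."""
    # Feed this the output of a known-good static netstat: the rootkit replaces
    # the system's own netstat, ps and ls, so their output cannot be trusted.
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "LISTEN":
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit() and int(port) in BACKDOOR_PORTS:
                hits.add(int(port))
    return hits


def check_host(root, netstat_text=""):
    """Collect indicator findings for the filesystem tree rooted at `root`."""
    def read(rel):
        p = Path(root, rel)
        return p.read_text() if p.is_file() else ""

    findings = []
    # t0rn replaces binaries rather than hooking the kernel, so Python's own
    # stat() calls see the hidden directory even when the trojaned ls does not.
    for rel in SUSPECT_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append("present: /" + rel)
    if not os.path.exists(os.path.join(root, "etc/hosts.deny")):
        findings.append("missing: /etc/hosts.deny (the worm deletes it)")
    inetd = inetd_backdoors(read("etc/inetd.conf"), read("etc/services"))
    for port in sorted(inetd):
        findings.append(f"inetd entry on backdoor port {port}: {inetd[port]}")
    for port in sorted(listening_backdoors(netstat_text)):
        findings.append(f"listener on backdoor port {port}")
    return findings


def build_demo_root():
    """Create a constructed fake root tree carrying several of the indicators."""
    root = tempfile.mkdtemp(prefix="lioncheck-")
    hide = os.path.join(root, "usr/man/man1/man1/lib/.lib")
    os.makedirs(hide)
    open(os.path.join(hide, ".x"), "w").close()
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc/services"), "w") as f:
        f.write("ssh 22/tcp\nsh1 60008/tcp\n")            # "sh1" is constructed
    with open(os.path.join(root, "etc/inetd.conf"), "w") as f:
        f.write("sh1 stream tcp nowait root /placeholder/backdoor backdoor\n")
    return root


# Constructed `netstat -ltn` output: sshd on 22 plus the trojaned ssh port.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33568           0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    for finding in check_host(build_demo_root(), NETSTAT_SAMPLE):
        print(finding)
```

On a live host the script must itself be trusted: copy it and a static Python or netstat from clean media, because the replaced `find`, `ls` and `netstat` listed in the alert are exactly the tools an administrator would otherwise reach for. A hit on any of these indicators is a reason to rebuild from known-good media rather than to clean in place, which is also why the alert notes that Lionfind detects but does not remove the worm.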
REFERENCES
Further information can be found at:
http://www.sans.org/current.htm
http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
Multiple Vulnerabilities in BIND
http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
in transaction signature (TSIG) handling code
http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
The following vendor update pages may help you in fixing the original BIND
vulnerability:
Redhat Linux RHSA-2001:007-03 - Bind remote exploit
http://www.redhat.com/support/errata/RHSA-2001-007.html
Debian GNU/Linux DSA-026-1 BIND
http://www.debian.org/security/2001/dsa-026
SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
Caldera Linux CSSA-2001-008.0 Bind buffer overflow
http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.
The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.
Also contributing efforts go to Dave Dittrich from the University of
Washington, and Greg Shipley of Neohapsis
Matt Fearnow
SANS GIAC Incident Handler
If you have additional data on this worm or a critical question please
email lionworm@sans.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
ek+YCliAS832nnMIzP28ezM=
=E1SG
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOr8uiyh9+71yA2DNAQG0iwP/aRbnhZBpCrmb5jY/1sq8KLvtphSgfK38
YW9L7MOePXEH/qPcjk9Iuz3ibuY1SaOobAJlnwcJYlYLg0pVoxOzHndeS/v73qab
UA1qlJdRTvYweR9jY6Al6F6pQM9qyrMoS4OaoN3Dir2NOIONUNGgIsOpA7ZEQgAn
UPwZbcEkvl0=
=XqnN
-----END PGP SIGNATURE-----