New 'Lion' worm stalks Linux - News

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Australia.
--------------------------------------------------------------

New 'Lion' worm stalks Linux

By Dennis Fisher, eWeek
March 26, 2001
URL: http://www.zdnet.com.au/news/soa/New-Lion-worm-stalks-Linux/0,139023165,120211283,00.htm

Computer security experts have unearthed a new worm that they say is spreading rapidly on the Internet.

It's capable of changing network settings, stealing passwords and eliminating some security measures.

Known as the Lion worm, the virus spreads through an application called "randb," which infects Linux machines running version 8 of the BIND DNS software, one of several iterations that are known to have numerous security vulnerabilities.

Lion scans random networks, probing TCP port 53, looking for potential targets.

Once the application finds a vulnerable machine, it uses an exploit called "name" and then installs the t0rn rootkit, which enables the attacker to wreak havoc on the compromised machine, according to an alert posted Friday morning by the SANS Institute.

The worm then performs several operations, including sending a password file and some network settings to a mail address with the chin.com domain, deleting a file called /etc/hosts.deny, which eliminates the host-based perimeter protection, installing backdoor root shells on two TCP ports, installing a "trojaned" version of the secure shell, killing the system log and searching for a hashed password.

SANS has developed a utility that will detect - but not remove - the worm.

Lion exploits the transaction signature buffer-overflow vulnerability in BIND (Berkeley Internet Name Domain) version 8, which is one of four weaknesses found in January in the open-source DNS software. Fixes are available for all of the BIND flaws.

After the Lion worm finishes its work, it then forces the compromised machine to scan the Internet for other vulnerable servers.

Despite the potential damage that an attacker could do to a compromised machine, security experts say that the new worm is fairly obvious in the way it goes about its business, making it a bit easier to detect.

"It's kind of loud and it does a lot of things, so I would think that any competent Linux administrator should be able to see it," said Dan Ingevaldson, a member of Internet Security Systems' X-Force research team.

He added that even though the BIND vulnerabilities have been well publicised and updated versions of the software are available, many sites still haven't fixed the problem because it involves taking the DNS server offline for a significant period of time.