Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET

Rick Rosinski rick@rickrosinski.com
Fri, 23 Mar 2001 19:14:33 +0000 

Would this effect a Slackware 7.x system?  I noticed that I don't have any 
"bind" in my paths.

On Saturday 24 March 2001 00:38, you wrote:
> Thank you!  I saw something about it, but didn't realize I needed
> to do something about it until now.
>
> 8.2.3-0 would be OK right?  That's the latest one from
> http://security.debian.org
>
> On Fri, Mar 23, 2001 at 12:25:52PM -0700, Rusty Carruth wrote:
> > In case nobody has posted this yet:
> >
> > If you've not updated your bind/dns - do so NOW.
> >
> > Also, if you run bsd there is a chance the problem is there also.
> >
> > >Date: Fri, 23 Mar 2001  9:40:03 -0700 (MST)
> > >From: The SANS Institute <securityalert@sans.org>
> > >Subject: ALERT -  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> > >Sender: sans@sans.org
> > >To: John Driggers (SD512389) <driggers@slb.com>
> > >X-LDAP-Alias: V 1.0rc5. Sent to driggers@slb.com resolving to
> > >driggers@austin.apc.slb.com
> > >
> > >-----BEGIN PGP SIGNED MESSAGE-----
> > >Hash: SHA1
> > >
> > >ALERT!  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> > >
> > >March 23, 2001 7:00 AM
> > >
> > >Late last night, the SANS Institute (through its Global Incident
> > >Analysis Center) uncovered a dangerous new worm that appears to be
> > >spreading rapidly across the Internet.  It scans the Internet looking
> > >for Linux computers with a known vulnerability. It infects the
> > >vulnerable machines, steals the password file  (sending it to a
> > >China.com site), installs other hacking tools, and forces the newly
> > >infected machine to begin scanning the Internet looking for other
> > >victims.
> > >
> > >Several experts from the security community worked through the night to
> > >decompose the worm's code and engineer a utility to help you discover
> > >if the Lion worm has affected your organization.
> > >
> > >Updates to this announcement will be posted at the SANS web site,
> > >http://www.sans.org
> > >
> > >
> > >DESCRIPTION
> > >
> > >The Lion worm is similar to the Ramen worm. However, this worm is
> > >significantly more dangerous and should be taken very seriously.  It
> > >infects Linux machines running the BIND DNS server.  It is known to
> > >infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
> > >8.2.3-betas. The specific vulnerability used by the worm to exploit
> > >machines is the TSIG vulnerability that was reported on January 29,
> > >2001.
> > >
> > >The Lion worm spreads via an application called "randb".  Randb scans
> > >random class B networks probing TCP port 53. Once it hits a system, it
> > >checks to see if it is vulnerable. If so, Lion exploits the system using
> > >an exploit called "name".  It then installs the t0rn rootkit.
> > >
> > >Once Lion has compromised a system, it:
> > >
> > >- - Sends the contents of /etc/passwd, /etc/shadow, as well as some
> > >network settings to an address in the china.com domain.
> > >- - Deletes /etc/hosts.deny, eliminating the host-based perimeter
> > >protection afforded by tcp wrappers.
> > >- - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
> > >inetd, see /etc/inetd.conf)
> > >- - Installs a trojaned version of ssh that listens on 33568/tcp
> > >- - Kills Syslogd , so the logging on the system can't be trusted
> > >- - Installs a trojaned version of login
> > >- - Looks for a hashed password in /etc/ttyhash
> > >- - /usr/sbin/nscd (the optional Name Service Caching daemon) is
> > >overwritten with a trojaned version of ssh.
> > >
> > >The t0rn rootkit replaces several binaries on the system in order to
> > >stealth itself. Here are the binaries that it replaces:
> > >
> > >du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
> > >ps, pstree, top
> > >
> > >- - "Mjy" is a utility for cleaning out log entries, and is placed in
> > > /bin and /usr/man/man1/man1/lib/.lib/.
> > >- - in.telnetd is also placed in these directories; its use is not known
> > >at this time.
> > >- - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
> > >
> > >DETECTION AND REMOVAL
> > >
> > >We have developed a utility called Lionfind that will detect the Lion
> > >files on an infected system.  Simply download it, uncompress it, and
> > >run lionfind.  This utility will list which of the suspect files is on
> > >the system.
> > >
> > >At this time, Lionfind is not able to remove the virus from the system.
> > >If and when an updated version becomes available (and we expect to
> > >provide one), an announcement will be made at this site.
> > >
> > >Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
> > >
> > >
> > >REFERENCES
> > >
> > >Further information can be found at:
> > >
> > >http://www.sans.org/current.htm
> > >http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
> > > CA-2001-02, Multiple Vulnerabilities in BIND
> > >http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer
> > > overflow in transaction signature (TSIG) handling code
> > >http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
> > >The following vendor update pages may help you in fixing the original
> > > BIND vulnerability:
> > >
> > >Redhat Linux RHSA-2001:007-03 - Bind remote exploit
> > >http://www.redhat.com/support/errata/RHSA-2001-007.html
> > >Debian GNU/Linux DSA-026-1 BIND
> > >http://www.debian.org/security/2001/dsa-026
> > >SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
> > >http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt
> > >Caldera Linux CSSA-2001-008.0 Bind buffer overflow
> > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
> > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
> > >
> > >This security advisory was prepared by Matt Fearnow of the SANS
> > >Institute and William Stearns of the Dartmouth Institute for Security
> > >Technology Studies.
> > >
> > >The Lionfind utility was written by William Stearns. William is an
> > >Open-Source developer, enthusiast, and advocate from Vermont, USA. His
> > >day job at the Institute for Security Technology Studies at Dartmouth
> > >College pays him to work on network security and Linux projects.
> > >
> > >Also contributing efforts go to Dave Dittrich from the University of
> > >Washington, and Greg Shipley of Neohapsis
> > >
> > >Matt Fearnow
> > >SANS GIAC Incident Handler
> > >
> > >If you have additional data on this worm or a critical quetsion  please
> > >email lionworm@sans.org
> > >-----BEGIN PGP SIGNATURE-----
> > >Version: GnuPG v1.0.4 (BSD/OS)
> > >Comment: For info see http://www.gnupg.org
> > >
> > >iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
> > >ek+YCliAS832nnMIzP28ezM=
> > >=E1SG
> > >-----END PGP SIGNATURE-----
> >
> > Rusty Carruth          Email:     rcarruth@Tempe.tt.slb.com or
> > rcarruth@slb.com Voice: (480) 345-3621  SnailMail: Schlumberger ATE
> > FAX:   (480) 345-8793             7855 S. River Parkway, Suite 116
> > Ham: N7IKQ @ 146.82+,pl 162.2     Tempe, AZ 85284-1825
> > ICBM: 33 20' 44"N   111 53' 47"W
> >
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> >
> > Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
Rick Rosinski
http://rickrosinski.com
rick@rickrosinski.com