Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTER…

Top Page
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Rusty Carruth
Date:  
Subject: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
In case nobody has posted this yet:

If you've not updated your bind/dns - do so NOW.

Also, if you run bsd there is a chance the problem is there also.

>Date: Fri, 23 Mar 2001 9:40:03 -0700 (MST)
>From: The SANS Institute <>
>Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
>Sender:
>To: John Driggers (SD512389) <>
>X-LDAP-Alias: V 1.0rc5. Sent to resolving to
>
>
>
>ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
>
>March 23, 2001 7:00 AM
>
>Late last night, the SANS Institute (through its Global Incident
>Analysis Center) uncovered a dangerous new worm that appears to be
>spreading rapidly across the Internet. It scans the Internet looking
>for Linux computers with a known vulnerability. It infects the
>vulnerable machines, steals the password file (sending it to a
>China.com site), installs other hacking tools, and forces the newly
>infected machine to begin scanning the Internet looking for other
>victims.
>
>Several experts from the security community worked through the night to
>decompose the worm's code and engineer a utility to help you discover
>if the Lion worm has affected your organization.
>
>Updates to this announcement will be posted at the SANS web site,
>http://www.sans.org
>
>
>DESCRIPTION
>
>The Lion worm is similar to the Ramen worm. However, this worm is
>significantly more dangerous and should be taken very seriously. It
>infects Linux machines running the BIND DNS server. It is known to
>infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
>8.2.3-betas. The specific vulnerability used by the worm to exploit
>machines is the TSIG vulnerability that was reported on January 29,
>2001.
>
>The Lion worm spreads via an application called "randb". Randb scans
>random class B networks probing TCP port 53. Once it hits a system, it
>checks to see if it is vulnerable. If so, Lion exploits the system using
>an exploit called "name". It then installs the t0rn rootkit.
>
>Once Lion has compromised a system, it:
>
>- - Sends the contents of /etc/passwd, /etc/shadow, as well as some
>network settings to an address in the china.com domain.
>- - Deletes /etc/hosts.deny, eliminating the host-based perimeter
>protection afforded by tcp wrappers.
>- - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
>inetd, see /etc/inetd.conf)
>- - Installs a trojaned version of ssh that listens on 33568/tcp
>- - Kills Syslogd , so the logging on the system can't be trusted
>- - Installs a trojaned version of login
>- - Looks for a hashed password in /etc/ttyhash
>- - /usr/sbin/nscd (the optional Name Service Caching daemon) is
>overwritten with a trojaned version of ssh.
>
>The t0rn rootkit replaces several binaries on the system in order to
>stealth itself. Here are the binaries that it replaces:
>
>du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
>ps, pstree, top
>
>- - "Mjy" is a utility for cleaning out log entries, and is placed in /bin
>and /usr/man/man1/man1/lib/.lib/.
>- - in.telnetd is also placed in these directories; its use is not known
>at this time.
>- - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
>
>DETECTION AND REMOVAL
>
>We have developed a utility called Lionfind that will detect the Lion
>files on an infected system. Simply download it, uncompress it, and
>run lionfind. This utility will list which of the suspect files is on
>the system.
>
>At this time, Lionfind is not able to remove the virus from the system.
>If and when an updated version becomes available (and we expect to
>provide one), an announcement will be made at this site.
>
>Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
>
>
>REFERENCES
>
>Further information can be found at:
>
>http://www.sans.org/current.htm
>http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
>Multiple Vulnerabilities in BIND
>http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
>in transaction signature (TSIG) handling code
>http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
>The following vendor update pages may help you in fixing the original BIND
>vulnerability:
>
>Redhat Linux RHSA-2001:007-03 - Bind remote exploit
>http://www.redhat.com/support/errata/RHSA-2001-007.html
>Debian GNU/Linux DSA-026-1 BIND
>http://www.debian.org/security/2001/dsa-026
>SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
>http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt
>Caldera Linux CSSA-2001-008.0 Bind buffer overflow
>http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
>http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
>
>This security advisory was prepared by Matt Fearnow of the SANS
>Institute and William Stearns of the Dartmouth Institute for Security
>Technology Studies.
>
>The Lionfind utility was written by William Stearns. William is an
>Open-Source developer, enthusiast, and advocate from Vermont, USA. His
>day job at the Institute for Security Technology Studies at Dartmouth
>College pays him to work on network security and Linux projects.
>
>Also contributing efforts go to Dave Dittrich from the University of
>Washington, and Greg Shipley of Neohapsis
>
>Matt Fearnow
>SANS GIAC Incident Handler
>
>If you have additional data on this worm or a critical quetsion please
>email
>


Rusty Carruth          Email:      or 
Voice: (480) 345-3621  SnailMail: Schlumberger ATE
FAX:   (480) 345-8793             7855 S. River Parkway, Suite 116
Ham: N7IKQ @ 146.82+,pl 162.2     Tempe, AZ 85284-1825
ICBM: 33 20' 44"N   111 53' 47"W