|
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== A U S C E R T A L E R T AL-2001.05 -- AUSCERT ALERT SANS Institute ALERT - New Bind worm: 1i0n 26 March 2001 =========================================================================== AusCERT Alert Summary --------------------- Product: bind 8.2 bind 8.2-P1 bind 8.2.1 bind 8.2.2-Px bind 8.2.3-betas Vendor: ISC Impact: Execute Arbitrary Code/Commands Root Compromise Access Required: Remote Ref: AA-2001.01 Summary: The message included below is an alert issued by the SANS Institute regarding a new bind worm "1i0n". AusCERT has received reports of compromises involving this worm which exploits particular bind vulnerabilities outlined in AUSCERT Advisory AA-2001.01 - ISC BIND Vulnerability released 31 January 2001. AusCERT is issuing this external security bulletin as an AusCERT Alert to emphasize the significance of the potential impact of the 1i0n worm and the vulnerabilities outlined in AA-2001.01. For details on detection and removal, refer to the SANS Alert included below. More information about these vulnerabilities and the availability of updated vendor software packages is available in recent AusCERT External Security Bulletins and Advisories: AusCERT Alert AA-2001.01 - ISC BIND Vulnerability ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2001.01 CERT Advisory CA-2001-02 - Multiple Vulnerabilities in BIND ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.037 RHSA-2001:007-03 - Updated bind packages available ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.038 Internet Security Systems Security Alert - Remote Vulnerabilities in BIND versions 4 and 8 ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.039 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET March 23, 2001 7:00 AM Late last night, the SANS Institute (through its Global Incident Analysis Center) uncovered a dangerous new worm that appears to be spreading rapidly across the Internet. It scans the Internet looking for Linux computers with a known vulnerability. It infects the vulnerable machines, steals the password file (sending it to a China.com site), installs other hacking tools, and forces the newly infected machine to begin scanning the Internet looking for other victims. Several experts from the security community worked through the night to decompose the worm's code and engineer a utility to help you discover if the Lion worm has affected your organization. Updates to this announcement will be posted at the SANS web site, http://www.sans.org DESCRIPTION The Lion worm is similar to the Ramen worm. However, this worm is significantly more dangerous and should be taken very seriously. It infects Linux machines running the BIND DNS server. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The specific vulnerability used by the worm to exploit machines is the TSIG vulnerability that was reported on January 29, 2001. The Lion worm spreads via an application called "randb". Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called "name". It then installs the t0rn rootkit. Once Lion has compromised a system, it: - - - Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the china.com domain. - - - Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers. - - - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd, see /etc/inetd.conf) - - - Installs a trojaned version of ssh that listens on 33568/tcp - - - Kills Syslogd , so the logging on the system can't be trusted - - - Installs a trojaned version of login - - - Looks for a hashed password in /etc/ttyhash - - - /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh. The t0rn rootkit replaces several binaries on the system in order to stealth itself. Here are the binaries that it replaces: du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top - - - "Mjy" is a utility for cleaning out log entries, and is placed in /bin and /usr/man/man1/man1/lib/.lib/. - - - in.telnetd is also placed in these directories; its use is not known at this time. - - - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x DETECTION AND REMOVAL We have developed a utility called Lionfind that will detect the Lion files on an infected system. Simply download it, uncompress it, and run lionfind. This utility will list which of the suspect files is on the system. At this time, Lionfind is not able to remove the virus from the system. If and when an updated version becomes available (and we expect to provide one), an announcement will be made at this site. Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz REFERENCES Further information can be found at: http://www.sans.org/current.htm http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit. The following vendor update pages may help you in fixing the original BIND vulnerability: Redhat Linux RHSA-2001:007-03 - Bind remote exploit http://www.redhat.com/support/errata/RHSA-2001-007.html Debian GNU/Linux DSA-026-1 BIND http://www.debian.org/security/2001/dsa-026 SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise. http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt Caldera Linux CSSA-2001-008.0 Bind buffer overflow http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt This security advisory was prepared by Matt Fearnow of the SANS Institute and William Stearns of the Dartmouth Institute for Security Technology Studies. The Lionfind utility was written by William Stearns. William is an Open-Source developer, enthusiast, and advocate from Vermont, USA. His day job at the Institute for Security Technology Studies at Dartmouth College pays him to work on network security and Linux projects. Also contributing efforts go to Dave Dittrich from the University of Washington, and Greg Shipley of Neohapsis Matt Fearnow SANS GIAC Incident Handler If you have additional data on this worm or a critical quetsion please email lionworm@sans.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (BSD/OS) Comment: For info see http://www.gnupg.org iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/ ek+YCliAS832nnMIzP28ezM= =E1SG - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOr8uiyh9+71yA2DNAQG0iwP/aRbnhZBpCrmb5jY/1sq8KLvtphSgfK38 YW9L7MOePXEH/qPcjk9Iuz3ibuY1SaOobAJlnwcJYlYLg0pVoxOzHndeS/v73qab UA1qlJdRTvYweR9jY6Al6F6pQM9qyrMoS4OaoN3Dir2NOIONUNGgIsOpA7ZEQgAn UPwZbcEkvl0= =XqnN -----END PGP SIGNATURE-----