TUCoPS :: Malware :: ciacl064.txt

CIAC L-064 - The Lion Internet Worm DDoS Risk


                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                              INFORMATION BULLETIN

                        The Lion Internet Worm DDOS Risk

April 2, 2001 18:00 GMT                                           Number l-064
PROBLEM:       Further analysis of the Lion Internet worm by the NIPC 
               indicates that it has the potential for causing much more 
               damage than originally expected. In addition to automatically 
               propagating itself, the worm installs multiple backdoors and 
               the Tribe Flood Network (tfn2k) distributed denial of service 
               (DDOS) tool. A second version of the worm simply propagates and 
               installs a single backdoor. 
PLATFORM:      Linux on x86 platforms with unpatched BIND services but could 
               be expanded to other UNIX platforms. Affected versions of BIND 
               include: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and 8.2.3-beta. 
               Unaffected versions of BIND include: 8.2.3-REL and 9. 
DAMAGE:        The original version of the worm installs a rootkit to hide 
               itself, replacing many system utilities. Infected systems need 
               to be reinstalled to assure that all affected files are 
               replaced. Should the tfn2k tool be activated, all infected 
               machines could be used to perform a large scale distributed 
               denial of service attack. 
SOLUTION:      Users with affected versions of BIND should update immediately. 
               Network operators should watch for outgoing e-mails to 
               china.com and for incoming connections to ports 1008, 60008, 
               33567, 33568 (ssh). System owners should check for infections 
               by using the SANS tool (lionfind) or by examining the contents 
               of /dev/.lib for the worm's files and they should scan for 
               tfn2k using the NIPC tool (find_ddos). Users with infected 
               systems need to reinstall those systems. 
VULNERABILITY  Risk is Medium. The worm is in the wild, however the web site
ASSESSMENT:    coollion.51.net is no longer providing the worm's files. The 
               result is that currently infected systems can still attack and 
               compromise other systems, install backdoors, and send mail to 
               china.com but cannot install the rootkit, DDOS tools, or the 
               infection tools. The potential for a large scale distributed 
               denial of service attack is high from systems infected before               coollion.51.net stopped providing files (sometime before 
               3/30/01). There is also the risk that a new variant will appear 
               that uses a different website to get its tools. 

The following advisory was posted on the NIPC website on March 30, 2001. See 
the NIPC website for the latest version of this advisory: 


-------------------Start of NIPC Advisory------------------- 


"Lion Internet Worm" DDOS Targeting Unix Systems 
Issued 03/23/2001, Updated March 30, 2001

The NIPC has received reports of an Internet worm named "Lion" that is 
infecting computers and installing distributed denial of service (DDOS) tools 
on various computer systems. Illegal activity of this nature typically is 
designed to create large networks of hosts capable of launching coordinated 
packet flooding denial of service attacks. Possible motives for this malicious 
activity include exploit demonstration, exploration and reconnaissance, or 
preparation for widespread denial of service attacks.


Access to these systems has been accomplished primarily through compromises 
exploiting the bind vulnerabilities in versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, 
as well as the 8.2.3 betas. To read more about the bind vulnerabilities, please 
refer to the CERT/CC advisory at http://www.cert.org/advisories/CA-2001-
02.html. Once infected, the Lion worm scans random class B networks on port 53 
looking for systems running the vulnerable bind versions listed above. Once 
compromised, the system will send the contents of the /etc/password and 
/etc/shadow files to a remote computer. The worm also contacts coollion.51.net 
( and downloads a copy of the worm along with several hacking 
tools, including the "t0rn" rootkit, and Tribe Flood Network client (tfn2k). 
Additionally, a compromised system will have its /etc/hosts.deny file deleted 
thereby eliminating the host-based perimeter protection afforded by tcp 

In addition to the above listed toolkit, the Lion worm installs several 
backdoor compromises along with what NIPC analysis confirms is a password 
sniffer, thereby giving the hacker a network of machines from which to launch 
an attack in the future. This initial activity appears to be the precursor to a 
larger DDOS attack. These backdoor compromises provide root access to the 
victim systems, thereby making security more difficult. Systems administrators 
who detect such a compromise should take all appropriate steps to reestablish 
the integrity of their computers and networks.


 NIPC recommends that all computer network owners and organizations examine 
their systems for evidence of this worm and associated DDOS tools. Specific 
technical instructions for detection of the Lion worm are available from the 
SANS website http://www.sans.org/y2k/lion.htm This site also includes a tool 
called "Lionfind" which is provided to identify the files that the worm is 
using, however, this program does not remove those files.

 Users running affected versions of bind can go to 
http://www.cert.org/advisories/CA-2001-02.html and download the most recent 

 The NIPC continues to make available on its website a software application 
(find_ddos) that can be used to detect the presence of the tfn2k client 

Tool Description:

The tool (find_ddos) is available for Solaris on Sparc or Intel platforms and 
Linux on Intel platforms. It has been designed to detect tfn2k client, tfn2k 
daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht 
master, stacheldraht client, stachelddraht demon and tfn-rush client.

The latest version (3.3) should solve some out-of-memory errors, prevent self-
detection, and support process scanning on Solaris 2.5.1. Consult the readme 
file for more information.
This download is for Solaris 2.5.1, 2.6, and Solaris 7 on the Sparc or Intel 
platforms, and Linux on Intel platforms.

This tool will not work on a Windows 95/98/NT-based PC.

 Readme (http://www.nipc.gov/warnings/alerts/1999/README) 

 Solaris on Sparc Executable File (tar, compressed format) version 4.2

 Linux on Intel Executable File (tar, compressed format) version 4.2 

 Solaris on Intel Executable File (tar, compressed format) version 4.2 

 Checksums (The MD5 Checksums are provided to verify the integrity of the 
files.) (http://www.nipc.gov/warnings/alerts/1999/checksums)

Please report computer crime to your local FBI office 
(www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate 
authorities. Incidents may be reported online at 
www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be 
reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.

Update As of March 30, 2001

The NIPC has confirmed two versions of the Lion worm in the wild. Upon further 
analysis of the original Lion worm, the NIPC has determined that the 
daemon/zombie portion of tfn2k is installed on a victim system once 
compromised. Further, the tfn2k daemon is launched once it is installed and 
also upon reboot. This creates a widespread zombie network that is ready to 
receive commands and launch an attack.

Additionally, it appears that the Lion worm specifically targets Linux systems, 
contrary to the what the title of this advisory originally indicated. However, 
the code could be modified to target other flavors of Unix. Also, because the 
worm overwrites systems files, it is not easily removed from an infected 
computer. Therefore, the NIPC believes that reinstalling the operating system 
(or at a minimum, reinstalling specific system files) may be the only way to 
ensure the integrity of the system.

A newer version of the Lion worm does not have the t0rn rootkit or tfn2k as 
part of it's code. As a result, the new Lion worm is roughly 1/30th the size of 
the original. 

Both versions of Lion email user and password information of systems that are 
successfully compromised. In addition, both propagate by targeting systems 
running the vulnerable versions of bind.

Technical Observations:

Original Lion (1i0n) makes the following system modifications:

1) Creates directory /dev/.lib, and installs lion files into that directory

2) Deletes the following files:
*) /.bash_history
*) /etc/hosts.deny
*) /root/.bash_history
*) /var/log/messages
*) /var/log/maillog

3) Appends "/dev/.lib/lib/scan/star.sh" to /etc/rc.d/rc.sysinit to ensure that 
the worm will continue to attempt to propagate after a reboot

4) Appends the following to /etc/inetd.conf
*) 1008 stream tcp nowait root /bin/sh sh
*) 60008 stream tcp nowait root /bin/sh sh
*) 33567 stream tcp nowait root /bin/sh sh

5) Creates file /etc/ttyhash with encrypted backdoor password

6) Creates directory /usr/src/.puta, and copies root kit configuration files 
*) /usr/src/.puta/t0rnp -- linsniff password extractor
*) /usr/src/.puta/t0rnsb -- system log file wiper

7) Creates directory /usr/info/.torn, and installs secure shell configuration 

8) Installs and runs secure shell server in /usr/sbin/nscd

9) Installs and runs tfn2k in /bin/in.telnetd

10) Installs system log wiper into /bin/mjy

11) Creates /usr/man/man1/man1/lib/.lib, and copies the following:
*) /bin/mjy (system log wiper)
*) /bin/in.telnetd (tfn2k)
*) /bin/sh, with setuid/setgid privileges added

12) Appends the following lines to /etc/rc.d/rc.sysinit:
*) # Name Server Cache Daemon..
*) /usr/sbin/nscd -q
*) /bin/in.telnetd
*) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

13) Overwrites the following executables with trojans:
*) /usr/sbin/in.fingerd -- Back door
*) /bin/ps
*) /sbin/ifconfig
*) /usr/bin/du
*) /bin/netstat
*) /usr/bin/top
*) /bin/ls
*) /usr/bin/find

14) Modifies /etc/inetd.conf to run the finger service as root

New Version of Lion (1i0n) makes the following system modifications:

1) Creates directory /dev/.lib, and installs lion files into that directory

2) Deletes the following files:
*) /.bash_history
*) /var/log/messages
*) /var/log/maillog

3) Appends "/dev/.lib/lib/scan/star.sh" to /etc/rc.d/rc.sysinit (this is not 
the correct location of the "star.sh" file, so the worm will not continue to 
propagate after a reboot)

4) Appends the following to /etc/inetd.conf
*) 1008 stream tcp nowait root /bin/sh sh

-------------------End of NIPC Advisory------------------- 


CIAC wishes to acknowledge the contributions of The National Infrastructure 
Protection Center (NIPC) for the 
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-053: Cisco IOS Software TCP Initial Sequence Number Improvements
L-054: Microsoft IIS and Exchange Malformed URL Denial of Service
L-055: pcAnywhere Denial of Service, abnormal server connection
L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
L-059: Microsoft IIS WebDAV Denial of service Vulnerability
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH