__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
INFORMATION BULLETIN
The Lion Internet Worm DDOS Risk
April 2, 2001 18:00 GMT Number L-064
______________________________________________________________________________
PROBLEM: Further analysis of the Lion Internet worm by the NIPC
indicates that it has the potential for causing much more
damage than originally expected. In addition to automatically
propagating itself, the worm installs multiple backdoors and
the Tribe Flood Network (tfn2k) distributed denial of service
(DDOS) tool. A second version of the worm simply propagates and
installs a single backdoor.
PLATFORM: Linux on x86 platforms with unpatched BIND services but could
be expanded to other UNIX platforms. Affected versions of BIND
include: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and 8.2.3-beta.
Unaffected versions of BIND include: 8.2.3-REL and 9.
DAMAGE: The original version of the worm installs a rootkit to hide
itself, replacing many system utilities. Infected systems need
to be reinstalled to assure that all affected files are
replaced. Should the tfn2k tool be activated, all infected
machines could be used to perform a large scale distributed
denial of service attack.
SOLUTION: Users with affected versions of BIND should update immediately.
Network operators should watch for outgoing e-mails to
china.com and for incoming connections to ports 1008, 60008,
33567, 33568 (ssh). System owners should check for infections
by using the SANS tool (lionfind) or by examining the contents
of /dev/.lib for the worm's files and they should scan for
tfn2k using the NIPC tool (find_ddos). Users with infected
systems need to reinstall those systems.
______________________________________________________________________________
VULNERABILITY Risk is Medium. The worm is in the wild, however the web site
ASSESSMENT: coollion.51.net is no longer providing the worm's files. The
result is that currently infected systems can still attack and
compromise other systems, install backdoors, and send mail to
china.com but cannot install the rootkit, DDOS tools, or the
infection tools. The potential for a large scale distributed
denial of service attack is high from systems infected before
coollion.51.net stopped providing files (sometime before 3/30/01). There
is also the risk that a new variant will appear
that uses a different website to get its tools.
______________________________________________________________________________
The following advisory was posted on the NIPC website on March 30, 2001. See
the NIPC website for the latest version of this advisory:
http://www.nipc.gov/warnings/advisories/2001/01-005.htm
-------------------Start of NIPC Advisory-------------------
ADVISORY 01-005
"Lion Internet Worm" DDOS Targeting Unix Systems
Issued 03/23/2001, Updated March 30, 2001
The NIPC has received reports of an Internet worm named "Lion" that is
infecting computers and installing distributed denial of service (DDOS) tools
on various computer systems. Illegal activity of this nature typically is
designed to create large networks of hosts capable of launching coordinated
packet flooding denial of service attacks. Possible motives for this malicious
activity include exploit demonstration, exploration and reconnaissance, or
preparation for widespread denial of service attacks.
Description:
Access to these systems has been accomplished primarily through compromises
exploiting the bind vulnerabilities in versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px,
as well as the 8.2.3 betas. To read more about the bind vulnerabilities, please
refer to the CERT/CC advisory at
http://www.cert.org/advisories/CA-2001-02.html. Once infected, the Lion worm
scans random class B networks on port 53
looking for systems running the vulnerable bind versions listed above. Once
compromised, the system will send the contents of the /etc/passwd and
/etc/shadow files to a remote computer. The worm also contacts coollion.51.net
(211.100.18.56) and downloads a copy of the worm along with several hacking
tools, including the "t0rn" rootkit, and Tribe Flood Network client (tfn2k).
Additionally, a compromised system will have its /etc/hosts.deny file deleted
thereby eliminating the host-based perimeter protection afforded by tcp
wrappers.
In addition to the above listed toolkit, the Lion worm installs several
backdoor compromises along with what NIPC analysis confirms is a password
sniffer, thereby giving the hacker a network of machines from which to launch
an attack in the future. This initial activity appears to be the precursor to a
larger DDOS attack. These backdoor compromises provide root access to the
victim systems, thereby making security more difficult. Systems administrators
who detect such a compromise should take all appropriate steps to reestablish
the integrity of their computers and networks.
Recommendations:
• NIPC recommends that all computer network owners and organizations examine
their systems for evidence of this worm and associated DDOS tools. Specific
technical instructions for detection of the Lion worm are available from the
SANS website http://www.sans.org/y2k/lion.htm This site also includes a tool
called "Lionfind" which is provided to identify the files that the worm is
using, however, this program does not remove those files.
• Users running affected versions of bind can go to
http://www.cert.org/advisories/CA-2001-02.html and download the most recent
patch.
• The NIPC continues to make available on its website a software application
(find_ddos) that can be used to detect the presence of the tfn2k client
program.
Tool Description:
The tool (find_ddos) is available for Solaris on Sparc or Intel platforms and
Linux on Intel platforms. It has been designed to detect tfn2k client, tfn2k
daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht
master, stacheldraht client, stacheldraht daemon and tfn-rush client.
The latest version (3.3) should solve some out-of-memory errors, prevent
self-detection, and support process scanning on Solaris 2.5.1. Consult the
readme file for more information.
This download is for Solaris 2.5.1, 2.6, and Solaris 7 on the Sparc or Intel
platforms, and Linux on Intel platforms.
This tool will not work on a Windows 95/98/NT-based PC.
· Readme (http://www.nipc.gov/warnings/alerts/1999/README)
· Solaris on Sparc Executable File (tar, compressed format) version 4.2
(http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_sparc.tar.Z)
· Linux on Intel Executable File (tar, compressed format) version 4.2
(http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_linux.tar.Z)
· Solaris on Intel Executable File (tar, compressed format) version 4.2
(http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_intel.tar.Z)
· Checksums (The MD5 Checksums are provided to verify the integrity of the
files.) (http://www.nipc.gov/warnings/alerts/1999/checksums)
Please report computer crime to your local FBI office
(www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate
authorities. Incidents may be reported online at
www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be
reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.
Update As of March 30, 2001
The NIPC has confirmed two versions of the Lion worm in the wild. Upon further
analysis of the original Lion worm, the NIPC has determined that the
daemon/zombie portion of tfn2k is installed on a victim system once
compromised. Further, the tfn2k daemon is launched once it is installed and
also upon reboot. This creates a widespread zombie network that is ready to
receive commands and launch an attack.
Additionally, it appears that the Lion worm specifically targets Linux systems,
contrary to what the title of this advisory originally indicated. However,
the code could be modified to target other flavors of Unix. Also, because the
worm overwrites systems files, it is not easily removed from an infected
computer. Therefore, the NIPC believes that reinstalling the operating system
(or at a minimum, reinstalling specific system files) may be the only way to
ensure the integrity of the system.
A newer version of the Lion worm does not have the t0rn rootkit or tfn2k as
part of its code. As a result, the new Lion worm is roughly 1/30th the size of
the original.
Both versions of Lion email user and password information of systems that are
successfully compromised. In addition, both propagate by targeting systems
running the vulnerable versions of bind.
Technical Observations:
Original Lion (1i0n) makes the following system modifications:
1) Creates directory /dev/.lib, and installs lion files into that directory
2) Deletes the following files:
*) /.bash_history
*) /etc/hosts.deny
*) /root/.bash_history
*) /var/log/messages
*) /var/log/maillog
3) Appends "/dev/.lib/lib/scan/star.sh" to /etc/rc.d/rc.sysinit to ensure that
the worm will continue to attempt to propagate after a reboot
4) Appends the following to /etc/inetd.conf
*) 1008 stream tcp nowait root /bin/sh sh
*) 60008 stream tcp nowait root /bin/sh sh
*) 33567 stream tcp nowait root /bin/sh sh
5) Creates file /etc/ttyhash with encrypted backdoor password
6) Creates directory /usr/src/.puta, and copies root kit configuration files plus
*) /usr/src/.puta/t0rnp -- linsniff password extractor
*) /usr/src/.puta/t0rnsb -- system log file wiper
7) Creates directory /usr/info/.torn, and installs secure shell configuration
files
8) Installs and runs secure shell server in /usr/sbin/nscd
9) Installs and runs tfn2k in /bin/in.telnetd
10) Installs system log wiper into /bin/mjy
11) Creates /usr/man/man1/man1/lib/.lib, and copies the following:
*) /bin/mjy (system log wiper)
*) /bin/in.telnetd (tfn2k)
*) /bin/sh, with setuid/setgid privileges added
12) Appends the following lines to /etc/rc.d/rc.sysinit:
*) # Name Server Cache Daemon..
*)
*) /usr/sbin/nscd -q
*) /bin/in.telnetd
*)
*) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
13) Overwrites the following executables with trojans:
*) /usr/sbin/in.fingerd -- Back door
*) /bin/ps
*) /sbin/ifconfig
*) /usr/bin/du
*) /bin/netstat
*) /usr/bin/top
*) /bin/ls
*) /usr/bin/find
14) Modifies /etc/inetd.conf to run the finger service as root
New Version of Lion (1i0n) makes the following system modifications:
1) Creates directory /dev/.lib, and installs lion files into that directory
2) Deletes the following files:
*) /.bash_history
*) /var/log/messages
*) /var/log/maillog
3) Appends "/dev/.lib/lib/scan/star.sh" to /etc/rc.d/rc.sysinit (this is not
the correct location of the "star.sh" file, so the worm will not continue to
propagate after a reboot)
4) Appends the following to /etc/inetd.conf
*) 1008 stream tcp nowait root /bin/sh sh
-------------------End of NIPC Advisory-------------------
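The host checks that the SOLUTION section and the NIPC "Technical Observations"
list call for, written out as an added example for this bulletin. It is not the
SANS lionfind or NIPC find_ddos tool and it removes nothing; it only reports the
indicators NIPC lists (the /dev/.lib, /usr/src/.puta, /usr/info/.torn and
/usr/man/man1/man1/lib/.lib directories, /etc/ttyhash, /bin/mjy, the root
shells bound to ports 1008, 60008 and 33567 in /etc/inetd.conf, the lines
appended to /etc/rc.d/rc.sysinit, the deleted /etc/hosts.deny, and the
setuid/setgid copy of /bin/sh). The script name lion_check.sh, the function
names and the fixture directories it builds are this example's own; the
fixtures are constructed for offline demonstration, not captures from an
infected host.

```shell
#!/bin/sh
# lion_check.sh -- report the host-based Lion (1i0n) indicators from the NIPC
# advisory.  Added example, not the SANS lionfind or NIPC find_ddos tools.
# Takes a root prefix so it can be run against a mounted image of a suspect
# disk instead of the live system (whose ls/find/ps/netstat may be trojaned).

# Print every Lion indicator found under the root prefix $1, one per line.
lion_indicators() {
    root="${1%/}"                  # "" and "/" both mean the live root

    # 1. Directories and files the original worm creates.
    for p in /dev/.lib /etc/ttyhash /usr/src/.puta /usr/info/.torn \
             /usr/man/man1/man1/lib/.lib /bin/mjy; do
        if [ -e "$root$p" ]; then
            printf 'path: %s\n' "$p"
        fi
    done

    # 2. inetd backdoors: root shells bound to 1008, 60008 and 33567.
    if [ -r "$root/etc/inetd.conf" ]; then
        grep -E '^(1008|60008|33567)[[:space:]]+stream[[:space:]]+tcp[[:space:]]+nowait[[:space:]]+root[[:space:]]+/bin/sh' \
            "$root/etc/inetd.conf" | sed 's/^/inetd: /'
    fi

    # 3. Persistence appended to rc.sysinit: the scanner restart, the fake
    #    nscd (really an ssh server) and the fake in.telnetd (really tfn2k).
    if [ -r "$root/etc/rc.d/rc.sysinit" ]; then
        grep -E '/dev/\.lib/lib/scan/star\.sh|^/usr/sbin/nscd -q|^/bin/in\.telnetd' \
            "$root/etc/rc.d/rc.sysinit" | sed 's/^/rc.sysinit: /'
    fi

    # 4. The worm deletes /etc/hosts.deny; its absence is a weak indicator.
    if [ -d "$root/etc" ] && [ ! -e "$root/etc/hosts.deny" ]; then
        printf 'missing: /etc/hosts.deny\n'
    fi

    # 5. setuid/setgid copy of /bin/sh stashed under the fake man page dir.
    if [ -d "$root/usr/man/man1/man1/lib/.lib" ]; then
        find "$root/usr/man/man1/man1/lib/.lib" -type f \
            \( -perm -4000 -o -perm -2000 \) | sed "s|^$root|setuid: |"
    fi
}

# Number of indicator lines; 0 means nothing from the NIPC list was seen.
lion_indicator_count() {
    lion_indicators "$1" | wc -l | tr -d ' '
}

# Constructed fixture (not a real capture): a fake root laid out the way the
# original Lion leaves a host, so the checks can be exercised offline.
make_lion_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/dev/.lib/lib/scan" "$d/etc/rc.d" "$d/usr/src/.puta" \
             "$d/usr/man/man1/man1/lib/.lib"
    cat > "$d/etc/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
1008 stream tcp nowait root /bin/sh sh
60008 stream tcp nowait root /bin/sh sh
33567 stream tcp nowait root /bin/sh sh
EOF
    cat > "$d/etc/rc.d/rc.sysinit" <<'EOF'
#!/bin/sh
/dev/.lib/lib/scan/star.sh
# Name Server Cache Daemon..

/usr/sbin/nscd -q
/bin/in.telnetd
EOF
    : > "$d/usr/man/man1/man1/lib/.lib/sh"
    chmod 4755 "$d/usr/man/man1/man1/lib/.lib/sh"
    printf '%s\n' "$d"
}

# Constructed clean root for comparison: hosts.deny present, stock inetd.conf.
make_clean_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/rc.d"
    printf 'ALL: ALL\n' > "$d/etc/hosts.deny"
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n' > "$d/etc/inetd.conf"
    printf '#!/bin/sh\n/sbin/depmod -a\n' > "$d/etc/rc.d/rc.sysinit"
    printf '%s\n' "$d"
}

# Usage: lion_check.sh ROOT    (e.g. /mnt/suspect, or / for the live host)
#        lion_check.sh --demo  (runs the checks against the constructed fixture)
case "${1:-}" in
    --demo) fx=$(make_lion_fixture); lion_indicators "$fx"; rm -rf "$fx" ;;
    "")     ;;
    *)      lion_indicators "$1" ;;
esac
```

Run it against a mounted image of the suspect disk rather than the live
system: the original worm replaces ls, find, ps, netstat and ifconfig, so the
live binaries may hide /dev/.lib and the listening backdoors. The
hosts.deny check is a weak signal on its own, since many hosts never had that
file; treat it as corroboration for the other lines, and treat any hit on the
inetd or rc.sysinit entries as grounds for the reinstall the bulletin
recommends. On RPM-based systems, `rpm -V` on the packages that own the
binaries in item 13 is a quick cross-check, bearing in mind that a trojaned
rpm binary could lie as well.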
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of The National Infrastructure
Protection Center (NIPC) for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-053: Cisco IOS Software TCP Initial Sequence Number Improvements
L-054: Microsoft IIS and Exchange Malformed URL Denial of Service
L-055: pcAnywhere Denial of Service, abnormal server connection
L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
L-059: Microsoft IIS WebDAV Denial of service Vulnerability
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call