ALERT [Lion Worm] [t0rn rootkit] Linux exploit

Bruce F Lucca lucca at www.gregoryscott.net
Fri Mar 23 12:10:20 EST 2001



Date: Fri, 23 Mar 2001  9:29:50 -0700 (MST)
From: The SANS Institute <securityalert at sans.org>
Subject: ALERT -  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET

ALERT!  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET 

March 23, 2001 7:00 AM

Late last night, the SANS Institute (through its Global Incident
Analysis Center) uncovered a dangerous new worm that appears to be
spreading rapidly across the Internet.  It scans the Internet looking
for Linux computers with a known vulnerability. It infects the
vulnerable machines, steals the password file  (sending it to a
China.com site), installs other hacking tools, and forces the newly
infected machine to begin scanning the Internet looking for other
victims.

Several experts from the security community worked through the night to
decompose the worm's code and engineer a utility to help you discover
if the Lion worm has affected your organization.

Updates to this announcement will be posted at the SANS web site,
<http://www.sans.org>


DESCRIPTION

The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously.  It
infects Linux machines running the BIND DNS server.  It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,
2001.

The Lion worm spreads via an application called "randb".  Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name".  It then installs the t0rn rootkit.

Once Lion has compromised a system, it:

- Sends the contents of /etc/passwd, /etc/shadow, as well as some
network settings to an address in the china.com domain.

- Deletes /etc/hosts.deny, eliminating the host-based perimeter
protection afforded by tcp wrappers.

- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
inetd, see /etc/inetd.conf)

- Installs a trojaned version of ssh that listens on 33568/tcp

- Kills syslogd, so the logging on the system can't be trusted

- Installs a trojaned version of login

- Looks for a hashed password in /etc/ttyhash

- /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned version of ssh.

The t0rn rootkit replaces several binaries on the system in order to
hide itself. Here are the binaries that it replaces:

du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
ps, pstree, top

- "Mjy" is a utility for cleaning out log entries, and is placed in /bin
and /usr/man/man1/man1/lib/.lib/.

- in.telnetd is also placed in these directories; its use is not known
at this time.

- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x

DETECTION AND REMOVAL

We have developed a utility called Lionfind that will detect the Lion
files on an infected system.  Simply download it, uncompress it, and
run lionfind. This utility will list which of the suspect files is on
the system.

At this time, Lionfind is not able to remove the worm from the system.

If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.

Download Lionfind at <http://www.sans.org/y2k/lionfind-0.1.tar.gz>
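The indicators listed above can also be checked without the Lionfind tarball. The script below is an added example written for this page; it is not the SANS Lionfind utility and encodes only what the advisory names: the hidden t0rn directory and its setuid shell, /etc/ttyhash, the deleted /etc/hosts.deny, inetd entries bound to 60008/tcp and 33567/tcp, the 33568/tcp listener, a stopped syslogd, and the list of replaced binaries. The ROOT argument is an assumption added so a mounted disk image or test tree can be scanned; it defaults to /. The inetd.conf pattern assumes the backdoor entries carry a numeric port in the service-name field (the sample entry in the comment is constructed), and the rpm -Vf check applies only to RPM-based hosts. Because t0rn replaces netstat, ps and ls, a clean result on a live host is weak evidence; confirm with a port scan from an uncompromised machine.

```shell
#!/bin/sh
# Added example, not the SANS Lionfind utility. Looks for the Lion/t0rn
# indicators named in the advisory under ROOT (default /). Passing another
# directory lets you scan a mounted disk image or a constructed test tree.

lion_check() {
    root="${1:-/}"
    hits=0

    # Hidden t0rn directory, setuid shell and the trojaned login's password file.
    for p in /usr/man/man1/man1/lib/.lib \
             /usr/man/man1/man1/lib/.lib/.x \
             /etc/ttyhash; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $p"
            hits=$((hits + 1))
        fi
    done

    # The worm deletes /etc/hosts.deny. Many clean hosts never had one, so this
    # is reported as a warning rather than counted as an indicator.
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "WARN: /etc/hosts.deny is missing (tcp wrappers deny list gone)"
    fi

    # Backdoor root shells registered through inetd on 60008/tcp and 33567/tcp.
    # Assumption: the entries use a numeric port in the service-name field,
    # e.g. "60008 stream tcp nowait root /bin/sh sh -i" (constructed sample).
    conf="$root/etc/inetd.conf"
    if [ -r "$conf" ]; then
        for port in 60008 33567; do
            if grep -Eq "^[[:space:]]*$port[[:space:]]" "$conf"; then
                echo "FOUND: inetd.conf entry bound to $port/tcp"
                hits=$((hits + 1))
            fi
        done
    fi

    # Live-host checks only: the trojaned ssh listener on 33568/tcp and the
    # killed syslogd. t0rn replaces netstat and ps, so a clean result here is
    # weak evidence; confirm with a port scan from an uncompromised machine.
    if [ "$root" = "/" ]; then
        if command -v netstat >/dev/null 2>&1 &&
           netstat -ltn 2>/dev/null | grep -q ':33568[[:space:]]'; then
            echo "FOUND: listener on 33568/tcp"
            hits=$((hits + 1))
        fi
        if command -v pidof >/dev/null 2>&1 && ! pidof syslogd >/dev/null 2>&1; then
            echo "WARN: syslogd is not running"
        fi
        # On RPM-based hosts, verify the binaries t0rn is known to replace
        # against the package database (rpm -Vf prints a line per changed file).
        if command -v rpm >/dev/null 2>&1; then
            for b in du find ifconfig in.telnetd in.fingerd login ls netstat ps pstree top; do
                path=$(command -v "$b" 2>/dev/null) || continue
                if rpm -Vf "$path" 2>/dev/null | grep -q "$path"; then
                    echo "FOUND: $path differs from its package"
                    hits=$((hits + 1))
                fi
            done
        fi
    fi

    echo "indicators found: $hits"
    [ "$hits" -eq 0 ]
}

# Usage: lion_check             (live host, exit status 0 means no indicators)
#        lion_check /mnt/image  (mounted disk image)
```

The exit status is non-zero whenever an indicator is found, so the function can be dropped into a cron job or a host inventory script; the hosts.deny and syslogd conditions are printed as warnings only, since both have benign explanations on hosts that never ran tcp wrappers or use a different logger.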


REFERENCES

Further information can be found at:

<http://www.sans.org/current.htm>
<http://www.cert.org/advisories/CA-2001-02.html> CERT Advisory CA-2001-02,
Multiple Vulnerabilities in BIND
<http://www.kb.cert.org/vuls/id/196945> ISC BIND 8 contains buffer overflow
in transaction signature (TSIG) handling code
<http://www.sans.org/y2k/t0rn.htm> Information about the t0rn rootkit.

The following vendor update pages may help you in fixing the original BIND
vulnerability:

Redhat Linux RHSA-2001:007-03 - Bind remote exploit
http://www.redhat.com/support/errata/RHSA-2001-007.html

Debian GNU/Linux DSA-026-1 BIND
http://www.debian.org/security/2001/dsa-026

SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
http://www.suse.com/de/support/security/2001_003_bind8_txt.txt

Caldera Linux CSSA-2001-008.0 Bind buffer overflow
http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.

The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.

Additional contributions came from Dave Dittrich of the University of
Washington and Greg Shipley of Neohapsis.

Matt Fearnow
SANS GIAC Incident Handler

If you have additional data on this worm or a critical question, please
email lionworm at sans.org

=======================================================


<http://www.sans.org/y2k/lion.htm>

Lion Worm
William Stearns has written a script to detect the Lion worm. He can be
reached at wstearns at pobox.com. This is version 0.1, updated 03/23/01 - 0700.


[Attachment: lionfind-0.1.tar.gz (application/octet-stream, base64)]


