Published:
02 April 2001
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
            AUSCERT External Security Bulletin Redistribution

                  ESB-2001.133 -- CIAC BULLETIN L-064
                     The Lion Internet Worm DDOS Risk
                              3 April 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                bind 8.2
                        bind 8.2-P1
                        bind 8.2.1
                        bind 8.2.2-Px
                        bind 8.2.3-betas
Vendor:                 ISC
Impact:                 Execute Arbitrary Code/Commands
                        Root Compromise
Access Required:        Remote

Ref:                    AL-2001.05

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
             __________________________________________________________

                             INFORMATION BULLETIN

                      The Lion Internet Worm DDOS Risk

April 2, 2001 18:00 GMT                                           Number L-064
______________________________________________________________________________
PROBLEM:       Further analysis of the Lion Internet worm by the NIPC
               indicates that it has the potential for causing much more
               damage than originally expected. In addition to automatically
               propagating itself, the worm installs multiple backdoors and
               the Tribe Flood Network (tfn2k) distributed denial of service
               (DDOS) tool. A second version of the worm simply propagates
               and installs a single backdoor.

PLATFORM:      Linux on x86 platforms with unpatched BIND services, but
               could be expanded to other UNIX platforms. Affected versions
               of BIND include: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and 8.2.3-beta.
               Unaffected versions of BIND include: 8.2.3-REL and 9.

DAMAGE:        The original version of the worm installs a rootkit to hide
               itself, replacing many system utilities. Infected systems
               need to be reinstalled to assure that all affected files are
               replaced. Should the tfn2k tool be activated, all infected
               machines could be used to perform a large scale distributed
               denial of service attack.

SOLUTION:      Users with affected versions of BIND should update
               immediately. Network operators should watch for outgoing
               e-mails to china.com and for incoming connections to ports
               1008, 60008, 33567, 33568 (ssh). System owners should check
               for infections by using the SANS tool (lionfind) or by
               examining the contents of /dev/.lib for the worm's files, and
               they should scan for tfn2k using the NIPC tool (find_ddos).
               Users with infected systems need to reinstall those systems.
______________________________________________________________________________
VULNERABILITY  Risk is Medium. The worm is in the wild; however, the web site
ASSESSMENT:    coollion.51.net is no longer providing the worm's files. The
               result is that currently infected systems can still attack
               and compromise other systems, install backdoors, and send
               mail to china.com, but cannot install the rootkit, DDOS
               tools, or the infection tools. The potential for a large
               scale distributed denial of service attack is high from
               systems infected before coollion.51.net stopped providing
               files (sometime before 3/30/01). There is also the risk that
               a new variant will appear that uses a different website to
               get its tools.
______________________________________________________________________________

The following advisory was posted on the NIPC website on March 30, 2001.
See the NIPC website for the latest version of this advisory:

   http://www.nipc.gov/warnings/advisories/2001/01-005.htm

- - -------------------Start of NIPC Advisory-------------------

   http://www.ciac.org/ciac/bulletins/l-064.shtml

- - -------------------End of NIPC Advisory--------------------

- -----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is the
responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----
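The SOLUTION section above lists the network and host indicators operators are told to watch for. The following script is an added example (not part of the AusCERT or CIAC bulletin) that applies those indicators to log lines; the iptables-style firewall format, the sendmail-style mail format and all sample lines are assumptions constructed for the example.

```python
"""Added example, not part of the bulletin: flag the Lion worm indicators the
SOLUTION section tells operators to watch for, over constructed sample logs."""
import os
import re

# Indicators quoted from the bulletin.
LION_BACKDOOR_PORTS = {1008, 60008, 33567, 33568}  # 33568 is the worm's ssh backdoor
LION_MAIL_DOMAIN = "china.com"                      # worm sends mail here
LION_DROP_DIR = "/dev/.lib"                         # worm keeps its files here

# Assumed log formats (constructed for this example, not real captures):
#   firewall: iptables-style "... SRC=a.b.c.d DST=e.f.g.h PROTO=TCP SPT=n DPT=m"
#   mail:     sendmail-style  "... to=<user@domain>, stat=Sent"
_FW_FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
_MAIL_TO = re.compile(r"\bto=<([^>]+)>")

def backdoor_connections(fw_lines, internal_prefix):
    """Inbound TCP hits on a Lion backdoor port, as (src, dst, dport) tuples."""
    hits = []
    for line in fw_lines:
        f = dict(_FW_FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        if int(f["DPT"]) in LION_BACKDOOR_PORTS and f.get("DST", "").startswith(internal_prefix):
            hits.append((f["SRC"], f["DST"], int(f["DPT"])))
    return hits

def mail_to_china_com(mail_lines):
    """Recipient addresses at china.com seen in outbound mail log lines."""
    return [addr for line in mail_lines for addr in _MAIL_TO.findall(line)
            if addr.lower().endswith("@" + LION_MAIL_DOMAIN)]

def lion_drop_dir_present(root="/"):
    """True if /dev/.lib exists; 'root' lets a mounted image be checked offline."""
    return os.path.isdir(os.path.join(root, LION_DROP_DIR.lstrip("/")))

SAMPLE_FW = [  # constructed sample lines
    "Apr  2 10:01:12 gw kernel: IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP SPT=41022 DPT=33568",
    "Apr  2 10:01:15 gw kernel: IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP SPT=41023 DPT=80",
    "Apr  2 10:02:40 gw kernel: IN=eth0 SRC=203.0.113.9 DST=10.1.2.9 PROTO=UDP SPT=5353 DPT=1008",
    "Apr  2 10:03:01 gw kernel: IN=eth1 SRC=10.1.2.3 DST=192.0.2.50 PROTO=TCP SPT=1025 DPT=60008",
]
SAMPLE_MAIL = [  # constructed sample lines
    "Apr  2 10:04:00 ns1 sendmail[812]: f32A400812: to=<someone@china.com>, stat=Sent",
    "Apr  2 10:04:30 ns1 sendmail[815]: f32A430815: to=<admin@example.org>, stat=Sent",
]

if __name__ == "__main__":
    print(backdoor_connections(SAMPLE_FW, "10."), mail_to_china_com(SAMPLE_MAIL))
    print("drop dir present:", lion_drop_dir_present())
```

A hit on any of these checks is only a trigger for the bulletin's remedy (reinstall), since the rootkit replaces system utilities and the host itself cannot be trusted to report its own state.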