02 April 2001

             AUSCERT External Security Bulletin Redistribution

                    ESB-2001.133 -- CIAC BULLETIN L-064
                     The Lion Internet Worm DDOS Risk
                               3 April 2001


        AusCERT Security Bulletin Summary

Product:                bind 8.2
                        bind 8.2-P1
                        bind 8.2.1
                        bind 8.2.2-Px
                        bind 8.2.3-betas
Vendor:                 ISC
Impact:                 Execute Arbitrary Code/Commands
                        Root Compromise
Access Required:        Remote

Ref:                    AL-2001.05

- --------------------------BEGIN INCLUDED TEXT--------------------



                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_   /
                          \___  __|__  /     \___

                              INFORMATION BULLETIN

                        The Lion Internet Worm DDOS Risk

April 2, 2001 18:00 GMT                                           Number L-064
PROBLEM:       Further analysis of the Lion Internet worm by the NIPC 
               indicates that it has the potential for causing much more 
               damage than originally expected. In addition to automatically 
               propagating itself, the worm installs multiple backdoors and 
               the Tribe Flood Network (tfn2k) distributed denial of service 
               (DDOS) tool. A second version of the worm simply propagates and 
               installs a single backdoor. 
PLATFORM:      Linux on x86 platforms with unpatched BIND services but could 
               be expanded to other UNIX platforms. Affected versions of BIND 
               include: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and 8.2.3-beta. 
               Unaffected versions of BIND include: 8.2.3-REL and 9. 
DAMAGE:        The original version of the worm installs a rootkit to hide 
               itself, replacing many system utilities. Infected systems need 
               to be reinstalled to assure that all affected files are 
               replaced. Should the tfn2k tool be activated, all infected 
               machines could be used to perform a large scale distributed 
               denial of service attack. 
SOLUTION:      Users with affected versions of BIND should update immediately. 
               Network operators should watch for outgoing e-mails to 
               china.com and for incoming connections to ports 1008, 60008, 
               33567, 33568 (ssh). System owners should check for infections 
               by using the SANS tool (lionfind) or by examining the contents 
               of /dev/.lib for the worm's files and they should scan for 
               tfn2k using the NIPC tool (find_ddos). Users with infected 
               systems need to reinstall those systems. 
VULNERABILITY  Risk is Medium. The worm is in the wild, however the web site
ASSESSMENT:    coollion.51.net is no longer providing the worm's files. The 
               result is that currently infected systems can still attack and 
               compromise other systems, install backdoors, and send mail to 
               china.com but cannot install the rootkit, DDOS tools, or the 
               infection tools. The potential for a large scale distributed 
               denial of service attack is high from systems infected before 
               coollion.51.net stopped providing files (sometime before 
               3/30/01). There is also the risk that a new variant will appear 
               that uses a different website to get its tools. 

The following advisory was posted on the NIPC website on March 30, 2001. See 
the NIPC website for the latest version of this advisory: 


- - -------------------Start of NIPC Advisory------------------- 


- - -------------------End of NIPC Advisory--------------------



- --------------------------END INCLUDED TEXT--------------------
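
The host-side checks from the SOLUTION field above, scripted as an added
example. It is not the SANS lionfind or NIPC find_ddos tool and not code from
CIAC, NIPC or AusCERT. The function names and the sample netstat text are
constructed here, and treating the listed ports as LISTEN sockets on the host
is an assumption.

```sh
#!/bin/sh
# Added example: host triage using only indicators named in the bulletin.
LION_PORTS="1008 60008 33567 33568"   # backdoor ports from the SOLUTION field

# 0 = listed as affected, 1 = listed as unaffected, 2 = not listed (check by hand)
bind_version_status() {
    case "$1" in
        8.2|8.2-P1|8.2.1|8.2.2-P*|8.2.3-beta*) return 0 ;;
        8.2.3-REL|9|9.*)                        return 1 ;;
        *)                                      return 2 ;;
    esac
}

# Read `netstat -an` style text on stdin; print bulletin ports in LISTEN state.
lion_listening_ports() {
    awk -v ports="$LION_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $6 == "LISTEN" { port = $4; sub(/.*:/, "", port); if (port in want) print port }
    ' | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# True if the worm's file directory exists under ROOT ("" = live system).
# ROOT can be a mounted disk image, which avoids trusting utilities that the
# rootkit may have replaced on the running host.
lion_dir_present() { [ -d "${1:-}/dev/.lib" ]; }

# Print one line per finding; the return value is the number of findings.
lion_triage() {   # usage: lion_triage ROOT BIND_VERSION < netstat-output
    findings=0; st=0
    if lion_dir_present "$1"; then
        echo "FOUND: $1/dev/.lib exists"; findings=$((findings + 1))
    fi
    hits=$(lion_listening_ports)
    if [ -n "$hits" ]; then
        echo "FOUND: listening on bulletin ports: $hits"; findings=$((findings + 1))
    fi
    bind_version_status "$2" || st=$?
    case "$st" in
        0) echo "FOUND: BIND $2 is listed as affected"; findings=$((findings + 1)) ;;
        2) echo "NOTE: BIND $2 is not listed either way" ;;
    esac
    return "$findings"
}

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT='tcp   0   0 0.0.0.0:53      0.0.0.0:*        LISTEN
tcp   0   0 0.0.0.0:60008   0.0.0.0:*        LISTEN
tcp   0   0 0.0.0.0:1008    0.0.0.0:*        LISTEN
tcp   0   0 10.0.0.5:22     10.0.0.9:33567   ESTABLISHED'
# Live use: netstat -an | lion_triage "" 8.2.2-P5
```

A clean result does not clear a host on its own, since the bulletin notes that
the rootkit replaces system utilities; run the checks against an offline image
where possible.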

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.
