Published:
02 April 2001
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2001.133 -- CIAC BULLETIN L-064
The Lion Internet Worm DDOS Risk
3 April 2001
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: bind 8.2
bind 8.2-P1
bind 8.2.1
bind 8.2.2-Px
bind 8.2.3-betas
Vendor: ISC
Impact: Execute Arbitrary Code/Commands
Root Compromise
Access Required: Remote
Ref: AL-2001.05
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
___ __ __ _ ___
/ | /_ /
\___ __|__ / \___
__________________________________________________________
INFORMATION BULLETIN
The Lion Internet Worm DDOS Risk
April 2, 2001 18:00 GMT Number l-064
______________________________________________________________________________
PROBLEM: Further analysis of the Lion Internet worm by the NIPC
indicates that it has the potential for causing much more
damage than originally expected. In addition to automatically
propagating itself, the worm installs multiple backdoors and
the Tribe Flood Network (tfn2k) distributed denial of service
(DDOS) tool. A second version of the worm simply propagates and
installs a single backdoor.
PLATFORM: Linux on x86 platforms with unpatched BIND services but could
be expanded to other UNIX platforms. Affected versions of BIND
include: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and 8.2.3-beta.
Unaffected versions of BIND include: 8.2.3-REL and 9.
DAMAGE: The original version of the worm installs a rootkit to hide
itself, replacing many system utilities. Infected systems need
to be reinstalled to assure that all affected files are
replaced. Should the tfn2k tool be activated, all infected
machines could be used to perform a large scale distributed
denial of service attack.
SOLUTION: Users with affected versions of BIND should update immediately.
Network operators should watch for outgoing e-mails to
china.com and for incoming connections to ports 1008, 60008,
33567, 33568 (ssh). System owners should check for infections
by using the SANS tool (lionfind) or by examining the contents
of /dev/.lib for the worm's files and they should scan for
tfn2k using the NIPC tool (find_ddos). Users with infected
systems need to reinstall those systems.
______________________________________________________________________________
VULNERABILITY Risk is Medium. The worm is in the wild, however the web site
ASSESSMENT: coollion.51.net is no longer providing the worm's files. The
result is that currently infected systems can still attack and
compromise other systems, install backdoors, and send mail to
china.com but cannot install the rootkit, DDOS tools, or the
infection tools. The potential for a large scale distributed
denial of service attack is high from systems infected before
coollion.51.net stopped providing files (sometime before
3/30/01). There is also the risk that a new variant will appear
that uses a different website to get its tools.
______________________________________________________________________________
The following advisory was posted on the NIPC website on March 30, 2001. See
the NIPC website for the latest version of this advisory:
http://www.nipc.gov/warnings/advisories/2001/01-005.htm
- - -------------------Start of NIPC Advisory-------------------
http://www.ciac.org/ciac/bulletins/l-064.shtml
- - -------------------End of NIPC Advisory--------------------
- -----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBOsjwKrnzJzdsy3QZAQH+9AQA9PwvEWOCjUiLt/dpPpsCMVZZCdFqhvcZ
gbM55Wb81N8IxnFjEURiov88vHYKXPOAjH766xNvpBXH2pdna4BCG8nkNtm3BDQJ
liSnHhftxCgz/58iO4sv4RuOgQFLmhNhukmM7Rqsm5Z1qBjD45dbehrENnbnrD99
KGKvEwmj7dc=
=T7Vc
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOsnVoSh9+71yA2DNAQHk8QP8CkGMKFdvvpnlMp2yz0Lc1ABuEkRn5HAX
zGNldb0Q3oTwsFpDgRe4J9QXbid19eXfRMAJIuJefyFAojwXDs2kFWxJOqr3RQrl
zFC5pNFeHjU21pqaoyzqucBCnlFNlOWBvJlIBpqC7eYK8aFx4ubSXnef+czzwPSp
yeJGHIpxzT4=
=uuDC
-----END PGP SIGNATURE-----