__________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Center

__________________________________________________________

                           INFORMATION BULLETIN

                     The Lion Internet Worm DDOS Risk

April 2, 2001 18:00 GMT                                          Number L-064
______________________________________________________________________________

PROBLEM:       Further analysis of the Lion Internet worm by the NIPC indicates that it has the potential for causing much more damage than originally expected. In addition to automatically propagating itself, the worm installs multiple backdoors and the Tribe Flood Network (tfn2k) distributed denial of service (DDOS) tool. A second version of the worm simply propagates and installs a single backdoor.

PLATFORM:      Linux on x86 platforms with unpatched BIND services, but the worm could be expanded to other UNIX platforms. Affected versions of BIND include: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and 8.2.3-beta. Unaffected versions of BIND include: 8.2.3-REL and 9.

DAMAGE:        The original version of the worm installs a rootkit to hide itself, replacing many system utilities. Infected systems need to be reinstalled to assure that all affected files are replaced. Should the tfn2k tool be activated, all infected machines could be used to perform a large scale distributed denial of service attack.

SOLUTION:      Users with affected versions of BIND should update immediately. Network operators should watch for outgoing e-mails to china.com and for incoming connections to ports 1008, 60008, 33567 and 33568 (ssh). System owners should check for infections by using the SANS tool (lionfind) or by examining the contents of /dev/.lib for the worm's files, and they should scan for tfn2k using the NIPC tool (find_ddos). Users with infected systems need to reinstall those systems.
______________________________________________________________________________

VULNERABILITY
ASSESSMENT:    Risk is Medium. The worm is in the wild; however, the web site coollion.51.net is no longer providing the worm's files. The result is that currently infected systems can still attack and compromise other systems, install backdoors, and send mail to china.com, but cannot install the rootkit, DDOS tools, or the infection tools. The potential for a large scale distributed denial of service attack is high from systems infected before coollion.51.net stopped providing files (sometime before 3/30/01). There is also the risk that a new variant will appear that uses a different website to get its tools.
______________________________________________________________________________

The following advisory was posted on the NIPC website on March 30, 2001. See the NIPC website for the latest version of this advisory: http://www.nipc.gov/warnings/advisories/2001/01-005.htm

-------------------Start of NIPC Advisory-------------------

ADVISORY 01-005
"Lion Internet Worm" DDOS Targeting Unix Systems
Issued 03/23/2001, Updated March 30, 2001

The NIPC has received reports of an Internet worm named "Lion" that is infecting computers and installing distributed denial of service (DDOS) tools on various computer systems. Illegal activity of this nature typically is designed to create large networks of hosts capable of launching coordinated packet flooding denial of service attacks. Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial of service attacks.

Description:

Access to these systems has been accomplished primarily through compromises exploiting the bind vulnerabilities in versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, as well as the 8.2.3 betas. To read more about the bind vulnerabilities, please refer to the CERT/CC advisory at http://www.cert.org/advisories/CA-2001-02.html.
Once infected, the Lion worm scans random class B networks on port 53 looking for systems running the vulnerable bind versions listed above. Once compromised, the system will send the contents of the /etc/password and /etc/shadow files to a remote computer. The worm also contacts coollion.51.net (211.100.18.56) and downloads a copy of the worm along with several hacking tools, including the "t0rn" rootkit and the Tribe Flood Network client (tfn2k). Additionally, a compromised system will have its /etc/hosts.deny file deleted, thereby eliminating the host-based perimeter protection afforded by tcp wrappers.

In addition to the above listed toolkit, the Lion worm installs several backdoor compromises along with what NIPC analysis confirms is a password sniffer, thereby giving the hacker a network of machines from which to launch an attack in the future. This initial activity appears to be the precursor to a larger DDOS attack. These backdoor compromises provide root access to the victim systems, thereby making security more difficult. System administrators who detect such a compromise should take all appropriate steps to reestablish the integrity of their computers and networks.

Recommendations:

• NIPC recommends that all computer network owners and organizations examine their systems for evidence of this worm and associated DDOS tools. Specific technical instructions for detection of the Lion worm are available from the SANS website http://www.sans.org/y2k/lion.htm. This site also includes a tool called "Lionfind" which is provided to identify the files that the worm is using; however, this program does not remove those files.

• Users running affected versions of bind can go to http://www.cert.org/advisories/CA-2001-02.html and download the most recent patch.

• The NIPC continues to make available on its website a software application (find_ddos) that can be used to detect the presence of the tfn2k client program.
Tool Description:

The tool (find_ddos) is available for Solaris on Sparc or Intel platforms and Linux on Intel platforms. It has been designed to detect tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon and tfn-rush client. The latest version (3.3) should solve some out-of-memory errors, prevent self-detection, and support process scanning on Solaris 2.5.1. Consult the readme file for more information. This download is for Solaris 2.5.1, 2.6, and Solaris 7 on the Sparc or Intel platforms, and Linux on Intel platforms. This tool will not work on a Windows 95/98/NT-based PC.

· Readme (http://www.nipc.gov/warnings/alerts/1999/README)
· Solaris on Sparc Executable File (tar, compressed format) version 4.2 (http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_sparc.tar.Z)
· Linux on Intel Executable File (tar, compressed format) version 4.2 (http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_linux.tar.Z)
· Solaris on Intel Executable File (tar, compressed format) version 4.2 (http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_intel.tar.Z)
· Checksums (The MD5 Checksums are provided to verify the integrity of the files.) (http://www.nipc.gov/warnings/alerts/1999/checksums)

Please report computer crime to your local FBI office (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.

Update As of March 30, 2001

The NIPC has confirmed two versions of the Lion worm in the wild. Upon further analysis of the original Lion worm, the NIPC has determined that the daemon/zombie portion of tfn2k is installed on a victim system once compromised. Further, the tfn2k daemon is launched once it is installed and also upon reboot.
This creates a widespread zombie network that is ready to receive commands and launch an attack. Additionally, it appears that the Lion worm specifically targets Linux systems, contrary to what the title of this advisory originally indicated. However, the code could be modified to target other flavors of Unix. Also, because the worm overwrites system files, it is not easily removed from an infected computer. Therefore, the NIPC believes that reinstalling the operating system (or at a minimum, reinstalling specific system files) may be the only way to ensure the integrity of the system.

A newer version of the Lion worm does not have the t0rn rootkit or tfn2k as part of its code. As a result, the new Lion worm is roughly 1/30th the size of the original. Both versions of Lion email user and password information of systems that are successfully compromised. In addition, both propagate by targeting systems running the vulnerable versions of bind.

Technical Observations:

Original Lion (1i0n) makes the following system modifications:

 1) Creates directory /dev/.lib, and installs lion files into that directory
 2) Deletes the following files:
    *) /.bash_history
    *) /etc/hosts.deny
    *) /root/.bash_history
    *) /var/log/messages
    *) /var/log/maillog
 3) Appends "/dev/.lib/lib/scan/star.sh" to /etc/rc.d/rc.sysinit to ensure that the worm will continue to attempt to propagate after a reboot
 4) Appends the following to /etc/inetd.conf
    *) 1008 stream tcp nowait root /bin/sh sh
    *) 60008 stream tcp nowait root /bin/sh sh
    *) 33567 stream tcp nowait root /bin/sh sh
 5) Creates file /etc/ttyhash with encrypted backdoor password
 6) Creates directory /usr/src/.puta, and copies root kit configuration files plus
    *) /usr/src/.puta/t0rnp -- linsniff password extractor
    *) /usr/src/.puta/t0rnsb -- system log file wiper
 7) Creates directory /usr/info/.torn, and installs secure shell configuration files
 8) Installs and runs secure shell server in /usr/sbin/nscd
 9) Installs and runs tfn2k in /bin/in.telnetd
10) Installs system log wiper into /bin/mjy
11) Creates /usr/man/man1/man1/lib/.lib, and copies the following:
    *) /bin/mjy (system log wiper)
    *) /bin/in.telnetd (tfn2k)
    *) /bin/sh, with setuid/setgid privileges added
12) Appends the following lines to /etc/rc.d/rc.sysinit:
    *) # Name Server Cache Daemon..
    *)
    *) /usr/sbin/nscd -q
    *) /bin/in.telnetd
    *)
    *) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
13) Overwrites the following executables with trojans:
    *) /usr/sbin/in.fingerd -- Back door
    *) /bin/ps
    *) /sbin/ifconfig
    *) /usr/bin/du
    *) /bin/netstat
    *) /usr/bin/top
    *) /bin/ls
    *) /usr/bin/find
14) Modifies /etc/inetd.conf to run the finger service as root

New Version of Lion (1i0n) makes the following system modifications:

 1) Creates directory /dev/.lib, and installs lion files into that directory
 2) Deletes the following files:
    *) /.bash_history
    *) /var/log/messages
    *) /var/log/maillog
 3) Appends "/dev/.lib/lib/scan/star.sh" to /etc/rc.d/rc.sysinit (this is not the correct location of the "star.sh" file, so the worm will not continue to propagate after a reboot)
 4) Appends the following to /etc/inetd.conf
    *) 1008 stream tcp nowait root /bin/sh sh

-------------------End of NIPC Advisory-------------------
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of The National Infrastructure Protection Center (NIPC) for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California.
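As an added example that is not part of the CIAC or NIPC text, the following POSIX shell function checks a filesystem tree for the host modifications listed under Technical Observations (the worm's hidden directories, /etc/ttyhash, the root shells added to /etc/inetd.conf, and the startup hooks appended to /etc/rc.d/rc.sysinit). The function name lion_check and its root-prefix argument are the example's own choices; because the original worm trojans ls, ps, netstat and find, it is meant to be run from trusted media or against an infected disk mounted under a clean system.

```sh
#!/bin/sh
# Added example: flag Lion (1i0n) host indicators from the advisory's
# "Technical Observations" list. Argument: root of the tree to inspect
# (default "/"), e.g. a suspect disk mounted read-only at /mnt/suspect.
# Only [ and grep are used, since the rootkit replaces ls, ps, find, etc.
lion_check() {
    root="${1:-/}"
    hits=0

    # Items 1, 6, 7, 11: hidden directories the worm creates
    for d in /dev/.lib /usr/src/.puta /usr/info/.torn /usr/man/man1/man1/lib/.lib; do
        if [ -d "$root$d" ]; then
            echo "HIT directory $d"
            hits=$((hits + 1))
        fi
    done

    # Item 5: file holding the encrypted backdoor password
    if [ -f "$root/etc/ttyhash" ]; then
        echo "HIT file /etc/ttyhash"
        hits=$((hits + 1))
    fi

    # Item 4: root shells bound to ports 1008, 60008, 33567 via inetd
    f="$root/etc/inetd.conf"
    if [ -f "$f" ]; then
        n=$(grep -cE '^(1008|60008|33567)[[:space:]]+stream[[:space:]]+tcp[[:space:]]+nowait[[:space:]]+root[[:space:]]+/bin/sh' "$f" || true)
        [ "$n" -gt 0 ] && echo "HIT $n inetd backdoor line(s) in /etc/inetd.conf"
        hits=$((hits + n))
    fi

    # Items 3 and 12: scanner, ssh backdoor and tfn2k hooked into rc.sysinit
    f="$root/etc/rc.d/rc.sysinit"
    if [ -f "$f" ]; then
        n=$(grep -cE '/dev/\.lib/lib/scan/star\.sh|^/usr/sbin/nscd -q|^/bin/in\.telnetd' "$f" || true)
        [ "$n" -gt 0 ] && echo "HIT $n startup hook(s) in /etc/rc.d/rc.sysinit"
        hits=$((hits + n))
    fi

    echo "lion indicators found: $hits"
    [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = indicators present
}
```

A zero count is not proof of a clean host; the trojaned binaries in item 13 can only be confirmed against known-good checksums, which is why the advisory recommends reinstalling.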
CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-053: Cisco IOS Software TCP Initial Sequence Number Improvements
L-054: Microsoft IIS and Exchange Malformed URL Denial of Service
L-055: pcAnywhere Denial of Service, abnormal server connection
L-056: The Naked Wife (W32.Naked@mm) Trojan
L-057: Kerberos /tmp Root Vulnerability
L-058: HPUX Sec. Vulnerability asecure
L-059: Microsoft IIS WebDAV Denial of service Vulnerability
L-061: Microsoft IE can Divulge Location of Cached Content
L-062: Erroneous Verisign-Issued Digital Certificates for Microsoft
L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call