Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Lion Worm

Lion Worm

by bliixx on March 25th, 2001 AN "UNUSUALLY DESTRUCTIVE" computer worm is winding through the network conduits of Linux computers, capable of massively compromising servers by exploiting a known vulnerability, security researchers said Friday.




The Lion worm uses infected servers to randomly scan for TCP port-53 connections, which mark a computer on the network and not a printer, fax machine, or other device, said Greg Shipley, director of security for Neohapsis, an information security consulting firm in Chicago.

When it penetrates a vulnerable system, the worm then steals user names and password files for all the accounts on the system, e-mailing them along with the computer's system-configuration data to an address at China.com. It rewrites several programs on the computer, transforming them into Trojan horses, or back-doors into the system. It launches more probes along the network. And it covers its tracks in system logs, figuratively wiping up the glass shards after punching out a window in the system.

"It turns your system into Swiss cheese. It really rips through you," said Shipley. "None of the stuff that the worm does is new. I've just never seen it packaged all together. I've seen all the components ... but I've never seen anything that kicks in your door, and eats all of your food, and squats on your rug, and steals all of your jewelry, and, and, and ..."

It looks for servers running Linux and the BIND DNS server program. Versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3 betas of Bind may have the vulnerability. The worm can penetrate the network of any company that has a vulnerable server connected to the Internet. Although the worm currently only affects Linux-based servers, it's very likely that it will be modified to attack Unix servers in general, said Alan Paller, director of research for the System Administration, Networking, and Security (SANS) Institute.

Researchers from the institute, a security research organization in Bethesda, Md., discovered the worm after noticing a 500 percent to 600 percent increase in the number of port-53 scans reported in a two-day period. The Global Incident Analysis Center (GIAC) at the SANS Institute gathers network-intrusion data from anyone willing to provide it and distributes that processed data for free to any who asks for it.

The combination of the automated attack, the package of damaging tools, and the exploit used make the worm unusually dangerous, Paller said. Because virtually all servers run BIND -- an application used to translate the string of numbers used for domain-name registration into the words commonly used to surf to a Web site -- the sheer number of potential targets make the worm more dangerous.

"It's the meanest piece of code I've seen," Paller said. "It's what hackers do manually when they break into a system ... You don't need to do anything for it to spread, making it much more dangerous."

Even if a system administrator discovers the worm, upgrades the BIND version, and patches the secret back doors into the system, the hacker who received the passwords could still use them to invade the system again. For systems like those used by ISPs serving thousands of users, it could take a long time to issue new passwords and regain security.

Both Paller and Shipley said the worm would not be able to spread if system administrators updated their systems as soon as a serious vulnerability is made public. This particular vulnerability was reported at the end of January. BIND is considered a vulnerable spot in a network, because system administrators hesitate to modify the program for fear of taking down their network.

"When the dust settles from this, I'm going to use this as a point to convince CIOs that everyone is a target," Shipley said, still groggy from working through the night uncovering the secrets of the worm. "It's scanning random networks. It doesn't care if it's a .com., .net. or .mil."

System administrators may download detection tools from www.sans.org/y2k/lionfind-0.1.tar.gz.


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »