
Linux Users Beware the Lion

March 23, 2001: The SANS Institute's Global Incident Analysis Center has issued an alert warning of a Linux worm similar to the Ramen virus but significantly more dangerous. The Lion worm affects Linux machines running the BIND DNS server, versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas.

According to William Stearns, Senior Research Engineer of the Dartmouth Institute for Security Technology Studies, the worm takes advantage of a known vulnerability. "The machines attacked today were attacked because the administrators failed to update their systems when the TSIG vulnerability was discovered and patches were released," Stearns said. "Unlike the Ramen worm which affected default Red Hat Linux versions 6.2 and 7.0 only, the Lion worm takes advantage of a known vulnerability that affects Linux machines running several versions of the BIND DNS server. This TSIG vulnerability was discovered in early January, when someone realized there was a way to cause a BIND DNS server to run arbitrary commands outside of that server. For example, a legitimate request might be a domain name in which case the DNS would return the valid IP address. However, the vulnerability allows someone to send something other than a name request and instead send the name server a wrong string of characters. In this case, a carefully constructed string of characters can run arbitrary commands, known as a buffer overflow attack. By coming up with a buffer overflow attack like the one found in the Lion worm, additional holes can be opened up on hundreds of thousands of systems. As part of the process, attacked machines also become the attackers."

The SANS/GIAC alert advises that "the Lion worm spreads via an application called 'randb'. Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called 'name'. It then installs the t0rn rootkit." The SANS alert cautions that once Lion has compromised a system, it:

  • Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the china.com domain.
  • Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers.
  • Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd, see /etc/inetd.conf).
  • Installs a trojaned version of ssh that listens on 33568/tcp.
  • Kills syslogd, so the logging on the system can't be trusted.
  • Installs a trojaned version of login
  • Looks for a hashed password in /etc/ttyhash
  • /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.

Additionally, the t0rn rootkit replaces several system binaries in order to hide itself: du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top.
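The indicators above can be turned into a small host-triage script. This is an added example, not code from SANS, Dartmouth ISTS or the LionFind tool; because the rootkit replaces netstat and ls, it reads /proc/net/tcp and the filesystem directly instead of calling those binaries. The sample /proc/net/tcp rows and the assumption that the inetd.conf entries name the backdoor ports numerically are constructed for illustration.

```python
# Host-triage helpers for the Lion indicators quoted from the SANS/GIAC alert.
# Added example (not from the alert). netstat and ls are trojaned by t0rn, so
# these helpers parse /proc/net/tcp and stat files directly; samples are constructed.
import os
import re

LION_BACKDOOR_PORTS = {60008, 33567, 33568}   # inetd root shells + trojaned ssh
LION_PORT_RE = re.compile(r"\b(60008|33567)\b")  # ports Lion adds to inetd.conf (assumed numeric)

def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp text; return the set of ports in LISTEN state (st == 0A)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # local_address is hexIP:hexPort
    return ports

def lion_listeners(proc_net_tcp_text):
    """Backdoor ports from the alert that are actually listening on this host."""
    return sorted(listening_ports(proc_net_tcp_text) & LION_BACKDOOR_PORTS)

def suspicious_inetd_lines(inetd_conf_text):
    """Active (non-comment) inetd.conf lines that mention a Lion backdoor port."""
    return [l.strip() for l in inetd_conf_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#") and LION_PORT_RE.search(l)]

def lion_file_findings(root="/"):
    """File-level indicators from the alert, checked under `root`
    (pass a constructed tree instead of "/" when testing)."""
    findings = []
    etc = os.path.join(root, "etc")
    if not os.path.exists(os.path.join(etc, "hosts.deny")):
        findings.append("/etc/hosts.deny missing (tcp wrappers deny list deleted)")
    if os.path.exists(os.path.join(etc, "ttyhash")):
        findings.append("/etc/ttyhash present (Lion password hash file)")
    inetd = os.path.join(etc, "inetd.conf")
    if os.path.exists(inetd):
        with open(inetd) as fh:
            for line in suspicious_inetd_lines(fh.read()):
                findings.append("inetd.conf backdoor entry: " + line)
    return findings

# Constructed sample /proc/net/tcp: sshd listening on 22, a Lion shell on 60008 (0xEA68).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0
   1: 00000000:EA68 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0
"""
```

On a live host run `lion_listeners(open("/proc/net/tcp").read())` and `lion_file_findings()` as root; an empty result does not prove the host is clean, since the alert also lists replaced binaries that these checks do not cover.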

The original SANS alert with further details can be viewed at http://www.sans.org/y2k/lion.htm. William Stearns has also developed a LionFind utility that alerts administrators to Lion-infected files; a removal tool is currently being developed. The LionFind tool and further details on the worm can be found at the Dartmouth ISTS website. Note that while the current description states LionFind is a removal tool, the author, William Stearns, clarified that it is not.
