Information Security News mailing list archives

"Lion" worm stalks Linux machines


From: InfoSec News <isn () C4I ORG>
Date: Fri, 23 Mar 2001 20:32:33 -0600

http://news.cnet.com/news/0-1003-200-5234726.html?tag=tp_pr

By Cecily Barnes
Staff Writer, CNET News.com
March 23, 2001, 1:15 p.m. PT

A dangerous worm that can steal passwords from Linux servers is
rapidly spreading across the Internet and infecting other machines,
researchers said Friday.

Dubbed the "Lion" worm, the self-spreading program attacks servers
running specific versions of BIND (Berkeley Internet Name Domain)
server software. Because it can be so difficult to remove, victims may
have to wipe out their entire hard disks.

"We think it's going to cause people, unless they are brilliant, to
nuke the machine, erase everything on the disk, install the entire
operating system against hope (their) back-up files work," said Alan
Paller, director of research at the System Administration,
Networking and Security (SANS) Institute. "We don't believe it can be
cleaned out."

BIND is the software that runs domain name system (DNS) servers, which
translate Web addresses, or URLs, into number-based IP addresses. PCs
then use those addresses to reach a specific Web site.

The SANS Institute said it has had five confirmed reports of worm
infections: four companies and one university.

Linux machines infected with the worm send encrypted administrator-
level, or "root," password files to China.com, where hackers can
potentially decrypt the passwords and use them to gain access to
various areas of a company's system. The worm also creates "back
doors," which provide administrator-level access to hackers.

The worm appears to be a mutation of the Ramen worm, which was
discovered in January and infects only servers running Red Hat's
version of Linux.

"If they gain access through one of these back doors, they have
unrestricted access to the machine," said John Green, director of
information security for the SANS Institute. "This includes deleting
software, installing software, gaining proprietary information,
altering trust relationships, anything."

Despite the potential problems the worm could cause, little serious
damage has been detected so far.

"To my knowledge, no one has recorded that they have been breached by
an attack. They simply noted that the worm infected them and they're
looking to get rid of it," said Elias Levy, Chief Technical Officer of
SecurityFocus.com.

The "Lion" worm attempts to protect itself from detection by
installing a "root kit" on infected machines, which hides the presence
of hacker tools. As a result, IT administrators checking an infected
machine may not immediately see the infection.

As a remedy, SANS has created a program called Lionfind that IT
administrators can use to determine if their machines are infected.

Levy said a patch for this vulnerability has been available from the
Internet Software Consortium for several months. "The only machines
that are becoming infected are machines that haven't been kept up to
date with security patches," Levy said.

SANS' Paller warned that the worm could easily mutate to infect other
Unix-based machines, including Solaris, AIX and HP-UX.

"The change to make this worm work on other versions of Unix is
trivial," Paller said. "There's no reason to think you're safe if you
run Solaris or another Unix box."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".