IWS - The Information Warfare Site

ADVISORY 01-005

"Lion Internet Worm" DDoS Targeting Unix Systems
March 23, 2001, Updated May 05, 2001

The NIPC has received reports of an Internet worm named "Lion" that is infecting computers and installing distributed denial of service (DDoS) tools on various computer systems. Illegal activity of this nature typically is designed to create large networks of hosts capable of launching coordinated packet flooding denial of service attacks. Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial of service attacks.

Description:

Access to these systems has been gained primarily through compromises exploiting the BIND vulnerabilities in versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and the 8.2.3 betas. For more about the BIND vulnerabilities, refer to the CERT/CC advisory at http://www.cert.org/advisories/CA-2001-02.html. Once a system is infected, the Lion worm scans random class B networks on port 53 looking for systems running the vulnerable BIND versions listed above. Once a system is compromised, it sends the contents of the /etc/passwd and /etc/shadow files to a remote computer. The worm also contacts coollion.51.net (211.100.18.56) and downloads a copy of itself along with several hacking tools, including the "t0rn" rootkit and the Tribe Flood Network client (tfn2k). Additionally, a compromised system has its /etc/hosts.deny file deleted, eliminating the host-based perimeter protection afforded by TCP Wrappers.

In addition to the toolkit listed above, the Lion worm installs several backdoors along with what NIPC analysis confirms is a password sniffer, giving the attacker a network of machines from which to launch an attack in the future. This initial activity appears to be the precursor to a larger DDoS attack. These backdoors provide root access to the victim systems, making them more difficult to secure. System administrators who detect such a compromise should take all appropriate steps to reestablish the integrity of their computers and networks.

Recommendations:

• NIPC recommends that all computer network owners and organizations examine their systems for evidence of this worm and the associated DDoS tools. Specific technical instructions for detecting the Lion worm are available from the SANS web site at http://www.sans.org/y2k/lion.htm. That site also includes a tool called "Lionfind", which identifies the files the worm uses; however, it does not remove those files.

• Users running affected versions of BIND can go to http://www.cert.org/advisories/CA-2001-02.html and download the most recent patch.

• The NIPC continues to make available on its web site a software application (find_ddos) that can be used to detect the presence of the tfn2k client program.

Tool Description:

The tool (find_ddos) is available for Solaris on SPARC or Intel platforms and Linux on Intel platforms. It is designed to detect the tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht client, stacheldraht daemon, and tfn-rush client.

The latest version (3.3) should resolve some out-of-memory errors, prevent self-detection, and support process scanning on Solaris 2.5.1. Consult the readme file for more information. This download is for Solaris 2.5.1, 2.6, and Solaris 7 on the SPARC or Intel platforms, and Linux on Intel platforms.

This tool will not work on Windows 95-, Windows 98-, or Windows NT-based PCs.

• Readme (http://www.nipc.gov/warnings/alerts/1999/README)

• Solaris on SPARC executable file (tar, compressed format), version 4.2 (http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_sparc.tar.Z)

• Linux on Intel executable file (tar, compressed format), version 4.2 (http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_linux.tar.Z)

• Solaris on Intel executable file (tar, compressed format), version 4.2 (http://www.nipc.gov/warnings/alerts/1999/find_ddos_v42_intel.tar.Z)

• Checksums (MD5 checksums are provided to verify the integrity of the files.) (http://www.nipc.gov/warnings/alerts/1999/checksums)

Please report computer crime to your local FBI office (www.fbi.gov/contact/fo/fo.htm) or to the NIPC, and to other appropriate authorities. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit can also be reached at (202) 323-3204/3205/3206, or nipc.watch@fbi.gov.

Update As of May 05, 2001

The NIPC has received information concerning a new version of the "Lion" worm that has been reported to be attempting to infect computers. This new version appears to be similar to past versions, with the exception that it retrieves a rootkit from a new address. A "strings" search on the worm indicates the following address and port as the potential download site:

http://61.143.121.159:27374

Additionally, the newly distributed version of the worm installs a back door program on port 10008/tcp, and e-mails system password and configuration information to huckit@china.com.

System and network administrators are advised to inspect their networks for traffic to or from the listed IP addresses, ports, and e-mail address. Systems passing traffic to the listed addresses should be examined carefully for worm activity.
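As an added example (not part of the NIPC advisory or its find_ddos tool), the following Python flags the network indicators this advisory names in a connection log: contact with the two download hosts, connections to the 10008/tcp back door, and port-53 probing across many distinct class B networks. The log format, the sample flows, and the four-network scan threshold are constructed assumptions for illustration; the IP addresses and ports are those given in the advisory.

```python
# Added example: flag Lion worm network indicators in connection logs.
# Log format is constructed for illustration, one flow per line:
#   "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
from collections import defaultdict

# Indicator values (IPs, ports) as named in the advisory.
DOWNLOAD_HOSTS = {"211.100.18.56": "coollion.51.net download site",
                  "61.143.121.159": "May 2001 variant download site"}
BACKDOOR_PORT = 10008   # back door installed by the May 2001 variant
SCAN_PORT = 53          # worm probes random class B networks for vulnerable BIND
SCAN_THRESHOLD = 4      # distinct /16s hit on port 53 before flagging (assumed value)

def parse_flow(line):
    ts, src, _, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, sip, int(sport), dip, int(dport), proto.lower()

def class_b(ip):
    """Return the /16 prefix of a dotted-quad address, e.g. '10.20' for 10.20.30.40."""
    return ".".join(ip.split(".")[:2])

def find_lion_indicators(lines):
    """Return (host, reason) pairs for flows matching the advisory's indicators."""
    findings = []
    scan_targets = defaultdict(set)  # scanning host -> distinct /16s probed on port 53
    for line in lines:
        _, sip, _, dip, dport, proto = parse_flow(line)
        if dip in DOWNLOAD_HOSTS:
            findings.append((sip, f"contacted {DOWNLOAD_HOSTS[dip]} ({dip}:{dport})"))
        if proto == "tcp" and dport == BACKDOOR_PORT:
            findings.append((dip, f"accepted connection on backdoor port {dport}/tcp from {sip}"))
        if dport == SCAN_PORT:
            scan_targets[sip].add(class_b(dip))
    for host, nets in scan_targets.items():
        if len(nets) >= SCAN_THRESHOLD:
            findings.append((host, f"probed port 53 across {len(nets)} distinct class B networks"))
    return findings

# Constructed sample flows (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
2001-03-23T10:00:01 192.0.2.10:3301 -> 198.51.100.5:53 udp
2001-03-23T10:00:02 192.0.2.10:3302 -> 203.0.113.9:53 tcp
2001-03-23T10:00:02 192.0.2.10:3303 -> 198.18.4.4:53 tcp
2001-03-23T10:00:03 192.0.2.10:3304 -> 198.19.7.7:53 tcp
2001-03-23T10:00:09 192.0.2.10:3310 -> 211.100.18.56:80 tcp
2001-03-23T10:01:00 192.0.2.77:4000 -> 192.0.2.10:10008 tcp
2001-05-05T12:00:00 192.0.2.44:2100 -> 61.143.121.159:27374 tcp
2001-05-05T12:00:05 192.0.2.44:2101 -> 192.0.2.1:53 udp
""".splitlines()
```

Running `find_lion_indicators(SAMPLE_LOG)` reports 192.0.2.10 three times (scanner, download contact, back door) and 192.0.2.44 once; the single port-53 query from 192.0.2.44 stays below the scan threshold.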