"Lion Internet Worm" DDoS Targeting Unix Systems
The NIPC has received reports of an Internet worm named "Lion" that is infecting computers and installing distributed denial of service (DDoS) tools on various computer systems. Illegal activity of this nature typically is designed to create large networks of hosts capable of launching coordinated packet flooding denial of service attacks. Possible motives for this malicious activity include exploit demonstration, exploration and reconnaissance, or preparation for widespread denial of service attacks.
In addition to the above listed toolkit, the Lion worm installs several backdoor compromises along with what NIPC analysis confirms is a password sniffer, thereby giving the hacker a network of machines from which to launch an attack in the future. This initial activity appears to be the precursor to a larger DDoS attack. These backdoor compromises provide root access to the victim systems, thereby making security more difficult. Systems administrators who detect such a compromise should take all appropriate steps to reestablish the integrity of their computers and networks.
NIPC recommends that all computer network
owners and organizations examine their systems for evidence of this worm
and associated DDoS tools. Specific technical instructions for detection
of the Lion worm are available from the SANS web site http://www.sans.org/y2k/lion.htm This
site also includes a tool called "Lionfind" which is provided to
identify the files that the worm is using, however, this program does not
remove those files.
The tool (find_ddos) is available for Solaris
on Sparc or Intel platforms and Linux on Intel platforms. It has been designed
to detect tfn2k client, tfn2k daemon, trinoo daemon, trinoo master, tfn daemon,
tfn client, stacheldraht master, stacheldraht client, stachelddraht demon
and tfn-rush client.
Please report computer crime to your local FBI office (www.fbi.gov/contact/fo/fo.htm) or the NIPC, and to other appropriate authorities. Incidents may be reported online at www.nipc.gov/incident/cirr.htm. The NIPC Watch and Warning Unit also can be reached at (202) 323-3204/3205/3206, or email@example.com.
Update As of May 05, 2001
The NIPC has received information concerning a new version of the "lion" worm that has been reported to be attempting to infect computers. This new version appears to be similar to past versions, with the exception that it retrieves a rootkit from a new address. A "strings" search on the worm indicates the following address and port as the potential download site:
Additionally, the newly-distributed version of the worm installs a back door program on port 10008/tcp, and e-mails system password and configuration information to firstname.lastname@example.org.
Systems & network administrators are advised
to inspect their networks for traffic to/from the listed IP address/ports
and e-mail address. Systems passing traffic to the listed addresses should
be examined carefully for worm activity.