RealTime IT News

Worm Targeting Linux Could Cause Serious Damage

A new worm targeting Linux machines running the BIND DNS server is rapidly making its way across the Internet and has the potential to create serious damage, according to the SANS Institute's Global Incident Analysis Center (GIAC).

The GIAC team uncovered the worm -- which may have originated with a hacking crew in China -- late Thursday. The team has logged in the neighborhood of 49,000 scans for vulnerable BIND servers in the past two days.

The worm has been dubbed Lion, and has similarities to the Ramen worm which burrowed into machines running Red Hat 6.2 and 7.0 in January.

"However, this worm is significantly more dangerous and should be taken very seriously," the SANS GIAC team wrote in its alert Friday.

In part, that is because Lion e-mails password and config files to an account at the china.com domain.

"By sending back those files, the attacker has yet another way to break back into the system in addition to the security breaches that were made by the worm when it first attacked the system," said William Stearns, a research engineer at the Institute for Security Technology Studies at Dartmouth College. "This is how it differs from the Ramen worm. Ramen actually was very nice about closing the security holes behind itself as it attacked the system. This one leaves those security holes open and opens up new ones, to the point that if you're affected by this [worm] we're not 100 percent sure that it's worth trying to salvage the system. It may very well be more reasonable to try to take off your data and reformat the drive."

The worm can infect BIND 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas, using the TSIG vulnerability exposed by the Computer Emergency Response Team (CERT) Coordination Center on Jan. 29.

Lion spreads via an application called "randb". Randb scans random class B networks, probing TCP port 53. Once it finds a system, it checks for the vulnerability and, if the system is vulnerable, attacks it using an exploit called "name." It then installs the t0rn rootkit and proceeds to:

  • Send the contents of the /etc/passwd, /etc/shadow, and some network settings to an address in the china.com domain
  • Delete /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers
  • Install backdoor root shells on ports 60008/tcp and 33567/tcp
  • Install a trojaned version of ssh that listens on 33568/tcp
  • Kill Syslogd so the logging on the system can't be trusted
  • Install a trojaned version of login
  • Look for a hashed password in /etc/ttyhash
  • Overwrite /usr/sbin/nscd (the optional Name Service Caching daemon) with a trojaned version of ssh.

The t0rn rootkit also replaces a number of binaries on the system -- including du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, and top -- in order to hide itself. Mjy, a utility for cleaning out log entries, is placed in /bin and /usr/man/man1/man1/lib/.lib/. For unknown reasons, in.telnetd is also placed in those directories. Also, a setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x.
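The artifacts listed above (the hidden .lib directory, /etc/ttyhash, the backdoor ports, the deleted hosts.deny and the killed syslogd) are exactly what a host-side check would look for. The following Python script is an added example, not part of the article and not Stearns' Lionfind: it parses /proc/net/tcp for listening ports, checks for the rootkit's file paths and process names, and separates strong indicators from weak ones (a missing /etc/hosts.deny or a stopped syslogd can also occur on a clean host). The indicator values come from the article; the snapshot format, function names and the constructed sample data are this example's own.

```python
"""Check a Linux host snapshot for the Lion worm / t0rn rootkit artifacts.

Added example (not the article's code and not Lionfind). Indicator values are
the ones the article lists; everything else here is an assumption of this script.
"""
import os

# Hidden directory the article says the t0rn rootkit drops under /usr/man.
T0RN_DIR = "/usr/man/man1/man1/lib/.lib"

# Paths whose presence is a strong sign of the rootkit (all named in the article).
STRONG_PATHS = [
    "/etc/ttyhash",            # hashed password the rootkit looks for
    T0RN_DIR,                  # hidden rootkit directory itself
    T0RN_DIR + "/.x",          # setuid shell
    T0RN_DIR + "/mjy",         # log-cleaning utility
    T0RN_DIR + "/in.telnetd",  # telnetd copy placed there for unknown reasons
    "/bin/mjy",
]

# TCP ports the article says the worm listens on.
BACKDOOR_PORTS = {
    60008: "backdoor root shell",
    33567: "backdoor root shell",
    33568: "trojaned sshd",
}

_TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def listening_ports_from_proc_net_tcp(text):
    """Return the set of local ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == _TCP_LISTEN:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))  # port is hex
    return ports


def check_snapshot(existing_paths, listening_ports, process_names):
    """Return (strong, weak) lists of findings for a host snapshot."""
    strong, weak = [], []
    for path in STRONG_PATHS:
        if path in existing_paths:
            strong.append("rootkit artifact present: " + path)
    for port, what in sorted(BACKDOOR_PORTS.items()):
        if port in listening_ports:
            strong.append("%d/tcp listening (%s)" % (port, what))
    if "randb" in process_names:
        strong.append("randb scanner process running")
    # Weak signals: the worm causes these, but so can ordinary administration.
    if "/etc/hosts.deny" not in existing_paths:
        weak.append("/etc/hosts.deny missing (worm deletes it)")
    if "syslogd" not in process_names:
        weak.append("syslogd not running (worm kills it; logs are untrustworthy)")
    return strong, weak


def live_snapshot():
    """Collect the three inputs from the running host (Linux with /proc only)."""
    paths = {p for p in STRONG_PATHS + ["/etc/hosts.deny"] if os.path.lexists(p)}
    with open("/proc/net/tcp") as f:
        ports = listening_ports_from_proc_net_tcp(f.read())
    procs = set()
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/comm" % pid) as f:
                procs.add(f.read().strip())
        except OSError:
            pass  # process exited between listdir and open
    return paths, ports, procs


# Constructed sample: an infected host with named (53), sshd (22) and the
# 60008/tcp backdoor listening, plus one established connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:EA68 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8320 0100007F:C001 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_PATHS = {"/etc/passwd", "/etc/ttyhash", T0RN_DIR + "/.x"}  # no hosts.deny
SAMPLE_PROCS = {"named", "randb", "init"}                        # no syslogd


def run_sample():
    """Evaluate the constructed infected-host sample."""
    ports = listening_ports_from_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return check_snapshot(SAMPLE_PATHS, ports, SAMPLE_PROCS)


if __name__ == "__main__":
    strong, weak = run_sample()  # use live_snapshot() instead on a real host
    for line in strong:
        print("STRONG:", line)
    for line in weak:
        print("WEAK:  ", line)
```

Because the rootkit replaces ls, netstat and ps, a check that shells out to those binaries on a suspect host cannot be trusted; this script reads /proc directly and uses os.path.lexists, but on a rooted machine even the kernel view may be altered, so treat any strong hit as grounds for the reformat Stearns recommends rather than for cleanup.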

One bug tracker pointed to a portion of one of the shell scripts -- "#removed this patching since this kit is not going to be used with the # wuftpd/statd worms..." -- which he said indicated that the creators were at least thinking about using the worm for other exploits.

Once the machine is fully infiltrated, Lion forces the machine to begin scanning the Internet for other victims.

Stearns has written a script called Lionfind, which can detect if a system has been infiltrated by Lion. The utility is available here. Lionfind is not currently able to remove the worm from an infected system.

Stearns also noted that fewer systems will be affected by Lion than were affected by Ramen -- simply because fewer systems run their own name servers -- but the costs to those affected are likely to be considerably higher.