Worm Targeting Linux Could Cause Serious Damage
Published by: jack 2008-11-13
A new worm targeting Linux machines running the BIND DNS server is rapidly making its way across the Internet and has the potential to create serious damage, according to the SANS Institute's Global Incident Analysis Center (GIAC).

The GIAC team uncovered the worm -- which may have originated with a hacking crew in China -- late Thursday. The team has logged in the neighborhood of 49,000 scans for vulnerable BIND servers in the past two days.

The worm has been dubbed Lion, and has similarities to the Ramen worm which burrowed into machines running Red Hat 6.2 and 7.0 in January.

"However, this worm is significantly more dangerous and should be taken very seriously," the SANS GIAC team wrote in its alert Friday.

In part, that is because Lion e-mails password and config files to an account at the china.com domain.

"By sending back those files, the attacker has yet another way to break back into the system in addition to the security breaches that were made by the worm when it first attacked the system," said William Stearns, a research engineer at the Institute for Security Technology Studies at Dartmouth College. "This is how it differs from the Ramen worm. Ramen actually was very nice about closing the security holes behind itself as it attacked the system. This one leaves those security holes open and opens up new ones, to the point that if you're affected by this [worm] we're not 100 percent sure that it's worth trying to salvage the system. It may very well be more reasonable to try to take off your data and reformat the drive."

The worm can infect BIND 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas, using the TSIG vulnerability exposed by the Computer Emergency Response Team (CERT) Coordination Center on Jan. 29.

Lion spreads via an application called "randb". Randb scans random class B networks probing TCP port 53. Once it finds a system it checks for the vulnerability, and, if the system is vulnerable, it attacks the system using an exploit called "name." It then installs the t0rn rootkit and proceeds to:

  • Send the contents of the /etc/passwd, /etc/shadow, and some network settings to an address in the china.com domain
  • Delete /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers
  • Install backdoor root shells on ports 60008/tcp and 33567/tcp
  • Install a trojaned version of ssh that listens on 33568/tcp
  • Kill Syslogd so the logging on the system can't be trusted
  • Install a trojaned version of login
  • Look for a hashed password in /etc/ttyhash
  • Overwrite /usr/sbin/nscd (the optional Name Service Caching daemon) with a trojaned version of ssh.

The t0rn rootkit also replaces a number of binaries on the system -- including du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, and top -- in order to stealth itself. Mjy, a utility for cleaning out log entries, is placed in /bin and /usr/man/man1/man1/lib/.lib/. For unknown reasons, in.telnetd is also placed in those directories. Also, a setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x.
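
The host indicators listed above, collected into one check (an added example, not part of the original article and not Stearns's Lionfind script). The function name `lion_indicators`, its two arguments and the output wording are assumptions made for this example; the listening ports are passed in as a file because the rootkit replaces netstat on an infected host.

```shell
#!/bin/sh
# Added example: report Lion / t0rn indicators named in the article.
# Usage: lion_indicators ROOT PORTS_FILE
#   ROOT       filesystem root to inspect ("/" or a mounted disk image)
#   PORTS_FILE file with one listening TCP port number per line
lion_indicators() {
    root=${1%/}          # "/" becomes "", so "$root/etc" is "/etc"
    ports_file=$2
    lib=/usr/man/man1/man1/lib/.lib

    # Files and directories the worm and rootkit leave behind.
    # The shell's built-in test is used, not ls or find, which t0rn replaces.
    for p in /etc/ttyhash /bin/mjy "$lib" "$lib/.x"; do
        if [ -e "$root$p" ]; then echo "present: $p"; fi
    done

    # The setuid shell dropped in the hidden directory.
    if [ -u "$root$lib/.x" ]; then echo "setuid: $lib/.x"; fi

    # Lion deletes the tcp wrappers deny list.
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "missing: /etc/hosts.deny"
    fi

    # Backdoor root shells (60008, 33567) and trojaned ssh (33568).
    for port in 60008 33567 33568; do
        if grep -qx "$port" "$ports_file" 2>/dev/null; then
            echo "listening: $port/tcp"
        fi
    done
    return 0
}
```

Where possible, run it against a disk mounted from trusted boot media and build the port list from a scan made from another machine. An empty result does not clear a host, since a system may simply lack /etc/hosts.deny or the worm may have been modified.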

One bug tracker pointed to a portion of one of the shell scripts -- "#removed this patching since this kit is not going to be used with the # wuftpd/statd worms..." -- which he said indicated that the creators were at least thinking about using the worm for other exploits.

Once the machine is fully infiltrated, Lion forces the machine to begin scanning the Internet for other victims.

Stearns has written a script called Lionfind, which can detect if a system has been infiltrated by Lion. The utility is available here. Lionfind is not currently able to remove the worm from an infected system.

Stearns also noted that fewer systems will be affected by Lion than were affected by Ramen -- simply because fewer systems run their own name servers -- but the costs to those affected are likely to be considerably higher.

