Worm Targeting Linux Could Cause Serious Damage
Published by: webmaster 2008-08-21

A new worm targeting Linux machines running the BIND DNS server is rapidly making its way across the Internet and has the potential to create serious damage, according to the SANS Institute's Global Incident Analysis Center (GIAC).

The GIAC team uncovered the worm -- which may have originated with a hacking crew in China -- late Thursday. The team has logged in the neighborhood of 49,000 scans for vulnerable BIND servers in the past two days.

The worm has been dubbed Lion, and has similarities to the Ramen worm which burrowed into machines running Red Hat 6.2 and 7.0 in January.

"However, this worm is significantly more dangerous and should be taken very seriously," the SANS GIAC team wrote in its alert Friday.

In part, that is because Lion e-mails password and config files to an account at the china.com domain.

"By sending back those files, the attacker has yet another way to break back into the system in addition to the security breaches that were made by the worm when it first attacked the system," said William Stearns, a research engineer at the Institute for Security Technology Studies at Dartmouth College. "This is how it differs from the Ramen worm. Ramen actually was very nice about closing the security holes behind itself as it attacked the system. This one leaves those security holes open and opens up new ones, to the point that if you're affected by this [worm] we're not 100 percent sure that it's worth trying to salvage the system. It may very well be more reasonable to try to take off your data and reformat the drive."

The worm can infect BIND 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas, using the TSIG vulnerability exposed by the Computer Emergency Response Team (CERT) Coordination Center on Jan. 29.

Lion spreads via an application called "randb". Randb scans random class B networks probing TCP port 53. Once it finds a system it checks for the vulnerability, and, if the system is vulnerable, it attacks the system using an exploit called "name." It then installs the t0rn rootkit and proceeds to:

  • Send the contents of the /etc/passwd, /etc/shadow, and some network settings to an address in the china.com domain
  • Delete /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers
  • Install backdoor root shells on ports 60008/tcp and 33567/tcp
  • Install a trojaned version of ssh that listens on 33568/tcp
  • Kill Syslogd so the logging on the system can't be trusted
  • Install a trojaned version of login
  • Look for a hashed password in /etc/ttyhash
  • Overwrite /usr/sbin/nscd (the optional Name Service Caching daemon) with a trojaned version of ssh.

The t0rn rootkit also replaces a number of binaries on the system -- including du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, and top -- in order to stealth itself. Mjy, a utility for cleaning out log entries, is placed in /bin and /usr/man/man1/man1/lib/.lib/. For unknown reasons, in.telnetd is also placed in those directories. Also, a setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x.
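The file, port and configuration changes listed above are exactly the artefacts a defender can look for. The script below is an added example written for this page, not Stearns's Lionfind and not the original article's code; it turns the indicators the article names (the /etc/ttyhash file, the /usr/man/man1/man1/lib/.lib/ directory and its setuid .x shell, the mjy binary, the deleted /etc/hosts.deny, and listeners on 60008/tcp, 33567/tcp and 33568/tcp) into checks that run against a filesystem root and a netstat-style listing. The path and port lists, the function names, the fake root and the netstat sample are all assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Stearns's lionfind: an indicator check built only from the
# artefacts this article names. Path list, port list, fake root and the netstat
# sample are constructed assumptions for the demo. Real use (with a netstat taken
# from trusted media, since t0rn replaces the host's own):  netstat -tln | lion_report /

# Files and directories the article says Lion/t0rn leaves behind (relative to ROOT).
LION_PATHS="etc/ttyhash usr/man/man1/man1/lib/.lib usr/man/man1/man1/lib/.lib/.x usr/man/man1/man1/lib/.lib/mjy usr/man/man1/man1/lib/.lib/in.telnetd bin/mjy"

# Ports the article says the backdoor root shells and the trojaned ssh listen on.
LION_PORTS="60008 33567 33568"

# Print (on stdout) how many dropped-file indicators exist under ROOT; hits go to stderr.
lion_path_hits() {
    root=${1:-/}
    n=0
    for p in $LION_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "  [hit] file present: $root/$p" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Count listeners on the backdoor ports in a netstat -tln style listing read from
# stdin (the local address column looks like 0.0.0.0:60008).
lion_port_hits() {
    n=0
    while read -r proto rq sq laddr rest || [ -n "$proto" ]; do
        port=${laddr##*:}
        for bp in $LION_PORTS; do
            if [ "$port" = "$bp" ]; then
                echo "  [hit] listener on tcp/$bp" >&2
                n=$((n + 1))
            fi
        done
    done
    echo "$n"
}

# Succeed when /etc/hosts.deny is absent (the article says Lion deletes it).
lion_hosts_deny_missing() {
    [ ! -e "${1:-/}/etc/hosts.deny" ]
}

# Succeed when the setuid shell the article describes exists with the setuid bit set.
lion_setuid_shell() {
    [ -u "${1:-/}/usr/man/man1/man1/lib/.lib/.x" ]
}

# Run every check against ROOT (netstat listing on stdin); print the total and
# return 0 only when no indicator was found.
lion_report() {
    root=${1:-/}
    total=$(lion_path_hits "$root")
    ports=$(lion_port_hits)
    total=$((total + ports))
    if lion_hosts_deny_missing "$root"; then
        echo "  [hit] /etc/hosts.deny is missing" >&2
        total=$((total + 1))
    fi
    if lion_setuid_shell "$root"; then
        echo "  [hit] setuid shell at usr/man/man1/man1/lib/.lib/.x" >&2
        total=$((total + 1))
    fi
    echo "Lion indicators found: $total"
    [ "$total" -eq 0 ]
}

# Build a constructed fake root that mimics an infected host and print its path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/bin" "$d/usr/man/man1/man1/lib/.lib"
    : > "$d/etc/ttyhash"
    : > "$d/bin/mjy"
    : > "$d/usr/man/man1/man1/lib/.lib/.x"
    chmod 4755 "$d/usr/man/man1/man1/lib/.lib/.x"
    # /etc/hosts.deny is deliberately absent, as on a Lion victim
    echo "$d"
}

# Constructed netstat -tln output for that fake host (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60008           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33567           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33568           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Demo run against the constructed root.
sample=$(make_sample_root)
printf '%s\n' "$SAMPLE_NETSTAT" | lion_report "$sample" || echo "verdict: host shows Lion indicators"
rm -rf "$sample"
```

The listing is read from stdin rather than by calling netstat inside the script because, as the paragraph above notes, t0rn replaces netstat, ps, ls and find on the victim: any evidence gathered with the host's own binaries can be filtered by the rootkit. Feed the script output from a statically linked netstat on trusted media, or point ROOT at a disk image mounted on a clean machine, and treat a single hit as sufficient reason to follow Stearns's advice about rebuilding rather than cleaning.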

One bug tracker pointed to a portion of one of the shell scripts -- "#removed this patching since this kit is not going to be used with the # wuftpd/statd worms..." -- which he said indicated that the creators were at least thinking about using the worm for other exploits.

Once the machine is fully infiltrated, Lion forces the machine to begin scanning the Internet for other victims.

Stearns has written a script called Lionfind, which can detect if a system has been infiltrated by Lion. The utility is available here. Lionfind is not currently able to remove the worm from an infected system.

Stearns also noted that fewer systems will be affected by Lion than were affected by Ramen -- simply because fewer systems run their own name servers -- but the costs to those affected are likely to be considerably higher.


