[wplug] Virus alert. (linux)

stewart stewart at penn.com
Fri Mar 23 18:49:23 EST 2001


------------------ Virus Alert ------------------

Lion Worm (Linux)
The SANS Institute's Global Incident Analysis Center has issued an alert
warning of a Linux worm similar to the Ramen virus but significantly
more dangerous. The Lion worm affects Linux machines running the BIND
DNS server, versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas.

According to William Stearns, Senior Research Engineer of the Dartmouth
Institute for Security Technology Studies, the worm takes advantage of a
known vulnerability. "The machines attacked today were attacked because
the administrators failed to update their systems when the TSIG
vulnerability was discovered and patches were released," Stearns said.
"Unlike the Ramen worm which affected default Red Hat Linux versions 6.2
and 7.0 only, the Lion worm takes advantage of a known vulnerability
that affects Linux machines running several versions of the BIND DNS
server. This TSIG vulnerability was discovered in early January, when
someone realized there was a way to cause a BIND DNS server to run
arbitrary commands outside of that server. For example, a legitimate
request might be a domain name in which case the DNS would return the
valid IP address. However, the vulnerability allows someone to send
something other than a name request and instead send the name server a
wrong string of characters. In this case, a carefully constructed string
of characters can run arbitrary commands, known as a buffer overflow
attack. By coming up with a buffer overflow attack like Lion worm,
hundreds of thousands of additional holes can be opened up on systems.
As a result, attacked machines also become the attackers."

In short, the Lion worm acts in much the same way as an email worm that
relies on the infected machines to infect others. In this instance,
however, the infected machines are subject to security compromises.
Full details can be found at:
http://antivirus.about.com/library/weekly/aa032301a.htm

    I just received this email. /Ed



