From: Robert J. Bradbury (
Date: Fri Mar 23 2001 - 15:46:20 MST

Those of you who are running LINUX should read this. Those not,
just toss it.

The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously. It
infects Linux machines running the BIND DNS server. It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,

The Lion worm spreads via an application called "randb". Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name". It then installs the t0rn rootkit.

[snip - all the bad stuff it does]


We have developed a utility called Lionfind that will detect the Lion
files on an infected system. Simply download it, uncompress it, and
run lionfind. This utility will list which of the suspect files is on
the system.

At this time, Lionfind is not able to remove the virus from the system.
If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.

Download Lionfind at


Further information can be found at:, CERT Advisory CA-2001-02,
Multiple Vulnerabilities in BIND ISC BIND 8 contains buffer overflow
in transaction signature (TSIG) handling code Information about the t0rn rootkit.
The following vendor update pages may help you in fixing the original BIND

Redhat Linux RHSA-2001:007-03 - Bind remote exploit
Debian GNU/Linux DSA-026-1 BIND
SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise. txt.txt
Caldera Linux CSSA-2001-008.0 Bind buffer overflow

This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.

The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.

Also contributing efforts go to Dave Dittrich from the University of
Washington, and Greg Shipley of Neohapsis

Matt Fearnow
SANS GIAC Incident Handler

This archive was generated by hypermail 2b30 : Mon May 28 2001 - 09:59:42 MDT