Lion
Lion
Type Internet worm
Creator 1i0n
Date Discovered 2001.03.23
Place of Origin China
Source Language Shell Script
Platform Linux
File Type(s) .tgz, .sh, ELF
Infection Length 860,160 bytes
Reported Costs

Lion is a Linux worm that caused some minor havoc in early 2001. Its third variant is somewhat similar to Ramen. Some antivirus experts suspect a possible link between the Lion and Slammer worms.

Behavior

On a system already infected with Lion, the worm will scan for random class B IP networks on port 53 for systems with a Transaction Signiture (TSIG) buffer overflow vulnerability in the Berkeley Internet Name Domain Service (BIND DNS). The worm can only work with BIND DNS versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. When a vulnerable machine has been found, it sends the exploit code to that machine.

When the new system has been compromised, it creates a directory called /dev/.lib (the period before the name means it will be hidden). Lion then downloads the file crew.tgz from the website http://coollion.51.net/, which contains the main body of the Lion worm. The file will be downloaded and extracted to /.lib. The tgz archive has one main directory named /lib with two directories under it named /lib and /scan. The higher /lib directory also contains the file 1i0n.sh. The two directories contain the following files and directories:

In /lib:

  • /dev (directory)
  • 1i0n.sh
  • du
  • find
  • getip.sh
  • ifconfig
  • in.fingerd
  • in.telnetd
  • login
  • ls
  • mjy
  • name
  • netstat
  • pg
  • ps
  • pstree
  • ssh.tgz
  • sush
  • sz
  • t0rnp
  • t0rns
  • t0rnsb
  • tfn
  • top

In /scan:

  • 1i0n.sh
  • bind
  • bindname.log
  • bindx.sh
  • hack.sh
  • pscan
  • randb
  • scan.sh
  • star.sh

The ssh.tgz file in /lib contains a folder named /.torn ans the files:

  • sharsed
  • shdcf2
  • shhk
  • shhk.pub
  • shrs

After the contents are extracted, the component that scans for new systems to infect is executed.

It then sends the files shadow and passwd (both in the /etc directory) as well as the output of the command ifconfig to the email address 1i0nsniffer@china.com. The worm will then add an entry to the inetd.conf file in /etc and restart the inetd daemon, which opens a shell that listens for commands on port 1008, and removes the hosts.deny file.

This worm installs the t0rn rootkit. The rootkit disables the syslogd daemon. It adds two entries to the inetd.conf file which create a shell listening for commands on ports 33567 and 60008. It then restarts the inetd daemon in order to activate the changes. It then creates a trojanized ssh daemon named nscd in the /usr/sbin directory and adds an entry for it in the file '/etc/rc.d/rc.sysinit'. This daemon will listen to port 33568.

It replaces many system executables with functional but trojanized versions.

In the /bin directory, it replaces the following files:

  • ls
  • netstat
  • ps

In the /usr/bin directory:

  • du
  • find
  • top

In /usr/sbin it replaces in.fingerd and in /sbin it replaces ifconfig. It also creates two new files in the /bin directory, in.telnetd and mjy. These files open backdoors to the system and hide backdoor processes.

The rootkit places its configuration data in the following directories:

  • /usr/man/man1/man1/lib/.lib/
  • /usr/man/man1/man1/lib/.lib/.backup/
  • /usr/src/.puta/
  • /usr/info/.t0rn/

It creates the root shell with the file '/usr/man/man1/man1/lib/.x'.

Lion.png
A page defaced by Lion.C

Variants

Lion.B

The second variant of the Lion worm uses an updated version of the BIND exploit. It contains no rootkit.

Lion.C

The third variant of the Lion worm is very similar to the Ramen worm, with the exception that it uses the BIND exploits. The worm body does not rely on the server in China, but rather is downloaded from the previously infected computer. It replaces all "index.html" files with its own html page that contains an anti-Japanese message.

Origin

The Lion worm was created by a hacker who goes by the name "Lion", the founder of the Honker Union of China. He claimed that the worm was created to show Chinese anger at Japan for a textbook that allegedly attempts to downplay Japanese atrocities committed before and during the Second World War. Some researchers have expressed suspicion of this claim, as no message was attached to the worm until variant C, and the worm attacked the whole internet rather than just IP addresses in Japan. The HUC claimed that they did not know the correct IP address ranges for Japan, but those are publicly available.

The entire worm was not writt en by 1i0n himself. The BIND exploit was released by a Polish hacker group named Last Stage of Delirium (LSD) in 2001 February. The t0rn rootkit was created by a London, UK resident, who was arrested in 2002. Some of the code in the third variant was ripped from the Ramen worm.

Mikko Hypponen, a virus researcher at F-Secure believed that the Slammer worm may have been created by the Lion worm creator. Lion's creator had apperantly discussed a theoretical Slammer-like worm on some message boards.

Sources

Max Vision. Whitehats, Lion Internet Worm Analysis

F-Secure Antivirus, F-Secure Virus Descriptions : Lion

McAfee Antivirus, Linux/Lion.worm

Sophos Security Analysis, Linux/Lion Linux worm (Troj/t0rn-kit)

Mary Landesman. Antivirus, About.com, Lion worm

-. -, -, "Linux Users Beware the Lion"

Xuxian Jiang, Dongyan Xu. Dept. of Information and Software Engineering George Mason University, CERIAS and Dept. of Computer Science Purdue University, Profiling Self-Propogating Worms via Behavioral Footprinting.

John Jenkinson. SANS Institute, Malware FAQ: Multiple Vulnerabilities in BIND in year 2001

Nick Farrell. Vnunet, T0rn creator arrested. 2002.09.19

Martyn Williams, Paul Roberts, and Joris Evers, IDG News Service. PCWorld, Spread of Slammer Worm Slows. 2003.01.27

Anatomy of Lion Internet Worm

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License