New 'Lion' virus on the loose

Computer security experts have unearthed a new worm that they say is spreading rapidly on the Internet and is capable of changing network settings, stealing passwords and eliminating some security measures, setting up the infected machine for further attacks. Known as the Lion worm, the virus spreads through an application called "randb," which infects Linux machines running version 8 of the BIND DNS software, one of several iterations that are known to have numerous security vulnerabilities. Lion scans random networks, probing TCP port 53, looking for potential targets. Once the application finds a vulnerable machine, it uses an exploit called "name" and then installs the t0rn rootkit, which enables the attacker to wreak havoc on the compromised machine, according to an alert posted Friday morning by the SANS Institute. The worm then performs several operations, including sending a password file and some network settings to a mail address with the chin.com domain, deleting a file called /etc/hosts.deny, which eliminates the host-based perimeter protection, installing backdoor root shells on two TCP ports, installing a "trojaned" version of the secure shell, killing the system log and searching for a hashed password. SANS has developed a utility that will detect -- but not remove -- the worm. Lion exploits the transaction signature buffer-overflow vulnerability in BIND (Berkeley Internet Name Domain) version 8, which is one of four weaknesses found in January in the open-source DNS software. Fixes are available for all of the BIND flaws. After the Lion worm finishes its work, it then forces the compromised machine to scan the Internet for other vulnerable servers.