Lion virus: How to detect and prevent

The dangerous Lion worm is stalking Linux systems. Worse than the Ramen worm, Lion installs, and then hides, hacker tools on vulnerable systems.

Linux system administrators have a new worm to worry about. The SANS Institute is reporting the presence of the Lion worm, which is much more dangerous than the Ramen worm seen earlier this year. What makes Lion more dangerous is that it can steal passwords, install and hide hacker tools, gain root access to an infected system and then attack other vulnerable systems.

It is unclear whether Lion will surpass Ramen in total number of systems infected. It may infect Unix systems as well as Linux systems.

How it works

Lion uses an application called randb to scan random class B networks. It probes TCP port 53, then exploits Linux systems that have not already patched the BIND vulnerabilities publicised earlier this year. Lion installs a hacker toolkit, the t0rn rootkit. Once installed on a system, Lion sends passwords and some network information to an address ending in china.com. Trojan versions of ssh and login are also installed.

Detection and removal

William Stearns, of the Institute for Security Technology Studies, has written a script called Lionfind to detect Lion. There is no removal program as yet. As prevention, users of BIND 4.9.8 and 8.2.3 distributions should download the latest patch from ISC. Users of the BIND 9.1 distribution should download this update.
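The scanning behaviour described above (one source walking a whole class B on TCP port 53) is visible in perimeter logs long before a host is compromised. The following is an added example, not Lionfind or any code from the article: it parses iptables-style log lines (a constructed sample is embedded) and flags any source that probed many distinct hosts inside a single /16 on TCP/53, ignoring ordinary UDP lookups. The log format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")

# Constructed iptables-style log sample (not from the article): one source walks
# ten hosts of a single class B on TCP/53; the rest is ordinary DNS traffic.
_sweep = [
    f"Mar 23 10:01:{i:02d} gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.{i} "
    f"PROTO=TCP DPT=53 SYN"
    for i in range(1, 11)
]
_benign = [
    "Mar 23 10:02:00 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.53 PROTO=UDP DPT=53",
    "Mar 23 10:02:01 gw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.53 PROTO=UDP DPT=53",
    "Mar 23 10:02:02 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.53 PROTO=TCP DPT=53 SYN",
    "Mar 23 10:02:03 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.80 PROTO=TCP DPT=80 SYN",
]
SAMPLE_LOG = "\n".join(_sweep + _benign)


def find_port53_sweeps(log_text, min_hosts=8):
    """Return (source, class_b, distinct_hosts) for every source that sent TCP/53
    probes to at least `min_hosts` different hosts inside one /16 network."""
    seen = defaultdict(set)  # (src, /16 network) -> distinct DST hosts probed
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dport = m.groups()
        if proto != "TCP" or dport != "53":
            continue  # Lion probes TCP/53; plain UDP lookups are not of interest
        try:
            dst_ip = ip_address(dst)
        except ValueError:
            continue  # malformed address, skip the line
        class_b = ip_network(f"{dst_ip}/16", strict=False)
        seen[(src, str(class_b))].add(str(dst_ip))
    hits = [(src, net, len(hosts)) for (src, net), hosts in seen.items()
            if len(hosts) >= min_hosts]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


if __name__ == "__main__":
    for src, net, n in find_port53_sweeps(SAMPLE_LOG):
        print(f"possible Lion-style sweep: {src} probed {n} hosts in {net} on TCP/53")
```

A source flagged here is a candidate for a firewall block and for checking the probed hosts with Lionfind; the threshold should be tuned against the site's normal zone-transfer traffic.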
