Summary

| Included in our products from | May 2001 (3.45) |
|---|---|
| Detected by | All Sophos products |
More Information
Linux/Lion is an internet worm written for the Linux operating system. It is closely related to Linux/Ramen: one of the files it drops is already detected as Linux/Ramen.
It spreads by scanning random class B IP networks for hosts running a version of the BIND name server daemon with a remotely exploitable vulnerability. Once it has found a candidate, it attacks the remote machine and, if the exploit succeeds, downloads and installs a package from coollion.51.net. This package contains a copy of the worm together with the t0rn rootkit. The rootkit hides the worm by replacing many system binaries with trojaned versions and by cleaning the log files. In particular, the following files may be created or replaced:
/usr/sbin/nscd
/bin/in.telnetd
/bin/mjy
/usr/sbin/in.fingerd
/bin/ps
/sbin/ifconfig
/usr/bin/du
/bin/netstat
/usr/bin/top
/bin/ls
/usr/bin/find
The following directories may also be created:
/usr/man/man1/man1/lib/.lib
/usr/src/.puta
/usr/info/.t0rn
/dev/.lib
The worm survives reboots by appending lines to /etc/rc.d/rc.sysinit, disguised with the comment 'Name Server Cache Daemon..'. It also deletes /etc/hosts.deny (removing any TCP wrappers access restrictions) and appends lines to /etc/inetd.conf that leave a root shell listening on port 1008. Finally, it emails the contents of /etc/passwd and /etc/shadow, together with the output of 'ifconfig -a', to an address in the china.com domain.
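The artefacts above (the t0rn directories, the rc.sysinit hook tagged 'Name Server Cache Daemon..', the inetd.conf entry for the port 1008 root shell and the missing /etc/hosts.deny) are enough to write a quick host check. The script below is an added example, not Sophos code and not part of the worm or rootkit. It takes the root of the filesystem to inspect as an argument so it can be pointed at a disk mounted from a clean boot medium, which matters here because the rootkit replaces ls, find, ps and netstat on the live system. The exact inetd.conf line the worm writes is not given above, so the backdoor pattern (a numeric 1008 field or a line that spawns /bin/sh) is an assumption, and the sample filesystem built by build_sample_root is a constructed fixture, not real worm output.

```python
"""Check a filesystem tree for the Linux/Lion and t0rn indicators listed above.

Usage: python3 lion_check.py /mnt/suspect   (a root mounted from clean media)
With no argument it scans a constructed sample tree and prints the findings.
"""
import os
import re
import sys
import tempfile

# Directories the description says the worm/rootkit may create (relative to /).
ROOTKIT_DIRS = [
    "usr/man/man1/man1/lib/.lib",
    "usr/src/.puta",
    "usr/info/.t0rn",
    "dev/.lib",
]

# Comment the worm uses to disguise its rc.sysinit persistence lines.
PERSISTENCE_TAG = "Name Server Cache Daemon.."

# Assumption: the backdoor entry either carries the port number 1008 as a
# field or launches a shell directly. Comment lines are skipped by the caller.
BACKDOOR_RE = re.compile(r"(?:^|\s)(?:1008|/bin/(?:ba)?sh)(?:\s|$)")


def read_lines(path):
    """Return the file's lines, or None if it cannot be read."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read().splitlines()
    except OSError:
        return None


def scan_for_lion(root):
    """Return a list of (indicator, detail) tuples found under root."""
    findings = []
    for rel in ROOTKIT_DIRS:
        if os.path.isdir(os.path.join(root, rel)):
            findings.append(("rootkit_dir", "/" + rel))

    # /bin/mjy does not exist on a clean system, so its presence is a hit by
    # itself; the other listed binaries are legitimate names that the rootkit
    # overwrites and must be checked against package signatures instead.
    if os.path.exists(os.path.join(root, "bin/mjy")):
        findings.append(("rootkit_file", "/bin/mjy"))

    rc = read_lines(os.path.join(root, "etc/rc.d/rc.sysinit"))
    for n, line in enumerate(rc or [], 1):
        if PERSISTENCE_TAG in line:
            findings.append(("persistence", "rc.sysinit:%d %s" % (n, line.strip())))

    inetd = read_lines(os.path.join(root, "etc/inetd.conf"))
    for n, line in enumerate(inetd or [], 1):
        entry = line.strip()
        if entry and not entry.startswith("#") and BACKDOOR_RE.search(entry):
            findings.append(("backdoor", "inetd.conf:%d %s" % (n, entry)))

    # The worm deletes hosts.deny; a clean Red Hat install ships one.
    if not os.path.exists(os.path.join(root, "etc/hosts.deny")):
        findings.append(("hosts_deny_missing", "/etc/hosts.deny"))
    return findings


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_sample_root(root, infected):
    """Constructed fixture (not real worm output) mirroring the indicators above."""
    _write(root, "etc/inetd.conf",
           "# constructed inetd.conf\n"
           "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
           + ("lion stream tcp nowait root /bin/sh sh -i\n" if infected else ""))
    _write(root, "etc/rc.d/rc.sysinit",
           "#!/bin/sh\n# constructed rc.sysinit\n"
           + ("# Name Server Cache Daemon..\n/usr/sbin/nscd\n" if infected else ""))
    if infected:
        for rel in ROOTKIT_DIRS:
            os.makedirs(os.path.join(root, rel), exist_ok=True)
        _write(root, "bin/mjy", "")          # hosts.deny deliberately absent
    else:
        _write(root, "etc/hosts.deny", "ALL: ALL\n")


def demo(infected=True):
    """Build the constructed tree in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_root(root, infected)
        return scan_for_lion(root)


if __name__ == "__main__":
    results = scan_for_lion(sys.argv[1]) if len(sys.argv) > 1 else demo(True)
    for kind, detail in results:
        print("%-20s %s" % (kind, detail))
```

A clean tree produces no findings; the constructed infected tree reports the four rootkit directories, /bin/mjy, the tagged rc.sysinit line, the shell-spawning inetd.conf entry and the missing hosts.deny. Treat any hit as a signal to rebuild the host rather than to clean it: the rootkit's trojaned binaries mean nothing on the running system can be trusted.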
This IDE (Sophos virus identity file) detects the worm as Linux/Lion and the rootkit as Troj/t0rn-kit.
Sophos recommends that Red Hat Linux users update their systems with the latest security patches, in particular for BIND. For more information, please consult the Red Hat Linux website.
