Lion worm on the loose

Security advisory website The Sans Institute is warning of a "dangerous new worm", known as Lion, affecting Linux computers.

The worm itself appears to be a variant of the Ramen virus which hit headlines back in January, but other antivirus experts said it may not be as dangerous as Sans is making out.

According to Sans, the Lion worm scans the internet looking for Linux boxes running Bind that haven't been patched for the infamous TSIG Bind vulnerability that cropped up in January.

Once it finds a vulnerable machine, it infects it, steals the password file and sends it to a sub-domain of China.com site. It installs other hacking tools and forces the newly infected machine to begin scanning the internet for other victims.

The Lion worm is similar to the Ramen worm, spreading through an application called Randb, which scans random class B networks probing TCP port 53 and checking for the Bind vulnerability. It then exploits the system using a device called Name, and installs the t0rn rootkit, which compromises the server with backdoors.

Password files on the infected machine are collected and sent off to an address in the China.com domain. The logfile is switched off, so it cannot be assumed to be correct by an administrator.

Graham Cluley, senior technology consultant for Sophos, said there was a lack of evidence showing that Lion was running rampant in the wild. Nevertheless, he said it pays to be aware of viruses, "although the *nix community is often better at keeping up to date with patches because users tend to be more technical," he said. "The spread of this virus may be hampered because most Linux sysadmins will have patched the Bind vulnerability."

If you want to stay on the safe side, the Sans Institute has developed a utility called Lionfind to clean the worm out. Download Lionfind here.

The Sans advisory website is here.