A Linux-targeted worm called Lion has been spreading since mid-March. Unlike Ramen earlier this year, Lion is quieter and more capable. It exploits the recent BIND 8 TSIG vulnerability and installs a more sophisticated payload.
What Lion does
The propagation vector: a buffer overflow in BIND 8's TSIG record handling, reachable from any host that can send a query to the nameserver. On most of these systems named runs as root, so a successful overflow yields root directly with no further escalation. The relevant patch was released in late January. Lion targets hosts that have not applied it.
Once a host is compromised, Lion:
- Installs a backdoor (a modified inetd.conf with a hidden listener).
- Installs the t0rnkit rootkit, which replaces ls, ps, netstat, and other utilities with trojaned copies that hide the worm's files and processes.
- Sends /etc/passwd and /etc/shadow to a fixed email address, exfiltrating credentials for offline cracking.
- Begins scanning random IP ranges for the same vulnerability.
What is different from Ramen
Three things.
Rootkit installation. Ramen replaced the web index page; Lion replaces system utilities. The visible signal of compromise is gone, and the invisible signal (modified binaries, hidden files, a listener that netstat no longer shows) can only be trusted if it is gathered from outside the compromised host.
Credential exfiltration. Ramen did not steal credentials; Lion does.
Pacing. Ramen scanned aggressively; Lion is restrained. Propagation is slower, but each compromised host stays undetected for longer.
This is the pattern I described after Ramen: the next Linux worm would be more capable and quieter. Linux is covering that ground faster than Windows did.
What this teaches about Linux defenders
Off-host detection is now necessary on Linux too. The on-host artefacts of a Lion compromise are systematically tampered with by t0rnkit, and that includes the tools you would use to look for them: a trojaned ls or ps will lie, and a trojaned md5sum or sha1sum can lie just as easily. The only reliable detection is from outside: file-integrity tools comparing against baselines stored off-host and run from a trusted environment (boot from read-only media, or copy the files off and hash them elsewhere), logs shipped to a remote syslog host the worm cannot edit, and network monitoring at the firewall, where the outbound mail to a fixed address and the scanning traffic are visible regardless of what the host reports.
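The integrity check described above, as an added example (not the post's own tooling). It hashes a watch list of files, keeps the manifest as JSON that you would store off-host, and reports each file as ok, modified or missing when re-run later. The watch list and the compromise it simulates (trojaned ls and ps, rewritten inetd.conf) are constructed here for the demonstration; on a real host the comparison itself must be run from a trusted boot or against copies pulled off the machine, since the interpreter and libraries on a rooted box cannot be trusted either.

```python
"""Off-host file-integrity check against a stored baseline.

Added example, not code from the original post. The watched paths and the
simulated compromise in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile

# Files a t0rnkit-style rootkit typically replaces or edits (hypothetical list).
WATCHED = ["bin/ls", "bin/ps", "bin/netstat", "usr/sbin/in.named", "etc/inetd.conf"]


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, rel_paths) -> str:
    """Hash every watched file under `root`; return the manifest as JSON.

    The JSON belongs off-host or on read-only media. A baseline that lives on
    the target is just one more file the rootkit can rewrite.
    """
    manifest = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        if os.path.exists(full):
            manifest[rel] = sha256_of(full)
    return json.dumps(manifest, sort_keys=True)


def compare(root: str, baseline_json: str) -> dict:
    """Return {rel_path: 'ok' | 'modified' | 'missing'} for each baseline entry."""
    baseline = json.loads(baseline_json)
    result = {}
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            result[rel] = "missing"
        elif sha256_of(full) != expected:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    return result


def demo() -> dict:
    """Take a baseline of a clean tree, then simulate a rootkit install."""
    root = tempfile.mkdtemp()
    for rel in WATCHED:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"genuine " + rel.encode())
    baseline = build_baseline(root, WATCHED)  # taken while the host is known-good

    # Constructed compromise: trojaned ls and ps, inetd.conf given a new listener.
    for rel in ["bin/ls", "bin/ps", "etc/inetd.conf"]:
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"trojaned " + rel.encode())
    os.remove(os.path.join(root, "usr/sbin/in.named"))  # e.g. replaced by a renamed copy

    return compare(root, baseline)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:9s} {path}")
```

The useful property is that nothing on the suspect host is consulted except the bytes of the files themselves. Even that is only safe when the kernel serving those bytes is trusted, which is why the comparison runs from rescue media or over copies taken off the box.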
Patching cycles need to be fast. TSIG was patched at end of January. Lion appeared mid-March. That is a 6-7 week window. Many organisations' patching cadence is longer.
Migration to BIND 9 is operationally urgent. Lion targets BIND 8 specifically. BIND 9 is a separate codebase and is not affected by this TSIG overflow; that is not a claim that it will never have bugs of its own, only that it closes the hole this worm is driving through.
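A quick way to triage a fleet of nameservers, as an added example rather than anything from the post: ask each server for its version.bind CHAOS TXT record and sort the answers into BIND 8 below 8.2.3 (exposed to this overflow), BIND 8 at 8.2.3 or later (patched), and BIND 9. The dig invocation shown in the comment is real; the sample answers are constructed, and the classifier assumes the page's own cut-off of 8.2.3. Note that an operator can change or hide the version string in named.conf, so "unknown" means "go and look", not "safe".

```python
"""Classify nameservers by their version.bind answer.

Added example, not code from the original post. Sample answers below are
constructed; the 8.2.3 cut-off is the fixed release named in the text.
"""
import re

# Collect a real answer with:  dig @ns1.example.net version.bind chaos txt +short
# (ns1.example.net is a placeholder). Output looks like:  "8.2.2-P5"

FIXED_BIND8 = (8, 2, 3)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_dig_short(output: str) -> str:
    """Strip the quotes dig +short puts around a TXT answer."""
    return output.strip().strip('"')


def classify(version: str) -> str:
    """Return one of: bind8-vulnerable, bind8-patched, bind9, unknown."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"          # hidden, customised, or not BIND at all
    major, minor, patch = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if major == 9:
        return "bind9"
    if major == 8:
        # Suffixes such as -P7 or -REL do not change the base release number;
        # 8.2.2-P7 is still below 8.2.3 and therefore exposed.
        return "bind8-patched" if (major, minor, patch) >= FIXED_BIND8 else "bind8-vulnerable"
    return "unknown"


def triage(answers: dict) -> dict:
    """Map {server: raw dig +short output} to {server: classification}."""
    return {server: classify(parse_dig_short(raw)) for server, raw in answers.items()}


# Constructed sample: what a fleet might answer in spring 2001.
SAMPLE = {
    "ns1": '"8.2.2-P5"\n',
    "ns2": '"8.2.3-REL"\n',
    "ns3": '"9.1.0"\n',
    "ns4": '"surely you must be joking"\n',   # version string hidden in named.conf
    "ns5": '"8.2.2-P7"\n',
}

if __name__ == "__main__":
    for server, verdict in sorted(triage(SAMPLE).items()):
        print(f"{server}: {verdict}")
```

Anything reported as bind8-vulnerable or unknown goes to the top of the list; the unknowns have to be checked by hand on the box, because a hidden version string is exactly what an administrator who knows the server is behind on patches might have configured.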
My secondary nameserver was already on BIND 9; my primary was still on BIND 8. I have moved the primary this week.
What is happening to the population
From Honeynet reports and operator chatter:
- Several thousand Linux hosts compromised by Lion. The actual number is likely larger; the rootkit hides the compromise, so counts based on what owners report undercount.
- Exfiltrated credentials from Lion are being used for follow-on access to adjacent hosts.
- Lion-compromised hosts are being used as launching points for further scanning and DDoS infrastructure.
The compromised population is becoming part of the broader cybercrime infrastructure. Each Lion compromise contributes to the substrate of botnet capability.
What I have done
BIND 9 across all hosts. Modified Snort rules to flag the TSIG-overflow patterns. File-integrity monitoring against off-host baselines.
For friends running BIND 8: an urgent note to either patch (8.2.3) or migrate to BIND 9. None should still be running unpatched BIND 8.
Calibration update
The Linux worm prediction was at 55% probability for resolution by end of 2001. Two have appeared in three months. The 55% was clearly under-confident; in retrospect 80% would have been the right calibration.
More as the year develops.