Security Incidents mailing list archives

BIND worm.


From: "Scott A. McIntyre" <scott () XS4ALL NL>
Date: Thu, 22 Mar 2001 12:19:40 +0100

Hi,

I'm wondering how many others have seen sign of what appears to be a
BIND based worm attack that's been passing through here lately.

The kit includes a version of t0rnkit as well as pscan and randb (which
generates semi-random pairs of octets for pscan /16 scanning), a few
shell scripts, and some pre-built linux binaries for doing the BIND
compromise.

It's targeted primarily at:

bind 8.2 8.2.1 8.2.2 8.2.2-PX

TribalFlood is also included, as are some generic footprint clearing
utilities.

Once the pscan obtains a list of valid targets from a given address
range, the BIND exploit is used to perform a series of tasks, including:

o  Insertion of a root shell on port 1008
o  Email the /etc/shadow, /etc/passwd and interface details to a specific
   email address
o  Download a copy of the kit via lynx -dump
o  Untar the kit and run an initialization script

That initialization script does the following:

o Removes /etc/hosts.deny
o Enters a line in rc.sysinit to ensure the scanning script starts
  automatically.
o Fires off the script that starts the scan (and thus the process all
  over again).

For lack of a better name, I've been referring to this as "Lion" as the
name of the initialization script is 3l33tly spelled "1i0n.sh".

It appears that the exploit that is targeted is the Transaction
Signature bug, so popular of late.

I know of a few countries who have been hit by this so far, just
wondering how pervasive it is generally.

Regards,

Scott A. McIntyre
XS4ALL Internet B.V.
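A host check for the three indicators named in the post above (a listener on port 1008, an rc.sysinit line that launches 1i0n.sh, and a removed /etc/hosts.deny), added here as an example and not part of Scott's message; the netstat text, the rc.sysinit content and the kit path in it are constructed.

```python
"""Check a host for the 'Lion' indicators described in the post.
Added example; all sample inputs below are constructed, not captured."""

# Indicators taken from the post.
LION_PORT = 1008          # root shell listener
SCRIPT_NAME = "1i0n.sh"   # initialization script started from rc.sysinit


def check_listeners(netstat_output: str) -> list[str]:
    """Flag TCP sockets in LISTEN state on the port named in the post.
    Input is 'netstat -tln' style text."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[-1] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])   # works for IPv4 and IPv6 forms
        if port == LION_PORT:
            findings.append(f"listener on tcp/{port}: {line.strip()}")
    return findings


def check_rc_sysinit(rc_text: str) -> list[str]:
    """Flag any rc.sysinit line that references the initialization script."""
    return [f"rc.sysinit line {n}: {l.strip()}"
            for n, l in enumerate(rc_text.splitlines(), 1)
            if SCRIPT_NAME in l]


def check_hosts_deny(hosts_deny_exists: bool) -> list[str]:
    """The kit deletes /etc/hosts.deny; its absence on a host that had one is a flag."""
    return [] if hosts_deny_exists else ["/etc/hosts.deny is missing"]


def assess(netstat_output: str, rc_text: str, hosts_deny_exists: bool) -> list[str]:
    """Combine the three checks into one list of findings (empty means clean)."""
    return (check_listeners(netstat_output) + check_rc_sysinit(rc_text)
            + check_hosts_deny(hosts_deny_exists))


# Constructed sample data: a DNS server with the extra port-1008 listener.
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN
"""
# /tmp/kit is a placeholder path; the post does not say where the kit unpacks.
SAMPLE_RC = "#!/bin/sh\n# Run all other rc scripts\n/tmp/kit/1i0n.sh &\n"

if __name__ == "__main__":
    for finding in assess(SAMPLE_NETSTAT, SAMPLE_RC, hosts_deny_exists=False):
        print(finding)
```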
