This paper provides an introduction to the Lion (1i0n) Worm author and a technical analysis of the Lion Internet Worm. Three unique variations of the Lion Worm have been released on the Internet over the past month. All three versions of the Lion Worm are unsophisticated Unix shell-script worms. They use exploit scripts to scan for and compromise Linux servers running BIND that have the transaction signatures buffer overflow vulnerability. The origin, composition, and behavior of each worm are discussed in detail. Then, instructions for prevention, detection, and repair of a worm-infected system are offered. The first two strains of the Lion Worm are now effectively "dead" because each of them relied on a centralized distribution mechanism that is now shut down. The third strain of the Lion Worm is essentially a copy of the Ramen worm and, since it shares Ramen's distribution mechanism, it may still be actively exploiting systems.

The link to this article at Whitehats.com is no longer available.