Description

Symantec's suite of security products detects the vulnerabilities used by the Lion worm, as well as its presence and activity.

Lion is a worm that exploits a well-known vulnerability in BIND to gain privileged access to Linux systems. Once it has obtained access, Lion runs a "rootkit" to hide its presence, and then proceeds to search for other vulnerable systems. A software update is available for BIND, but many systems remain vulnerable, allowing Lion to spread.

NetProwler, Symantec's network intrusion detection system, can detect Lion's attempts to gain access to systems. Symantec's Intruder Alert, a host-based intrusion detection system, is capable of detecting the "rootkit" used by Lion to hide its activity. Norton Anti-Virus can detect the presence of the worm on a system. Enterprise Security Manager (ESM) and NetRecon, Symantec's vulnerability management and assessment systems, can detect the presence vulnerable BIND versions. Symantec's Raptor Firewall can block attempts to exploit the BIND vulnerability.

Additional Resources