SUMMARY: In the past week, ASSIST has received information about dramatic increases in reports of Internet intruders monitoring network traffic using root-compromised systems supporting a promiscuous network interface. The reports indicate that tens of thousands of systems connected to the Internet are involved, including a number of Milnet systems. The information collected by the intruders has the potential to compromise systems that any user in the domain has accessed while the intruders' network monitor was running. This includes local systems and systems accessed outside the domain. The scope of this incident is such that ASSIST believes all network sites connected to the Milnet are at risk risk from this attack.
The current attacks involve a network monitoring tool that uses the promiscuous mode of a specific network interface, /dev/nit, to capture host and user authentication information on all newly opened ftp, tftp, telnet, and rlogin sessions. Immediate action required is:
A. ALL USERS OF SYSTEMS THAT OFFER REMOTE ACCESS MUST CHANGE
PASSWORDS IMMEDIATELY.
B. In addition, systems that support the /dev/nit interface
should disable this feature if it is not used or attempt to prevent unauthorized access if the feature is necessary. Systems known to support the /dev/nit interface are SunOS 4.X, and Solborne systems. Sun Solaris systems do not support the /dev/nit interface. While the current attack is specific to /dev/nit, this short-term workaround does not constitute a complete solution.
C. Determine if the network monitoring tool is running on your
hosts that support a promiscuous network interface and notify ASSIST immediately if the tool is detected
BACKGROUND: Root-compromised systems that support a promiscuous network interface are being used by intruders to collect host and user authentication information visible on the network. The intruders first penetrate a system and gain root access through an unpatched vulnerability. The intruders then run a network monitoring tool that captures up to the first 128 keystrokes of all newly opened ftp, tftp, telnet, and rlogin sessions visible within the compromised system's domain. These keystrokes usually contain host, account, and password information for user accounts on other systems, and are logged for later retrieval. The intruders typically install trojan horse programs to support subsequent access to the compromised system and to hide their network monitoring process.
IMPACT: All connected network sites that use the network to access remote systems are at risk from this attack. All user account and password information derived from ftp, tftp, telnet, and rlogin sessions and passing through the same network as the compromised host could be disclosed.
DETECTION: The network monitoring tool can be run under a variety of process names and log to a variety of files. Thus, the best method for detecting this network monitoring tool is to look for:
* Trojan horse programs commonly used in conjunction
with this attack,
* Any suspect processes running on the system * The unauthorized use of /dev/nit.
A. Trojan horse programs: the intruders has been found to replace one or more of the following programs with a trojan horse version in conjunction with this attack:
/usr/etc/in.telnetd and
/bin/login - used to provide back-door access to the
intruders to retrieve the information
process
because the intruders install trojan horse variations of commands such as the standard Unix sum(1) or cmp(1) until these programs can be restored from distribution cd-rom), or verified using cryptographic checksum In addition to the possibility of having the checksum programs mentioned above may have been engineered to produce the same standard checksum as the legitimate are not sufficient to determine whether the programs have been replaced.
B. Suspect processes: although the name of the network monitoring tool can vary from attack to attack, it is possible to detect a suspect process running as root ps command should not be relied upon since a trojan horse monitoring process. Some process names that have arguments to the process also provide an indication of on the process, the filename following indicates the authentication information for later retrieval by the monitoring tool is currently running on your system, it is possible to detect this by checking for unauthorized use of the /dev/nit interface. The Computer Emergency Response Team (CERT) has created a tool for this purpose. The source code for this tool is available via anonymous ftp from assist.ims.disa.mil (ip 137.130.234.30) in /pub/tools/cpm.1.0.tar.Z. Filename standard unix sum system v sum
PREVENTION: There are two actions that are effective in preventing this attack. A long-term solution requires eliminating transmission of clear text passwords on the network. For this specific attack, however, a short-term workaround exists. Both of these are described below.
A. Long-term prevention: assist recognizes that the only effective long-term solution to preventing these attacks is to eliminate the transmission of clear-text passwords during remote logins.
B. Short-term workaround: regardless of whether the network monitoring software is detected on your system, assist recommends that all sites take action to prevent unauthorized network monitoring on their systems. You can do this either by removing the interface, if it is not used on the system, or attempting to prevent the misuse of this interface. For systems other than Sun and Solborne, contact your vendor to find out if promiscuous mode network access is supported and, if so, what is the recommended method to disable this feature. For SunOS 4.X and Solborne systems, the promiscuous interface to the network can be eliminated by removing the /dev/nit capability from the kernel. The procedure for doing so can be obtained from the ASSIST office, ASSIST bbs, and ASSIST anonymous ftp site.
SCOPE AND RECOVERY: If you detect the network monitoring software at your site contact ASSIST immediately. Additional information on recovery from Unix root compromise (/pub/general.info/rrecover.txt), one time password generation (/pub/general.info/onepass.txt), and the check for network interfaces promiscuous mode (cpm) tool (/pub/general.info/cpm.txt), can be found in electronic form on the ASSIST bbs which can be reached at 703-756-7993/4 dsn 289, or the assist.ims.disa.mil (IP 137.130.234.30) anonymous ftp site. Note: assist.ims.disa.mil accepts connections from Milnet systems only.
APPENDICES: The rrecover.txt (APPENDIX A), onepass.txt (APPENDIX B), and cpm.txt (APPENDIX C) files are also attached as appendices to this bulletin.
ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins are available on the ASSIST bbs (see below), and through anonymous ftp from assist.ims.disa.mil.
ASSIST contact information:
PHONE: 703-756-7974, DSN 289, duty hours are 06:30 to 17:00 Monday
through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes, however if a quicker response is required, prefix your phone number with "999" and ASSIST will return your call within 5 minutes. ELECTRONIC MAIL: assist@assist.ims.disa.mil. ASSIST BBS: 703-756-7993/4, DSN 289, leave a message for the "sysop".
Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key
encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future.
APPENDIX A: rrecover.txt
RECOVERING FROM A UNIX ROOT COMPROMISE
A. Immediate recovery technique
1) Disconnect from the network or operate the system in
single- user mode during the recovery. This will keep users and intruders from accessing the system.
2) Verify system binaries and configuration files against the
vendor's media (do not rely on timestamp information to provide an indication of modification). Do not trust any verification tool such as cmp(1) located on the compromised system as it, too, may have been modified by the intruder. In addition, do not trust the results of the standard UNIX sum(1) program as we have seen intruders modify system files in such a way that the checksums remain the same. Replace any modified files from the vendor's media, not from backups.
-- or --
Reload your system from the vendor's media.
3) Search the system for new or modified setuid root files.
find / -user root -perm -4000 -print
If you are using NFS or AFS file systems, use ncheck to search the local file systems.
ncheck -s /dev/sd0a
4) Change the password on all accounts.
5) Don't trust your backups for reloading any file used by
root. You do not want to re-introduce files altered by an intruder.
B. Improving the security of your system
1) CERT Security Checklist
Using the checklist will help you identify security weaknesses or modifications to your systems. The CERT Security Checklist is based on information gained from computer security incidents reported to CERT. It is available via anonymous FTP from info.cert.org in the file pub/tech_tips/security_info.
2) Security Tools
Use security tools such as COPS and Tripwire to check for security configuration weaknesses and for modifications made by intruders. We suggest storing these security tools, their configuration files, and databases offline or encrypted. TCP daemon wrapper programs provide additional logging and access control. These tools are available via anonymous FTP from info.cert.org in the pub/tools directory.
APPENDIX B: onepass.txt
ONE-TIME PASSWORDS
Given today's networked environments, CERT recommends that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. CERT has seen many incidents involving Trojan network programs (e.g., telnet and rlogin) and network packet sniffing programs. These programs capture clear-text hostname, account name, password triplets. Intruders can use the captured information for subsequent access to those hosts and accounts. This is possible because 1) the password is used over and over (hence the term "reusable"), and 2) the password passes across the network in clear text.
Several authentication techniques have been developed that address this problem. Among these techniques are challenge-response technologies that provide passwords that are only used once (commonly called one-time passwords). This document provides a list of sources for products that provide this capability. The decision to use a product is the responsibility of each organization, and each organization should perform its own evaluation and selection.
I. Public Domain packages
S/KEY(TM)
The S/KEY package is publicly available (no fee) via anonymous FTP from:
thumper.bellcore.com /pub/nmh directory
There are three subdirectories:
skey UNIX code and documents on S/KEY.
Includes the change needed to login,
and stand-alone commands (such as "key"),
that computes the one-time password for
the user, given the secret password and
the S/KEY command.
dos DOS or DOS/WINDOWS S/KEY programs. Includes
DOS version of "key" and "termkey" which is
a TSR program.
mac One-time password calculation utility for
the Mac.
II. Commercial Products
Secure Net Key (SNK) (Do-it-yourself project)
Digital Pathways, Inc.
201 Ravendale Dr.
Mountainview, Ca. 94043-5216
USA
Phone: 415-964-0707
Fax: (415) 961-7487
Products:
handheld authentication calculators (SNK004)
serial line auth interruptors (guardian)
Note: Secure Net Key (SNK) is des-based, and therefore restricted from US export.
Secure ID (complete turnkey systems)
Security Dynamics
One Alewife Center
Cambridge, MA 02140-2312
USA
Phone: 617-547-7820
Fax: (617) 354-8836
Products:
SecurID changing number authentication card
ACE server software
SecureID is time-synchronized using a 'proprietary' number generation algorithm
WatchWord and WatchWord II
Racal-Guardata
480 Spring Park Place
Herndon, VA 22070
703-471-0892
1-800-521-6261 ext 217
Products:
Watchword authentication calculator
Encrypting modems
Alpha-numeric keypad, digital signature capability
SafeWord
Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
510-827-5707
Fax: (510)827-2593
Products:
DES Silver card authentication calculator
SafeWord Multisync card authentication calculator
Available for UNIX, VMS, MVS, MS-DOS, Tandum, Stratus, as well as other OS versions. Supports one-time passwords and super smartcards from several vendors.
APPENDIX C: cpm.txt
cpm 1.0 README FILE
cpm - check for network interfaces in promiscuous mode.
Copyright (c) Carnegie Mellon University 1994 Thursday Feb 3 1994
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
This program is free software; you can distribute it and/or modify it as long as you retain the Carnegie Mellon copyright statement.
It can be obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z. This program is distributed WITHOUT ANY WARRANTY; without the IMPLIED WARRANTY of merchantability or fitness for a particular purpose.
This package contains:
README
MANIFEST
cpm.1
cpm.c
To create cpm under SunOS, type:
% cc -Bstatic -o cpm cpm.c
On machines that support dynamic loading, such as Sun's, CERT recommends that programs be statically linked so that this feature is disabled.
CERT recommends that after you install cpm in your favorite directory, you take measures to ensure the integrity of the program by noting the size and checksums of the source code and resulting binary.
The following is an example of the output of cpm and its exit status.
Running cpm on a machine where both the le0 and le2 interfaces are in promiscuous mode, under csh(1):
% cpm
le0
le2
% echo $status
2
%
Running cpm on a machine where no interfaces are in promiscuous mode, under csh(1):
