=============================================================================
INTRANETWORK MEMORANDUM SPAN MANAGEMENT OFFICE
=============================================================================
19-OCT-1989
TO: ALL SPAN ROUTING CENTER MANAGERS AND REMOTE-NODE MANAGERS
FROM: RON TENCATI - SPAN SECURITY MANAGER
GODDARD SPACE FLIGHT CENTER CODE 630.2
GREENBELT, MD. 20771
(301)286-5223
SUBJ: INFORMATION REGARDING THE DECNET WORM AND PROTECTION MEASURES
----------
The following information covers several aspects of the "WANK" DECnet worm
which was released into the "DECnet Internet" earlier in the week.
Information contained in prior reports written by John McMahon of GSFC and
Kevin Oberman of LLNL was used in preparing this report. The assistance of
Digital Equipment Corporation is also gratefully acknowledged.
Previous messages regarding this worm appearing on various mailing lists
have indicated that system managers with questions or infected nodes should
call other organizations.
For clarification, any SPAN-connected system that believes itself to be
infected or attacked should contact ONLY the SPAN management at Goddard
Space Flight Center, Greenbelt, MD. The security effort is being
coordinated by this group and all reports should be directed there. The
contact numbers are (301)286-7251 and (301)286-5223. Electronic mail should be
sent to NSSDCA::TENCATI or NSSDCA::NETMGR only. Do not send infection
reports to any other node on SPAN.
HEPnet sites should contact FNAL::DEMAR.
BACKGROUND
----------
The worm's mission is to propagate itself randomly across the network,
to seek out systems with poor security, and to establish itself in a
privileged account, whereupon it modifies the system's SYS$ANNOUNCE
banner to the following message:
W O R M S A G A I N S T N U C L E A R K I L L E R S
_______________________________________________________________
\__ ____________ _____ ________ ____ ____ __ _____/
\ \ \ /\ / / / /\ \ | \ \ | | | | / / /
\ \ \ / \ / / / /__\ \ | |\ \ | | | |/ / /
\ \ \/ /\ \/ / / ______ \ | | \ \| | | |\ \ /
\_\ /__\ /____/ /______\ \____| |__\ | |____| |_\ \_/
\___________________________________________________/
\ /
\ Your System Has Been Officically WANKed /
\_____________________________________________/
You talk of times of peace for all, and then prepare for war.
---------
We don't currently see that the WORM is destructive, BUT it wastes
resources, and may result in denial of service by locking out privileged
users or by causing non-infected nodes to consume disk space storing all the
audit records from the failed access attempts.
The worm attempts to establish itself onto a system by exploiting various
weaknesses in the DECnet environment. Some of these weaknesses have been
addressed by previous SPAN directives and guidelines. Systems that have
implemented these guidelines are not at risk.
A random number generator is used to pick the next node the worm will try
to infect. The worm contains an internal list of 82 canned usernames that
it will try against a system.
In addition, it attempts to copy the file RIGHTSLIST.DAT from the selected
target node. This file is normally protected W:R. If this file is
successfully copied, a list of usernames specific to the target system will
be generated and some subset of those will be appended to the "canned"
list. The candidate words the worm uses whether or not it was successful
at accessing RIGHTSLIST.DAT are the following:
ACCOUNITING ACCOUNTS ALLIN1 APPLETALK ARCHIVE
BACKUP CADCAM COGNOS CRAYSTN CUSTOMER
DDSNET DEC DECNET DEFAULT DEMO
DFS$DEFAULT DIGITAL DNS$SERVER DQS$SERVER ETHERNIM
EXOS FIELD GAMES GUEST HASP
IBM INGRES INVENTORY ISSYS IVP
LIBRARY LN03_DLAND LPS$SERVER MAC MAIL
MAILER MANAGER MANUALS MASS11 MBMANAGER
MIS MRGATE MANAGER NETNONPRIV NETPRIV
NEWSMGR NOTES$SERVER OPER OPERATOR ORACLE
OSI PCAPP PCCOMMON PLUTO POSTMASTER
RDBVMS$REM RHM SECURITY SHUTDOWN SNACSV
SPEAR SPM SRS STUDENT SUPPLIES
SYSINF SYSTEM SYSTEST SYSTEST_CLIG TAPESYS
TCP TELEX TEMP TEST TRAINING
TRANSFER USER USER1 USERP VAXNET
VAXSIM VTX VXSYS
The PASSWORDS tried against the set of accounts MAY be the username
ONLY, OR other passwords may be tried (such as DIGITAL, PSIPAD, MANAGER,
etc.), apparently depending on the version of the WORM. A bug in the worm
prevents it from testing the null password, as previously suspected.
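The memo describes a recognisable pattern in a target node's failed-login records: many of the canned usernames above, tried in quick succession from a single remote node. The following Python script is an added example for this memorandum (not code from the original advisory or from SPAN) showing how a site could flag that pattern in its own records. The username list is the one printed in this memo; the record layout, the node addresses and the sample records are constructed for the example and do not reproduce the format of any real OpenVMS audit file.

```python
"""Spot WANK-style username sweeps in failed-login records.

Added example for this memorandum; it is not part of the original SPAN
advisory. The canned username list is the one printed in the memo (as
printed, including ACCOUNITING). The record format and the sample records
below are constructed for illustration and do not reproduce the layout of
any real OpenVMS audit or NETSERVER.LOG file.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The memo's canned list: 83 tokens as printed, 82 distinct names (MANAGER
# appears twice), matching the "82 canned usernames" the memo reports.
CANNED_USERNAMES = frozenset("""
ACCOUNITING ACCOUNTS ALLIN1 APPLETALK ARCHIVE
BACKUP CADCAM COGNOS CRAYSTN CUSTOMER
DDSNET DEC DECNET DEFAULT DEMO
DFS$DEFAULT DIGITAL DNS$SERVER DQS$SERVER ETHERNIM
EXOS FIELD GAMES GUEST HASP
IBM INGRES INVENTORY ISSYS IVP
LIBRARY LN03_DLAND LPS$SERVER MAC MAIL
MAILER MANAGER MANUALS MASS11 MBMANAGER
MIS MRGATE MANAGER NETNONPRIV NETPRIV
NEWSMGR NOTES$SERVER OPER OPERATOR ORACLE
OSI PCAPP PCCOMMON PLUTO POSTMASTER
RDBVMS$REM RHM SECURITY SHUTDOWN SNACSV
SPEAR SPM SRS STUDENT SUPPLIES
SYSINF SYSTEM SYSTEST SYSTEST_CLIG TAPESYS
TCP TELEX TEMP TEST TRAINING
TRANSFER USER USER1 USERP VAXNET
VAXSIM VTX VXSYS
""".split())

# Constructed record layout (hypothetical, not a DEC format):
#   "<YYYY-MM-DD hh:mm:ss> node=<area.node> user=<name> result=<FAIL|SUCCESS>"
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"node=(?P<node>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_records(lines):
    """Yield (timestamp, source node, USERNAME, RESULT) for each well-formed line."""
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if m:  # lines that are not login records are ignored
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["node"], m["user"].upper(), m["result"].upper())


def find_sweeps(lines, window=timedelta(minutes=10), min_canned=8):
    """Return {source_node: [canned usernames tried]} for every node whose
    failed logins, within some span no longer than `window`, cover at least
    `min_canned` distinct names from the canned list. A user mistyping one
    password a few times never reaches the threshold; a worm walking the
    list does so within seconds."""
    failures = defaultdict(list)
    for ts, node, user, result in parse_records(lines):
        if result == "FAIL":
            failures[node].append((ts, user))

    alerts = {}
    for node, attempts in failures.items():
        attempts.sort()
        best, start = set(), 0
        for end in range(len(attempts)):
            # Advance the window start so attempts[start:end+1] spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            seen = {u for _, u in attempts[start:end + 1] if u in CANNED_USERNAMES}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_canned:
            alerts[node] = sorted(best)
    return alerts


# Constructed sample: node 7.123 walks the canned list; 7.45 is a user who
# mistyped a password twice; 7.77 is a single failed MANAGER login.
SAMPLE_LOG = """\
1989-10-17 02:14:03 node=7.123 user=SYSTEM result=FAIL
1989-10-17 02:14:05 node=7.123 user=FIELD result=FAIL
1989-10-17 02:14:07 node=7.123 user=DECNET result=FAIL
1989-10-17 02:14:09 node=7.123 user=DEFAULT result=FAIL
1989-10-17 02:14:11 node=7.123 user=GUEST result=FAIL
1989-10-17 02:14:13 node=7.123 user=DEMO result=FAIL
1989-10-17 02:14:15 node=7.123 user=MANAGER result=FAIL
1989-10-17 02:14:17 node=7.123 user=OPERATOR result=FAIL
1989-10-17 02:14:19 node=7.123 user=BACKUP result=FAIL
1989-10-17 02:14:21 node=7.123 user=ORACLE result=FAIL
1989-10-17 02:20:40 node=7.45 user=JSMITH result=FAIL
1989-10-17 02:20:52 node=7.45 user=JSMITH result=FAIL
1989-10-17 02:21:10 node=7.45 user=JSMITH result=SUCCESS
1989-10-17 02:30:00 node=7.77 user=MANAGER result=FAIL
""".splitlines()

if __name__ == "__main__":
    for node, names in find_sweeps(SAMPLE_LOG).items():
        print(f"{node}: {len(names)} canned usernames tried: {', '.join(names)}")
```

The threshold and window are tuning knobs, not values from the memo: a legitimate operator who fails once on MANAGER and once on SYSTEM is not a sweep, whereas eight or more distinct canned names from one node in ten minutes has no ordinary explanation. Because the worm picks its next target at random, a single infected source tends to appear in the records of many sites, so reports of the flagged source node are what the SPAN management office asks for above.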
--------------
[The following section provides information relating to the behavior of
the worm. This information was primarily supplied by Kevin Oberman of
LLNL and John McMahon of GSFC]
--------------
1. The program assures that it is working in a directory to which the owner
(itself) has full access (Read, Write, Execute, and Delete).
2. The program checks to see if another copy is still running. It looks for a
process with the first 5 characters of "NETW_". If such is found, it deletes
itself (the file) and stops its process.
NOTE
This check is done using the F$GETJPI system service. The results
vary depending on the privileges the account possesses.
Non-privileged accounts which are penetrated will only be able to
return information about their own UIC, so multiple copies of the
worm could be running simultaneously under different usernames.
3. The program then changes the default DECNET account password to a random
string of at least 12 characters.
4. Information on the infected node and account/password used to access the
system is mailed to a central collection point on SPAN.
5. The process changes its name to "NETW_" followed by a random number.
6. It checks to see if it has SYSNAM priv. If so, it defines the system
announcement message to be the WANK banner.
7. If it has SYSPRV, it disables mail to the SYSTEM account.
8. Also if it has SYSPRV, it modifies the system login command procedure
(SYLOGIN.COM) to APPEAR to delete all of a user's files. (It really does
nothing.)
9. The procedure then scans the account's logical name table for symbols
which contain directory specifications. Each directory located is searched
for command procedures within it protected (W:RWED). Any such procedures
have code inserted at the top which tries to modify the FIELD account to a
known password with login from any source and all privs. This is a
primitive virus, but very effective IF the procedure should be executed by
a privileged account.
10. It proceeds to attempt to access other systems by picking node numbers
at random. It then uses PHONE to get a list of active users on the remote
system. It proceeds to irritate them by causing the PHONE object to send
them a one-line "fortune cookie" type message. The appearance of this
message does not indicate a penetration attempt on that node; more
accurately, it indicates an "irritation attempt".
NOTE
If your site receives these PHONE messages the source node
information can be found in the NETSERVER.LOG files in your DECnet
default ac
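Two of the conditions the memo describes are visible in file protections alone: command procedures that World can write (the W:RWED files that step 9 above seeds with code) and a RIGHTSLIST.DAT whose World access goes beyond the normal W:R noted in the BACKGROUND section. The Python checker below is an added example for this memorandum (not a SPAN tool and not code from the advisory) that parses VMS-style protection specifications and reports those two conditions. The listing format it reads, "<filespec> (S:..,O:..,G:..,W:..)", is constructed to resemble the SET PROTECTION syntax and is not the output of any particular DCL command; the file names in the sample are likewise constructed.

```python
"""Audit VMS-style file protections for the exposures the memo describes.

Added example for this memorandum; not part of the original SPAN advisory.
Input is a constructed listing, one file per line, in the form
"<filespec> (S:..,O:..,G:..,W:..)". That resembles the SET PROTECTION
syntax but is not the output of any real DCL command.
"""
import re

# Protection spec: four categories (System, Owner, Group, World), each with
# any subset of the access letters R W E D, possibly empty (e.g. "W:").
PROT_RE = re.compile(
    r"\(S:(?P<S>[RWED]*),O:(?P<O>[RWED]*),G:(?P<G>[RWED]*),W:(?P<W>[RWED]*)\)"
)
LISTING_RE = re.compile(r"^(?P<file>\S+)\s+(?P<prot>\(.*\))\s*$")


def parse_protection(spec):
    """Return {'S': set, 'O': set, 'G': set, 'W': set} of access letters."""
    m = PROT_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"unrecognised protection spec: {spec!r}")
    return {cat: set(m[cat]) for cat in "SOGW"}


def _base_name(filespec):
    """Drop the ';n' version number so the file type can be inspected."""
    return filespec.split(";")[0].upper()


def is_command_procedure(filespec):
    return _base_name(filespec).endswith(".COM")


def is_rightslist(filespec):
    return _base_name(filespec).endswith("RIGHTSLIST.DAT")


def audit_listing(lines):
    """Return [(filespec, reason)] for every file matching a memo condition:
    a .COM file that World may write or delete, or a RIGHTSLIST.DAT whose
    World access is anything more than R."""
    findings = []
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, anything not a listing entry
        filespec, world = m["file"], parse_protection(m["prot"])["W"]
        world_letters = "".join(c for c in "RWED" if c in world)
        if is_command_procedure(filespec) and world & {"W", "D"}:
            findings.append((filespec,
                             f"command procedure with World access {world_letters}; "
                             "step 9 describes the worm inserting code into such files"))
        if is_rightslist(filespec) and world - {"R"}:
            findings.append((filespec,
                             f"RIGHTSLIST.DAT grants World {world_letters}, "
                             "more than the normal W:R"))
    return findings


# Constructed sample listing. Only CLEANUP.COM should be reported:
# REPORT.COM is World-readable but not writable, LOGIN.COM denies World
# entirely, NOTES.TXT is writable but not a command procedure, and
# RIGHTSLIST.DAT has the normal W:R.
SAMPLE_LISTING = """\
SYS$SYSTEM:RIGHTSLIST.DAT;1     (S:RWED,O:RWED,G:R,W:R)
DISK$USER:[TOOLS]CLEANUP.COM;4  (S:RWED,O:RWED,G:RE,W:RWED)
DISK$USER:[TOOLS]REPORT.COM;2   (S:RWED,O:RWED,G:RE,W:RE)
DISK$USER:[JSMITH]LOGIN.COM;7   (S:RWED,O:RWED,G:,W:)
DISK$USER:[JSMITH]NOTES.TXT;1   (S:RWED,O:RWED,G:RWED,W:RWED)
""".splitlines()

if __name__ == "__main__":
    for filespec, reason in audit_listing(SAMPLE_LISTING):
        print(f"{filespec}: {reason}")
```

The check treats World Delete as seriously as World Write, because a procedure that can be deleted can be replaced. Whether W:R on RIGHTSLIST.DAT itself should be withdrawn at a given site is not stated in this memo, which only notes that the worm copies the file when it can, so the checker reports deviations from the normal setting rather than prescribing a tighter one.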