The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / pc / virus / span01.txt < prev next >

Wrap

Text File | 2003-06-11 | 17.9 KB | 418 lines

============================================================================= INTRANETWORK MEMORANDUM SPAN MANAGEMENT OFFICE ============================================================================= 19-OCT-1989 TO: ALL SPAN ROUTING CENTER MANAGERS AND REMOTE-NODE MANAGERS FROM: RON TENCATI - SPAN SECURITY MANAGER GODDARD SPACE FLIGHT CENTER CODE 630.2 GREENBELT, MD. 20771 (301)286-5223 SUBJ: INFORMATION REGARDING THE DECNET WORM AND PROTECTION MEASURES ---------- The following information covers several aspects of the "WANK" DECnet worm which was released into the "DECnet Internet" earlier in the week. Information contained in prior reports written by John McMahon of GSFC and Kevin Oberman of LLNL was used in preparing report. The assistance of Digital Equipment Corporation is also gratefully acknowledged. Previous messages regarding this worm appearing on various mailing lists have indicated that system managers with questions or infected nodes should call other organizations. For clarification, any SPAN-connected system that believes itself to be infected, or attacked should contact ONLY the SPAN management at Goddard Space Flight Center, Greenbelt, MD. The security effort is being coordinated by this group and all reports should be directed there. The contact number is (301)286-7251 or (301)286-5223. Electronic mail should be sent to NSSDCA::TENCATI or NSSDCA::NETMGR only. Do not send infection reports to any other node on SPAN. HEPnet sites should contact FNAL::DEMAR. BACKGROUND ---------- The worm's mission is to propagate itself randomly across the network, to seek out systems with poor security, and to establish itself in a priviliged account whereupon it will modify the system's SYS$ANNOUNCE banner to the following message: W O R M S A G A I N S T N U C L E A R K I L L E R S _______________________________________________________________ \__ ____________ _____ ________ ____ ____ __ _____/ \ \ \ /\ / / / /\ \ | \ \ | | | | / / / \ \ \ / \ / / / /__\ \ | |\ \ | | | |/ / / \ \ \/ /\ \/ / / ______ \ | | \ \| | | |\ \ / \_\ /__\ /____/ /______\ \____| |__\ | |____| |_\ \_/ \___________________________________________________/ \ / \ Your System Has Been Officically WANKed / \_____________________________________________/ You talk of times of peace for all, and then prepare for war. --------- We don't currently see that the WORM is destructive, BUT it wastes resources, and may result in denial of service by locking out priviliged users or causing non-infected nodes to consume disk space storing all the audit records from the failed access attempts. The worm attempts to establish itself onto a system by exploiting various weaknesses in the DECnet environment. Some of these weaknesses have been addressed by previous SPAN directives and guidelines. Systems that have implemented these guidelines are not at risk. A random number generator is used to pick the next node the worm will try to infect. The worm contains an internal list of 82 canned usernames that it will try against a system. In addition, it attempts to copy the file RIGHTSLIST.DAT from the selected target node. This file is normally protected W:R. If this file is successfully copied, a list of usernames specific to the target system will be generated and some subset of those will be appended to the "canned" list. The candidate words the worm uses whether or not it was successful at accessing RIGHTSLIST.DAT are the following: ACCOUNITING ACCOUNTS ALLIN1 APPLETALK ARCHIVE BACKUP CADCAM COGNOS CRAYSTN CUSTOMER DDSNET DEC DECNET DEFAULT DEMO DFS$DEFAULT DIGITAL DNS$SERVER DQS$SERVER ETHERNIM EXOS FIELD GAMES GUEST HASP IBM INGRES INVENTORY ISSYS IVP LIBRARY LN03_DLAND LPS$SERVER MAC MAIL MAILER MANAGER MANUALS MASS11 MBMANAGER MIS MRGATE MANAGER NETNONPRIV NETPRIV NEWSMGR NOTES$SERVER OPER OPERATOR ORACLE OSI PCAPP PCCOMMON PLUTO POSTMASTER RDBVMS$REM RHM SECURITY SHUTDOWN SNACSV SPEAR SPM SRS STUDENT SUPPLIES SYSINF SYSTEM SYSTEST SYSTEST_CLIG TAPESYS TCP TELEX TEMP TEST TRAINING TRANSFER USER USER1 USERP VAXNET VAXSIM VTX VXSYS The PASSWORDS tried against the set of accounts MAY be the username ONLY, OR other passwords may be tried (such as DIGITAL, PSIPAD, MANAGER, etc) apparently depending on the version of the WORM. A bug in the worm prevents it from testing the null password as previously suspected. -------------- [The following section provides information relating to the behavior of the worm. This information was primarily supplied by Kevin Oberman of LLNL and John McMahon of GSFC] -------------- 1. The program assures that it is working in a directory to which the owner (itself) has full access (Read, Write,Execute, and Delete). 2. The program checks to see if another copy is still running. It looks for a process with the first 5 characters of "NETW_". If such is found, it deletes itself (the file) and stops its process. NOTE This check is done using the F$GETJPI system service. The results vary depending on the amount of priviliges the account possesses. Non-priviliged accounts which are penetrated will only be able to return information about their own UIC, so multiple copies of the worm could be running simultaneously under different usernames. 3. The program then changes the default DECNET account password to a random string of at least 12 characters. 4. Information on the infected node and account/password used to access the system is mailed to a central collection point on SPAN. 5. The process changes its name to "NETW_" followed by a random number. 6. It checks to see if it has SYSNAM priv. If so, it defines the system announcement message to be the WANK banner. 7. If it has SYSPRV, it disables mail to the SYSTEM account. 8. Also if it has SYSPRV, it modifies the system login command procedure (SYLOGIN.COM) to APPEAR to delete all of a user's files. (It really does nothing.) 9. The procedure then scans the accounts logical name table for symbols which contain directory specifications. Each directory located is searched for command procedures within it protected (W:RWED). Any such procedures have code inserted at the top which tries to modify the FIELD account to a known password with login from any source and all privs. This is a primitive virus, but very effective IF the procedure should be executed by a priviliged account. 10. It proceeds to attempt to access other systems by picking node numbers at random. It then used PHONE to get a list of active users on the remote system. It proceeds to irritate them by causing the PHONE object to send them a one-line "fortune cookie" type message. The appearance of this message does not indicate a penetration attempt on that node, more appropriately, it indicates an "irritation attempt". NOTE If your site receives these PHONE messages the source node information can be found in the NETSERVER.LOG files in your DECnet default account. 11. The program tries to access the RIGHTSLIST.DAT file as previously described earlier. 12. It then steps through the list of usernames it has built and uses FAL to validate the candidate userid/password combination. If a password is guesses, the worm copies itself over to the target system and starts itself via the SUBMIT/REMOTE feature of VMS. 13. When the worm finishes with a system, it picks another random system and repeats (forever). SECURITY GUIDELINES TO STOP THE SPREAD OF THIS WORM: ==================================================== 1. It is IMPERATIVE that all systems protect or remove the DECnet TASK 0 object to prevent reoccurrance of this worm, OR MORE SERIOUS ATTACKS OF THIS KIND IN THE FUTURE! The TASK object can be secured by either of the following methods: Method 1): Issue the command: NCP> CLEAR OBJECT TASK ALL after the network is started up. This command can also be inserted into the procedure SYSTARTUP.COM (SYSTARTUP_V5.COM on V5.x systems) after the call to STARTNET.COM. In addition while the system is running, this command must be executed EACH TIME the network is restarted. Method 2): Issue the following commands ONCE: NCP> SET OBJECT TASK USER DECNET PASSWORD <a bunch of garbage> NCP> DEFINE OBJECT TASK USER DECNET PASSWORD <a bunch of garbage> This causes a login failure to be generated whenever the TASK object is accessed. Once done, this change will be permanent. NOTE We have received one report that TASK 0 is required for DECwindows. Read your documentation! 2. Under NO circumstances it is acceptable for an account to have a password the same as the username. Passwords (passPHRASES) should be created so that they are difficult to guess, multi-word phrases are preferable. As a precaution, we recommend that all passwords be changed. Additionally, system managers may choose to revalidate ALL accounts. If a system had the DECNET TASK 0 protected as above, the DECNET account protected against SUBMIT/REMOTE (described below) and no user had their userid as their password, it was immune to this WORM. As a result, the number of nodes actually INFECTED by this attack is relatively small. The number ATTACKED however, is large. 3. NETWORK ACCOUNTS To protect against the SUBMIT/REMOTE attack, run AUTHORIZE and make sure that all network account flags are set to NOBATCH, NODIALUP, NOLOCAL, and NOREMOTE. 4. FIELD ACCOUNT Make sure the FIELD ACCOUNT does not have the password FIELD. DISUSER the account. You must SEARCH all .COM files for a "field/remote/dialup". If the search shows it is in .COM files, They have a trojan horse appended to the files. When the .COM file is executed, This Trojan horse will try to reset account FIELD to /NODISUSER and password to FIELD. You should either delete the corrupted .COM file and obtain a good one elsewhere, or examine the file and remove the affected lines of the command procedure. 5. WORM FILES The WORM source files are W.COM or a single alphabetic character (C or D) followed by 4 or 5 numeric characters. (Cnnnnn.COM), ("nnnn" represents a random number). The WORM will start a process or processes running. These processes are named in format NETW_nnnn, and should be deleted. PHONE_nnnn may also be running as the WORM utilizes the PHONE object in an attempt to send a message to a user on another randomly selected node. 6. ALARMS Some alarms generated by the WORM are related to PHONE.EXE and FAL.EXE. The majority of the alarms are login failures as the WORM attempts to log into specific accounts. We recommend that alarms be set immediately for logins, logouts, breakin attempts, modifications to the system and net UAF's, and to changes to user and system passwords. DISCOVERY AND CLEANUP ---------------------- 1. Log into a "privileged account" $ SHOW SYSTEM Look for NETW_dddd (dddd represents 4 or 5 random digits) IF NETW_dddd is found, note the process ID and do: $ STOP PROCESS/ID=NETW_dddd The command procedure included below can be used by system managers to perform this function in the background. It is recommended that this procedure be run for the next week or so until the worm is killed-off. 2. Check the protection on all command procedures. If any are (W:REWD), check for infection. There should be two versions. The older one should be OK unless multiple infection has occurred. Generally the oldest version is OK but this is not guaranteed. An easy method is to execute the command on every disk: $SEARCH dev:[000000...]*.COM;* PASS=FIELD Any infected files will contain the line: $mcr authorize add field/remote/dialup/network/batch/defpriv=all /priv=all/flag=(nodisuser,nocaptive,nopwd_expire)/pass=field 3. Redefine or deassingn the SYS$ANNOUNCE logical name. Replace the correct SYS$ANNOUNCE messages. (Note the initial value of SYS$ANNOUNCE to identify the infected user account and location of the false announce message files (on infected systems only). 4. Clean up SYSLOGIN.COM. Remove the bogus file deletion routine. 5. Search all login directories for files named Cddddd.com or Dddddd.com. Dddddd.COM is a dummy file which precedes the actual infection. Cddddd.COM is the worm itself (normally both are deleted by the worm). 6. If your node is attacked or penetrated, please contact the SPAN Management immediately via MAIL or by phone. Send all messages to either NSSDCA::TENCATI or NSSDCA::NETMGR. If you do not have NSSDCA defined in your database, use the node number 6277::. We need to know which nodes have the worm running on them so we can coordinate cleanup measures with the appropriate personnel. NOTE A tell-tale sign that your node was ATTACKED will be multiple login failure reports in your operator.log file. 7. DO NOT DELETE ANY OF YOUR LOG FILES OR AUDIT TRAILS. THIS INFORMATION MAY BE REQUESTED OF YOU LATER IF THIS MATTER IS GOING TO BE PROSECUTED. PREVENTION MEASURES ------------------- 1. Ensure all user accounts have good password management. (No "user user" or null passwords.) 2. No world READ command procedures in user or priviliged accounts. 3. No TASK objects. 4. Do not use the the account names as the password on network accounts. (Use the V5.2 approach - separate object userid's) 5. Ensure all network accounts are set NOBATCH, NOLOCAL, NODIALUP, and NOREMOTE and have a PRCLIM of 1. 6. Audit all changes by AUTHORIZE. Analyze audit trail for changes to the FIELD account. 7. Place an ALARM ACE on SYS$MANAGER:SYLOGIN.COM;* for WRITE+DELETE+SUCCESS access. Enable ACL auditing. Analyze the audit trail for change to SYLOGIN.COM. 8. Make sure ACCOUNTING and OPCOM are running and proper alarms are set. 9. Protect RIGHTSLIST.DAT against World access. Alternatively move or rename it and define the logical symbol RIGHTSLIST to the new file. ($DEF/SYS/EXEC RIGHTSLIST <renamed file>) This will limit the ability of the worm to determine actual valid usernames. ---------------------------------------------------------------------------- The following command procedure was written by John McMahon at GSFC. It can be run as a batch job under a priviliged account. This procedure searches all processes on a running system to determine if the worm process is present. If detected, the worm is deleted. ---------------------------- ANTIWANK.COM ---------------------------------- $! $! Antiwank.Com - This program performs two functions. It kills any $! copy of the worm currently running (any process starting with NETW_ $! in it's name) and disguises itself as a copy of the worm to help $! prevent new copies from being created. $! $! This program should be submitted to a batch queue under the username $! SYSTEM. It requires WORLD priv to check the process names on your $! CPU. It runs continuously, but uses little overhead. $! $! This program uses the process name "NETW_AntiWank". It should not be $! confused as a copy of the worm program itself (which uses $! NETW_randomnumber). $! $! The system manager should add additional userids to the line $! beginning with SEND_MAIL_TO. If the program detects the worm, $! it will send a detection message to the userids in SEND_MAIL_TO. $! $! John McMahon $! NASA/GSFC CODE 630.4 $! $! 18-OCT-1989 16:11:56.21 $! $! SPAN: SDCDCL::FASTEDDY $! Internet: Fasteddy@Dftnic.Gsfc.Nasa.Gov $! Bitnet: Fasteddy@Dftbit $! $! Phone: 301-286-2045 $! $ Set NoON $ AntiWank_Name = "NETW_AntiWank" $ Process_Name_Prefix = "NETW_" $ Send_Mail_To = "SYSTEM" $ Set Process/Priv=(World) $ Set Process/Name="''AntiWank_Name'" $ Start: $ Context = "" $ Pid_Loop: $ Check_Pid = F$Pid(Context) $ If Check_Pid .Eqs. "" Then Goto End_Pid_Loop $ Check_Prcnam = F$Edit(F$Getjpi(Check_Pid,"PRCNAM"),"TRIM") $ Write Sys$Output "Process Name: ",Check_Prcnam $ If Check_Prcnam .Eqs. AntiWank_Name Then Goto Pid_Loop $ If F$Extract(0,5,Check_Prcnam) .Eqs. Process_Name_Prefix Then - Gosub Action_Routine $ Goto Pid_Loop $! $ End_Pid_Loop: $ Write Sys$Output F$TIME()," ANTIWANK is still working for you" $ Wait 00:10:00 $ Goto Start $! $ Action_Routine: $ Write Sys$Output "Action Routine" $ Username = F$Getjpi(Check_Pid,"Username") $ Stop/Id='Check_Pid' $ Mail NL: 'Send_Mail_To' - /SUBJECT="Worm Terminated ''$Status' ''Check_Prcnam' ''Check_Pid' ''Username'" YES $ Return ---------------------------END OF ANTIWANK.COM-------------------------