SANS Flash Alert For Solaris


From: The SANS Institute
To: Fred Cohen (SD308262)

Tue, 4 Jan 2000 14:47:26 -0700 (MST)


fc  Tue Jan  4 13:48:15 2000
Received: from 207.222.214.225
	by localhost with POP3 (fetchmail-5.0.0)
	for fc@l... (single-drop); Tue, 04 Jan 2000 13:48:15 -0800 (PST)
Received: by multi33.netcomi.com for fc
 (with Netcom Interactive pop3d (v1.21.1 1998/05/07) Tue Jan  4 21:48:09 2000)
X-From_: sans@s...  Tue Jan  4 15:47:36 2000
Received: from server1.SANS.ORG (server1.sans.org [167.216.133.33]) by multi33.netcomi.com (8.8.5/8.7.4) with ESMTP id PAA05769 for fc@a...; Tue, 4 Jan 2000 15:47:36 -0600
Received: by server1.SANS.ORG (rbkq) id QCU17905
	for fc@a...; Tue, 4 Jan 2000 14:47:26 -0700 (MST)
Date: Tue, 4 Jan 2000 14:47:26 -0700 (MST)
Message-Id: 2000010415129.QCU17905@s...
From: The SANS Institute sans@s...
Subject: SANS Flash Alert For Solaris
Precedence: bulk
Errors-To: bounce@s...
To: Fred Cohen (SD308262) fc@a...


SANS Flash Alert for Solaris Users

Help, please - today  -- in the Hunt For Solaris Trojans

THE PROBLEM

Several of you have reported that your Sun computers have been
infected with Trojan horse software (trojans, for short) using such
tools as trinoo, TFN, TFN2000, or stacheldraht, which is German
for barbed wire.
  
Here is what we know so far about these attacks from users and 
experts around the world: 

These trojans are controlled by master computers using various communications channels. The infected machines are used as a collective force (reports range upward from 230 acting together) to attack other sites and close them down. These attacks have succeeded in flooding out both large and small sites.

The trojans are being installed continuously, with attackers coming back time and again looking for new computers to compromise. Several universities found them installed on multiple computers. Attackers appear to have constructed relatively complete maps of the computers at the sites they are attacking.

If your Solaris computers are infected and are used in attacks on other organizations, you may face economic liability or be viewed as a pariah by the community.

DETECTION

You and the community would greatly benefit if you could check to see whether your computers are infected. Two principal tools are available for the test. One was developed by the National Infrastructure Protection Center (NIPC) and can be installed on each host. The other is being developed by Dave Dittrich and Marcus Ranum and can be run remotely to scan your systems. There is no charge for either of the tools.

Over the weekend the GIAC (Global Incident Analysis Center) at www.sans.org/y2k.htm put out an early notice and several dozen organizations tested the NIPC software and provided feedback that helped make it work better. Yes, the NIPC software has uncovered more infestations.

The NIPC software works well and should be run immediately.

As wonderful as the news is about the NIPC tool, to run it you have to install it on every system you want to test. A network scanning tool is potentially more efficient since one tool can scan an entire network. Just make certain the network you scan is yours and that you have permission! One such tool is under development; it was written by Dave Dittrich, and Marcus Ranum has enhanced it. In other words, extraordinary people are working together to create the tools needed to find these Trojans.

If you have a lot of experience with software that is still a bit
green, you could really make a contribution to the community by
running and testing the scanning program.

If you are less experienced you might want to delay a day or two. But don't delay long: the tool may have a short life span, as the attackers will begin to modify the trojan code to evade detection.

Where to find the software:

The host-based tool from NIPC may be found at:
http://www.fbi.gov/nipc/trinoo.htm

The scanning program from Dittrich/Ranum may be found (after 6 pm EST on January 4) at: http://staff.washington.edu/dittrich/misc/sickenscan.tar

In addition, Dave Dittrich has written an extraordinary analysis of the infestation that may be found at: http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

If you are a university or any other organization with users who may not have tightly locked down their Solaris systems, please use both. If you are absolutely sure of your defenses, you might do spot checks instead.

CONTAINMENT AND ERADICATION

If you find evidence of infestation, please make a good back-up first to preserve evidence. Also, if you search for the malicious code on your system, you probably will not find it: the attackers have been installing "root kits" to hide their work, so the system's own ps, ls, netstat and similar commands can no longer be trusted to report what is really there.
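Because a root kit replaces the very tools you would use to look for it, the check a practitioner wants here is an integrity comparison of on-disk binaries against a baseline of known-good hashes, run with an interpreter and hash library taken from trusted media rather than from the suspect host. The following is an added example and is not part of the SANS alert or of the NIPC or Dittrich/Ranum tools; the directory layout, file contents and the "baseline" manifest are constructed inline so the script runs offline.

```python
"""Compare a directory tree against a baseline hash manifest.

Added example, not from the SANS alert. The sample tree, the "clean" and
"trojaned" file contents and the manifest are all constructed here.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative path) to its SHA-256 hex digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # hash the real binary where the link points, not the link
            manifest[str(path.relative_to(root))] = sha256_file(path)
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or whose content changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(path for path in baseline.keys() & current.keys()
                      if baseline[path] != current[path])
    return {"added": added, "missing": missing, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate a root kit install and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr" / "bin").mkdir(parents=True)
        (root / "usr" / "bin" / "ps").write_bytes(b"#!/bin/sh\necho clean ps\n")
        (root / "usr" / "bin" / "netstat").write_bytes(b"#!/bin/sh\necho clean netstat\n")
        baseline = build_manifest(root)  # would normally come from trusted, read-only media

        # Simulated root kit: ps replaced, netstat removed, an unnamed agent dropped alongside.
        (root / "usr" / "bin" / "ps").write_bytes(b"#!/bin/sh\necho trojaned ps\n")
        (root / "usr" / "bin" / "netstat").unlink()
        (root / "usr" / "bin" / ".agent").write_bytes(b"constructed placeholder, not real agent code\n")

        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline manifest must be produced before the compromise and stored off the host; a manifest generated on an already-infested machine only tells you what the root kit wants you to see. Hashes of the vendor's original packages serve the same purpose when no baseline was taken.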

There are resources available to help if you have been attacked. Please mail us at sansro@s... and we'll connect you with the best sources available at that time.

PREVENTION

The most common paths used to compromise systems to insert the Trojans have been weaknesses in RPC (remote procedure call) implementations.

The menacing character of this new threat may offer you an opportunity to get support to patch the RPC holes and eliminate other vulnerabilities.
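Before patching, the practical first question is which RPC services a host actually exposes, since every one of them that is not needed is attack surface regardless of patch level. The following is an added example, not part of the SANS alert: it parses the output of Solaris `rpcinfo -p` (captured to a file on each host, or collected over an approved network scan) and separates the services into an allowlist, a review list, and a high-priority list. The sample `rpcinfo -p` text is constructed, the allowlist is an assumption for the example, and the high-priority names are drawn from my own knowledge of the RPC services that were being widely exploited on Solaris at the time (sadmind, cmsd, ttdbserverd, statd), not from this alert; adjust both lists to your environment.

```python
"""Triage `rpcinfo -p` output for exposed RPC services.

Added example, not from the SANS alert. SAMPLE_RPCINFO is constructed;
BASELINE_ALLOWLIST and HIGH_RISK are assumptions to be tuned per site.
"""
import re
from typing import Dict, List, NamedTuple


class RpcService(NamedTuple):
    program: int
    version: int
    proto: str
    port: int
    name: str


# Assumption: the only RPC service a minimal host must expose is the portmapper itself.
BASELINE_ALLOWLIST = {"rpcbind", "portmapper"}

# Assumption (editor's knowledge, not from the alert): RPC services most often used
# as entry points on Solaris hosts in 1999. Solaris registers statd as "status".
HIGH_RISK = {"sadmind", "cmsd", "ttdbserverd", "statd", "status"}

# One `rpcinfo -p` row: program number, version, protocol, port, optional name.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s*(\S*)\s*$")


def parse_rpcinfo(text: str) -> List[RpcService]:
    """Parse `rpcinfo -p` rows; header and blank lines are skipped.

    A row with no registered name (a program nobody documented) is kept and
    labelled by its program number so it is not silently dropped.
    """
    services: List[RpcService] = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        prog, ver, proto, port, name = match.groups()
        services.append(RpcService(int(prog), int(ver), proto, int(port),
                                   name or f"prog-{prog}"))
    return services


def audit(services: List[RpcService],
          allowlist=BASELINE_ALLOWLIST,
          high_risk=HIGH_RISK) -> Dict[str, List[RpcService]]:
    """Bucket services: high_risk first (even if someone allowlisted them), then allowed, then review."""
    report: Dict[str, List[RpcService]] = {"high_risk": [], "allowed": [], "review": []}
    for svc in services:
        if svc.name in high_risk:
            report["high_risk"].append(svc)
        elif svc.name in allowlist:
            report["allowed"].append(svc)
        else:
            report["review"].append(svc)
    return report


# Constructed sample in the layout Solaris `rpcinfo -p` prints; not a real host.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100232   10   udp  32773  sadmind
    100068    5   udp  32774  cmsd
    100083    1   tcp  32771  ttdbserverd
    100024    1   udp  32775  status
    300123    1   tcp  32776
"""


if __name__ == "__main__":
    for bucket, entries in audit(parse_rpcinfo(SAMPLE_RPCINFO)).items():
        print(bucket)
        for svc in entries:
            print(f"  {svc.name:<14} prog={svc.program} v{svc.version} {svc.proto}/{svc.port}")
```

Anything in the high-risk or review buckets that the host does not need should be disabled in inetd.conf or its startup scripts before patching what remains; the unnamed program in the sample is exactly the kind of entry that deserves a look, because a registered program with no name is either a local custom service or something nobody on the host can account for.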

Note, though Solaris is the current focus of these attackers, they will soon turn to NT, Linux and other UNIX variants. Take this opportunity to close the holes there as well. That's a great deal cheaper and less embarrassing than nuking the system and reinstalling all the software after an infestation.

IN CLOSING
 
If you can spare the time, please take a look right away.  The 
Trojans are under constant development and these detection tools 
may be less and less effective as the week progresses.

Email us with the results at sansro@s...

Alan and Greg

Greg Shipley
Solaris Trojan Hunt Coordinator

Alan Paller
Director of Research

The SANS Institute

--
Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: http://all.net - fc@a... - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
				Have a great day!!!

[This communication is confidential to the parties to which it is sent.  If you get this email in error, please delete it immediately and do not use, repost, reprint, or view the contents.]

Per the official policy of Sandia National Laboratories, the reader should be
aware that:
  - Fred Cohen of Fred Cohen & Associates is the same Fred Cohen who is a
    Principal Member of Technical Staff at Sandia National Laboratories.
  - Fred Cohen & Associates - is owned and operated by Fred Cohen and is
    separate and independent from the work done by Fred Cohen at Sandia
    National Laboratories.