IDS: SANS & Ranum on DoS Trojans for Solaris
Subject: IDS: SANS & Ranum on DoS Trojans for Solaris
From: Vin McLellan (vin@shore.net)
Date: Wed Jan 05 2000 - 09:48:52 CST
- Next message: Ron Gula: "Re: IDS: Info on whisker (Dragon not vulnerable)"
- Previous message: Riley, Steven: "IDS: Evidence Files"
- Next in thread: Marcus J. Ranum: "IDS: Re: SANS & Ranum on DoS Trojans for Solaris"
- Reply: Marcus J. Ranum: "IDS: Re: SANS & Ranum on DoS Trojans for Solaris"
Happy New Year Marcus,

Want to tell us about this tool Dave Dittrich and you developed to scan network hosts for Solaris machines infected with trojans which install clients for distributed Denial of Service attacks: trinoo, TFN, TFN2000, or stacheldraht? I hadn't heard a thing about it until the SANS broadcast. Is this a Solaris-only scanner? A Solaris-only threat?
Pray, tell all. Own up. Spill.
_Vin
---------- in reference to -----------------------------
Date: Tue, 4 Jan 2000 14:16:22 -0700 (MST)
From: The SANS Institute <sans@sans.org>
Subject: SANS Flash Alert For Solaris
SANS Flash Alert for Solaris Users
Help, please - today -- in the Hunt For Solaris Trojans
THE PROBLEM
Several of you have reported that your Sun computers have been infected with Trojan horse software (trojans, for short) using such tools as trinoo, TFN, TFN2000, or stacheldraht, which is German for "barbed wire". Here is what we know so far about these attacks from users and experts around the world:
These trojans are controlled by master computers using various communications channels. The infected machines are used as a collective force (reports range upward from 230 acting together) to attack other sites and close them down. These attacks have succeeded in flooding out both large and small sites.
The trojans are being installed continuously - with attackers coming back time and again looking for new computers to compromise. Several universities found them installed on multiple computers. Attackers appear to have constructed relatively complete maps of the computers at the sites they are attacking.
If your Solaris computers are infected and are used in attacks on other organizations, you may face economic liability or be viewed as a pariah to the community.
DETECTION
You and the community would greatly benefit if you could check to see whether your computers are infected. Two principal tools are available for the test. One was developed by the National Infrastructure Protection Center (NIPC) and can be installed on each host. The other is being developed by Dave Dittrich and Marcus Ranum and can be run remotely to scan your systems. There is no charge for either of the tools.
Over the weekend the GIAC (Global Incident Analysis Center) at www.sans.org/y2k.htm put out an early notice and several dozen organizations tested the NIPC software and provided feedback that helped make it work better. Yes, the NIPC software has uncovered more infestations.
The NIPC software works well and should be run immediately.
As wonderful as the news is about the NIPC tool, to run it you have to install it on every system you want to test. A network scanning tool is potentially more efficient since one tool can scan an entire network. Just make certain the network you scan is yours and that you have permission! One such tool is under development; it was written by Dave Dittrich, and Marcus Ranum has enhanced it. In other words: extraordinary people are working together to create the tools needed to find these Trojans. If you have a lot of experience with software that is still a bit green, you could really make a contribution to the community by running and testing the scanning program.
If you are less experienced you might want to delay a day or two. But don't delay long: the tool may have a short life span, as the attackers will begin to modify the trojan code to evade detection.
Where to find the software:
The host-based tool from NIPC may be found at: http://www.fbi.gov/nipc/trinoo.htm
The scanning program from Dittrich/Ranum may be found (after 6 pm EST on January 4) at: http://staff.washington.edu/dittrich/misc/sickenscan.tar
In addition, Dave Dittrich has written an extraordinary analysis of the infestation that may be found at: http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
If you are a university or any other organization with users who may not have tightly locked down their Solaris systems, please use both. If you are absolutely sure of your defenses, you might do spot checks instead.
CONTAINMENT AND ERADICATION
If you find evidence of infestation, please make a good back-up first to preserve evidence. Also if you search for the malicious code on your system, you probably will not find it. The attackers have been installing "root kits" to hide their work.
There are resources available to help if you have been attacked. Please mail us at sansro@sans.org and we'll connect you with the best sources available at that time.
PREVENTION
The most common paths used to compromise systems to insert the Trojans have been weaknesses in RPC (remote procedure call) implementations.
The menacing character of this new threat may offer you an opportunity to get support to patch the RPC holes and eliminate other vulnerabilities.
Note that, though Solaris is the current focus of these attackers, they will soon turn to NT, Linux, and other UNIX variants. Take this opportunity to close the holes there as well. That's a great deal cheaper and less embarrassing than nuking the system and reinstalling all the software after an infestation.
IN CLOSING
If you can spare the time, please take a look right away. The Trojans are under constant development and these detection tools may be less and less effective as the week progresses.
Email us with the results at sansro@sans.org
Alan and Greg
Greg Shipley Solaris Trojan Hunt Coordinator
Alan Paller Director of Research
The SANS Institute
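The alert's argument for a network scanner over a host-based check is that a rootkit can hide the agent's files from anyone logged in to the box, but it cannot hide the agent from its own control protocol: if the daemon is listening for its master, it will answer anyone who speaks that protocol to it. The probe below is an added illustration of that idea written for this page; it is not the Dittrich/Ranum sickenscan tool, not the NIPC host tool, and not code from the alert. The wire details it assumes (UDP 27444 for master-to-daemon commands, UDP 31335 for daemon-to-master replies, the "png <password>" keepalive answered by "PONG", and the default daemon password "l44adsl") come from Dave Dittrich's published trinoo analysis, not from this message, and a recompiled agent can change any of them, so they are parameters rather than constants. The fake daemon is a constructed lab stand-in so the scanner can be exercised on the loopback interface; as the alert says, only probe networks you own or have permission to test.

```python
"""Network probe for trinoo-style DDoS daemons (added example, not the
sickenscan or NIPC tool). Speaks the master's keepalive to each host and
listens for the daemon's reply instead of looking for files on disk."""
import ipaddress
import socket
import threading
import time

# Assumed protocol values, taken from Dittrich's trinoo analysis (not from
# this page). Attackers who rebuild the agent will change them.
TRINOO_DAEMON_PORT = 27444          # UDP: master -> daemon commands
TRINOO_REPLY_PORT = 31335           # UDP: daemon -> master replies
TRINOO_DEFAULT_PASSWORD = b"l44adsl"


def build_ping(password=TRINOO_DEFAULT_PASSWORD):
    """The master's keepalive datagram; a live daemon answers it with PONG."""
    return b"png " + password


def classify_reply(data):
    """Label a datagram received on the reply port; only 'PONG' counts."""
    return "trinoo-daemon" if data.strip() == b"PONG" else None


def expand_targets(specs):
    """Turn a mix of host addresses and CIDR blocks into individual hosts."""
    hosts = []
    for spec in specs:
        if "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
            hosts.extend(str(ip) for ip in net.hosts())
        else:
            hosts.append(spec)
    return hosts


def scan(specs, password=TRINOO_DEFAULT_PASSWORD, timeout=2.0,
         daemon_port=TRINOO_DAEMON_PORT, reply_port=TRINOO_REPLY_PORT,
         listen_addr=""):
    """Probe every target; return {host: label} for hosts that answered.

    The daemon replies to the sender's IP on reply_port, not to the probe's
    source port, so the listener must be bound before any probe goes out.
    """
    hosts = expand_targets(specs)
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_addr, reply_port))
    listener.settimeout(0.2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe = build_ping(password)
    found = {}
    try:
        for host in hosts:
            try:
                sender.sendto(probe, (host, daemon_port))
            except OSError:
                continue                    # unresolvable or unroutable host
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline and len(found) < len(hosts):
            try:
                data, (src, _) = listener.recvfrom(1024)
            except socket.timeout:
                continue
            label = classify_reply(data)
            if label:
                found[src] = label          # a daemon identified itself
    finally:
        listener.close()
        sender.close()
    return found


def start_fake_daemon(password=TRINOO_DEFAULT_PASSWORD, bind_addr="127.0.0.1",
                      daemon_port=TRINOO_DAEMON_PORT, reply_port=TRINOO_REPLY_PORT):
    """Constructed lab stand-in for an infected host: answers one correctly
    passworded ping with PONG and exits. Reproduces only that exchange."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, daemon_port))      # bound before returning: no race
    sock.settimeout(5.0)

    def serve():
        try:
            data, (src, _) = sock.recvfrom(1024)
            if data == b"png " + password:
                sock.sendto(b"PONG", (src, reply_port))
        except socket.timeout:
            pass
        finally:
            sock.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    return worker


if __name__ == "__main__":
    import sys
    # Usage: python trinoo_probe.py 10.0.0.0/24 10.1.2.3
    print(scan(sys.argv[1:] or ["192.0.2.0/29"]))
```

The password check in the fake daemon is the caveat the alert raises about the tool's short life span: a daemon rebuilt with a different password or port ignores the probe and looks clean, so a silent scan proves only that nothing answered this particular dialect, not that the network is free of agents.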
This archive was generated by hypermail 2b27 : Wed Jan 05 2000 - 21:07:32 CST