http://www.newsbytes.com/news/02/175245.html

By Brian McWilliams, Newsbytes
ATLANTA, GEORGIA, U.S.A., 15 Mar 2002, 11:22 AM CST

The United States Army and Navy are conducting a high-priority security review of their Microsoft [NASDAQ:MSFT] Windows systems for the presence of an unauthorized remote-control program, sources familiar with the investigation have confirmed.

An unclassified memo, sent Mar. 6 by the Navy's Computer Incident Response Team (NAVCIRT), warned Navy computer administrators to scan their Windows systems for evidence of a popular commercial software program called RemotelyAnywhere.

"NAVCIRT received several computer incident reports involving the installation of RemotelyAnywhere on compromised computer systems which in turn enables scanning, probing, and compromising of additional DOD systems," said the memo, a copy of which was received by Rob Rosenberger, an independent virus expert who consults to the military on information security matters.

Officials from NAVCIRT, which is part of the Navy's Fleet Information Warfare Center in Virginia, were not immediately available for comment.

A similar message was sent Mar. 13 by the Army Forces Command to computer systems staff at all of its installations. The Army memo, which was distributed by e-mail and designated High Importance, warned information assurance managers (IAMs) that the remote access tool "may be sitting on our systems, waiting to be launched."

A copy of the Army e-mail obtained by Newsbytes instructed Army system administrators to search all Windows computers for the presence of files that "are evidence of system compromise."

Jack Coffey, an Army Forces Command spokesman in Atlanta, confirmed the authenticity of the memo and said it was based on the advisory from NAVCIRT as well as one from the Department of Defense Computer Emergency Response Team. Coffey said he was unable to immediately provide more information.

Pentagon officials did not respond to requests for interviews.
It was not immediately clear whether other branches of the U.S. military or Defense Dept. headquarters were performing a similar security review.

A representative of Wisconsin-based Binary Research International, which distributes RemotelyAnywhere, said military investigators contacted the company last week for assistance after an undisclosed number of copies of the program were discovered on Department of Defense computer systems.

"We are cooperating fully and doing what we can to help track these people down," said Binary spokesman Jim Szopinski.

The attackers are believed to have obtained illegally licensed or "cracked" copies of RemotelyAnywhere, which costs $99 for a single-user license, according to Szopinski.

According to product documentation, RemotelyAnywhere is developed by Hungary-based 3am Labs. The software acts as an HTTP server and allows remote users to access files and manage a computer remotely through a Web browser. The program includes a configurable "listener" function that waits for connections on TCP ports 2000 and 2001 by default.

To install RemotelyAnywhere on Windows NT, 2000, or XP systems, users must have system administrator privileges, Szopinski said.

Rosenberger said attackers may have used RemotelyAnywhere, rather than an underground remote-control tool such as NetBus, because the commercial program would not be detected by anti-virus software.

According to NAVCIRT, the presence of the following four files is "evidence of system compromise: RAMIRR.DLL, RAHOOK.DLL, RA_SSH1.DLL, RA_SSH2.DLL."

The Army memo requests that computer systems personnel complete their review of multi-user server systems today, after which they are to perform a sweep of desktop computers, workstations, and laptops. "This has become terribly important," said the memo, which described the security review as "a must-accomplish action."
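A sweep implementing the two checks the memos describe, as an added example that is not from the article or from any of the organizations it quotes: it matches the four NAVCIRT file names across a directory tree and flags TCP listeners on the product's default ports in netstat-style output. The directory tree and the netstat excerpt are constructed sample data, not real system output.

```python
import os
import re
import tempfile

# Indicator file names quoted by NAVCIRT in the article; compared in lower case
# because Windows file systems are case-insensitive.
INDICATOR_FILES = {"ramirr.dll", "rahook.dll", "ra_ssh1.dll", "ra_ssh2.dll"}
# RemotelyAnywhere's default listener ports, as stated in the article.
DEFAULT_PORTS = {2000, 2001}

def find_indicator_files(root):
    """Walk a directory tree and return the full paths of any indicator file found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDICATOR_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def listening_on_default_ports(netstat_text):
    """Parse 'netstat -an' style output and return the default ports that have a
    TCP listener. A listener is a lead to investigate, not proof on its own."""
    found = set()
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group(1)) in DEFAULT_PORTS:
            found.add(int(m.group(1)))
    return sorted(found)

def build_sample_tree():
    """Constructed sample: a temp tree holding one indicator DLL among benign files."""
    root = tempfile.mkdtemp(prefix="ra_sweep_")
    sysdir = os.path.join(root, "WINNT", "system32")
    os.makedirs(sysdir)
    for name in ("kernel32.dll", "RAHOOK.DLL", "notepad.exe"):
        open(os.path.join(sysdir, name), "wb").close()
    return root

# Constructed netstat -an excerpt; not captured from any real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2001           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1034          ESTABLISHED
"""

if __name__ == "__main__":
    print("indicator files:", find_indicator_files(build_sample_tree()))
    print("default ports listening:", listening_on_default_ports(SAMPLE_NETSTAT))
```

On a real sweep, point find_indicator_files at each system drive and feed listening_on_default_ports the saved output of netstat -an; a hit on either check is what the memos ask administrators to report.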
The state of information security at many government agencies, including the Department of Defense, was criticized in a report to Congress last April by the General Accounting Office. According to the GAO, "weaknesses at the Department of Defense increase the vulnerability of various military operations."

According to Binary Research, companies using RemotelyAnywhere include AT&T, Office Depot, and MCI Worldcom.

The Navy Fleet Information Warfare Center is at http://www.fiwc.navy.mil
The Army Forces Command is at http://www.forscom.army.mil
The RemotelyAnywhere site is at http://www.remotelyanywhere.com
Binary Research is on the Web at http://www.binaryresearch.net

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 03:18:51 PST