[ISN] US Military Scours Windows Systems For Hacker Back Doors

From: InfoSec News (isnat_private)
Date: Mon Mar 18 2002 - 00:08:28 PST


    http://www.newsbytes.com/news/02/175245.html
    
    By Brian McWilliams, Newsbytes
    ATLANTA, GEORGIA, U.S.A.,
    15 Mar 2002, 11:22 AM CST
     
    The United States Army and Navy are conducting a high-priority
    security review of their Microsoft [NASDAQ:MSFT] Windows systems for
    the presence of an unauthorized remote-control program, sources
    familiar with the investigation have confirmed.
    
    An unclassified memo, sent Mar. 6 by the Navy's Computer Incident
    Response Team (NAVCIRT), warned Navy computer administrators to scan
    their Windows systems for evidence of a popular commercial software
    program called RemotelyAnywhere.
     
    "NAVCIRT received several computer incident reports involving the
    installation of RemotelyAnywhere on compromised computer systems which
    in turn enables scanning, probing, and compromising of additional DOD
    systems," said the memo, a copy of which was received by Rob
    Rosenberger, an independent virus expert who consults to the military
    on information security matters.
    
    Officials from NAVCIRT, which is part of the Navy's Fleet Information
    Warfare Center in Virginia, were not immediately available for
    comment.
    
    A similar message was sent Mar. 13 by the Army Forces Command to
    computer systems staff at all of its installations.
    
    The Army memo, which was distributed by e-mail and designated High
    Importance, warned information assurance managers (IAMs) that the
    remote access tool "may be sitting on our systems, waiting to be
    launched."
    
    A copy of the Army e-mail obtained by Newsbytes instructed Army system
    administrators to search all Windows computers for the presence of
    files that "are evidence of system compromise."
    
    Jack Coffey, an Army Forces Command spokesman in Atlanta, confirmed
    the authenticity of the memo and said it was based on the advisory
    from NAVCIRT as well as one from the Department of Defense Computer
    Emergency Response Team. Coffey said he was unable to immediately
    provide more information.
    
    Pentagon officials did not respond to requests for interviews.
    
    It was not immediately clear whether other branches of the U.S.  
    military or Defense Dept. headquarters were performing a similar
    security review.
    
    A representative of Wisconsin-based Binary Research International,
    which distributes RemotelyAnywhere, said military investigators
    contacted the company last week for assistance after an undisclosed
    number of copies of the program were discovered on Department of
    Defense computer systems.
    
    "We are cooperating fully and doing what we can to help track these
    people down," said Binary spokesman Jim Szopinski.
    
    The attackers are believed to have obtained illegally licensed or
    "cracked" copies of RemotelyAnywhere, which costs $99 for a
    single-user license, according to Szopinski.
    
    According to product documentation, RemotelyAnywhere is developed by
    Hungary-based 3am Labs. The software acts as an HTTP server and allows
    remote users to access files and manage a computer remotely through a
    Web browser. The program includes a configurable "listener" function
    that waits for connections on TCP ports 2000 and 2001 by default.
    
    To install RemotelyAnywhere on Windows NT, 2000, or XP systems, users
    must have system administrator privileges, Szopinski said.
    
    Rosenberger said attackers may have used RemotelyAnywhere, rather than
    an underground remote-control tool such as NetBus, because the
    commercial program would not be detected by anti-virus software.
    
    According to NAVCIRT, the presence of the following four files is
    "evidence of system compromise: RAMIRR.DLL, RAHOOK.DLL, RA_SSH1.DLL,
    RA_SSH2.DLL."
    
    The Army memo requests that computer systems personnel complete their
    review of multi-user server systems today, after which they are to
    perform a sweep of desktop computers, workstations, and laptops.
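As an added example (not from the article or either memo), a small Python triage script that applies the two checks the text describes: it walks a directory tree for the four file names NAVCIRT lists, matched case-insensitively because Windows file systems are, and parses Windows "netstat -an" output for listeners on RemotelyAnywhere's default TCP ports 2000 and 2001. The sample tree and netstat lines are constructed inline; a hit marks a host for review, since a legitimately licensed installation leaves the same traces.

```python
import os
import re
import tempfile

# Indicator files named in the NAVCIRT memo (compared case-insensitively).
INDICATOR_FILES = {"ramirr.dll", "rahook.dll", "ra_ssh1.dll", "ra_ssh2.dll"}
# RemotelyAnywhere's default listener ports, per the product documentation.
INDICATOR_PORTS = {2000, 2001}

def find_indicator_files(root):
    """Walk a directory tree and return the paths of any indicator files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDICATOR_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

# One "netstat -an" line: proto, local address:port, foreign address, state.
_NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)

def listening_indicator_ports(netstat_output):
    """Return the indicator ports that appear in a LISTENING state."""
    found = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m and int(m.group(1)) in INDICATOR_PORTS:
            found.add(int(m.group(1)))
    return found

def triage(root, netstat_output):
    """Combine both checks into one review verdict for a host."""
    files = find_indicator_files(root)
    ports = listening_indicator_ports(netstat_output)
    return {"files": files, "ports": sorted(ports), "suspect": bool(files or ports)}

def demo():
    """Run triage over a constructed sample tree and constructed netstat lines."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "WINNT", "system32")
        os.makedirs(sub)
        open(os.path.join(sub, "RaHook.dll"), "w").close()  # constructed indicator
        sample_netstat = ("  TCP    0.0.0.0:2000    0.0.0.0:0    LISTENING\n"
                          "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING\n")
        result = triage(tmp, sample_netstat)
        # Report paths relative to the scanned root so output is stable across runs.
        result["files"] = [os.path.relpath(p, tmp) for p in result["files"]]
        return result

if __name__ == "__main__":
    print(demo())
```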
    
    "This has become terribly important," said the memo, which described
    the security review as "a must-accomplish action."
    
    The state of information security at many government agencies,
    including the Department of Defense, was criticized in a report to
    Congress last April by the General Accounting Office. According to the
    GAO, "weaknesses at the Department of Defense increase the
    vulnerability of various military operations."
    
    According to Binary Research, companies using RemotelyAnywhere include
    AT&T, Office Depot, and MCI Worldcom.
    
    The Navy Fleet Information Warfare Center is at
    http://www.fiwc.navy.mil
    
    The Army Forces Command is at http://www.forscom.army.mil
    
    The RemotelyAnywhere site is at http://www.remotelyanywhere.com
    
    Binary Research is on the Web at http://www.binaryresearch.net
    