[Fwd: SANS Flash Alert For Solaris]

From: Peter J Dinauer (peter.dinauerat_private)
Date: Tue Jan 04 2000 - 15:08:49 PST

    
    The hunt is on . . . .
    
    Received: from SpoolDir by ROADRUNNER (Mercury 1.44); 4 Jan 00 13:10:19 pst8pdt
    Return-path: <sansat_private> 
    Received: from csun.edu (130.166.1.41) by roadrunner.csun.edu (Mercury 1.44) with ESMTP;
        4 Jan 00 13:10:16 pst8pdt
    Received: from mail1.csun.edu (mail1.csun.edu [130.166.1.23])
    	by csun.edu (8.9.1/8.9.1) with ESMTP id NAA11331
    	for <peter.dinauer@[130.166.1.60]>; Tue, 4 Jan 2000 13:09:51 -0800 (PST)
    Received: from server1.SANS.ORG (server1.sans.org [167.216.133.33])
    	by mail1.csun.edu (2.0.3/SMS 2.0.3) with ESMTP id NAA86762
    	for <peter.dinauerat_private>; Tue, 4 Jan 2000 13:06:19 -0800
    Received: by server1.SANS.ORG (rbkq) id QCT84885
    	for peter.dinauerat_private; Tue, 4 Jan 2000 14:09:09 -0700 (MST)
    Date: Tue, 4 Jan 2000 14:09:09 -0700 (MST)
    Message-Id: <2000010414175.QCT84885at_private>
    From: The SANS Institute <sansat_private>
    Subject: SANS Flash Alert For Solaris
    Precedence: bulk
    Errors-To: bounceat_private
    To: Peter J Dinauer (SD070458) <peter.dinauerat_private>
    
    To: Peter J Dinauer (SD070458)
    
    SANS Flash Alert for Solaris Users 
    
    Help, please - today -- in the Hunt For Solaris Trojans
    
    THE PROBLEM
    
    Several of you have reported that your Sun computers have been 
    infected with Trojan horse software (trojans, for short) using such 
    tools as trinoo, TFN, TFN2000, or stacheldraht, which is German 
    for barbed wire.
      
    Here is what we know so far about these attacks from users and 
    experts around the world: 
    
    These trojans are controlled by master computers using various 
    communications channels. The infected machines are used as a 
    collective force (reports range upward from 230 acting together) to 
    attack other sites and close them down.  These attacks have 
    succeeded in flooding out both large and small sites. 
    
    The trojans are being installed continuously - with attackers 
    coming back time and again looking for new computers to 
    compromise. Several universities found them installed on multiple 
    computers. Attackers appear to have constructed relatively 
    complete maps of the computers at the sites they are attacking.
    
    If your Solaris computers are infected and are used in attacks on 
    other organizations, you may face economic liability or be viewed 
    as a pariah to the community.
    
    
    DETECTION
    
    You and the community would greatly benefit if you could check 
    to see whether your computers are infected.  Two principal tools 
    are available for the test. One is being developed by the National 
    Infrastructure Protection Center (NIPC) and can be installed on 
    each host. The other was developed by Dave Dittrich and Marcus 
    Ranum and can be run remotely to scan your systems.  There is no 
    charge for either of the tools.
    
    Over the weekend the GIAC (Global Incident Analysis Center) at 
    www.sans.org/y2k.htm put out an early notice and several dozen 
    organizations tested the NIPC software and provided feedback that 
    helped make it work better. Yes, the NIPC software has uncovered 
    more infestations.
    
    The NIPC software works well and should be run immediately.
    
    As wonderful as the news is about the NIPC tool, to run it you 
    have to install it on every system you want to test.  A network 
    scanning tool is potentially more efficient since one tool can scan 
    an entire network.  Just make certain the network you scan is yours 
    and that you have permission!  One such tool is under 
    development; it was written by Dave Dittrich, and Marcus Ranum 
    has enhanced it. In other words: extraordinary people
    are working together to create the tools needed to find these Trojans.
     
    If you have a lot of experience with software that is still a bit 
    green, you could really make a contribution to the community by 
    running and testing the scanning program.
    
    If you are less experienced you might want to delay a day or two. 
    But don't delay long; the tool may have a short life span, as the 
    attackers will begin to modify the trojan code to evade detection.
    
    Where to find the software:
    
    The host-based tool from NIPC may be found at:
    http://www.fbi.gov/nipc/trinoo.htm
    
    The scanning program from Dittrich/Ranum may be found (after 6 
    pm EST on January 4) at:
    http://staff.washington.edu/dittrich/misc/sickenscan.tar
    
    In addition, Dave Dittrich has written an extraordinary analysis of 
    the infestation that may be found at: 
    http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
    
    If you are a university or any other organization with users who 
    may not have tightly locked down their Solaris systems, please use 
    both.  If you are absolutely sure of your defenses, you might do 
    spot checks instead.
    
    CONTAINMENT AND ERADICATION
    
    If you find evidence of infestation, please make a good back-up 
    first to preserve evidence. Also, if you search for the malicious 
    code on your system, you probably will not find it. The attackers 
    have been installing "root kits" to hide their work.  
    
    There are resources available to help if you have been attacked. 
    Please mail us at sansroat_private and we'll connect you with the 
    best sources available at that time.
    
    
    PREVENTION
    
    The most common paths used to compromise systems to insert the 
    Trojans have been weaknesses in RPC (remote procedure call) 
    implementations.
    
    The menacing character of this new threat may offer you an 
    opportunity to get support to patch the RPC holes and eliminate 
    other vulnerabilities.
    
    Note that, though Solaris is the current focus of these attackers, they 
    will soon turn to NT and Linux and other UNIX variants.  Take 
    this opportunity to close the holes there as well.  That's a great deal 
    cheaper and less embarrassing than nuking the system and 
    reinstalling all the software after an infestation.
    
    IN CLOSING
     
    If you can spare the time, please take a look right away.  The 
    Trojans are under constant development and these detection tools 
    may be less and less effective as the week progresses.
    
    Email us with the results at sansroat_private
    
    Alan and Greg
    
    Greg Shipley
    Solaris Trojan Hunt Coordinator
    
    Alan Paller
    Director of Research
    
    The SANS Institute
    
    
    
    
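As an added example, not part of the SANS alert above and not the Dittrich/Ranum scanner it links to: a small Python probe in the spirit of the remote network scan the alert describes. The protocol details it relies on are assumptions taken from Dave Dittrich's public trinoo analysis, not from the alert itself: a trinoo daemon listens on UDP/27444, accepts the keepalive command "png <daemon password>" with the default password l44adsl, and answers "PONG" to UDP/31335 on the prober. The function names (build_probe, is_trinoo_reply, expand_targets, scan) are mine. It does not cover TFN or stacheldraht agents, which per the same analyses talk over ICMP and would need raw sockets. As the alert says, only run it against networks you own and have permission to scan.

```python
#!/usr/bin/env python3
"""Added example: probe a network for hosts running a trinoo DDoS daemon.

Not code from the SANS alert or from the Dittrich/Ranum scanner. The protocol
details below are assumptions taken from Dave Dittrich's public trinoo
analysis, not from the alert:
  - daemons listen on UDP/27444 for commands from their master
  - the keepalive command is "png <daemon password>", default "l44adsl"
  - a daemon answers with "PONG" sent to UDP/31335 on the prober
Scan only networks you own and are authorised to test.
"""
import ipaddress
import select
import socket
import sys
import time

TRINOO_DAEMON_PORT = 27444   # assumed daemon command port (per Dittrich)
TRINOO_REPLY_PORT = 31335    # assumed port the daemon replies to (per Dittrich)
TRINOO_PASSWORD = "l44adsl"  # assumed default daemon password (per Dittrich)


def build_probe(password=TRINOO_PASSWORD):
    """Bytes a trinoo master sends to check that a daemon is alive."""
    return ("png %s" % password).encode("ascii")


def is_trinoo_reply(payload):
    """True if a UDP payload looks like a daemon's answer to the probe."""
    return payload.strip() == b"PONG"


def expand_targets(network):
    """All host addresses in a CIDR block; a single address is accepted too."""
    net = ipaddress.ip_network(network, strict=False)
    if net.num_addresses == 1:
        return [str(net.network_address)]
    return [str(h) for h in net.hosts()]


def scan(network, timeout=3.0):
    """Probe every host in `network`; return sorted addresses that answered PONG.

    The reply port is bound before any probe leaves, otherwise a fast
    daemon's PONG could arrive before we are listening and be dropped.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("", TRINOO_REPLY_PORT))
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe = build_probe()
    found = set()
    try:
        for host in expand_targets(network):
            try:
                sender.sendto(probe, (host, TRINOO_DAEMON_PORT))
            except OSError:
                pass  # unroutable host or similar; keep scanning
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            ready, _, _ = select.select([listener], [], [], remaining)
            if not ready:
                break
            data, (addr, _port) = listener.recvfrom(1024)
            if is_trinoo_reply(data):
                found.add(addr)
    finally:
        listener.close()
        sender.close()
    return sorted(found, key=ipaddress.ip_address)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: trinoo_probe.py <cidr-or-host>")
    for addr in scan(sys.argv[1]):
        print("possible trinoo daemon on", addr)
```

A daemon whose password was changed from the default will stay silent, so an empty result is not proof of a clean network; the alert's advice to also run the host-based NIPC tool stands.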
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:41 PDT