Happy New Year Marcus,
Want to tell us about this tool Dave Dittrich and you developed to
scan network hosts for Solaris machines infected with trojans which install
clients distributed Denial of Service attacks: trinoo, TFN, TFN2000, or
stacheldraht?
I hadn't heard a thing about it until the SANS broadcast. Is this a
Solaris-only scanner? A Solaris-only threat?
Pray, tell all. Own up. Spill.
_Vin
---------- in reference to -----------------------------
Date: Tue, 4 Jan 2000 14:16:22 -0700 (MST)
From: The SANS Institute <sansat_private>
Subject: SANS Flash Alert For Solaris
SANS Flash Alert for Solaris Users
Help, please - today -- in the Hunt For Solaris Trojans
THE PROBLEM
Several of you have reported that your Sun computers have been
infected with Trojan horse software (trojans, for short) using such
tools as trinoo, TFN, TFN2000, or stacheldraht which is German
for barbed wire.
Here is what we know so far about these attacks from users and
experts around the world:
These trojans are controlled by master computers using various
communications channels. The infected machines are used as a
collective force (reports range upward from 230 acting together) to
attack other sites and close them down. These attacks have
succeeded in flooding out both large and small sites.
The trojans are being installed continuously - with attackers
coming back time and again looking for new computers to
compromise. Several universities found them installed on multiple
computers. Attackers appear to have constructed relatively
complete maps of the computers at the sites they are attacking.
If your Solaris computers are infected and are used in attacks on
other organizations, you may face economic liability or be viewed
as a pariah to the community.
DETECTION
You and the community would greatly benefit if you could check
to see whether your computers are infected. Two principal tools
are available for the test. One was developed by the National
Infrastructure Protection Center (NIPC) and can be installed on
each host. The other is being developed by Dave Dittrich and Marcus
Ranum and can be run remotely to scan your systems. There is no
charge for either of the tools.
Over the weekend the GIAC (Global Incident Analysis Center) at
www.sans.org/y2k.htm put out an early notice and several dozen
organizations tested the NIPC software and provided feedback that
helped make it work better. Yes, the NIPC software has uncovered
more infestations.
The NIPC software works well and should be run immediately.
As wonderful as the news is about the NIPC tool, to run it you
have to install it on every system you want to test. A network
scanning tool is potentially more efficient since one tool can scan
an entire network. Just make certain the network you scan is yours
and that you have permission! One such tool is under
development, it was written by Dave Dittrich, and Marcus Ranum
has enhanced it. In other words: extraordinary people
are working together to create the tools need to find these Trojans.
If you have a lot of experience with software that is still a bit
green, you could really make a contribution to the community by
running and testing the scanning program.
If you are less experienced you might want to delay a day or two.
But don't delay long, the tool may have a short life span, as the
attackers will begin to modify the trojan code to evade detection.
Where to find the software:
The host-based tool from NIPC may be found at:
http://www.fbi.gov/nipc/trinoo.htm
The scanning program from Dittrich/Ranum may be found (after 6
pm EST on January 4) at:
http://staff.washington.edu/dittrich/misc/sickenscan.tar
In addition, Dave Dittrich has written an extraordinary analysis of
the infestation that may be found at:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
If you are a university or any other organization with users who
may not have tightly locked down their Solaris systems, please use
both. If you are absolutely sure of your defenses, you might do
spot checks instead.
CONTAINMENT AND ERADICATION
If you find evidence of infestation, please make a good back-up
first to preserve evidence. Also if you search for the malicious
code on your system, you probably will not find it. The attackers
have been installing "root kits" to hide their work.
There are resources available to help if you have been attacked.
Please mail us at sansroat_private and we'll connect you with the
best sources available at that time.
PREVENTION
The most common paths used to compromise systems to insert the
Trojans have been weaknesses in RPC (remote procedure call)
implementation.
The menacing character of this new threat may offer you an
opportunity to get support to patch the RPC holes and eliminate
other vulnerabilities.
Note, though Solaris is the current focus of these attackers, they
will soon turn to NT and Linux and other UNIX variants. Take
this opportunity to close the holes there as well. That's a great deal
cheaper and less embarrassing than nuking the system and
reinstalling all the software after an infestation.
IN CLOSING
If you can spare the time, please take a look right away. The
Trojans are under constant development and these detection tools
may be less and less effective as the week progresses.
Email us with the results at sansroat_private
Alan and Greg
Greg Shipley
Solaris Trojan Hunt Coordinator
Alan Paller
Director of Research
The SANS Institute
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:42 PDT