_____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                         Information Bulletin       

        Detection/Eradication Procedures for VMSCRTL.EXE Trojan Horse

November 21, 1990, 1100 PST                              Number B-8
__________________________________________________________________________
PROBLEM:  Detection of trojan horse and recovery procedures
PLATFORM: VAX/VMS (all versions)
DAMAGE:  Gives unauthorized privileged access to system if trojan
  horse is implanted in system by intruders who have already obtained
  privileged status
DETECTION:  Several methods (described herein), of which finding
  VMSCRTL.EXE in SYS$LIBRARY is the fastest
__________________________________________________________________________
         Critical Trojan Horse Facts

In bulletin B-6 CIAC warned of a new pattern of intrusions into VMS
systems.  Part of this pattern is placing a file named VMSCTRL.EXE into
SYS$LIBRARY.  CIAC has determined that this file contains a trojan
horse program.  VMSCRTL.EXE also provides a means for the attackers to
gain full privileges from a non-privileged account if this file has
been installed with the CMKRNL privilege. The presence of VMSCRTL.EXE
in SYS$LIBRARY indicates that a VMS system has been compromised and
that the attackers have been able to gain full privileges.

The trojan horse behaviors of VMSCRTL.EXE are:

1.  Copies itself to SYS$LIBRARY:VMSCRTL.EXE

2.      Creates the file SYS$STARTUP:DECW$INSTALL_LAT.COM  This file
contains a standard DEC copyright notice and a DCL command to install
SYS$LIBRARY:VMSCRTL.EXE with CMKRNL privilege.

3.      Modifies the file SYS$STARTUP:VMS$LAYERED.DAT to include the
execution of SYS$STARTUP:DECW$INSTALL_LAT.COM as part of the VMS boot
procedure.

4.      Exits with a (falsified) CLI error message while returning a
status of SYS$NORMAL

The "tracks" left behind by the execution of VMSCRTL.EXE are fairly obvious:

1.  The presence of SYS$LIBRARY:VMSCRTL.EXE

2.  The presence of SYS$STARTUP:DECW$INSTALL_LAT.COM

3.      The file SYS$STARTUP:VMS$LAYERED.DAT will have its MODIFIED
date changed to reflect the time at which VMSCRTL.EXE was run.  Use the
DCL command "$ DIRECTORY/FULL SYS$STARTUP:VMS$LAYERED.DAT" or "$
DIRECTORY/DATE=MODIFIED SYS$STARTUP:VMS$LAYERED.DAT" to determine the
modification date.  Note that this evidence will be destroyed if any
subsequent modifications or listings of SYS$STARTUP:VMS$LAYERED.DAT are
made via the STARTUP command to SYSMAN.

4.      The DCL command "$ MCR SYSMAN STARTUP FILE" will list
DECW$INSTALL_LAT.COM as one of the startup files.  Note that executing
this command will change the modification date of
SYS$STARTUP:VMS$LAYERED.DAT  Be sure, therefore, to do this check after
checking the MODIFIED date as prescribed above.

5.       If the infected system has been rebooted since VMSCRTL.EXE was
run, the DCL command "$ MCR INSTALL /LIST" will reveal that
SYS$LIBRARY:VMSCRTL.EXE is installed with privilege. A full list of
this installed image will show it is installed with CMKRNL.
 
DETECTION

The presence of the file SYS$LIBRARY:VMSCRTL.EXE is definite
confirmation that this trojan horse is present.  Additional
confirmatory evidence includes:

1.  The presence of the file SYS$STARTUP:DECW$INSTALL_LAT.COM

2.      Modification to the SYSMAN STARTUP database file to include the
execution of SYS$STARTUP:DECW$INSTALL_LAT.COM

A search string that can be used to identify VMSCRTL.EXE regardless of
the file's name is "%VCR"    For example, to search your entire system
disk you might enter:

  $ SEARCH SYS$SYSDEVICE:[*...]*.* "%VCR"/WINDOW=1

If VMSCRTL.EXE is detected in a non-system directory, it is likely that
the attackers have penetrated a non-privileged account but have not yet
been able to gain full privileges.

MINIMAL RECOVERY PROCEDURE

If you have detected VMSCRTL.EXE in SYS$LIBRARY, the VMS system has
been compromised by attackers who were able to gain full privileges.
(If these attackers are able to reenter the system, they will again be
able to gain full privileges).  The minimal recovery procedure
described below is provided only as a quick, short-term, "stop gap"
measure.  (The possibility that other damage to the compromised VMS
system was done by the attackers is large--we therefore recommend that
when time permits the full recovery procedure be implemented.) The
minimal recovery procedure is:

1.      Use INSTALL to remove SYS$LIBRARY:VMSCRTL.EXE with the
command:  "$ MCR INSTALL SYS$LIBRARY:VMSCRTL.EXE/DELETE"

Note: It is possible that VMSCRTL.EXE is not installed (yet) and so
this command may produce the appropriate error message.

2.      Remove the startup entry SYS$STARTUP:DECW$INSTALL_LAT.COM from
SYSMAN's database with the command:  "$ MCR SYSMAN STARTUP REMOVE FILE
SYS$STARTUP:DECW$INSTALL_LAT.COM

3.  Delete the file SYS$LIBRARY:VMSCRTL.EXE and the file
SYS$STARTUP:DECW$INSTALL_LAT.COM

4.      Disable all inactive accounts using AUTHORIZE.  For example, to
disable an account named JONES, enter:

   $ SET DEF SYS$SYSTEM
   $ RUN AUTHORIZE
   UAF> MOD JONES/FLAGS=DISUSER
   UAF> EXIT

5.  Change the passwords on all active accounts.

6.  Review all entries in SYSUAF.DAT and make appropriate corrections

7.  Review all SYSGEN parameters and make appropriate corrections

8.      Review all system files for modifications occurring after the
penetration.  The following DCL command can prove very useful in this
endeavor:

    $ DIR/FULL/MODIFIED/SINCE="<actual penetration date>"

  For example, if the penetration date were October 31st, enter:

    $ DIR/FULL/MODIFIED/SINCE="31-OCT-1990"

 
FULL RECOVERY PROCEDURE
 
For the full recovery procedure, follow the complete VMS recovery
procedure given in the appendix to this bulletin.

For additional information or assistance, please contact CIAC

  Hal R. Brand
  (415) 422-6312 or (FTS) 532-6312

  or call (415) 422-8193 or (FTS) 532-8193

  send FAX messages to:  (415) 423-0913 or (FTS) 543-0913

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty,  expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                    COMPLETE VMS RECOVERY PROCEDURE

This recovery procedure should be applied to a compromised VMS system
whenever it can not be determined that the intruders failed to gain
system privilege.

1.      Get a hardcopy listing of your current SYSUAF.DAT   If
SYSUAF.DAT contains an extremely large number of users, it will take
considerable time to restore all accounts (so it may be expedient to
save SYSUAF.DAT to tape or elsewhere so it can be restored, although we
do not generally recommend this procedure).

2.      Remove from all disks all executable code (including DCL
command procedures) run by  privileged accounts.

3.      Initialize the system disk to remove all files.  (This is an
extreme step, but it is guaranteed to remove any damage done by the
intruder.)

4.  Install VMS and all layered products. 
 
5.      Use AUTHORIZE to add only currently active accounts (or restore
the SYSUAF.DAT you saved).  If you restore SYSUAF.DAT you must
scrutinize it very carefully.  To restore SYSUAF.DAT is not generally
recommended.  It is better to re-create only the active accounts,
because this not only removes all dormant accounts, but also guarantees
elimination of bogus accounts and unauthorized modifications.

6.      Restore from TRUSTED backups all site specific files found on
the system disk.  In the event you do not have TRUSTED backups, we
recommend you re-create these files.

Note:  "Trusted backups" are defined as backups in which there is a
high degree of assurance that there were no unauthorized changes made
to any of the files before the backup was made.

7.      Restore from TRUSTED backups all files removed in step 2.  In
the event you do not have TRUSTED backups, we recommend that you
re-create these files.