FA-99-02.trojans

Posted Sep 23, 1999

tags | trojan
SHA-256 | 925214a88ca42d8b55d39eaae3f49afc615b64c8451600c15e8eda59755ebccb

FedCIRC Advisory FA-99-02

Original issue date: February 5, 1999
Last Revised: March 08, 1999 - Minor typographical corrections

Systems Affected

Any system can be affected by Trojan horses.

Overview

Over the past few weeks, we have received an increase in the number of
incident reports related to Trojan horses. This advisory includes
descriptions of some of those incidents ([1]Section II), general
information about Trojan horses ([2]Section I, Section III and
Section IV), and advice for system and network administrators, end
users, software developers, and distributors ([3]Section V).

Few software developers and distributors provide a strong means of
authenticating their software products, and we encourage all of them
to do so. Until strong authentication of software is widely available,
the problem of Trojan horses will persist. In the meantime, users and
administrators are strongly encouraged to be aware of the risks
described in this document.

I. Description

A Trojan horse is an "apparently useful program containing hidden
functions that can exploit the privileges of the user [running the
program], with a resulting security threat. A Trojan horse does things
that the program user did not intend" [[5]Summers].

Trojan horses rely on users to install them, or they can be installed
by intruders who have gained unauthorized access by other means. In
either case, an intruder attempting to subvert a system with a Trojan
horse depends on other users running it before the attack succeeds.

II. Recent Incidents

Incidents involving Trojan horses include the following:

False Upgrade to Internet Explorer

Recent reports indicate wide distribution of an email message which
claims to be a free upgrade to the Microsoft Internet Explorer web
browser. However, we have confirmed with Microsoft that they do not
provide patches or upgrades via electronic mail, although they do
distribute security bulletins by electronic mail.

The email message contains an attached executable program called
Ie0199.exe. After installation, this program makes several
modifications to the system and attempts to contact other remote
systems. We have received conflicting information regarding the
modifications made by the Trojan horse, which could be explained by
the existence of multiple versions of the Trojan horse.

At least one version of the Trojan horse is accompanied by a message
which reads, in part:

As an user of the Microsoft Internet Explorer, Microsoft
Corporation provides you with this upgrade for your web browser. It
will fix some bugs found in your Internet Explorer. To install the
upgrade, please save the attached file (ie0199.exe) in some folder
and run it.

The above message is not from Microsoft.

We encourage you to refer to the Microsoft Internet Explorer web site
at the following location:

[6]http://www.microsoft.com/windows/ie/security/default.asp

Please refer to Section V below for general solutions to Trojan
horses.

Trojan Horse Version of TCP Wrappers

We recently published "[8]CA-99-01-Trojan-TCP-Wrappers" which said
that some copies of the source code for the TCP Wrappers tool were
modified by an intruder and contain a Trojan horse. The advisory is
available at the following location:

[9]http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

Trojan Horse Version of util-linux

The util-linux distribution includes several essential utilities for
Linux systems. We have confirmed with the authors of util-linux that a
Trojan horse was placed in the file util-linux-2.9g.tar.gz on at least
one ftp server between January 22, 1999, and January 24, 1999. This
Trojan horse could have been distributed to mirror FTP sites.

Within the Trojan horse util-linux distribution the program /bin/login
was modified. The modifications included code to send email to an
intruder containing the host name and uid of users logging in. The
code was also modified to give anyone with access to a login prompt
the ability to execute commands based on what they typed at the login
prompt. There were no other functional modifications made to the
Trojan horse util-linux distribution that we are aware of.

A quick check to ensure you do not have the Trojan horse installed is
to execute the following command:

$ strings /bin/login | grep "HELO"

If that command returns the following output, then your machine has
the Trojan horse version of util-linux-2.9g installed:

HELO 127.0.0.1

If the above command returns nothing, then you do not have this
particular Trojan horse installed.

You cannot rely on the modification date of the file
util-linux-2.9g.tar.gz because the Trojan horse version has the same
size and time stamp as the original version.

In response to the distribution of this Trojan horse, the authors of
util-linux have released util-linux-2.9h.tar.gz. This file is
available via anonymous ftp from:

[10]ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz

Be sure to download and verify the PGP signature as well:

[11]ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz.sign

This package can be verified with the "Linux Kernel Archives" PGP
Public Key, available from the following URL:

[12]http://www.kernel.org/signature.html

Previous Trojan Horses

Trojan horses are not new entities. A classic description of a Trojan
horse is given in [[13]Thompson]. Additionally, you may wish to review
the following documents for background and historical information
about Trojan horses.

[14]http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

[15]http://www.cert.org/vul_notes/VN-98.07.backorifice.html

[16]http://www.cert.org/advisories/CA-94.14.trojan.horse.in.IRC.client.for.UNIX.html

[17]http://www.cert.org/advisories/CA-94.07.wuarchive.ftpd.trojan.horse.html

[18]http://www.cert.org/advisories/CA-94.05.MD5.checksums.html

[19]http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html

[20]http://www.cert.org/advisories/CA-90.11.Security.Probes.html

III. Impact

Trojan horses can do anything that the user executing the program has
the privileges to do. This includes
* deleting files that the user can delete
* transmitting to the intruder any files that the user can read
* changing any files the user can modify
* installing other programs with the privileges of the user, such as
programs that provide unauthorized network access
* executing privilege-elevation attacks; that is, the Trojan horse
can attempt to exploit a vulnerability to increase the level of
access beyond that of the user running the Trojan horse. If this
is successful, the Trojan horse can operate with the increased
privileges.
* installing viruses
* installing other Trojan horses

If the user has administrative access to the operating system, the
Trojan horse can do anything that an administrator can. The Unix
'root' account, the Microsoft Windows NT 'administrator' account, or
any user on a single-user operating system has administrative access
to the operating system. If you use one of these accounts, or a
single-user operating system (e.g., Windows 95 or MacOS), keep in mind
the potential for increased impact of a Trojan horse.

A compromise of any system on your network, including a compromise
through Trojan horses, may have consequences for the other systems on
your network. Particularly vulnerable are systems that transmit
authentication material, such as passwords, over shared networks in
cleartext or in a trivially encrypted form. This is very common. If a
system on such a network is compromised via a Trojan horse (or another
method), the intruder may be able to install a network sniffer and
record usernames and passwords or other sensitive information as it
traverses the network.

Additionally, a Trojan horse, depending on the actions it takes, may
implicate your site as the source of an attack and may expose your
organization to liability.

IV. How Trojan Horses Are Installed

Users can be tricked into installing Trojan horses by being enticed or
frightened. For example, a Trojan horse might arrive in email
described as a computer game. When the user receives the mail, they
may be enticed by the description of the game to install it. Although
it may in fact be a game, it may also be taking other action that is
not readily apparent to the user, such as deleting files or mailing
sensitive information to the attacker. As another example, an intruder
may forge an advisory from a security organization, such as the CERT
Coordination Center, that instructs system administrators to obtain
and install a patch.

Other forms of "social engineering" can be used to trick users into
installing or running Trojan horses. For example, an intruder might
telephone a system administrator and pose as a legitimate user of the
system who needs assistance of some kind. The system administrator
might then be tricked into running a program of the intruder's design.

Software distribution sites can be compromised by intruders who
replace legitimate versions of software with Trojan horse versions. If
the distribution site is a central distribution site whose contents
are mirrored by other distribution sites, the Trojan horse may be
downloaded by many sites and spread quickly throughout the Internet
community.

Because the Domain Name System (DNS) does not provide strong
authentication, users may be tricked into connecting to sites
different than the ones they intend to connect to. This could be
exploited by an intruder to cause users to download a Trojan horse, or
to cause users to expose confidential information.

Intruders may install Trojan horse versions of system utilities after
they have compromised a system. Often, collections of Trojan horses
are distributed in toolkits that an intruder can use to compromise a
system and conceal their activity after the compromise, e.g., a
toolkit might include a Trojan horse version of ls which does not list
files owned by the intruder. Once an intruder has gained
administrative access to your systems, it is very difficult to
establish trust in them again without rebuilding the systems from
known-good software. For information on recovering after a compromise,
please see

[21]http://www.cert.org/tech_tips/root_compromise.html

A Trojan horse may be inserted into a program by a compiler that is
itself a Trojan horse. For more information about such an attack, see
[[22]Thompson].

Finally, a Trojan horse may simply be placed on a web site to which
the intruder entices victims. The Trojan horse may be in the form of a
Java applet, JavaScript, ActiveX control, or other form of executable
content.

V. Solutions

The best advice with respect to Trojan horses is to avoid them in the
first place.
* System administrators (including the users of single-user systems)
should take care to verify that every piece of software that is
installed is from a trusted source and has not been modified in
transit. When digital signatures are provided, users are
encouraged to validate the signature (as well as validating the
public key of the signer). When digital signatures are not
available, you may wish to acquire software on tangible media such
as CDs, which bear the manufacturer's logo. Of course, this is not
foolproof either. Without a way to authenticate software, you may
not be able to tell if a given piece of software is legitimate,
regardless of the distribution media.
* We strongly encourage software developers and software
distributors to use cryptographically strong validation for all
software they produce or distribute. Any popular technique based
on algorithms that are widely believed to be strong will provide
users a strong tool to defeat Trojan horses.
* Anyone who invests trust in digital signatures must also take care
to validate any public keys that may be associated with the
signature. It is not enough for code merely to be signed -- it
must be signed by a trusted source.
* Do not execute anything sent to you via unsolicited electronic
mail.
* Use caution when executing content such as Java applets,
JavaScript, or ActiveX controls from web pages. You may wish to
configure your browser to disable the automatic execution of web
page content.
* Apply the principle of least privilege in daily activity: do not
retain or employ privileges that are not needed to accomplish a
given task. For example, do not run with enhanced privilege, such
as "root" or "administrator," ordinary tasks such as reading
email.
* Install and configure a tool such as Tripwire® that will allow you
to detect changes to system files in a cryptographically strong
way. For more information about Tripwire®, see
[23]http://www.cert.org/ftp/tech_tips/security_tools
Note, however, that Tripwire® is not a foolproof guard against
Trojan horses. For example, see
[24]http://www.cert.org/vul_notes/VN-98.02.kernel_mod.html
* Educate your users regarding the danger of Trojan horses.
* Use firewalls and virus products that are aware of popular Trojan
horses. Although it is impossible to detect all possible Trojan
horses using a firewall or virus product (because a Trojan horse
can be arbitrary code), they may aid you in preventing many
popular Trojan horses from affecting your systems.
* Review the source code to any open source products you choose to
install. Open source software has an advantage compared to
proprietary software because the source code can be widely
reviewed and any obvious Trojan horses will probably be discovered
very quickly. However, open source software also tends to be
developed by a wide variety of people with little or no central
control. This makes it difficult to establish trust in a single
entity. Keep in mind that reviewing source code may be impractical
at best, and that some Trojan horses may not be evident from a
review of the source as described in [[25]Thompson].
* Adopt the use of cryptographically strong mutual authentication
systems, such as ssh, for terminal emulation, X.509 public key
certificates in web servers, S/MIME or PGP for electronic mail,
and Kerberos for a variety of services. Avoid the use of systems
that trust the domain name system for authentication, such as
telnet, ordinary http (as opposed to https), ftp, or smtp, unless
your network is specifically designed to support that trust.
* Do not rely on timestamps, file sizes, or other file attributes
when trying to determine if a file contains a Trojan horse.
* Exercise caution when downloading unauthenticated software. If you
choose to install software that has not been signed by a trusted
source, you may wish to wait for a period of time before
installing it in order to see if a Trojan horse is discovered.
* We encourage all security organizations to digitally sign any
advisories or other alerts. We also recommend that users validate
any signatures, and beware of unsigned security advice. The CERT
Coordination Center signs all ASCII copies of our advisories with
our PGP key, available at:
[26]http://www.cert.org/pgp/CERT_PGP.key

If you do fall victim to a Trojan horse, some anti-virus software may
also be able to recognize, remove and repair the damage from the
Trojan horse. However, if an intruder gains access to your systems via
a Trojan horse, it may be difficult or impossible to establish trust
in your systems. In this case, we recommend that you disconnect from
the network and rebuild your systems from known-good software, being
careful to apply all relevant patches and updates, to change all
passwords, and to check other nearby systems. For information on how
to rebuild a Unix system after a compromise, please see

[27]http://www.cert.org/tech_tips/root_compromise.html

References

[Summers] Summers, Rita C. Secure Computing Threats and Safeguards,
McGraw-Hill, 1997. An [28]online reference is available from the
publisher.

[Thompson] Thompson, Ken, "Reflections on Trusting Trust,"
Communications of the ACM 27(8) pp. 761-763 (Aug. 1984); Turing Award
lecture.

Acknowledgment

Our thanks to Andries Brouwer for providing information regarding
util-linux and to the many people who reported information about
Trojan horse versions of Internet Explorer.

Tripwire is a registered trademark of the Purdue Research Foundation;
it is also licensed to Tripwire Security Systems, Inc.
______________________________________________________________________

This document is available from:
[29]http://www2.fedcirc.gov/advisories/FA-99-02.html
______________________________________________________________________

FedCIRC Contact Information

Email: [30]fedcirc@fedcirc.gov
Phone: +1 888-282-0870 (24-hour toll-free hotline)
Phone: +1 412-268-6321 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
FedCIRC CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

FedCIRC personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

[31]http://www2.fedcirc.gov/keys.html

If you prefer to use DES, please call the FedCIRC hotline for more
information.

Getting security information

FedCIRC publications and other security information are available from
our web site

[32]http://www.fedcirc.gov/

FedCIRC (Federal Computer Incident Response Capability) is operated by
the CERT/CC for the U.S. General Services Administration. FedCIRC
provides security services to U.S. Federal civilian agencies.

Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be
found in

[33]http://www.cert.org/legal_stuff.html

* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed or
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
______________________________________________________________________

Revision History

Mar. 08, 1999 Minor typographical corrections

References

1. http://www2.fedcirc.gov/advisories/FA-99-02.html#section2
2. http://www2.fedcirc.gov/advisories/FA-99-02.html#section1
3. http://www2.fedcirc.gov/advisories/FA-99-02.html#section5
4. http://www2.fedcirc.gov/advisories/FA-99-02.html#section3
5. http://www2.fedcirc.gov/advisories/FA-99-02.html#reference1
6. http://www.microsoft.com/windows/ie/security/default.asp
7. http://www2.fedcirc.gov/advisories/FA-99-02.html#section3
8. http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
9. http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
10. ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz
11. ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz.sign
12. http://www.kernel.org/signature.html
13. http://www2.fedcirc.gov/advisories/FA-99-02.html#reference2
14. http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
15. http://www.cert.org/vul_notes/VN-98.07.backorifice.html
16. http://www.cert.org/advisories/CA-94.14.trojan.horse.in.IRC.client.for.UNIX.html
17. http://www.cert.org/advisories/CA-94.07.wuarchive.ftpd.trojan.horse.html
18. http://www.cert.org/advisories/CA-94.05.MD5.checksums.html
19. http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html
20. http://www.cert.org/advisories/CA-90.11.Security.Probes.html
21. http://www.cert.org/tech_tips/root_compromise.html
22. http://www2.fedcirc.gov/advisories/FA-99-02.html#reference2
23. http://www.cert.org/ftp/tech_tips/security_tools
24. http://www.cert.org/vul_notes/VN-98.02.kernel_mod.html
25. http://www2.fedcirc.gov/advisories/FA-99-02.html#reference2
26. http://www.cert.org/pgp/CERT_PGP.key
27. http://www.cert.org/tech_tips/root_compromise.html
28. http://mcgraw-hill.inforonics.com/cgi/getarec?mgh22516%25new
29. http://www2.fedcirc.gov/advisories/FA-99-02.html
30. mailto:fedcirc@fedcirc.gov
31. http://www2.fedcirc.gov/keys.html
32. http://www.fedcirc.gov/
33. http://www.cert.org/legal_stuff.html