[Fwd: SANS Flash Alert For Solaris]

[Peter J Dinauer <peter.dinauer () csun edu>]

The hunt is on . . . .
> --- Begin Message ---
>
>
> From: The SANS Institute <sans () sans org>
>
> Date: Tue, 4 Jan 2000 14:09:09 -0700 (MST)
>
> To: Peter J Dinauer (SD070458)
>
> SANS Flash Alert for Solaris Users 
>
> Help, please - today  -- in the Hunt For Solaris Trojans
>
> THE PROBLEM
>
> Several of you have reported that your Sun computers have been
> infected with Trojan horse software (trojans, for short) using such 
> tools as trinoo, TFN, TFN2000, or stacheldraht which is German 
> for barbed wire.
>   
> Here is what we know so far about these attacks from users and 
> experts around the world: 
>
> These trojans are controlled by master computers using various 
> communications channels. The infected machines are used as a 
> collective force (reports range upward from 230 acting together) to 
> attack other sites and close them down.  These attacks have 
> succeeded in flooding out both large and small sites. 
>
> The trojans are being installed continuously - with attackers 
> coming back time and again looking for new computers to 
> compromise. Several universities found them installed on multiple 
> computers. Attackers appear to have constructed relatively 
> complete maps of the computers at the sites they are attacking.
>
> If your Solaris computers are infected and are used in attacks on 
> other organizations, you may face economic liability or be viewed 
> as a pariah to the community.
>
>
> DETECTION
>
> You and the community would greatly benefit if you could check 
> to see whether your computers are infected.  Two principal tools 
> are available for the test. One is being developed by the National 
> Infrastructure Protection Center (NIPC) and can be installed on 
> each host. The other was developed by Dave Dittrich and Marcus 
> Ranum and can be run remotely to scan your systems.  There is no 
> charge for either of the tools.
>
> Over the weekend the GIAC (Global Incident Analysis Center) at 
> www.sans.org/y2k.htm put out an early notice and several dozen 
> organizations tested the NIPC software and provided feedback that 
> helped make it work better. Yes, the NIPC software has uncovered 
> more infestations.
>
> The NIPC software works well and should be run immediately.
>
> As wonderful as the news is about the NIPC tool, to run it you 
> have to install it on every system you want to test.  A network 
> scanning tool is potentially more efficient since one tool can scan 
> an entire network.  Just make certain the network you scan is yours 
> and that you have permission!  One such tool is under 
> development, it was written by Dave Dittrich, and Marcus Ranum 
> has enhanced it. In other words: extraordinary people
> are working together to create the tools need to find these Trojans.
>  
> If you have a lot of experience with software that is still a bit 
> green, you could really make a contribution to the community by 
> running and testing the scanning program.
>
> If you are less experienced you might want to delay a day or two. 
> But don't delay long, the tool may have a short life span, as the 
> attackers will begin to modify the trojan code to evade detection.
>
> Where to find the software:
>
> The host-based tool from NIPC may be found at:
> http://www.fbi.gov/nipc/trinoo.htm
>
> The scanning program from Dittrich/Ranum may be found (after 6 
> pm EST on January 4) at:
> http://staff.washington.edu/dittrich/misc/sickenscan.tar
>
> In addition, Dave Dittrich has written an extraordinary analysis of 
> the infestation that may be found at: 
> http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
>
> If you are a university or any other organization with users who 
> may not have tightly locked down their Solaris systems, please use 
> both.  If you are absolutely sure of your defenses, you might do 
> spot checks instead.
>
> CONTAINMENT AND ERADICATION
>
> If you find evidence of infestation, please make a good back-up 
> first to preserve evidence. Also if you search for the malicious 
> code on your system, you probably will not find it. The attackers 
> have been installing "root kits" to hide their work.  
>
> There are resources available to help if you have been attacked. 
> Please mail us at sansro () sans org and we'll connect you with the 
> best sources available at that time.
>
>
> PREVENTION
>
> The most common paths used to compromise systems to insert the 
> Trojans have been weaknesses in RPC (remote procedure call) 
> implementation.
>
> The menacing character of this new threat may offer you an 
> opportunity to get support to patch the RPC holes and eliminate 
> other vulnerabilities.
>
> Note, though Solaris is the current focus of these attackers, they 
> will soon turn to NT and Linux and other UNIX variants.  Take 
> this opportunity to close the holes there as well.  That's a great deal 
> cheaper and less embarrassing than nuking the system and 
> reinstalling all the software after an infestation.
>
> IN CLOSING
>  
> If you can spare the time, please take a look right away.  The 
> Trojans are under constant development and these detection tools 
> may be less and less effective as the week progresses.
>
> Email us with the results at sansro () sans org
>
> Alan and Greg
>
> Greg Shipley
> Solaris Trojan Hunt Coordinator
>
> Alan Paller
> Director of Research
>
> The SANS Institute
>
>
>
>
> --- End Message ---