-Caveat Lector-

--------forwarded message--------
From: The SANS Institute Research Office <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Fri, 31 Dec 1999
Subj: SANS Alert: Sun Trojans

Help, please - today -- in the Hunt For Borg Trojans

Many of you have reported finding trojans installed on your Sun computers - under names such as trinoo, TFN, TFN2000, or stacheldraht. These trojans are controlled by a master computer (using clandestine traffic such as ICMP Echo Reply Request). They act as a collective force (reports range up to 2,000 acting together) to attack individual sites and close them down. They work well and are gaining effectiveness. Because they work as a collective and are entirely malicious, they have acquired the nickname "Borg Trojans" or BTs for short. And they are being installed continuously - with the attackers coming back time and again looking for new systems to compromise.

When searches were run at universities, the smallest number of infections found so far is three, and that's at a university that has been educating administrators about the problem and getting rid of the trojans.

The community would greatly benefit if you could check your systems to see the extent of the infection. If it is very widespread, we'll need a worldwide, high-profile clean-up effort. If it is small we can use more subtle methods. More importantly, if you look for them, you may find new strains (five have been identified so far) that would help the defenders plan better defenses. The NIPC has published a search tool and there's an even easier way to look for one of the strains. There's also a script for advanced security professionals. References and guidelines are below.

If you can spare the time, please take a look right away (in the next two hours) and tell us (at [EMAIL PROTECTED]) the number of systems you checked and the number you found infected.
And if you find a new strain - please send the data to [EMAIL PROTECTED]. If you need more time, we would welcome your data whenever you send it. As always, reports to SANS and the GIAC are confidential.

All of us at SANS wish you a healthy and happy new year.

Alan

Alan Paller
Director of Research
The SANS Institute

=====

1. The NIPC script is found at http://www.fbi.gov/nipc/trinoo.htm

2. One strain includes a modified in.telnetd that will give any user a root prompt if the TERM environment variable is set to "cterm100". You can test for this remotely by setting TERM to "cterm100" and connecting to the suspect host. Here's how it looks for two common shells.

   csh:

     % set TERM=cterm100
     % printenv TERM
     cterm100
     % telnet suspect.your.domain
     Trying xxx.xxx.xxx.xxx...
     Connected to suspect.your.domain
     Escape character is '^]'.
     UNIX(r) System V Release 4.0 (suspect.your.domain)
     #

   ----------------------------------------------------

   sh:

     $ TERM=cterm100
     $ export TERM
     $ echo $TERM
     cterm100
     $ telnet suspect.your.domain
     Trying xxx.xxx.xxx.xxx...
     Connected to suspect.your.domain
     Escape character is '^]'.
     UNIX(r) System V Release 4.0 (suspect.your.domain)
     #

   ----------------------------------------------------

3. Instructions for using the advanced script may be found at http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~

As New Year nears, threat of Net attack program mounts
By Stephen Shankland
Staff Writer, CNET News.com
http://news.cnet.com/category/0-1003-200-1504709.html
December 23, 1999, 11:25 a.m. PT

update -- A new and potentially more dangerous version of an Internet attack program has been posted just in time for the holidays, and another is on the way.

A new version of a malicious program called the Tribe Flood Network (TFN) is more powerful and harder to detect than an earlier version, according to experts. And an updated sister program called Trinoo is due to be released next week.
Few incidences of their use have been publicly acknowledged, but experts are warning sites to prepare against attacks that may coincide with New Year's. Widely anticipated problems owing to the Y2K computer glitch may provide cover for other mischief.

The program works like this: A TFN attacker secretly embeds software into hundreds of computers. Then, at a selected time, a command is issued that prompts the infected computers to swamp a target Web site or server with messages in a method of attack called "denial of service." The program doesn't damage the "infected" computers or the target, but the sudden flood of messages typically knocks out the target system.

Although it's possible for target computers to protect themselves by ignoring messages from attacking computers, it's hard to identify which computers are attacking--especially when there are hundreds. This fundamental vulnerability of networked computers makes protecting against denial-of-service attacks extremely difficult.

It can be a vexing problem, as one victim reported. "I was hit for three solid days with over 1 megabyte per second of junk data from an attack like this," said Scott Thomas, an independent computer consultant whose network was hit. "There is nothing you can do but sit and take it."

It's hard to find who the attackers really are and then discard or "filter" their messages, he said. "Sure, you can try to filter some of it, but it comes from so many places you spend hours just deciding what you should filter," Thomas said. He suspects he was targeted because a person on his network "annoyed a hacker in a chat room," he added.

eToys, which has become embroiled in a legal dispute with a European art group called Etoy, was hit by a type of denial-of-service attack by people opposed to eToys' lawsuit. Organizations such as Rtmark helped to organize an attack that let people run software that inundated eToys' site with bogus Web page requests.
The existence of TFN was reported earlier this week. The new variant, called TFN2K, is potentially more dangerous in that it can enlist machines based on both the Windows NT and Unix operating systems to deliver the flood of messages, according to Gia Threatte of the Packet Storm Web site, which publishes security-related software so system administrators can protect against attacks and intrusions.

http://packetstorm.securify.com/

TFN2K also adds the ability to act on a single command, a stealthier mode of operation than the previous version (which required the controller to send a password), and encrypts communications, making the infecting messages harder to detect, Threatte said. Further, TFN2K sends decoy information to throw hunters looking for the source off the scent.

The purported author of the TFN family, who goes by the name "Mixter," sent a version of TFN2K to Packet Storm. Packet Storm said it also expects a new version of Trinoo from Mixter.

With the new software being released now and the "2K" allusion to the new year in the name of the program, it appears that a computer attack could occur during the holidays.

"I don't really think you're going to see any serious attacks using this until New Year's," Threatte said. On Jan. 1, though, people likely will try to "cause a little mischief," she said.

Other security watchers concur. The consensus of a Year 2000 bug workshop at Carnegie Mellon University's Computer Emergency Response Team was that "it is possible that intrusion attempts, viruses and other attacks will be focused on the time around 01 January 2000 under cover of Y2K incidents," CERT said.

CERT has warned, "We are receiving reports of intruders compromising machines and installing distributed systems used for launching packet-flooding denial-of-service attacks."
CERT said that attackers generally gained unauthorized access to these computers through well-known weaknesses, reinforcing the message that system administrators must stay up-to-date on keeping their systems secure.

Detection of attacks and their ultimate source isn't easy. Trinoo and the TFN family obscure the address of the actual attacker by hiding the person in control behind two layers of computers. The attacker lays the groundwork by breaking into several computers, installing master software on some and attack software on others. When it's time for the attack, a message is sent to the master computers, which in turn relay it to the drone computers that do the attacking by flooding the target with "packets" of information.

Compromised computers that can be infected with the attack software have become a kind of currency, with attackers trading names and information about them over Internet Relay Chat (IRC) discussions, Threatte said.

Threatte defended Packet Storm's philosophy of publishing attack software for all to see. "If we don't make it available, there's no way you can protect against these things," Threatte said. Sprint, for example, recently called upon Packet Storm's information to more quickly fend off an intruder.

Other, more dangerous versions of distributed attack software are circulating, but Packet Storm doesn't have them, so they're harder to detect, Threatte said.

Packet Storm, a five-person group based in Palo Alto, Calif., is no stranger to controversy. It's now owned by security consultants Kroll-O'Gara after being embroiled in a debate with its former home at Harvard University and hacker chronicle site AntiOnline.

Threatte foresees a time when coordinated denial-of-service is more serious. "Distributed attack tools right now are kind of in their infancy," she said. New improvements could involve a self-replicating "worm" version that would automatically spread the attack software to new computers.
After several generations of spreading, the worm could erase itself from the original computers used to launch the worm, severing ties with the true origin. The worms could monitor several sites on the Internet for a sign that triggers the time and target to attack.

Copyright ©1995-1999 CNET, Inc. All rights reserved.
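Added example, not part of the forwarded SANS alert or the CNET article: the alert notes that the agents are controlled by a master over clandestine traffic such as ICMP Echo Reply, and the article describes the master/drone layering. A normal host only receives an Echo Reply after it sent an Echo Request, so replies with no matching request are a cheap host- or border-level indicator worth reviewing. The script below walks a constructed, simplified packet log (the log format, addresses, ids and timestamps are all made up for this example and are not NIPC's or Dittrich's tooling) and reports Echo Replies that no recent Echo Request explains.

```python
# Added example (not from the SANS alert or the CNET article): flag ICMP
# Echo Reply packets for which no recent Echo Request from the receiving
# host was observed. The log format below is constructed for this example:
#   "<unix_ts> <src> > <dst> icmp <type> <code> id=<echo_id>"
from collections import defaultdict

# Constructed sample log. 10.1.1.5 pings 192.0.2.7 and gets one reply
# (normal). 198.51.100.9 then sends three Echo Replies to 10.1.1.5 that
# nothing requested (the pattern the alert describes). 10.1.1.6's exchange
# with 203.0.113.2 is again a normal request/reply pair.
SAMPLE_LOG = """\
946684801 10.1.1.5 > 192.0.2.7 icmp 8 0 id=1234
946684801 192.0.2.7 > 10.1.1.5 icmp 0 0 id=1234
946684810 198.51.100.9 > 10.1.1.5 icmp 0 0 id=666
946684811 198.51.100.9 > 10.1.1.5 icmp 0 0 id=666
946684812 198.51.100.9 > 10.1.1.5 icmp 0 0 id=666
946684820 10.1.1.6 > 203.0.113.2 icmp 8 0 id=42
946684822 203.0.113.2 > 10.1.1.6 icmp 0 0 id=42
"""

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, src, _arrow, dst, _proto, icmp_type, _code, ident = line.split()
    return {
        "ts": int(ts),
        "src": src,
        "dst": dst,
        "type": int(icmp_type),
        "id": int(ident.split("=", 1)[1]),
    }


def find_unsolicited_replies(log_text, window=30):
    """Return the Echo Reply records that no Echo Request within `window`
    seconds (same requester, same peer, same echo id) accounts for."""
    # (requester, peer, echo id) -> timestamp of the most recent request
    pending = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt["type"] == ICMP_ECHO_REQUEST:
            pending[(pkt["src"], pkt["dst"], pkt["id"])] = pkt["ts"]
        elif pkt["type"] == ICMP_ECHO_REPLY:
            # The reply's destination is the host that would have asked.
            key = (pkt["dst"], pkt["src"], pkt["id"])
            sent = pending.get(key)
            if sent is None or pkt["ts"] - sent > window:
                alerts.append(pkt)
    return alerts


def summarize(alerts):
    """Count unsolicited replies per (sender, receiver) pair so a repeated
    control channel stands out from a single stray packet."""
    counts = defaultdict(int)
    for pkt in alerts:
        counts[(pkt["src"], pkt["dst"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst), n in summarize(find_unsolicited_replies(SAMPLE_LOG)).items():
        print(f"{n} unsolicited ICMP Echo Reply packets from {src} to {dst}")
```

On the sample log this reports three unsolicited replies from 198.51.100.9 to 10.1.1.5 and nothing for the two legitimate ping exchanges. Matching on echo id as well as the address pair keeps a reply from being excused by an unrelated earlier ping to the same peer; the 30-second window is an assumption chosen for the example and should be tuned to the site's observed round-trip times.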