-Caveat Lector-

" Note, though Solaris is the current focus of these attackers,
 they will soon turn to NT and Linux and other UNIX variants.
 Take this opportunity to close the holes there as well. "

" But don't delay long, the [detection] tool may have a short
 life span, as the attackers will begin to modify the trojan code
 to evade detection. "

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Tue, 4 Jan 2000 15:48:52 -0700 (MST)
From: The SANS Institute <[EMAIL PROTECTED]>
Subject: SANS Flash Alert For Solaris


SANS Flash Alert for Solaris Users

Help, please - today - in the Hunt For Solaris Trojans

THE PROBLEM

Several of you have reported that your Sun computers have been
infected with Trojan horse software (trojans, for short) using such
tools as trinoo, TFN, TFN2000, or stacheldraht, which is German
for barbed wire.

Here is what we know so far about these attacks from users and
experts around the world:

These trojans are controlled by master computers using various
communications channels. The infected machines are used as a
collective force (reports range upward from 230 acting together) to
attack other sites and close them down.  These attacks have
succeeded in flooding out both large and small sites.

The trojans are being installed continuously - with attackers
coming back time and again looking for new computers to
compromise. Several universities found them installed on multiple
computers. Attackers appear to have constructed relatively
complete maps of the computers at the sites they are attacking.

If your Solaris computers are infected and are used in attacks on
other organizations, you may face economic liability or be viewed
as a pariah to the community.


DETECTION

You and the community would greatly benefit if you could check
to see whether your computers are infected.  Two principal tools
are available for the test. One was developed by the National
Infrastructure Protection Center (NIPC) and can be installed on
each host. The other is being developed by Dave Dittrich and Marcus
Ranum and can be run remotely to scan your systems.  There is no
charge for either of the tools.

Over the weekend the GIAC (Global Incident Analysis Center) at
www.sans.org/y2k.htm put out an early notice and several dozen
organizations tested the NIPC software and provided feedback that
helped make it work better. Yes, the NIPC software has uncovered
more infestations.

The NIPC software works well and should be run immediately.

As wonderful as the news is about the NIPC tool, to run it you
have to install it on every system you want to test.  A network
scanning tool is potentially more efficient since one tool can scan
an entire network.  Just make certain the network you scan is yours
and that you have permission!  One such tool is under
development; it was written by Dave Dittrich, and Marcus Ranum
has enhanced it. In other words: extraordinary people are working
together to create the tools needed to find these Trojans.

If you have a lot of experience with software that is still a bit
green, you could really make a contribution to the community by
running and testing the scanning program.

If you are less experienced you might want to delay a day or two.
But don't delay long: the tool may have a short life span, as the
attackers will begin to modify the trojan code to evade detection.

Where to find the software:

The host-based tool from NIPC may be found at:
http://www.fbi.gov/nipc/trinoo.htm

The scanning program from Dittrich/Ranum may be found (after 6
pm EST on January 4) at:
http://staff.washington.edu/dittrich/misc/sickenscan.tar

In addition, Dave Dittrich has written an extraordinary analysis of
the infestation that may be found at:
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

If you are a university or any other organization with users who
may not have tightly locked down their Solaris systems, please use
both.  If you are absolutely sure of your defenses, you might do
spot checks instead.

CONTAINMENT AND ERADICATION

If you find evidence of infestation, please make a good back-up
first to preserve evidence. Also, if you search for the malicious
code on your system, you probably will not find it. The attackers
have been installing "root kits" to hide their work.

There are resources available to help if you have been attacked.
Please mail us at [EMAIL PROTECTED] and we'll connect you with the
best sources available at that time.


PREVENTION

The most common paths used to compromise systems to insert the
Trojans have been weaknesses in RPC (remote procedure call)
implementations.

The menacing character of this new threat may offer you an
opportunity to get support to patch the RPC holes and eliminate
other vulnerabilities.

Note, though Solaris is the current focus of these attackers, they
will soon turn to NT and Linux and other UNIX variants.  Take
this opportunity to close the holes there as well.  That's a great deal
cheaper and less embarrassing than nuking the system and
reinstalling all the software after an infestation.

IN CLOSING

If you can spare the time, please take a look right away.  The
Trojans are under constant development and these detection tools
may be less and less effective as the week progresses.

Email us with the results at [EMAIL PROTECTED]

Alan and Greg

Greg Shipley
Solaris Trojan Hunt Coordinator

Alan Paller
Director of Research

The SANS Institute
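The alert contrasts a host-based check (installed on every system) with a network scan, and warns that the attackers' rootkits hide their files. The following is an added example written for this page; it is not the NIPC tool, the Dittrich/Ranum scanner, or any code from the SANS message. It implements the host-based side of that idea as a defender would: parse a socket listing and flag ports that the named agents are known to bind. The port values are taken from Dave Dittrich's public analyses of trinoo and stacheldraht (the message links to the stacheldraht one), not from the alert text, so treat them as assumptions to re-verify; the netstat column layout assumed is the Linux/BSD style, and the sample listing is constructed, not captured from a real host.

```python
"""Host-side indicator check for the DDoS agents named in the SANS alert.

Parses a Linux/BSD-style `netstat -an` listing (assumed layout; Solaris'
native netstat prints a different table, so adapt parse_sockets for it) and
reports bound sockets on ports associated with trinoo and stacheldraht.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicator table keyed by (protocol, port). Port values come from Dave
# Dittrich's public analyses of trinoo and stacheldraht, not from the alert
# itself; treat them as assumptions to re-verify, since the alert warns the
# attackers are changing the code. TFN is absent on purpose: it is driven
# over ICMP echo replies and opens no listening port, so a port check cannot
# see it.
INDICATORS: Dict[Tuple[str, int], str] = {
    ("tcp", 27665): "trinoo master control listener",
    ("udp", 27444): "trinoo daemon command socket",
    ("udp", 31335): "trinoo master status socket",
    ("tcp", 16660): "stacheldraht handler listener",
    ("tcp", 65000): "stacheldraht agent listener",
}


@dataclass(frozen=True)
class Hit:
    proto: str
    port: int
    local: str   # local address as printed by netstat
    note: str    # which indicator matched


def parse_sockets(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_addr, port) for every TCP listener and every bound
    UDP socket in the listing. Header lines and anything that does not fit the
    assumed column layout are skipped rather than guessed at."""
    sockets = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[0].lower().rstrip("46")   # tcp6 -> tcp, udp4 -> udp
        if proto not in ("tcp", "udp"):
            continue
        # Only TCP sockets waiting for a controller matter here.
        if proto == "tcp" and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        local = fields[3]
        addr, sep, port_text = local.rpartition(":")
        if not sep or not port_text.isdigit():
            continue
        sockets.append((proto, addr, int(port_text)))
    return sockets


def find_hits(netstat_text: str) -> List[Hit]:
    """Match parsed sockets against INDICATORS, lowest port first."""
    hits = [
        Hit(proto, port, addr, INDICATORS[(proto, port)])
        for proto, addr, port in parse_sockets(netstat_text)
        if (proto, port) in INDICATORS
    ]
    return sorted(hits, key=lambda h: (h.port, h.proto))


# Constructed sample listing, not captured from a real host: ordinary
# services (ssh, rpcbind) next to two sockets that match the table.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:27665           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:27444           0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""


def report(netstat_text: str) -> str:
    """Human-readable summary; an empty hit list is stated, not implied."""
    hits = find_hits(netstat_text)
    if not hits:
        return "no indicator ports bound (does not prove the host is clean)"
    return "\n".join(
        f"{h.proto}/{h.port} bound on {h.local}: {h.note}" for h in hits
    )


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

Two caveats follow directly from the message. A rootkit that replaces netstat will hide exactly the sockets this looks for, so feed it output from a known-clean binary or, better, from a port scan run off-host, which is the point of the network-scanning approach the alert describes. And the indicator table is the part that ages fastest: the alert expects the trojan code to change, so a miss here is weak evidence and a hit is only a reason to preserve the disk and investigate.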


========================================================================
Archives Available at:
http://home.ease.lsoft.com/archives/CTRL.html