-Caveat Lector-

 --------forwarded message--------
 From: The SANS Institute Research Office <[EMAIL PROTECTED]>
 To:   [EMAIL PROTECTED]
 Date: Fri, 31 Dec 1999
 Subj: SANS Alert: Sun Trojans


 Help, please - today  -- in the Hunt For Borg Trojans

 Many of you have reported finding trojans installed on your
 Sun computers - under names such as trinoo, TFN, TFN2000, or
 stacheldraht.  These trojans are controlled by a master computer
 (using clandestine traffic such as ICMP Echo Reply Request). They
 act as a collective force (reports range up to 2,000 acting
 together) to attack individual sites and close them down.  They
 work well and are gaining effectiveness.  Because they work as a
 collective and are entirely malicious, they have acquired the
 nickname "Borg Trojans" or BTs for short.

 And they are being installed continuously - with the attackers
 coming back time and again looking for new systems to compromise.
 When searches were run at universities, the smallest number of
 infections found so far is three, and that's at a university that
 has been educating administrators about the problem and getting rid
 of the trojans.

 The community would greatly benefit if you could check your systems
 to see the extent of the infection.  If it is very widespread,
 we'll need a worldwide, high-profile clean-up effort. If it is
 small we can use more subtle methods.  More importantly, if you
 look for them, you may find new strains (five have been identified
 so far) that would help the defenders plan better defenses.

 The NIPC has published a search tool and there's an even easier way
 to look for one of the strains. There's also a script for advanced
 security professionals. References and guidelines are below.

 If you can spare the time, please take a look right away (in the
 next two hours) and tell us (at [EMAIL PROTECTED]) the number of
 systems you checked and the number you found infected.  And if you
 find a new strain - please send the data to [EMAIL PROTECTED].

 If you need more time, we would welcome your data whenever you send
 it. As always, reports to SANS and the GIAC are confidential.

 All of us at SANS wish you a healthy and happy new year.

 Alan

 Alan Paller
 Director of Research
 The SANS Institute

 =====

 1. The NIPC script is found at
 http://www.fbi.gov/nipc/trinoo.htm


 2. One strain includes a modified in.telnetd that will give any
 user a root prompt if the TERM environment variable is set to
 "cterm100". You can test for this remotely by setting TERM to
 "cterm100" and connecting to the suspect host.  Here's how it looks
 for two common shells.

 csh:

 % setenv TERM cterm100
 % printenv TERM
 cterm100
 % telnet suspect.your.domain
 Trying xxx.xxx.xxx.xxx...
 Connected to suspect.your.domain
 Escape character is '^]'.


 UNIX(r) System V Release 4.0 (suspect.your.domain)

 #

 ----------------------------------------------------

 sh:

 $ TERM=cterm100
 $ export TERM
 $ echo $TERM
 cterm100
 $ telnet suspect.your.domain
 Trying xxx.xxx.xxx.xxx...
 Connected to suspect.your.domain
 Escape character is '^]'.


 UNIX(r) System V Release 4.0 (suspect.your.domain)

 #

 ----------------------------------------------------


 3. Instructions for using the advanced script may be found at
 http://staff.washington.edu/dittrich/misc/stacheldraht.analysis
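 The alert says the agents take their orders over ICMP echo replies. One defensive heuristic that follows from that is to flag echo replies that answer no echo request the monitored host actually sent, and to pay attention to peers that do it repeatedly. The Python below is an added example for this page, not the NIPC tool or anything from the SANS alert; it runs over constructed ICMP records, and the record layout, the 5-second matching window and all addresses are assumptions.

```python
from collections import Counter, deque
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

@dataclass(frozen=True)
class IcmpRecord:
    """One ICMP echo packet as a monitor might log it (constructed layout, not a real tool's format)."""
    ts: float        # seconds since capture start
    src: str
    dst: str
    icmp_type: int
    ident: int       # ICMP identifier field
    seq: int         # ICMP sequence number

def unsolicited_replies(records, window=5.0):
    """Echo replies that match no echo request sent the other way within `window` seconds.
    A legitimate reply mirrors a request (addresses swapped, same identifier and sequence);
    a reply with no such request is a candidate control message, not a ping answer."""
    pending = {}   # (requester, target, ident, seq) -> timestamps of outstanding requests
    flagged = []
    for r in sorted(records, key=lambda r: r.ts):
        if r.icmp_type == ICMP_ECHO_REQUEST:
            pending.setdefault((r.src, r.dst, r.ident, r.seq), deque()).append(r.ts)
        elif r.icmp_type == ICMP_ECHO_REPLY:
            queue = pending.get((r.dst, r.src, r.ident, r.seq))
            while queue and r.ts - queue[0] > window:   # drop requests too old to match
                queue.popleft()
            if queue:
                queue.popleft()                          # this reply answers that request
            else:
                flagged.append(r)
    return flagged

def suspicious_peers(records, window=5.0, min_count=2):
    """Sources that send unsolicited replies repeatedly; repetition separates a channel from a stray packet."""
    counts = Counter(r.src for r in unsolicited_replies(records, window))
    return {src: n for src, n in counts.items() if n >= min_count}

# Constructed sample traffic as seen from monitored host 10.0.0.5 (all addresses made up).
SAMPLE = [
    IcmpRecord(0.00, "10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST, 0x1A2B, 1),
    IcmpRecord(0.01, "10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, 0x1A2B, 1),     # ordinary ping answer
    IcmpRecord(1.00, "192.0.2.77", "10.0.0.5", ICMP_ECHO_REPLY, 0x0BAD, 0),   # 10.0.0.5 never asked
    IcmpRecord(1.50, "192.0.2.77", "10.0.0.5", ICMP_ECHO_REPLY, 0x0BAD, 0),
    IcmpRecord(2.00, "10.0.0.5", "10.0.0.9", ICMP_ECHO_REQUEST, 0x1A2B, 2),
    IcmpRecord(9.00, "10.0.0.9", "10.0.0.5", ICMP_ECHO_REPLY, 0x1A2B, 2),     # answer arrives after the window
]
```

On the sample, `suspicious_peers(SAMPLE)` names only 192.0.2.77; the late reply from 10.0.0.9 is flagged once but not repeated, which is why the repeat threshold exists.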


 ~~~~~~~~~~~~~~~~~

 As New Year nears, threat of Net attack program mounts

 By Stephen Shankland
 Staff Writer, CNET News.com
 http://news.cnet.com/category/0-1003-200-1504709.html
 December 23, 1999, 11:25 a.m. PT

 update -- A new and potentially more dangerous version of an
 Internet attack program has been posted just in time for the
 holidays, and another is on the way.

 A new version of a malicious program called the Tribe Flood
 Network (TFN) is more powerful and harder to detect than an
 earlier version, according to experts. And an updated sister
 program called Trinoo is due to be released next week.

 Few incidences of their use have been publicly acknowledged,
 but experts are warning sites to prepare against attacks that
 may coincide with New Year's. Widely anticipated problems owing
 to the Y2K computer glitch may provide cover for other
 mischief.

 The program works like this: A TFN attacker secretly embeds
 software into hundreds of computers. Then, at a selected time,
 a command is issued that prompts the infected computers to
 swamp a target Web site or server with messages in a method of
 attack called "denial of service." The program doesn't damage
 the "infected" computers or the target, but the sudden flood of
 messages typically knocks out the target system.

 Although it's possible for target computers to protect
 themselves by ignoring messages from attacking computers, it's
 hard to identify which computers are attacking--especially when
 there are hundreds. This fundamental vulnerability of networked
 computers makes protecting against denial-of-service attacks
 extremely difficult.

 It can be a vexing problem, as one victim reported.

 "I was hit for three solid days with over 1 megabyte per second
 of junk data from an attack like this," said Scott Thomas, an
 independent computer consultant whose network was hit. "There
 is nothing you can do but sit and take it."

 It's hard to find who the attackers really are and then discard
 or "filter" their messages, he said. "Sure, you can try to
 filter some of it, but it comes from so many places you spend
 hours just deciding what you should filter," Thomas said. He
 suspects he was targeted because a person on his network
 "annoyed a hacker in a chat room," he added.

 eToys, which has become embroiled in a legal dispute with a
 European art group called Etoy, was hit by a type of
 denial-of-service attack by people opposed to eToys' lawsuit.
 Organizations such as Rtmark helped to organize an attack that
 let people run software that inundated eToys' site with bogus
 Web page requests.

 The existence of TFN was reported earlier this week. The new
 variant, called TFN2K, is potentially more dangerous in that it
 can enlist machines based on both the Windows NT and Unix
 operating systems to deliver the flood of messages, according to
 Gia Threatte of the Packet Storm Web site, which publishes
 security-related software so system administrators can protect
 against attacks and intrusions.

        http://packetstorm.securify.com/

 TFN2K also adds the ability to act on a single command, a
 stealthier mode of operation than the previous version (which
 required the controller to send a password), and encrypts
 communications, making the infecting messages harder to detect,
 Threatte said.

 Further, TFN2K sends decoy information to throw hunters looking
 for the source off the scent.

 The purported author of the TFN family, who goes by the name
 "Mixter," sent a version of TFN2K to Packet Storm. Packet Storm
 said it also expects a new version of Trinoo from Mixter.

 With the new software being released now and the "2K" allusion
 to the new year in the name of the program, it appears that a
 computer attack could occur during the holidays.

 "I don't really think you're going to see any serious attacks
 using this until New Year's," Threatte said. On Jan. 1, though,
 people likely will try to "cause a little mischief," she said.

 Other security watchers concur. The consensus of a Year 2000
 bug workshop at Carnegie Mellon University's Computer Emergency
 Response Team was that "it is possible that intrusion attempts,
 viruses and other attacks will be focused on the time around 01
 January 2000 under cover of Y2K incidents," CERT said.

 CERT has warned, "We are receiving reports of intruders
 compromising machines and installing distributed systems used
 for launching packet-flooding denial-of-service attacks." CERT
 said that attackers generally gained unauthorized access to
 these computers through well-known weaknesses, reinforcing the
 message that system administrators must stay up-to-date on
 keeping their systems secure.

 Detection of attacks and their ultimate source isn't easy.
 Trinoo and the TFN family obscure the address of the actual
 attacker by hiding the person in control behind two layers of
 computers. The attacker lays the groundwork by breaking in to
 several computers, installing master software on some and
 attack software on others. When it's time for the attack, a
 message is sent to the master computers, which in turn is
 relayed to the drone computers that do the attacking by
 flooding the target with "packets" of information.

 Compromised computers that can be infected with the attack
 software have become a kind of currency, with attackers trading
 names and information about them over Internet Relay Chat (IRC)
 discussions, Threatte said.

 Threatte defended Packet Storm's philosophy of publishing
 attack software for all to see. "If we don't make it available,
 there's no way you can protect against these things," Threatte
 said. Sprint, for example, recently called upon Packet Storm's
 information to more quickly fend off an intruder.

 Other, more dangerous versions of distributed attack software
 are circulating, but Packet Storm doesn't have them, so they're
 harder to detect, Threatte said.

 Packet Storm, a five-person group based in Palo Alto, Calif.,
 is no stranger to controversy. It's now owned by security
 consultants Kroll-O'Gara after being embroiled in a debate with
 its former home at Harvard University and hacker chronicle site
 AntiOnline.

 Threatte foresees a time when coordinated denial-of-service is
 more serious. "Distributed attack tools right now are kind of
 in their infancy," she said.

 New improvements could involve a self-replicating "worm"
 version that would automatically spread the attack software to
 new computers. After several generations of spreading, the worm
 could erase itself from the original computers used to launch
 the worm, severing ties with the true origin. The worms could
 monitor several sites on the Internet for a sign that triggers
 the time and target to attack.



 Copyright ©1995-1999 CNET, Inc. All rights reserved.



