Title: "Trojan Horse" attacks

Question: I have heard rumors of the "happy99.exe" virus and a fake Internet Explorer Upgrade message from Microsoft. Are these true?

Answer: In early 1999, computer security organizations began to see an increase in reports of malicious activity surrounding Microsoft Windows and Unix systems, employing an old technique known as the "trojan horse". Two of the most widespread attacks on Windows systems involve attaching an executable file to an email message, sending this message to tens or hundreds of thousands of people via email and Usenet newsgroups, and waiting for a non-zero percentage of these people to run the trojan horse, which completes (or in some cases replicates and re-initiates) the attack.

On February 5, 1999, the Computer Emergency Response Team (CERT) released an advisory, CA-99-02-Trojan-Horses, which describes the "False Upgrade to Internet Explorer" trojan horse. This CERT advisory, also included below, can be found at:

    http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html

This program, claiming to be an upgrade to Internet Explorer, installs itself on your Windows computer and uses your computer to implement a denial of service (DoS) attack against the Bulgarian Telecommunications Company.

Another attack, known as "happy99.exe", is a trojan horse program that acts as a "worm", replicating and re-sending itself with subsequent outgoing email messages. It was first reported in Europe at the start of 1999, but soon after began showing up in the United States and elsewhere on the global Internet.
This worm is described, among other places, on these two web sites:

    http://news.bbc.co.uk/hi/english/sci/tech/newsid_270000/270482.stm
    http://www.msnbc.com/news/235662.asp

One user on the Internet has produced "clean up" instructions for happy99.exe, and anti-virus software companies are also beginning to report on it, e.g.:

    http://www.geocities.com/SiliconValley/Heights/3652/SKA.HTM
    http://www.datafellows.com/news/pr/eng/19990129.htm

The lesson to be learned here is that malicious activity, preying on naive or trusting users, is on the increase. The cost of these attacks, even the "non-damaging" worms like happy99.exe, is still significant in lost time and productivity at best, and at worst can lead to deletion of all your files, compromise of the security of other systems on your network, and the theft of private information (credit card numbers, bank account numbers, your social security number and other "online" features of your private life).

There are some things you can do to minimize your risk:

1). You are urged to read the CERT advisory that follows.

2). You should be sure to keep up-to-date anti-virus software installed and working on your computer. University of Washington faculty, staff, and students can get the 'Dr-Solomon' products under a campus-wide license. See:

    http://www.washington.edu/computing/software/drsol.html

    Please note that it is very important to also install the most recent updates to anti-virus software, usually obtained from the vendor's web site. If the anti-virus software you install is older than the most recent viruses/worms, it will not be able to detect and remove them.

3). Take great care when running programs you obtain or receive from others on the Internet. Running a program that you do not understand and trust is basically giving someone else complete control of your computer to do as they wish, acting as if they were you. You should be especially suspect of executable files sent to you through email.
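As an added example (not part of the original answer, and not code from Microsoft, CERT or any anti-virus vendor), the following Python script shows how a mail gateway or a cautious user can mechanically spot the kind of message described above. It builds a constructed message resembling the fake Internet Explorer upgrade lure, then flags the attachment both by its file name extension and by the "MZ" header that DOS/Windows executables carry, so a payload renamed to look harmless is still caught. The extension list, the sample addresses and the placeholder attachment bytes are assumptions for the example, not data from this page.

```python
"""Flag executable attachments in an email message.

Added example for this FAQ; not code from the UW page, Microsoft or CERT.
The message is constructed to resemble the "False Upgrade to Internet
Explorer" lure; the attachment bytes are a harmless placeholder, not the
real Ie0199.exe. The extension list and the 'MZ' magic check are
assumptions about what a mail gateway would treat as executable.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly when the file is opened (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}
# DOS/Windows executables begin with the two bytes "MZ".
DOS_MAGIC = b"MZ"


def build_sample_message() -> bytes:
    """Constructed lure resembling the fake IE upgrade mail in CA-99-02."""
    msg = EmailMessage()
    msg["From"] = "support@example.com"  # forged sender (constructed)
    msg["To"] = "user@example.org"
    msg["Subject"] = "Free upgrade for your Internet Explorer"
    msg.set_content(
        "Microsoft Corporation provides you with this upgrade for your web "
        "browser. To install the upgrade, please save the attached file "
        "(ie0199.exe) in some folder and run it."
    )
    # Placeholder payload: starts like an executable but is not a program.
    msg.add_attachment(DOS_MAGIC + b"\x00" * 14, maintype="application",
                       subtype="octet-stream", filename="Ie0199.exe")
    return msg.as_bytes()


def build_clean_message() -> bytes:
    """Constructed ordinary text message with no attachment."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Lunch?"
    msg.set_content("Are you free at noon?")
    return msg.as_bytes()


def suspicious_attachments(raw: bytes) -> list:
    """Return (filename, reason) for each attachment that looks executable.

    Two independent signals are checked: the file name extension and the
    first bytes of the decoded content. A payload renamed to 'readme.txt'
    is still caught by its content; an empty '.exe' is still caught by name.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # inline body text, not an attachment
        reasons = []
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension " + ext)
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(DOS_MAGIC):
            reasons.append("DOS/Windows executable header")
        if reasons:
            found.append((name, "; ".join(reasons)))
    return found


def verdict(raw: bytes) -> str:
    """What a mail gateway (or a careful reader) should do with the message."""
    hits = suspicious_attachments(raw)
    if not hits:
        return "OK: no executable attachments"
    return "QUARANTINE: " + "; ".join(f"{n} ({r})" for n, r in hits)


if __name__ == "__main__":
    print(verdict(build_sample_message()))
    print(verdict(build_clean_message()))
```

Run it as a script and the constructed lure is reported for quarantine on both signals while the plain text message passes. The content check matters more than the extension check: the advisory's point is that the sender's claims and the file's name are exactly what an attacker controls, so a decision should rest on what the bytes are.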
Software companies will rarely, if ever, send executables through email, as they have far more efficient and secure distribution methods available to them. Executable files sent from "friends" and colleagues may also pose a risk, as the sender may not have been careful in scanning the programs for viruses, or may themselves have been the victim of a trojan horse attack and are unwittingly contributing to its spread.

Date: 03/99
Author: dittrich

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-99-02-Trojan-Horses

Original issue date: February 5, 1999
Last Revised:

Systems Affected

Any system can be affected by Trojan horses.

Overview

Over the past few weeks, we have received an increase in the number of incident reports related to Trojan horses. This advisory includes descriptions of some of those incidents (Section II), some general information about Trojan horses (Sections I and V), and advice for system and network administrators, end users, software developers, and distributors (Section III).

Few software developers and distributors provide a strong means of authentication for software products. We encourage all software developers and distributors to do so. This means that until strong authentication of software is widely available, the problem of Trojan horses will persist. In the meantime, users and administrators are strongly encouraged to be aware of the risks as described in this document.

I. Description

A Trojan horse is an "apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend" [Summers].

Trojan horses rely on users to install them, or they can be installed by intruders who have gained unauthorized access by other means. Then, an intruder attempting to subvert a system using a Trojan horse relies on other users running the Trojan horse to be successful.

II. Recent Incidents

Incidents involving Trojan horses include the following:

False Upgrade to Internet Explorer

Recent reports indicate wide distribution of an email message which claims to be a free upgrade to the Microsoft Internet Explorer web browser. However, we have confirmed with Microsoft that they do not provide patches or upgrades via electronic mail, although they do distribute security bulletins by electronic mail.

The email message contains an attached executable program called Ie0199.exe. After installation, this program makes several modifications to the system and attempts to contact other remote systems. We have received conflicting information regarding the modifications made by the Trojan horse, which could be explained by the existence of multiple versions of the Trojan horse.

At least one version of the Trojan horse is accompanied by a message which reads, in part:

    As an user of the Microsoft Internet Explorer, Microsoft Corporation
    provides you with this upgrade for your web browser. It will fix some
    bugs found in your Internet Explorer. To install the upgrade, please
    save the attached file (ie0199.exe) in some folder and run it.

The above message is not from Microsoft. We encourage you to refer to the Microsoft Internet Explorer web site at the following location:

    http://www.microsoft.com/windows/ie/security/default.asp

Please refer to Section III below for general solutions to Trojan horses.

Trojan Horse Version of TCP Wrappers

We recently published "CA-99-01-Trojan-TCP-Wrappers," which said that some copies of the source code for the TCP Wrappers tool were modified by an intruder and contain a Trojan horse. The advisory is available at the following location:

    http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html

Trojan Horse Version of util-linux

The util-linux distribution includes several essential utilities for Linux systems.
We have confirmed with the authors of util-linux that a Trojan horse was placed in the file util-linux-2.9g.tar.gz on at least one ftp server between January 22, 1999, and January 24, 1999. This Trojan horse could have been distributed to mirror FTP sites.

Within the Trojan horse util-linux distribution the program /bin/login was modified. The modifications included code to send email to an intruder that contains the host name and uid of users logging in. The code was also modified to provide anyone with access to a login prompt the capability of executing commands based on their input at the login prompt. There were no other functional modifications made to the Trojan horse util-linux distribution that we are aware of.

A quick check to ensure you do not have the Trojan horse installed is to execute the following command:

    $ strings /bin/login | grep "HELO"

If that command returns the following output, then your machine has the Trojan horse version of util-linux-2.9g installed:

    HELO 127.0.0.1

If the above command returns nothing, then you do not have this particular Trojan horse installed.

You cannot rely on the modification date of the file util-linux-2.9g.tar.gz because the Trojan horse version has the same size and time stamp as the original version.

In response to the distribution of this Trojan horse, the authors of util-linux have released util-linux-2.9h.tar.gz. This file is available via anonymous ftp from:

    ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz

Be sure to download and verify the PGP signature as well:

    ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz.sign

This package can be verified with the "Linux Kernel Archives" PGP Public Key, available from the following URL:

    http://www.kernel.org/signature.html

Previous Trojan Horses

Trojan horses are not new entities. A classic description of a Trojan horse is given in [Thompson].
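The strings/grep check above relies on a known marker, and the advisory notes that the tampered package kept the original's size and time stamp (Section V below makes the same point in general: do not rely on file attributes). The following Python program is an added example, not code from CERT, the util-linux authors or the UW page, that carries both points through on constructed files in a temporary directory. It searches a "login" file for the HELO marker the way strings(1) piped to grep would, and it keeps a Tripwire-style baseline of size, modification time and SHA-256 so that a replacement which preserves size and time stamp is still caught by its hash. The file contents, the time stamp value and the helper names are constructed for the example; no real /bin/login is read.

```python
"""Detect a tampered binary by its contents, not its size or time stamp.

Added example for this FAQ; not code from CERT, the util-linux authors or
the UW page. Every file here is constructed inside a temporary directory;
no real /bin/login is read. The strings scan and the baseline format are
assumptions about how one would automate the advisory's checks.
"""
import hashlib
import os
import re
import tempfile

# Marker the advisory gives for the trojaned util-linux-2.9g login program.
TROJAN_MARKER = b"HELO 127.0.0.1"


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Pure-Python stand-in for strings(1): runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def has_trojan_marker(path: str) -> bool:
    """Equivalent of: strings PATH | grep "HELO 127.0.0.1"."""
    with open(path, "rb") as f:
        data = f.read()
    marker = TROJAN_MARKER.decode("ascii")
    return any(marker in s for s in printable_strings(data))


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths) -> dict:
    """Tripwire-style baseline: size, mtime and SHA-256 for each file."""
    return {p: {"size": os.path.getsize(p),
                "mtime": int(os.path.getmtime(p)),
                "sha256": sha256_of(p)} for p in paths}


def compare(manifest: dict) -> dict:
    """Report, per file, which baseline attributes no longer match.

    Returns {path: set of changed attribute names}. A result of
    {'sha256'} alone is the case the advisory warns about: size and time
    stamp look untouched, only the cryptographic fingerprint gives the
    replacement away.
    """
    report = {}
    for path, base in manifest.items():
        current = build_manifest([path])[path]
        report[path] = {k for k in base if base[k] != current[k]}
    return report


def demo() -> dict:
    """Swap a constructed 'clean' login for a same-size, same-mtime copy."""
    with tempfile.TemporaryDirectory() as d:
        login = os.path.join(d, "login")
        # Constructed clean contents: header-like bytes, padding, two strings.
        clean = b"\x7fELF" + b"\x00" * 12 + b"login: " + b"Password: " + b"\x00" * 20
        fixed_time = 917395200  # constructed epoch time stamp (January 1999)

        with open(login, "wb") as f:
            f.write(clean)
        os.utime(login, (fixed_time, fixed_time))
        baseline = build_manifest([login])
        marker_before = has_trojan_marker(login)

        # Tampered contents of identical length, with the marker embedded.
        trojaned = clean[:len(clean) - len(TROJAN_MARKER)] + TROJAN_MARKER
        with open(login, "wb") as f:
            f.write(trojaned)
        os.utime(login, (fixed_time, fixed_time))  # time stamp set back to the original

        return {"marker_before": marker_before,
                "marker_after": has_trojan_marker(login),
                "changed": compare(baseline)[login]}


if __name__ == "__main__":
    print(demo())
```

Run as a script, the demo reports no marker before the swap, the marker afterwards, and a change set of only "sha256": size and mtime agree with the baseline exactly as the advisory describes. To use the baseline idea for real, call build_manifest on the system files you care about while the system is known-good, store the result somewhere the system cannot modify (offline media, a read-only mount), and run compare from it; a manifest kept on the same host is only as trustworthy as the host.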
Additionally, you may wish to review the following documents for background and historical information about Trojan horses.

    http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
    http://www.cert.org/vul_notes/VN-98.07.backorifice.html
    http://www.cert.org/advisories/CA-94.14.trojan.horse.in.IRC.client.for.UNIX.html
    http://www.cert.org/advisories/CA-94.07.wuarchive.ftpd.trojan.horse.html
    http://www.cert.org/advisories/CA-94.05.MD5.checksums.html
    http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html
    http://www.cert.org/advisories/CA-90.11.Security.Probes.html

III. Impact

Trojan horses can do anything that the user executing the program has the privileges to do. This includes

* deleting files that the user can delete
* transmitting to the intruder any files that the user can read
* changing any files the user can modify
* installing other programs with the privileges of the user, such as programs that provide unauthorized network access
* executing privilege-elevation attacks, that is, the Trojan horse can attempt to exploit a vulnerability to increase the level of access beyond that of the user running the Trojan horse. If this is successful, the Trojan horse can operate with the increased privileges.
* installing viruses
* installing other Trojan horses

If the user has administrative access to the operating system, the Trojan horse can do anything that an administrator can. The Unix 'root' account, the Microsoft Windows NT 'administrator' account, or any user on a single-user operating system has administrative access to the operating system. If you use one of these accounts, or a single-user operating system (e.g., Windows 95 or MacOS), keep in mind the potential for increased impact of a Trojan horse.

A compromise of any system on your network, including a compromise through Trojan horses, may have consequences for the other systems on your network.
Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in cleartext or in a trivially encrypted form. This is very common. If a system on such a network is compromised via a Trojan horse (or another method), the intruder may be able to install a network sniffer and record usernames and passwords or other sensitive information as it traverses the network.

Additionally, a Trojan horse, depending on the actions it takes, may implicate your site as the source of an attack and may expose your organization to liability.

IV. How Trojan Horses Are Installed

Users can be tricked into installing Trojan horses by being enticed or frightened. For example, a Trojan horse might arrive in email described as a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker.

As another example, an intruder may forge an advisory from a security organization, such as the CERT Coordination Center, that instructs system administrators to obtain and install a patch.

Other forms of "social engineering" can be used to trick users into installing or running Trojan horses. For example, an intruder might telephone a system administrator and pose as a legitimate user of the system who needs assistance of some kind. The system administrator might then be tricked into running a program of the intruder's design.

Software distribution sites can be compromised by intruders who replace legitimate versions of software with Trojan horse versions. If the distribution site is a central distribution site whose contents are mirrored by other distribution sites, the Trojan horse may be downloaded by many sites and spread quickly throughout the Internet community.
Because the Domain Name System (DNS) does not provide strong authentication, users may be tricked into connecting to sites different from the ones they intend to connect to. This could be exploited by an intruder to cause users to download a Trojan horse, or to cause users to expose confidential information.

Intruders may install Trojan horse versions of system utilities after they have compromised a system. Often, collections of Trojan horses are distributed in toolkits that an intruder can use to compromise a system and conceal their activity after the compromise, e.g., a toolkit might include a Trojan horse version of ls which does not list files owned by the intruder. Once an intruder has gained administrative access to your systems, it is very difficult to establish trust in it again without rebuilding the system from known-good software. For information on recovering after a compromise, please see

    http://www.cert.org/tech_tips/root_compromise.html

A Trojan horse may be inserted into a program by a compiler that is itself a Trojan horse. For more information about such an attack see [Thompson].

Finally, a Trojan horse may simply be placed on a web site to which the intruder entices victims. The Trojan horse may be in the form of a Java applet, JavaScript, ActiveX control, or other form of executable content.

V. Solutions

The best advice with respect to Trojan horses is to avoid them in the first place.

* System administrators (including the users of single-user systems) should take care to verify that every piece of software that is installed is from a trusted source and has not been modified in transit. When digital signatures are provided, users are encouraged to validate the signature (as well as validating the public key of the signer). When digital signatures are not available, you may wish to acquire software on tangible media such as CDs, which bear the manufacturer's logo. Of course, this is not foolproof either.
  Without a way to authenticate software, you may not be able to tell if a given piece of software is legitimate regardless of the distribution media.

* We strongly encourage software developers and software distributors to use cryptographically strong validation for all software they produce or distribute. Any popular technique based on algorithms that are widely believed to be strong will provide users a strong tool to defeat Trojan horses.

* Anyone who invests trust in digital signatures must also take care to validate any public keys that may be associated with the signature. It is not enough for code merely to be signed -- it must be signed by a trusted source.

* Do not execute anything sent to you via unsolicited electronic mail.

* Use caution when executing content such as Java applets, JavaScript, or ActiveX controls from web pages. You may wish to configure your browser to disable the automatic execution of web page content.

* Apply the principle of least privilege in daily activity: do not retain or employ privileges that are not needed to accomplish a given task. For example, do not run with enhanced privilege, such as "root" or "administrator", for ordinary tasks such as reading email.

* Install and configure a tool such as Tripwire® that will allow you to detect changes to system files in a cryptographically strong way. For more information about Tripwire®, see

      http://www.cert.org/ftp/tech_tips/security_tools

  Note, however, that Tripwire® is not a foolproof guard against Trojan horses. For example, see

      http://www.cert.org/vul_notes/VN-98.02.kernel_mod.html

* Educate your users regarding the danger of Trojan horses.

* Use firewalls and virus products that are aware of popular Trojan horses. Although it is impossible to detect all possible Trojan horses using a firewall or virus product (because a Trojan horse can be arbitrary code), they may aid you in preventing many popular Trojan horses from affecting your systems.
* Review the source code to any open source products you choose to install. Open source software has an advantage compared to proprietary software in that the source code can be widely reviewed and any obvious Trojan horses will probably be discovered very quickly. However, open source software also tends to be developed by a wide variety of people with little or no central control. This makes it difficult to establish trust in a single entity. Keep in mind that reviewing source code may be impractical at best, and that some Trojan horses may not be evident from a review of the source, as described in [Thompson].

* Adopt the use of cryptographically strong mutual authentication systems such as ssh for terminal emulation, X.509 public key certificates in web servers, S/MIME or PGP for electronic mail, and Kerberos for a variety of services. Avoid the use of systems that trust the domain name system for authentication, such as telnet, ordinary http (as opposed to https), ftp, or smtp, unless your network is specifically designed to support that trust.

* Do not rely on timestamps, file sizes, or other file attributes when trying to determine if a file contains a Trojan horse.

* Exercise caution when downloading unauthenticated software. If you choose to install software that has not been signed by a trusted source, you may wish to wait for a period of time before installing it in order to see if a Trojan horse is discovered.

* We encourage all security organizations to digitally sign any advisories or other alerts. We also recommend that users validate any signatures, and beware of unsigned security advice. The CERT Coordination Center signs all ASCII copies of our advisories with our PGP key, available at:

      http://www.cert.org/pgp/CERT_PGP.key

If you do fall victim to a Trojan horse, some anti-virus software may also be able to recognize, remove and repair the damage from the Trojan horse.
However, if an intruder gains access to your systems via a Trojan horse, it may be difficult or impossible to establish trust in your systems. In this case, we recommend that you disconnect from the network and rebuild your systems from known-good software, being careful to apply all relevant patches and updates, to change all passwords, and to check other nearby systems. For information on how to rebuild a Unix system after a compromise, please see

    http://www.cert.org/tech_tips/root_compromise.html

References

[Summers] Summers, Rita C., Secure Computing: Threats and Safeguards, McGraw-Hill, 1997. An online reference is available from the publisher.

[Thompson] Thompson, Ken, "Reflections on Trusting Trust," Communications of the ACM 27(8) pp. 761-763 (Aug. 1984); Turing Award lecture.

Acknowledgment

Our thanks to Andries Brouwer for providing information regarding util-linux and to the many people who reported information about Trojan horse versions of Internet Explorer.

Tripwire is a registered trademark of the Purdue Research Foundation, and it is also licensed to VCC.

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html.

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

    http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site

    http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in

    http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

______________________________________________________________________

Revision History

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNrtSWnVP+x0t4w7BAQGDXwQAh7kakdwkFhO10kQrq5l34UUgy3yyTRtz
6p+xpPyNsfFKwmZ1XTkLtDWRZftbq+Uz+wkaf4Pu7feKLGr4+J5sNa8Iwl4Cr2VQ
nEOTnpQIx2pk9AWUu3P1HKDbnqQnmN12r+4/FzFJhDi6eAVJGcDaTPAYkXCNAK/C
3lo2FToAXbc=
=jhuZ
-----END PGP SIGNATURE-----