April 27, 2001 18:00 GMT
[Revision 5/1/2001: add Glacier finder and changes for Windows 95, 98]
PROBLEM: The Glacier backdoor program allows an intruder to remotely control a Windows computer. The intruder can see the desktop, click on files, and type on the keyboard of the remote computer.
PLATFORM: Windows computers: Windows NT and Windows NT Server. Possibly also Windows 95, 98, ME, and Windows 2000.
DAMAGE: An intruder can remotely control a system. He can access any file, run code, type on the keyboard and generally do whatever he wants on a system. The intruder could capture the passwords of any system you log into and send mail as you using your e-mail program.
SOLUTION: Some antivirus programs detect this program. Do not run attachments to e-mail messages or download and run executables from hacker sites. The server program must be delivered to and run on the machine being attacked. To remove the code, delete the files and reset the registry keys as described in this bulletin.
VULNERABILITY ASSESSMENT: The risk is MEDIUM. While the package gives an intruder full control of a system, the server must be downloaded and run on that system by the system owner, or the system must be broken into by some other method and the server installed.
CIAC has information that the Glacier Backdoor/Remote Control program is being used to compromise sites on the Internet. Glacier is a backdoor/remote control program with capabilities similar to those of Back Orifice. After a Glacier server is installed on a host, the Glacier client is run on a remote host to control the server. The screen of the server system can be seen on the client system. The client can move the mouse pointer on the server, and typing on the client's keyboard appears on the server as if it were typed on the server's keyboard. Other options include changing the registry, initiating dialog boxes, collecting keystrokes, simulating errors, and shutting down the server.
The server software can be delivered to a machine as an attachment on an e-mail message or as a download from a web or ftp site. Running the server installs it. After installation, the server attempts to phone home to smtp.sina.com, a Chinese language mail server.
The server installs itself in two places and changes several keys in the registry so that it is restarted whenever the system is rebooted and whenever an executable program is run.
There are multiple versions of Glacier in the wild; however, they all operate in much the same manner. The biggest difference we see is the default file names used for the copies of Glacier saved in the system folder.
The default name of the Glacier server program is G_server.exe though that could be changed by an intruder to any provocative name that might get you to run it. When the Glacier server program is run on a host, it makes two copies of itself.
- On Windows NT and Windows 2000 systems:
  - %SystemRoot%\System32\Update.exe
  - %SystemRoot%\System32\SysSet.exe
- On Windows 95, 98 systems:
  - %SystemRoot%\System\Update.exe
  - %SystemRoot%\System\SysSet.exe
where %SystemRoot% resolves to the path of the current system directory (c:\Windows or c:\Winnt on most systems). Other versions use RegScan.exe in place of SysSet.exe. Glacier then makes changes to the registry to ensure that it is restarted whenever the system is rebooted or an executable file is run. It adds the value:
- On Windows NT and Windows 2000 systems:
- WindowsUpdate = C:\WINNT\System32\UPDATE.EXE
- On Windows 95, 98 systems:
- WindowsUpdate = C:\WINDOWS\System\UPDATE.EXE
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The path in the value points to where the Update.exe program was saved. These two entries cause update.exe to be started twice whenever the system is rebooted.
The server then modifies the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
from
"%1" %*
to
- On Windows NT and Windows 2000 systems:
- "c:\winnt\system32\sysset.exe" "%1" %*
- On Windows 95, 98 systems:
- "c:\windows\system\sysset.exe" "%1" %*
This change causes sysset.exe to be run whenever any .exe file is run. Keep this in mind when cleaning up a system: running any executable program (notepad.exe, regedit.exe, etc.) runs the backdoor program again.
The server then modifies the following key:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
from
- On Windows NT and Windows 2000 systems:
- %SystemRoot%\system32\NOTEPAD.EXE %1
- On Windows 95, 98 systems:
- C:\windows\NOTEPAD.EXE %1
to
NotePad.exe %1
This change does not do anything useful (for the backdoor) that we can see. It may be something the backdoor writer was going to implement but didn't.
The system next does a query for smtp.sina.com, a Chinese language mail server. If it gets an IP address for this site, we believe it will send a mail message to that site advertising the address of the compromised system to a mail user on that server.
The server then starts listening on port 7626 for connections from a Glacier client. We also saw the server connecting back to ports 7718 and 1826 on the client.
The Glacier client has the Chinese language GUI interface shown below. Note that the GUI is being run on an English language system, so the Chinese characters appear as Unicode characters. The disks and documents showing in the window are files on the server system.
The client contains a scanner for searching subnets for systems with the Glacier server listening on port 7626. It also contains commands for configuring the Glacier server, including changing the port it listens on and adding a password for connections. The small window on the lower left of the image above shows the server machine being controlled. That window can be enlarged to full size, and then mouse clicks in that window are executed on the server machine, as is any typing on the keyboard. The small window at bottom center controls the special keys on the keyboard.
Other options in the client include setting the port and password used to contact the server, commands to change the registry, and various commands to display dialog boxes, shut down the server and so forth. Note that the commands are listed as the Unicode values of the Chinese characters, so determining what the commands do had to be done on a trial and error basis on a U.S. localized system.
If you have been infected with the Glacier server program, you will likely notice a significant system slowdown, especially in systems with older, slower CPUs. A Pentium 90 system slowed to a crawl when the server was run on it.
The findglacier.vbs is a program for detecting default installations of Glacier. It is a Visual Basic Script that runs under the Windows Scripting Host and checks for the files and registry keys that Glacier uses. Download this program, open a command window, and run it with the command:
cscript findglacier.vbs
Please note that the names of the files used by Glacier can be changed from the default values using the client application. The values of the changed registry keys will help you find these changed files.
On a Windows NT system, open the Task Manager and look for update.exe, sysset.exe or G_server.exe in the process list. Finding update.exe in the task list is not a sure detection of Glacier, as there is a legitimate update.exe program that handles Windows Internet Explorer updates. The second place to look is in the \winnt\system32 (or \windows\system) directory for sysset.exe and update.exe. Again, update.exe may exist on normal systems. The backdoor program has a length of 261KB. Right click on the program and select Properties. In the Properties dialog box for the file, select the Version tab and click on the Language item in the Other Version Information list. If the language is "Chinese (PRC)" on an English language system, this is probably the backdoor program.
You can also check the registry keys mentioned above. From the start menu, select Run and run regedit. In the Regedit window, select the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If the value WindowsUpdate exists in this key and points to update.exe, you can be fairly sure that you have the Glacier server installed on your system.
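As an added example (not CIAC's findglacier.vbs), the following Python script checks a regedit export (.reg text) for the two registry changes described above: the WindowsUpdate value in the Run/RunServices keys pointing at update.exe, and the exefile open command no longer being "%1" %*. The registry text it parses is constructed here to mimic an export from an infected Windows NT host; it inspects the exported text rather than the live registry, so it can be run on any machine.

```python
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'   # normal value of the exefile open command

def parse_reg_export(text):
    """Parse the [key] and "name"="value" / @="value" lines of a regedit
    export into {key: {name: value}}. Only REG_SZ strings are handled."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')            # "@" (default value) stays "@"
            if value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes and quotes inside strings
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            keys[current][name] = value
    return keys

def glacier_indicators(keys):
    """Return the registry changes from the bulletin that are present."""
    findings = []
    for key in RUN_KEYS:
        val = keys.get(key, {}).get("WindowsUpdate", "")
        if val.lower().endswith("update.exe"):
            findings.append(f"{key}\\WindowsUpdate = {val}")
    cmd = keys.get(EXEFILE_KEY, {}).get("@", CLEAN_EXEFILE)
    if cmd != CLEAN_EXEFILE:
        findings.append(f"exefile open command hijacked: {cmd}")
    return findings

# Constructed sample mimicking an export from an infected Windows NT host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\WINNT\\System32\\UPDATE.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\winnt\\system32\\sysset.exe\" \"%1\" %*"
'''
```

Calling glacier_indicators(parse_reg_export(SAMPLE_REG)) returns two findings for the sample; an export whose exefile command is still "%1" %* and has no WindowsUpdate value returns an empty list.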
Removing Glacier involves reversing the steps that Glacier took when it installed itself. Note that these steps involve editing the registry, and errors in editing the registry can make a system unbootable, so be very careful when doing so.
Because of the changes Glacier has made to the registry, running Regedit will restart the server, so you must perform these steps in the correct order.
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: [email protected]
World Wide Web: http://www.ciac.org/ or http://ciac.llnl.gov/ (same machine -- either one will work)
Anonymous FTP: ftp://ftp.ciac.org/ or ciac.llnl.gov (same machine -- either one will work)