L-077: The Glacier Backdoor

April 27, 2001 18:00 GMT
[Revision 5/1/2001 add glacier finder and changes for Windows 95, 98]


PROBLEM: The Glacier backdoor program allows an intruder to remote control a Windows computer. The intruder can see the desktop, click on files, and type on the keyboard of the remote computer.
PLATFORM: Windows computers: Windows NT and Windows NT Server. Possibly also on Windows 95, 98, ME, and Windows 2000.
DAMAGE: An intruder can remote control a system. He can access any file, run code, type on the keyboard and generally do whatever he wants on a system. The intruder could capture the passwords of any system you log into and send mail as you using your e-mail program.
SOLUTION: Some antivirus programs detect this program. Do not run attachments to e-mail messages or download and run executables from hacker sites. The server program must be delivered to and run on the machine being attacked. To remove the code, delete the files and reset the registry keys as described in this bulletin.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. While the package gives an intruder full control of a system, the server must be downloaded and run on that system by the system owner or the system must be broken into by some other method and the server installed.

CIAC has information that the Glacier Backdoor/Remote Control program is being used to compromise sites on the Internet. Glacier is a backdoor/remote control program with capabilities that are similar to Back Orifice. After a Glacier server is installed on a host, the Glacier client is used on a remote host to control the server. The screen of the server system can be seen on the client system. The client can move the mouse pointer on the server, and typing on the client's keyboard appears on the server as if it were typed on the server's keyboard. Other options include changing the registry, initiating dialog boxes, collecting keystrokes, simulating errors, and shutting down the server.

The server software can be delivered to a machine as an attachment on an e-mail message or as a download from a web or ftp site. Running the server installs it. After installation, the server attempts to phone home to smtp.sina.com, a Chinese language mail server.

The server installs itself in two places and changes several keys in the registry so that it is restarted whenever the system is rebooted and whenever an executable program is run.

Operation of Glacier

The Glacier Server

There are multiple versions of Glacier in the wild; however, they all operate in much the same manner. The biggest difference we see is the different default file names for the copies of Glacier saved in the system folder.

The default name of the Glacier server program is G_server.exe though that could be changed by an intruder to any provocative name that might get you to run it. When the Glacier server program is run on a host, it makes two copies of itself.

On Windows NT and Windows 2000 systems:
%SystemRoot%\System32\Update.exe
%SystemRoot%\System32\SysSet.exe
On Windows 95, 98 systems:
%SystemRoot%\System\Update.exe
%SystemRoot%\System\SysSet.exe

where %SystemRoot% resolves to the path to the current system directory (c:\Windows or c:\Winnt on most systems). Other versions use RegScan.exe in place of SysSet.exe. Glacier then makes changes to the registry to ensure that it is restarted whenever the system is rebooted or an executable file is run. It adds the value:

On Windows NT and Windows 2000 systems:
WindowsUpdate = C:\WINNT\System32\UPDATE.EXE
On Windows 95, 98 systems:
WindowsUpdate = C:\WINDOWS\System\UPDATE.EXE

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The path in the value points to where the Update.exe program was saved. These two changes try twice to run update.exe whenever the system is rebooted.

The server then modifies the following key:

HKEY_CLASSES_ROOT\exefile\shell\open\command

from

"%1" %*

to

On Windows NT and Windows 2000 systems:
"c:\winnt\system32\sysset.exe" "%1" %*
On Windows 95, 98 systems:
"c:\windows\system\sysset.exe" "%1" %*

This change causes sysset.exe to be run whenever any .exe file is run. Keep this in mind when cleaning up a system, as running any executable program (notepad.exe, regedit.exe, etc.) runs the backdoor program again.

The server then modifies the following key:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

from

On Windows NT and Windows 2000 systems:
%SystemRoot%\system32\NOTEPAD.EXE %1
On Windows 95, 98 systems:
C:\windows\NOTEPAD.EXE %1

to

NotePad.exe %1

This change does not do anything useful (for the backdoor) that we can see. It may be something the backdoor writer was going to implement but didn't.

The system next does a query for smtp.sina.com, a Chinese language mail server. If it gets an IP address for this site, we believe it will send a mail message to that site advertising the address of the compromised system to a mail user on that server.

The server then starts listening on port 7626 for connections from a Glacier client. We also saw the server connecting back to ports 7718 and 1826 on the client.

The Glacier Client

The Glacier client has the Chinese language GUI shown below. Note that the GUI is being run on an English language system, so the Chinese characters appear as Unicode characters. The disks and documents showing in the window are files on the server system.

[Image: screenshot of the Glacier client GUI]

The client contains a scanner for searching subnets for systems with the Glacier server listening on port 7626. It also contains commands for configuring the Glacier server, including changing the port it listens on and adding a password for connections. The small window on the lower left of the image above shows the server machine being controlled. That window can be enlarged to full size, and then mouse clicks in that window are executed on the server machine, as is any typing on the keyboard. The small window at bottom center controls the special keys on the keyboard.

Other options in the client include setting the port and password used to contact the server, commands to change the registry, and various commands to display dialog boxes, shut down the server and so forth. Note that the commands are listed in the Unicode values of the Chinese characters so determining what the commands do had to be done on a trial and error basis on a U.S. localized system.

Detecting Glacier

If you have been infected with the Glacier server program, you will likely notice a significant system slowdown, especially in systems with older, slower CPUs. A Pentium 90 system slowed to a crawl when the server was run on it.

The findglacier.vbs is a program for detecting default installations of Glacier. It is a Visual Basic Script that runs under the Windows Scripting Host and checks for the files and registry keys that Glacier uses. Download this program, open a command window, and run it with the command: cscript findglacier.vbs. Please note that the names of the files used by Glacier can be changed from the default values using the client application. The values of the changed registry keys will help you find these changed files.

On a Windows NT system, open the task manager and look for update.exe, sysset.exe or G_server.exe in the process list. Finding update.exe in the task list is not a sure detection of Glacier as there is a real update.exe program that handles Windows Internet Explorer updates. The second place to look is in the \winnt\system32 (or \windows\system) directory for sysset.exe and update.exe. Again, update.exe may exist on normal systems. The backdoor program has a length of 261KB. Right click on the program and select Properties. In the Properties dialog box for the file, select the Version tab and click on the Language item in the Other Version Information list. If the language is "Chinese (PRC)" on English language systems, this is probably the backdoor program.

You can also check the registry keys mentioned above. From the start menu, select Run and run regedit. In the Regedit window, select the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If the value WindowsUpdate exists in this key and has a value that points to update.exe you can be pretty sure that you have the Glacier server installed on your system.
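The registry checks above (the WindowsUpdate value in the Run and RunServices keys, and the hijacked exefile open command described under "The Glacier Server") can also be run offline against an export of the suspect system's registry, which avoids launching regedit.exe on the infected machine. The script below is an added example, not part of this bulletin or of findglacier.vbs; it parses REGEDIT4-style export text (the format written by "regedit /e") and the sample export embedded in it is constructed for the example, not captured from a real system.

```python
import re

# Constructed sample of a "regedit /e" export (REGEDIT4 format) from an
# infected Windows NT host, built for this example; not a real capture.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WindowsUpdate"="C:\\WINNT\\System32\\UPDATE.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WindowsUpdate"="C:\\WINNT\\System32\\UPDATE.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\winnt\\system32\\sysset.exe\" \"%1\" %*"
'''

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'   # what the default value reads on a clean system

def parse_reg_export(text):
    """Parse REGEDIT4 text into {key: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape quotes and backslashes inside string data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys

def find_glacier_indicators(reg_text):
    """Return human-readable findings for the bulletin's registry indicators."""
    reg = parse_reg_export(reg_text)
    findings = []
    for key in RUN_KEYS:
        data = reg.get(key, {}).get("WindowsUpdate", "")
        if data.lower().endswith("update.exe"):
            findings.append(f"{key}\\WindowsUpdate -> {data}")
    cmd = reg.get(EXEFILE_KEY, {}).get("@", CLEAN_EXEFILE)
    if cmd != CLEAN_EXEFILE:   # anything but "%1" %* runs another program first
        findings.append(f"exefile open command hijacked: {cmd}")
    return findings
```

A match on the Run/RunServices value alone can still be the legitimate update.exe mentioned above, so confirm with the file's Version tab as described; the hijacked exefile command is the stronger indicator.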

Removing Glacier

Removing Glacier involves reversing the steps that Glacier took when it installed itself. Note that these steps involve editing the registry and errors in editing the registry can make a system unbootable so be very careful when doing so.

Because of the changes Glacier has made to the registry, running Regedit will restart the server so you must perform these steps in the correct order.

  1. On a Windows NT or Windows 2000 system, start Regedit32. On a Windows 95 or 98 system start Regedit. To run either program, click on the Start button, select Run, click Browse, find the program (Regedit32 is in the winnt\system32 directory and regedit is in the Windows directory), click Open, and click OK.
  2. In a Windows Explorer window, open the \windows\system or \winnt\system32 directory depending on what kind of a system you have.
  3. Open the TaskManager and kill any processes named update.exe, sysset.exe, or G_server.exe. Type Ctrl-Alt-Del to open the task manager or to open a dialog from which you can open the task manager.
  4. In the System or System32 directory, find and delete update.exe and sysset.exe.
  5. In regedit or regedit32, open the following two keys and delete the WindowsUpdate values.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  6. Open the following key
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    change the default (unnamed) value to: "%1" %*
    Be careful here as a mistake will make it impossible to run any .exe file. Note that there is a single space between the second double quote and the second percent sign, that is: "%1"<space>%*
  7. In Regedit or regedit32 open the following key
    HKEY_CLASSES_ROOT\txtfile\shell\open\command
    If you are using regedit on a Windows 95 or Windows 98 system, change the existing default (unnamed) value to C:\Windows\NOTEPAD.EXE %1 (change the drive or path to point to where notepad.exe really exists). If you are using regedit32 on a Windows NT or Windows 2000 system, delete the existing default (unnamed) value, create a new value with the Edit, Add Value command. Do not give it a Value Name, set the Data Type to: REG_EXPAND_SZ, and click OK. Set the value to: %SystemRoot%\system32\NOTEPAD.EXE %1 and click OK.
  8. Don't quit regedit yet. Try to run any .exe application such as notepad.exe by double clicking on it in an Explorer window. If it runs, great, if not, switch back to the regedit window and check your changes to the registry. Don't quit regedit until you can start a .exe application.
  9. When everything works, quit regedit and reboot the system. After the system is finished rebooting, check that the files are still gone from the system directory and that the registry keys are still how you set them. If they have changed back to the backdoor values, you missed something or did something out of order and reinstalled the backdoor. Keep trying until the files go away and stay away.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          [email protected]
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov/
                     (same machine -- either one will work)
    Anonymous FTP:   ftp://ftp.ciac.org/
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788