_____________________________________________________

          The Computer Incident Advisory Capability
                          ___  __ ___  ___
                         /    |  /   \ /
                         \___ _|_ /___\ \___

_____________________________________________________

                      Information Bulletin

         Additional Information about the SYSMAN.EXE Trojan Horse

November 15, 1991, 1530 PDT                                    Number C-7
_________________________________________________________________________

PROBLEM:   A trojan horse program disguised as SYSMAN.EXE
PLATFORM:  VMS systems
DAMAGE:    Allows non-privileged users to gain full privileges;
           unauthorized changes to critical system files.
DIAGNOSIS: Scan SYS$LIBRARY for an executable called OBJ.EXE, or check
           whether the length of the SYSMAN.EXE file has changed.
SOLUTION:  If the SYSMAN.EXE trojan is found, a complete re-install of
           VMS is recommended.
_________________________________________________________________________

               Critical Facts about the SYSMAN.EXE Trojan Horse

In Bulletin C-5 we provided information about the SYSMAN.EXE trojan horse
program found on several VMS systems. We have completed analyzing this
program and now have additional information.

All affected systems identified to date are connected to the European
DECnet. To the best of our knowledge, no systems in the DOE or ESnet
community have been implanted with this bogus program. In addition, we have
not received any direct reports of systems in the U.S.A. that were affected
by this trojan horse program.

The purpose of the SYSMAN.EXE trojan is to grant full privileges to a
non-privileged account. However, the trojan grants full privileges only
when a particular key string is supplied in a particular manner. It is
extremely unlikely that a non-privileged user who does not possess the key
string, or does not know how to use it, could use this trojan to gain
privileges. Since the trojan can only be used to escalate privileges, the
intruder evidently expects to be able to re-enter a non-privileged account
in the future.
The SYSMAN.EXE trojan appears to be planted manually by the intruder in two
steps: the intruder renames the SYS$SYSTEM:SYSMAN.EXE image to
SYS$LIBRARY:OBJ.EXE and then places the trojan SYSMAN.EXE in SYS$SYSTEM.
Since installing the trojan requires full privileges, the intruder must
have either breached a privileged account, or breached a non-privileged
account and escalated privileges in some other manner.

Signs that a VMS system has been compromised by installation of this trojan
are:

  - the existence of SYS$LIBRARY:OBJ.EXE,
  - the length of SYS$SYSTEM:SYSMAN.EXE being 166 blocks, and
  - "$ ANALYZE/IMAGE SYS$SYSTEM:SYSMAN.EXE" showing an "image name" of
    "VA6" in the "Image Identification Information" section.

To confirm the existence of the trojan, log into a non-privileged account
and execute the following three DCL commands:

    $ delete/symbol obfj
        Ignore the "%DCL-W-UNDSYM" error
    $ run sys$system:sysman
        Ignore the "%SYSMAN-F-NOOPER" error
    $ show symbol obfj

If the symbol OBFJ is defined as "$SYS$LIBRARY:OBJ.EXE", the VMS system
contains the SYSMAN.EXE trojan horse. If instead you get a "%DCL-W-UNDSYM"
error, the SYSMAN.EXE trojan is not installed.

Because installation of the SYSMAN.EXE trojan requires the intruder(s) to
gain system privileges, CIAC strongly recommends that, as a recovery
procedure, you do a complete re-install of VMS and of all software that is
installed with privilege or runs under privileged accounts. This should be
followed by carefully examining all security features and carefully
screening all accounts, including changing the passwords of all accounts.

We also request that, if you find the SYSMAN.EXE trojan horse, you save the
trojan SYSMAN.EXE image and send a copy of it to CIAC for further analysis.
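The three indicators and the OBFJ confirmation test above can be run as a
single DCL command procedure. The procedure below is an added example
written for this bulletin, not part of the original CIAC text or of any
CIAC tool; the file name CHECK_SYSMAN.COM and the exit status convention
are assumptions. It is intended to be run from a non-privileged account,
exactly as the manual check is, and it only reads files and symbols; it
does not modify anything.

```dcl
$! CHECK_SYSMAN.COM - added example (not from CIAC bulletin C-7).
$! Checks the three indicators of the SYSMAN.EXE trojan described above.
$! Run from a NON-privileged account: the trojan test works without privilege
$! and the genuine image simply fails with %SYSMAN-F-NOOPER.
$ SET NOON                      ! keep going past the expected DCL/SYSMAN errors
$ found = 0
$!
$! Indicator 1: the renamed original image left behind by the intruder.
$ IF F$SEARCH("SYS$LIBRARY:OBJ.EXE") .NES. ""
$ THEN
$    WRITE SYS$OUTPUT "WARNING: SYS$LIBRARY:OBJ.EXE exists"
$    found = found + 1
$ ENDIF
$!
$! Indicator 2: the trojan image is 166 blocks long.
$! "EOF" returns the end-of-file block count of the file.
$ blocks = F$FILE_ATTRIBUTES("SYS$SYSTEM:SYSMAN.EXE", "EOF")
$ IF blocks .EQ. 166
$ THEN
$    WRITE SYS$OUTPUT "WARNING: SYS$SYSTEM:SYSMAN.EXE is 166 blocks long"
$    found = found + 1
$ ENDIF
$!
$! Indicator 3: the trojan defines the DCL symbol OBFJ when it is run.
$! Clear any stale definition first; %DCL-W-UNDSYM here is expected.
$ DELETE/SYMBOL OBFJ
$ RUN SYS$SYSTEM:SYSMAN           ! %SYSMAN-F-NOOPER here is expected
$ IF F$TYPE(OBFJ) .NES. ""        ! F$TYPE returns "" for an undefined symbol
$ THEN
$    WRITE SYS$OUTPUT "TROJAN CONFIRMED: symbol OBFJ = ''OBFJ'"
$    found = found + 1
$ ENDIF
$!
$ IF found .EQ. 0
$ THEN
$    WRITE SYS$OUTPUT "No SYSMAN.EXE trojan indicators found"
$    EXIT 1                      ! SS$_NORMAL: assumed convention, clean
$ ELSE
$    WRITE SYS$OUTPUT "''found' indicator(s) present - treat system as compromised"
$    EXIT 2                      ! assumed convention: warning status, investigate
$ ENDIF
```

Run it with "$ @CHECK_SYSMAN". Indicators 1 and 2 are only circumstantial
(an administrator could have left an OBJ.EXE in SYS$LIBRARY, and a future
VMS release could legitimately change the size of SYSMAN.EXE), whereas
indicator 3 is the definitive test from the bulletin. Also add the
"$ ANALYZE/IMAGE SYS$SYSTEM:SYSMAN.EXE" check by hand, since its output is
meant to be read rather than parsed.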
In cases in which circumstances require the VMS system to continue running
uninterrupted for a short period of time, the following sanitization
procedure will remove the SYSMAN.EXE trojan:

    $ rename sys$system:sysman.exe sys$manager:sysman.exe-trojan
    $ set prot=(s:rwed,o:rwed,g,w) sys$manager:sysman.exe-trojan

and finally:

    $ rename sys$library:obj.exe sys$system:sysman.exe

or, better yet:

    $ delete sys$library:obj.exe;*
    (restore sys$system:sysman.exe from trusted distribution media)

Note that this procedure only removes the trojan; it does not close the
privileged access the intruder used to install it, so the full recovery
procedure above still applies.

For additional information or assistance, please contact CIAC:

    Hal Brand
    (510) 422-6312** or (FTS) 532-6312
    brand@addvax.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS) 532-8193.

**Note: the area code has changed from 415, although the 415 area code will
work until Jan. 1992.

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Some of the other
teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the
Air Force response team. Your agency's team will coordinate with CIAC.

The assistance of several users in providing copies of the SYSMAN.EXE
trojan horse is appreciated.

Neither the United States Government nor the University of California nor
any of their employees makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein to
any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.