Date: Monday February 28, 2000
Description:
We have received reports indicating intruders are beginning to deploy and utilize windows based denial of service agents to launch distributed denial of service attacks. On Feburary 16th we began receiving reports of a program called "service.exe" that appears to be a Windows version of trinoo. This program listens on UDP port 34555. More details about this tool are available on Gary Flynn's web site at:
We have seen two almost identical versions of the "service.exe" program to date (they vary by 12 bytes but produce the same results for strings(1)). The binaries we have seen have one of the following MD5 checksums:
- MD5 (service.exe) = 03fe58987d7dc07e736c13b8bee2e616
- MD5 (service.exe) = 1d45f8425ef969eba40091e330921757
In at least one incident, machines runing the "service.exe" program were also running backoriface. We have also received reports of administrators finding other "remote administration" intruder tools on machines that were running "service.exe".
Note that the tool TFN2K, first released in December 1999, will run on Windows NT. The existance of distributed denial of service tools for Windows platforms is not new; however, we are beginning to receive reports of these tools being installed on compromised systems.
Impact:
Windows machines have been used as intermediaries in various types of denial of service attacks for years; however, the development and deployment of the technology to use Windows machines as agents in a distributed denial of service attacks represents an overall increase in the threat of denial of service attacks.
Solution:
Standard safe computing practices will prevent intruders from installing the service.exe program on your machine(s).
- Don't run programs of unknown origin, regardless of who sent you the program. Likewise, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- it might be a Trojan horse.
- Before opening any email attachments, be sure you know what the source of the attachment was. It is not enough that the mail originated from an address you recognize. The Melissa virus spread precisely because it originated from a familiar address. Malicious code might be distributed in amusing or enticing programs. If you must open an attachment before you can verify the source, do so in an isolated environment. If you are unsure how to proceed, contact your local technical support organization.
- Be sure your anti-virus software is, and remains, up-to-date.
- Some products, such as Microsoft Office, Lotus Notes and others, include the ability to execute code embedded in documents. For any such products you use, disable the automatic execution of code embedded in documents. For example, in Microsoft Word 97, enable the "Macro Virus Protection" feature by choosing Tools->Options->General and selecting the appropriate checkbox. In Lotus Notes 4.6, set a restrictive Execution Control List (ECL) by setting the options found in File->Tools->User Preferences->Security Options to restrict the execution of code to trusted signers. For other products, consult your documentation.
- Use data-integrity tools. Data-integrity tools use strong cryptography to help you determine which files, if any, may have changed on a system. This may be crucial information to determine the most appropriate response to a security event. The use of these tools requires that they be installed before a security event has taken place.
- Avoid the use of MIME types that cause interpreters or shells to be invoked.
- Be aware of the risks involved in the use of "mobile code" such as Active X, Java, and JavaScript. It is often the case that electronic mail programs use the same code that web browsers use to render HTML. Vulnerabilities that affect ActiveX, Java, and Javascript often are applicable to electronic mail as well as web pages.
Author: Jed Pickel
Copyright 2000 Carnegie Mellon University.