A complete revision history is at the end of this file.
Any system can be affected by Trojan horses.
Over the past few weeks, we have received an increase in the number of incident reports related to Trojan horses. This advisory includes descriptions of some of those incidents (Section II), some general information about Trojan horses (Sections I and V), and advice for system and network administrators, end users, software developers, and distributors (Section III).
Few software developers and distributors provide a strong means of authentication for software products. We encourage all software developers and distributors to do so. Until strong authentication of software is widely available, the problem of Trojan horses will persist. In the meantime, users and administrators are strongly encouraged to be aware of the risks as described in this document.
A Trojan horse is an "apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend" [Summers].
Trojan horses rely on users to install them, or they can be installed by intruders who have gained unauthorized access by other means. An intruder attempting to subvert a system with a Trojan horse then relies on other users running it in order to succeed.
Incidents involving Trojan horses include the following:
Recent reports indicate wide distribution of an email message which claims to be a free upgrade to the Microsoft Internet Explorer web browser. However, we have confirmed with Microsoft that they do not provide patches or upgrades via electronic mail, although they do distribute security bulletins by electronic mail.
The email message contains an attached executable program called Ie0199.exe. After installation, this program makes several modifications to the system and attempts to contact other remote systems. We have received conflicting information regarding the modifications made by the Trojan horse, which could be explained by the existence of multiple versions of the Trojan horse.
At least one version of the Trojan horse is accompanied by a message which reads, in part:
As an user of the Microsoft Internet Explorer, Microsoft Corporation provides you with this upgrade for your web browser. It will fix some bugs found in your Internet Explorer. To install the upgrade, please save the attached file (ie0199.exe) in some folder and run it.
The above message is not from Microsoft.
We encourage you to refer to the Microsoft Internet Explorer web site at the following location:
Please refer to Section III below for general solutions to Trojan horses.
We recently published "CA-99-01-Trojan-TCP-Wrappers" which said that some copies of the source code for the TCP Wrappers tool were modified by an intruder and contain a Trojan horse. The advisory is available at the following location:
http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
The util-linux distribution includes several essential utilities for Linux systems. We have confirmed with the authors of util-linux that a Trojan horse was placed in the file util-linux-2.9g.tar.gz on at least one ftp server between January 22, 1999, and January 24, 1999. This Trojan horse could have been distributed to mirror FTP sites.
Within the Trojan horse util-linux distribution the program /bin/login was modified. The modifications included code to send email to an intruder that contains the host name and uid of users logging in. The code was also modified to provide anyone with access to a login prompt the capability of executing commands based on their input at the login prompt. There were no other functional modifications made to the Trojan horse util-linux distribution that we are aware of.
A quick check to ensure you do not have the Trojan horse installed is to execute the following command:
$ strings /bin/login | grep "HELO"
If that command returns the following output, then your machine has the Trojan horse version of util-linux-2.9g installed:
HELO 127.0.0.1
If the above command returns nothing, then you do not have this particular Trojan horse installed.
You cannot rely on the modification date of the file util-linux-2.9g.tar.gz because the Trojan horse version has the same size and time stamp as the original version.
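The following script is an added example and is not part of the advisory. It wraps the /bin/login indicator check above in a reusable function and then shows, on two constructed stand-in files, why the size and time stamp comparison the advisory warns against cannot tell a Trojan copy from the original while a content digest can. Assumptions: a POSIX shell with tr, find, touch -r and mktemp, and either sha256sum or cksum; the "login" files it creates are constructed stand-ins, not real binaries. On a real host, point check_login_indicator at /bin/login.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory: the /bin/login indicator check
# from the util-linux incident as a reusable function, plus a demonstration of
# why size and modification time cannot expose the Trojan copy.
# The two "login" files below are constructed stand-ins, not real binaries.

# Portable stand-in for `strings`: emit every run of printable characters on its
# own line (strings needs binutils; this needs only POSIX tr). Short runs are kept
# too, which does not matter for a grep.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1"
}

# check_login_indicator <file>: prints "INFECTED: <file>" and returns 0 when the
# advisory's indicator string is present, otherwise prints "CLEAN: <file>" and returns 1.
check_login_indicator() {
    if printable_strings "$1" | grep -qF 'HELO 127.0.0.1'; then
        echo "INFECTED: $1"
        return 0
    fi
    echo "CLEAN: $1"
    return 1
}

# file_digest <file>: content digest; sha256sum where present, POSIX cksum otherwise.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# same_size_and_mtime <a> <b>: returns 0 when an "ls -l" glance could not tell the
# two files apart (equal byte count, equal modification time). find -newer avoids
# the non-portable stat(1) flags.
same_size_and_mtime() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ] || return 1
    [ -z "$(find "$1" -newer "$2")" ] && [ -z "$(find "$2" -newer "$1")" ]
}

# build_demo: constructed known-good and Trojan stand-ins of identical length
# (34 bytes each), the copy stamped with the original's mtime as in the real
# incident; prints the directory holding them.
build_demo() {
    d=$(mktemp -d)
    printf 'ELF-stub\0Password: \0PADDINGPADDING' > "$d/login.good"
    printf 'ELF-stub\0Password: \0HELO 127.0.0.1' > "$d/login.trojan"
    touch -r "$d/login.good" "$d/login.trojan"
    echo "$d"
}

demo=$(build_demo)
for f in "$demo/login.good" "$demo/login.trojan"; do
    check_login_indicator "$f" || true
done
if same_size_and_mtime "$demo/login.good" "$demo/login.trojan"; then
    echo "size and mtime are identical: only the content tells them apart"
fi
echo "digest good:   $(file_digest "$demo/login.good")"
echo "digest trojan: $(file_digest "$demo/login.trojan")"
rm -rf "$demo"
```

The digest is only useful if the reference value comes from a trustworthy source, which is why the advisory points to the detached PGP signature for the replacement tarball: verifying util-linux-2.9h.tar.gz.sign against util-linux-2.9h.tar.gz with the Linux Kernel Archives key checks the content, not the time stamp.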
In response to the distribution of this Trojan horse, the authors of util-linux have released util-linux-2.9h.tar.gz. This file is available via anonymous ftp from:
ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz
Be sure to download and verify the PGP signature as well:
ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz.sign
This package can be verified with the "Linux Kernel Archives" PGP Public Key, available from the following URL:
Trojan horses are not new entities. A classic description of a Trojan horse is given in [Thompson]. Additionally, you may wish to review the following documents for background and historical information about Trojan horses.
http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
http://www.cert.org/vul_notes/VN-98.07.backorifice.html
http://www.cert.org/advisories/CA-94.14.trojan.horse.in.IRC.client.for.UNIX.html
http://www.cert.org/advisories/CA-94.07.wuarchive.ftpd.trojan.horse.html
http://www.cert.org/advisories/CA-94.05.MD5.checksums.html
http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html
http://www.cert.org/advisories/CA-90.11.Security.Probes.html
Trojan horses can do anything that the user executing the program has the privileges to do. This includes
If the user has administrative access to the operating system, the Trojan horse can do anything that an administrator can. The Unix 'root' account, the Microsoft Windows NT 'administrator' account, or any user on a single-user operating system has administrative access to the operating system. If you use one of these accounts, or a single-user operating system (e.g., Windows 95 or MacOS), keep in mind the potential for increased impact of a Trojan horse.
A compromise of any system on your network, including a compromise through Trojan horses, may have consequences for the other systems on your network. Particularly vulnerable are systems that transmit authentication material, such as passwords, over shared networks in cleartext or in a trivially encrypted form. This is very common. If a system on such a network is compromised via a Trojan horse (or another method), the intruder may be able to install a network sniffer and record usernames and passwords or other sensitive information as it traverses the network.
Additionally, a Trojan horse, depending on the actions it takes, may implicate your site as the source of an attack and may expose your organization to liability.
Users can be tricked into installing Trojan horses by being enticed or frightened. For example, a Trojan horse might arrive in email described as a computer game. When the user receives the mail, they may be enticed by the description of the game to install it. Although it may in fact be a game, it may also be taking other action that is not readily apparent to the user, such as deleting files or mailing sensitive information to the attacker. As another example, an intruder may forge an advisory from a security organization, such as the CERT Coordination Center, that instructs system administrators to obtain and install a patch.
Other forms of "social engineering" can be used to trick users into installing or running Trojan horses. For example, an intruder might telephone a system administrator and pose as a legitimate user of the system who needs assistance of some kind. The system administrator might then be tricked into running a program of the intruder's design.
Software distribution sites can be compromised by intruders who replace legitimate versions of software with Trojan horse versions. If the distribution site is a central distribution site whose contents are mirrored by other distribution sites, the Trojan horse may be downloaded by many sites and spread quickly throughout the Internet community.
Because the Domain Name System (DNS) does not provide strong authentication, users may be tricked into connecting to sites different from the ones they intend to connect to. This could be exploited by an intruder to cause users to download a Trojan horse, or to cause users to expose confidential information.
Intruders may install Trojan horse versions of system utilities after they have compromised a system. Often, collections of Trojan horses are distributed in toolkits that an intruder can use to compromise a system and conceal their activity after the compromise, e.g., a toolkit might include a Trojan horse version of ls which does not list files owned by the intruder. Once an intruder has gained administrative access to your systems, it is very difficult to establish trust in them again without rebuilding the system from known-good software. For information on recovering after a compromise, please see
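The following script is an added example and is not part of the advisory. It is a minimal version of the file-integrity baseline that tools such as Tripwire maintain, which is the standard defence against the replaced system utilities described above: digest every file of a known-good tree, store the manifest away from the host, and compare later to list what was replaced, removed or added. Assumptions: a POSIX shell with find, awk, sort and mktemp, and either sha256sum or cksum; file paths contain no tabs or newlines; the "bin" directory and its files are constructed stand-ins, and tamper_demo only rewrites those stand-ins to give the check something to find.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory: a minimal file-integrity baseline
# in the spirit of Tripwire. Digest every file of a known-good tree, keep the
# manifest off the host, and compare later to find replaced, removed or added
# utilities. Assumes paths contain no tabs or newlines; the "bin" tree built
# below is a constructed stand-in.

# file_digest <file>: content digest; sha256sum where present, POSIX cksum otherwise.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# make_baseline <dir> <manifest>: one "digest<TAB>path" line per regular file under dir.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(file_digest "$f")" "$f"
      done ) > "$2"
}

# verify_baseline <dir> <manifest>: prints one MODIFIED / MISSING / NEW line per
# discrepancy and returns 1; returns 0 silently when the tree still matches.
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    report=$(awk '
        BEGIN { FS = "\t" }
        NR == FNR { base[$2] = $1; next }           # first file: the stored baseline
        {                                           # second file: the tree as it is now
            seen[$2] = 1
            if (!($2 in base))       print "NEW      " $2
            else if (base[$2] != $1) print "MODIFIED " $2
        }
        END { for (p in base) if (!(p in seen)) print "MISSING  " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# build_demo: constructed stand-in system directory; prints its path.
build_demo() {
    d=$(mktemp -d)
    mkdir "$d/bin"
    printf 'stand-in ls binary\n'    > "$d/bin/ls"
    printf 'stand-in login binary\n' > "$d/bin/login"
    printf 'stand-in ps binary\n'    > "$d/bin/ps"
    echo "$d"
}

# tamper_demo <dir>: the traces a toolkit install leaves, applied to the stand-ins
# only: ls replaced by a same-size file that keeps the old mtime, ps removed,
# an unknown file added. Neither size nor time stamp reveals the first change.
tamper_demo() {
    printf 'replaced ls binary\n' > "$1/bin/ls.new"
    touch -r "$1/bin/ls" "$1/bin/ls.new" && mv "$1/bin/ls.new" "$1/bin/ls"
    rm "$1/bin/ps"
    printf 'unknown tool\n' > "$1/bin/newtool"
}

demo=$(build_demo)
make_baseline "$demo/bin" "$demo/manifest"      # taken while the tree is known-good
verify_baseline "$demo/bin" "$demo/manifest" && echo "baseline verified: no changes"
tamper_demo "$demo"
verify_baseline "$demo/bin" "$demo/manifest" || echo "integrity check failed: see lines above"
rm -rf "$demo"
```

The check is only as trustworthy as the pieces it runs on: the manifest must be written while the system is still known-good and kept where the host cannot alter it, and the shell, find, awk and digest tool used for the comparison should come from read-only media or a clean host, because a toolkit that replaces ls can replace those too.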
A Trojan horse may be inserted into a program by a compiler that is itself a Trojan horse. For more information about such an attack, see [Thompson].
Finally, a Trojan horse may simply be placed on a web site to which the intruder entices victims. The Trojan horse may be in the form of a Java applet, JavaScript, ActiveX control, or other form of executable content.
The best advice with respect to Trojan horses is to avoid them in the first place.
If you do fall victim to a Trojan horse, some anti-virus software may also be able to recognize, remove and repair the damage from the Trojan horse. However, if an intruder gains access to your systems via a Trojan horse, it may be difficult or impossible to establish trust in your systems. In this case, we recommend that you disconnect from the network and rebuild your systems from known-good software, being careful to apply all relevant patches and updates, to change all passwords, and to check other nearby systems. For information on how to rebuild a Unix system after a compromise, please see
[Summers] Summers, Rita C. Secure Computing: Threats and Safeguards. McGraw-Hill, 1997. An online reference is available from the publisher.
[Thompson] Thompson, Ken. "Reflections on Trusting Trust." Communications of the ACM 27(8), pp. 761-763, Aug. 1984; Turing Award lecture.
Our thanks to Andries Brouwer for providing information regarding util-linux and to the many people who reported information about Trojan horse versions of Internet Explorer.
Tripwire is a registered trademark of the Purdue Research Foundation; it is also licensed to Tripwire Security Systems, Inc.
Copyright 1999 Carnegie Mellon University.
Mar. 08, 1999 Minor typographical corrections