Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
HTML


<h2>Windows Based DDOS Agents</h2>
<b>Updated:</b> Tuesday, October 3, 2000<br/>
<b>Date:</b> Monday February 28, 2000<hr/>
<b>Description:</b><p>

We have received reports indicating intruders are beginning to deploy
and utilize windows based denial of service agents to launch
distributed denial of service attacks. 

On Feburary 16th we began receiving reports of a program called
"service.exe" that appears to be a Windows version of <a href="http://www.cert.org/incident_notes/IN-99-07.html#trinoo">trinoo</a>.
This program listens on UDP port 34555. More details about this tool
are available on Gary Flynn's web site at:

<dl><dd>
<a href="http://www.jmu.edu/computing/info-security/engineering/issues/wintrino.shtml">
   http://www.jmu.edu/computing/info-security/engineering/issues/wintrino.shtml</a>
</dd></dl>

We have seen two almost identical versions of the "service.exe"
program to date (they vary by 12 bytes but produce the same results
for strings(1)). The binaries we have seen have one of the following
MD5 checksums:<p>
<dl>
<dd>MD5 (service.exe) = 03fe58987d7dc07e736c13b8bee2e616</dd>
<dd>MD5 (service.exe) = 1d45f8425ef969eba40091e330921757</dd>
</dl><p>

In at least one incident, machines runing the "service.exe" program
were also running <a href="http://www.cert.org/vul_notes/VN-98.07.backorifice.html">backoriface</a>.
We have also received reports of administrators finding other "remote
administration" intruder tools on machines that were running
"service.exe".<p>

Note that the tool <a href="http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html">TFN2K</a>,
first released in December 1999, will run on Windows NT. The
existance of distributed denial of service tools for Windows platforms
is not new; however, we are beginning to receive reports of these
tools being installed on compromised systems.

<p><b>Impact:</b><p>

Windows machines have been used as intermediaries in various types of
denial of service attacks for years; however, the development and
deployment of the technology to use Windows machines as agents in a
distributed denial of service attacks represents an overall increase
in the threat of denial of service attacks.

<p><b>Solution:</b><p>

Standard safe computing practices will prevent intruders from
installing the service.exe program on your machine(s).<p>
<ul>
<li>Don't run programs of unknown origin, regardless of who sent you the
program. Likewise, don't send programs of unknown origin to your
friends or coworkers simply because they are amusing -- it might be a
Trojan horse.</li>
<li>Before opening any email attachments, be sure you know what the
source of the attachment was. It is not enough that the mail
originated from an address you recognize. The Melissa virus spread
precisely because it originated from a familiar address. Malicious
code might be distributed in amusing or enticing programs. If you must
open an attachment before you can verify the source, do so in an
isolated environment. If you are unsure how to proceed, contact your
local technical support organization.</li>
<li>Be sure your <a href="http://www.cert.org/other_sources/viruses.html#VI">
anti-virus software</a> is, and remains, up-to-date.</li>
<li>Some products, such as Microsoft Office, Lotus Notes and others,
include the ability to execute code embedded in documents. For any
such products you use, disable the automatic execution of code
embedded in documents. For example, in Microsoft Word 97, enable the
"Macro Virus Protection" feature by choosing Tools-&gt;Options-&gt;General
and selecting the appropriate checkbox. In Lotus Notes 4.6, set a
restrictive Execution Control List (ECL) by setting the options found
in File-&gt;Tools-&gt;User Preferences-&gt;Security Options to restrict the
execution of code to trusted signers. For other products, consult your
documentation.</li>
<li>Use data-integrity tools. <a href="http://www.cert.org/other_sources/viruses.html#V">Data-integrity
tools</a> use strong cryptography to help you determine which files,
if any, may have changed on a system. This may be crucial information
to determine the most appropriate response to a security event. The
use of these tools requires that they be installed before a security
event has taken place.</li>
<li>Avoid the use of MIME types that cause interpreters or shells to
be invoked.</li>
<li>Be aware of the risks involved in the use of "mobile code" such as
Active X, Java, and JavaScript. It is often the case that electronic
mail programs use the same code that web browsers use to render
HTML. Vulnerabilities that affect ActiveX, Java, and Javascript often
are applicable to electronic mail as well as web pages.</li>
</ul><p>
<b>Author:</b> Jed Pickel<br/>
<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>
<p>Copyright 2000 Carnegie Mellon University.</p>



<!--#include virtual="/cert/include/footer.html"--></p></p></p></p></p></p></p></p></p></p>