The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>W32/Leaves: Exploitation of previously installed SubSeven Trojan Horses</h2>

Release Date: July 3, 2001<br/>
<a name="affected">
<h3>Systems Affected</h3>
<ul>
<li>Systems running Microsoft Windows (all versions)</li>
</ul>
<a name="overview">
<h2>Overview</h2>
<p>


The CERT/CC has received an increasing number of reports of compromised home user machines running Microsoft Windows.
Most of these reports involve the intruder tool SubSeven.  SubSeven is often delivered as a
<a href="http://www.cert.org/advisories/CA-1999-02.html">Trojan horse</a>,
and once installed it allows an intruder to deliver and execute any custom
payload and run arbitrary commands on the affected machine.  This control includes
the ability to read, modify, and delete confidential information.  Additionally, the intruder
may use the affected computer as
a launching point for further attacks (for example, denial of service).

<p>
While we believe that this level of intruder activity is not unusual, additional concern
may be warranted in light of a new, emerging class of "malware" such as W32/Leaves.
W32/Leaves appears to be
representative of a class of self-replicating, malicious code that automatically scans
for hosts with these toolkits installed and leverages the backdoor (in this case, SubSeven) for further
malicious activity.  A backdoor installed on a host by one intruder can
now be used by another without any prior communication or intent to
collaborate between the two intruders.

<p>
Additional analysis of W32/Leaves performed by the NIPC can be found at
<dl><dd>
<a href="http://www.nipc.gov/warnings/advisories/2001/01-014.htm">http://www.nipc.gov/warnings/advisories/2001/01-014.htm</a>
</dd></dl>
<h2>Mitigation</h2>

To protect against this class of attack, the CERT/CC recommends installing
and maintaining defensive software.

<blockquote>
<h4>1. Install and Maintain Anti-Virus Software</h4>

The CERT/CC strongly recommends using anti-virus software.  Most
current anti-virus software products are able to detect and
alert the user that an intruder is attempting to install a
Trojan horse program or that one has already been installed.

<p>
In order to ensure the
continued effectiveness of such products, it is important to keep them
up to date with current virus and attack signatures supplied by the
original vendors. Many anti-virus packages support automatic updates
of virus definitions. We recommend using these automatic updates
when available.

<h4>2. Deploy a Firewall</h4>

The CERT/CC also recommends using a firewall product, such as a
network appliance or a personal firewall software package.  In some
situations, these products may be able to alert users to the fact that
their machine has been compromised.  Furthermore, they can
block intruders from reaching backdoors over the network: a firewall
that denies unsolicited inbound connections by default keeps a scanner
such as W32/Leaves from connecting to a backdoor that is already
listening on the host.  However, no firewall can detect or stop all
attacks, so it is important to continue to follow safe computing practices.

<p>
For additional information about securing home systems and networks,
please see the "Home Network Security" tech tip at

<a href="http://www.cert.org/tech_tips/home_networks.html">
http://www.cert.org/tech_tips/home_networks.html</a>
</p></p></blockquote>
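As an added example that is not part of the original incident note, the following Python script shows the kind of check a practitioner would run on a suspect Windows host, or over saved <tt>netstat -an</tt> output collected from several hosts, to find a listening backdoor of the sort that W32/Leaves scans for. It assumes the Windows <tt>netstat -an</tt> text format, an illustrative allowlist of ports the host is expected to listen on, and default port numbers (27374 for SubSeven, 12345 for NetBus) that the note itself does not state and that a reconfigured toolkit need not use; the sample output is constructed.

```python
"""Triage a Windows ``netstat -an`` listing for unexpected or known-backdoor listeners.

Added example, not part of the CERT incident note.  Assumptions: input is the
text printed by Windows ``netstat -an``; EXPECTED_LISTENERS and
KNOWN_BACKDOOR_PORTS are illustrative values to be tuned per host.
"""
import re
from dataclasses import dataclass

# Ports this particular host is expected to listen on (assumed for the example).
EXPECTED_LISTENERS = {135, 139, 445}

# Default ports historically associated with remote-access Trojans.  The note
# names no port numbers; these are assumptions for triage, and a backdoor can
# be rebound to any port, so a miss here proves nothing.
KNOWN_BACKDOOR_PORTS = {27374: "SubSeven (default)", 12345: "NetBus (default)"}

# Constructed sample output in the Windows ``netstat -an`` format.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1046      192.168.1.20:445       ESTABLISHED
  TCP    192.168.1.20:27374     10.0.0.7:3921          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One netstat row: protocol, local socket, foreign socket, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    port: int
    local: str
    reason: str


def _split_addr(addr: str):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def triage_netstat(text: str):
    """Return Findings for network-reachable listeners that are unexpected or
    sit on a known backdoor port, plus live sessions on such ports."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "TCP":
            continue  # header lines and UDP rows are out of scope here
        host, port = _split_addr(m.group("local"))
        state = m.group("state")
        if state == "LISTENING":
            if host.startswith("127.") or host == "[::1]":
                continue  # loopback-only listener is unreachable from the network
            if port in KNOWN_BACKDOOR_PORTS:
                findings.append(Finding(port, m.group("local"),
                                        f"known backdoor port: {KNOWN_BACKDOOR_PORTS[port]}"))
            elif port not in EXPECTED_LISTENERS:
                findings.append(Finding(port, m.group("local"), "unexpected listener"))
        elif state == "ESTABLISHED" and port in KNOWN_BACKDOOR_PORTS:
            # A live session on a backdoor port: someone is already using it.
            findings.append(Finding(port, m.group("local"),
                                    f"active session on backdoor port from {m.group('remote')}"))
    return findings


if __name__ == "__main__":
    for f in triage_netstat(SAMPLE_NETSTAT):
        print(f"{f.local:<24} port {f.port:<6} {f.reason}")
```

A match is a lead, not proof, and an unexplained listener on any port deserves the recovery steps below. Because a compromised system's own tools may have been replaced, run the listing from a known-clean environment where possible rather than trusting the host's <tt>netstat</tt>.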

If these protective measures reveal that the machine has already
been compromised, more drastic steps need to be taken to recover.
When a computer is compromised, any installed software could have been
modified, including the operating system, applications, data files,
and memory. In general, the only way to ensure that a compromised
computer is free from backdoors and intruder modifications is to
re-install the operating system from the distribution media and install
vendor-recommended security patches before connecting back to the
network. Merely identifying and fixing the vulnerability that was used
to initially compromise the machine is not enough, since the backdoor
and any other changes the intruder made would remain in place.
<p>
For detailed information about recovering from a system compromise,
please see our "Steps for Recovering from a UNIX or NT System Compromise"
tech tip at
<dl><dd>
<a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">http://www.cert.org/tech_tips/win-UNIX-system_compromise.html</a>
</dd></dl>
<h2>Reporting</h2>

The CERT/CC is interested in receiving reports of this activity.  If machines
under your administrative control are compromised, please send mail to 
<a href="mailto:cert@cert.org?Subject=[CERT%2328548]">cert@cert.org</a> with the following text included
in the subject line: "[CERT#28548]".

<p>
In addition, please see our explicit guidelines on reporting an incident 
at
<dl><dd>
<a href="http://www.cert.org/tech_tips/incident_reporting.html">http://www.cert.org/tech_tips/incident_reporting.html</a>
</dd></dl>
<p>
<p>
<hr noshade="" width="100%"/>
<b>Authors</b>: Roman Danyliw, Chad Dougherty and Allen Householder<br/>
<hr noshade="" width="100%"/>
<h2>CERT/CC Contact Information</h2>
<dl>
<b>Email:</b> <a href="mailto:cert@cert.org">cert@cert.org</a><br/>
<b>Phone:</b> +1 412-268-7090 (24-hour hotline)<br/>
<b>Fax:</b> +1 412-268-6989<br/>
<b>Postal address:</b><br/>
<dd>
CERT Coordination Center<br/>
Software Engineering Institute<br/>
Carnegie Mellon University<br/>
Pittsburgh PA 15213-3890<br/>
U.S.A.<br/>
</dd></dl>

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
<p>
<h4>Using encryption</h4>
<p>We strongly urge you to encrypt sensitive information sent by
email.  Our public PGP key is available from<p>
<ul>
<a href="http://www.cert.org/CERT_PGP.key">http://www.cert.org/CERT_PGP.key</a>
</ul>

If you prefer to use DES, please call the CERT hotline for more
information.<p>
<h4>Getting security information</h4>

CERT publications and other security information are available from
our web site<p>
<ul>
<a href="http://www.cert.org/">http://www.cert.org/</a>
</ul>

To subscribe to the CERT mailing list for advisories and bulletins, send email to
<a href="mailto:majordomo@cert.org">majordomo@cert.org</a>. Please include in the body of your
message<br/>
<p><tt>subscribe cert-advisory</tt>
<p>

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.<p>
<hr noshade="" width="100%"/>
<b><u>NO WARRANTY</u></b><br/>
<b>Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.</b>
<hr/>
<a href="http://www.cert.org/legal_stuff.html">Conditions for use, disclaimers, and sponsorship information</a><p>
<p>Copyright 2001 Carnegie Mellon University.</p>
<p>Revision History
<pre>
July 3, 2001: Initial Release
</pre>
</p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></p></a></a>