CERT Advisory CA-99-02-Trojan-Horses
Original issue date: February 5, 1999
Last Revised:
Systems Affected
Any system can be affected by Trojan horses.
Overview
Over the past few weeks, we have received an increase in the number of incident
reports related to Trojan horses. This advisory includes descriptions
of some of those incidents (Section II), some general information about
Trojan horses (Sections I and V), and advice for system and network administrators,
end users, software developers, and distributors (Section III).
Few software developers and distributors provide a strong
means of authentication for software products. We encourage all software
developers and distributors to do so. Until strong authentication
of software is widely available, the problem of Trojan horses will persist.
In the meantime, users and administrators are strongly encouraged to be
aware of the risks as described in this document.
I. Description
A Trojan horse is an "apparently useful program containing hidden functions
that can exploit the privileges of the user [running the program], with
a resulting security threat. A Trojan horse does things that the program
user did not intend" [Summers].
Trojan horses rely on users to install them, or they can
be installed by intruders who have gained unauthorized access by other
means. In either case, an intruder attempting to subvert a system using a Trojan
horse relies on other users running the Trojan horse in order to succeed.
II. Recent Incidents
Incidents involving Trojan horses include the following:
False Upgrade to Internet Explorer
Recent reports indicate wide distribution of an email message
which claims to be a free upgrade to the Microsoft Internet Explorer web
browser. However, we have confirmed with Microsoft that they do not provide
patches or upgrades via electronic mail, although they do distribute security
bulletins by electronic mail.
The email message contains an attached executable program
called Ie0199.exe. After installation, this program makes several modifications
to the system and attempts to contact other remote systems. We have received
conflicting information regarding the modifications made by the Trojan
horse, which could be explained by the existence of multiple versions
of the Trojan horse.
At least one version of the Trojan horse is accompanied by
a message which reads, in part:

    As an user of the Microsoft Internet Explorer, Microsoft
    Corporation provides you with this upgrade for your web browser. It
    will fix some bugs found in your Internet Explorer. To install the
    upgrade, please save the attached file (ie0199.exe) in some folder
    and run it.

The above message is not from Microsoft!
Please refer to Section III below for general solutions
to Trojan horses.
Trojan Horse Version of util-linux
The util-linux distribution includes several essential utilities
for Linux systems. We have confirmed with the authors of util-linux
that a Trojan horse was placed in the file util-linux-2.9g.tar.gz on
at least one ftp server between January 22, 1999, and January 24, 1999.
This Trojan horse could have been distributed to mirror FTP sites.
Within the Trojan horse util-linux distribution the program
/bin/login was modified. The modifications included code to send email
to an intruder that contains the host name and uid of users logging in.
The code was also modified to provide anyone with access to a login prompt
the capability of executing commands based on their input at the login
prompt. There were no other functional modifications made to the Trojan
horse util-linux distribution that we are aware of.
A quick check to ensure you do not have the Trojan horse
installed is to execute the following command:

    $ strings /bin/login | grep "HELO"

If that command returns the following output, then your machine
has the Trojan horse version of util-linux-2.9g installed:

    HELO 127.0.0.1

If the above command returns nothing, then you do not have
this particular Trojan horse installed.
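The strings-and-grep check above, reimplemented as an added example (not part of the advisory) in Python so it can be run against a copy of the binary taken from any system: extract_strings mimics strings(1) by collecting runs of four or more printable ASCII bytes, and find_marker_strings performs the grep step. The two sample byte strings are constructed for the demonstration and are not real binaries.

```python
import re
import sys
from pathlib import Path
from typing import List

# Marker the advisory gives for the trojaned /bin/login in util-linux-2.9g.
TROJAN_MARKER = "HELO 127.0.0.1"


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Mimic strings(1): return runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_marker_strings(data: bytes, marker: str = TROJAN_MARKER) -> List[str]:
    """The grep step: every extracted string that contains the marker."""
    return [s for s in extract_strings(data) if marker in s]


def check_login_binary(path: str) -> List[str]:
    """Scan a file on disk; a non-empty result means the marker is present."""
    return find_marker_strings(Path(path).read_bytes())


# Constructed sample inputs (not real binaries): an ELF-like header, some
# non-printable padding, and the strings a login program might carry.
CLEAN_SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                + b"login: \x00Password: \x00Login incorrect\x00")
# The "trojaned" sample adds the SMTP greeting the advisory describes.
TROJANED_SAMPLE = CLEAN_SAMPLE + b"\x90\x90\x00HELO 127.0.0.1\x00MAIL FROM:\x00"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/bin/login"
    hits = check_login_binary(target)
    if hits:
        print("%s: marker found %s (treat the system as compromised)" % (target, hits))
    else:
        print("%s: marker not found (this particular Trojan horse is absent)" % target)
```

A hit means the system should be treated as compromised and rebuilt from known-good software, as Section V describes; an empty result rules out only this particular Trojan horse.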
You cannot rely on the modification date of the file util-linux-2.9g.tar.gz
because the Trojan horse version has the same size and time stamp as the
original version.
In response to the distribution of this Trojan horse, the
authors of util-linux have released util-linux-2.9h.tar.gz. This file
is available via anonymous ftp from:
ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz
Be sure to download and verify the PGP signature as well:
ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz.sign
This package can be verified with the "Linux Kernel
Archives" PGP Public Key, available from the following URL:
http://www.kernel.org/signature.html
Previous Trojan Horses
Trojan horses are not new entities. A classic description of a Trojan horse is
given in [Thompson]. Additionally, you may wish to review the following
documents for background and historical information about Trojan horses.
http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html
http://www.cert.org/vul_notes/VN-98.07.backorifice.html
http://www.cert.org/advisories/CA-94.14.trojan.horse.in.IRC.client.for.UNIX.html
http://www.cert.org/advisories/CA-94.07.wuarchive.ftpd.trojan.horse.html
http://www.cert.org/advisories/CA-94.05.MD5.checksums.html
http://www.cert.org/advisories/CA-94.01.ongoing.network.monitoring.attacks.html
http://www.cert.org/advisories/CA-90.11.Security.Probes.html
III. Impact
Trojan horses can do anything that the user executing the program has the
privileges to do. This includes
* deleting files that the user can delete
* transmitting to the intruder any files that the user can read
* changing any files the user can modify
* installing other programs with the privileges of the user, such as
  programs that provide unauthorized network access
* executing privilege-elevation attacks; that is, the Trojan horse can
  attempt to exploit a vulnerability to increase the level of access
  beyond that of the user running the Trojan horse. If this is successful,
  the Trojan horse can operate with the increased privileges.
* installing viruses
* installing other Trojan horses
If the user has administrative access to the operating system,
the Trojan horse can do anything that an administrator can. The Unix 'root'
account, the Microsoft Windows NT 'administrator' account, or any user
on a single-user operating system has administrative access to the operating
system. If you use one of these accounts, or a single-user operating system
(e.g., Windows 95 or MacOS), keep in mind the potential for increased
impact of a Trojan horse.
A compromise of any system on your network, including a compromise
through Trojan horses, may have consequences for the other systems on
your network. Particularly vulnerable are systems that transmit authentication
material, such as passwords, over shared networks in cleartext or in a
trivially encrypted form. This is very common. If a system on such a network
is compromised via a Trojan horse (or another method) the intruder may
be able to install a network sniffer and record usernames and passwords
or other sensitive information as it traverses the network.
Additionally, a Trojan horse, depending on the actions it
takes, may implicate your site as the source of an attack and may expose
your organization to liability.
IV. How Trojan Horses Are Installed
Users can be tricked into installing Trojan horses by being enticed or frightened.
For example, a Trojan horse might arrive in email described as a computer
game. When the user receives the mail, they may be enticed by the description
of the game to install it. Although it may in fact be a game, it may also
be taking other action that is not readily apparent to the user, such
as deleting files or mailing sensitive information to the attacker. As
another example, an intruder may forge an advisory from a security organization,
such as the CERT Coordination Center, that instructs system administrators
to obtain and install a patch.
Other forms of "social engineering" can be used
to trick users into installing or running Trojan horses. For example,
an intruder might telephone a system administrator and pose as a legitimate
user of the system who needs assistance of some kind. The system administrator
might then be tricked into running a program of the intruder's design.
Software distribution sites can be compromised by intruders
who replace legitimate versions of software with Trojan horse versions.
If the distribution site is a central distribution site whose contents
are mirrored by other distribution sites, the Trojan horse may be downloaded
by many sites and spread quickly throughout the Internet community.
Because the Domain Name System (DNS) does not provide strong
authentication, users may be tricked into connecting to sites different
from the ones they intend to connect to. This could be exploited by an
intruder to cause users to download a Trojan horse, or to cause users
to expose confidential information.
Intruders may install Trojan horse versions of system utilities
after they have compromised a system. Often, collections of Trojan horses
are distributed in toolkits that an intruder can use to compromise a system
and conceal their activity after the compromise, e.g., a toolkit might
include a Trojan horse version of ls which does not list files owned by
the intruder. Once an intruder has gained administrative access to your
systems, it is very difficult to establish trust in it again without rebuilding
the system from known-good software. For information on recovering after
a compromise, please see
http://www.cert.org/tech_tips/root_compromise.html
A Trojan horse may be inserted into a program by a compiler
that is itself a Trojan horse. For more information about such an attack
see [Thompson].
Finally, a Trojan horse may simply be placed on a web site to
which the intruder entices victims. The Trojan horse may be in the form
of a Java applet, JavaScript, ActiveX control, or other form of executable
content.
V. Solutions
The best advice with respect to Trojan horses is to avoid them in the first place.
* System administrators (including the users
of single-user systems) should take care to verify that every piece of
software that is installed is from a trusted source and has not been modified
in transit. When digital signatures are provided, users are encouraged
to validate the signature (as well as validating the public key of the
signer). When digital signatures are not available, you may wish to acquire
software on tangible media such as CDs, which bear the manufacturer's
logo. Of course, this is not foolproof either. Without a way to authenticate
software, you may not be able to tell if a given piece of software is
legitimate regardless of the distribution media.
* We strongly encourage software developers and
software distributors to use cryptographically strong validation for all
software they produce or distribute. Any popular technique based on algorithms
that are widely believed to be strong will provide users a strong tool
to defeat Trojan horses.
* Anyone who invests trust in digital signatures
must also take care to validate any public keys that may be associated
with the signature. It is not enough for code merely to be signed -- it
must be signed by a trusted source.
* Do not execute anything sent to you via unsolicited
electronic mail.
* Use caution when executing content such as
Java applets, JavaScript, or Active X controls from web pages. You may
wish to configure your browser to disable the automatic execution of web
page content.
* Apply the principle of least privilege in daily
activity: do not retain or employ privileges that are not needed to accomplish
a given task. For example, do not run with enhanced privilege, such as
"root" or "administrator" for ordinary tasks such
as reading email.
* Install and configure a tool such as Tripwire
that will allow you to detect changes to system files in a cryptographically
strong way. Note, however, that Tripwire is
not a foolproof guard against Trojan horses. For example, see
http://www.cert.org/vul_notes/VN-98.02.kernel_mod.html
* Educate your users regarding the danger of
Trojan horses.
* Use firewalls and virus products that are aware
of popular Trojan horses. Although it is impossible to detect all possible
Trojan horses using a firewall or virus product (because a Trojan horse
can be arbitrary code), they may aid you in preventing many popular Trojan
horses from affecting your systems.
* Review the source code to any open source products
you choose to install. Open source software has an advantage compared
to proprietary software that the source code can be widely reviewed and
any obvious Trojan horses will probably be discovered very quickly. However,
open source software also tends to be developed by a wide variety of people
with little or no central control. This makes it difficult to establish
trust in a single entity. Keep in mind that reviewing source code may
be impractical at best, and that some Trojan horses may not be evident
from a review of the source as described in [Thompson].
* Adopt the use of cryptographically strong mutual
authentication systems such as ssh for terminal emulation, X.509 public
key certificates in web servers, S/MIME or PGP for electronic mail, and
Kerberos for a variety of services. Avoid the use of systems that trust
the domain name system for authentication, such as telnet, ordinary http
(as opposed to https), ftp, or smtp, unless your network is specifically
designed to support that trust.
* Do not rely on timestamps, file sizes, or other
file attributes when trying to determine if a file contains a Trojan horse.
* Exercise caution when downloading unauthenticated
software. If you choose to install software that has not been signed by
a trusted source, you may wish to wait for a period of time before installing
it in order to see if a Trojan horse is discovered.
* We encourage all security organizations to
digitally sign any advisories or other alerts. We also recommend that
users validate any signatures and beware of unsigned security advice.
The CERT Coordination Center signs all ASCII copies of our advisories
with our PGP key.
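As an added example (not from the advisory), the following Python script shows why the advice above not to rely on timestamps or file sizes matters, and what a Tripwire-style cryptographic check adds: it baselines a constructed sample "login" file, replaces its contents with a same-length substitute, resets the modification time to the original (as the util-linux Trojan horse preserved size and time stamp), and shows that only the SHA-256 digest reveals the change. The file path and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict


def snapshot(path: str) -> Dict[str, object]:
    """Record what an administrator might compare: size, mtime, and a SHA-256 digest."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def changed_by_metadata(before: Dict[str, object], after: Dict[str, object]) -> bool:
    """The weak check: size and timestamp only (what a directory listing shows)."""
    return before["size"] != after["size"] or before["mtime_ns"] != after["mtime_ns"]


def changed_by_digest(before: Dict[str, object], after: Dict[str, object]) -> bool:
    """The strong check: a cryptographic digest of the file contents."""
    return before["sha256"] != after["sha256"]


def demo() -> Dict[str, bool]:
    """Simulate a replacement that preserves size and time stamp, as in the util-linux case."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "login")  # constructed sample path, not a real binary
        original = b"constructed sample: legitimate login program contents\n"
        with open(path, "wb") as f:
            f.write(original)
        baseline = snapshot(path)

        # Constructed "trojaned" contents, padded to exactly the original length.
        tampered = b"constructed sample: HELO 127.0.0.1".ljust(len(original), b"\x00")
        with open(path, "wb") as f:
            f.write(tampered)
        # The intruder restores the original modification time.
        os.utime(path, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))

        current = snapshot(path)
        return {
            "metadata_detects": changed_by_metadata(baseline, current),
            "digest_detects": changed_by_digest(baseline, current),
        }


if __name__ == "__main__":
    print(demo())  # expected: metadata_detects False, digest_detects True
```

For the digest check to mean anything, the baseline must be taken from known-good software and stored where an intruder with administrative access cannot rewrite it, which is the limitation the VN-98.02 note above illustrates.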
If you do fall victim to a Trojan horse, some anti-virus
software may also be able to recognize, remove and repair the damage from
the Trojan horse. However, if an intruder gains access to your systems
via a Trojan horse, it may be difficult or impossible to establish trust
in your systems. In this case, we recommend that you disconnect from the
network and rebuild your systems from known-good software being careful
to apply all relevant patches and updates, to change all passwords, and
to check other nearby systems. For information on how to rebuild a Unix
system after a compromise, please see
http://www.cert.org/tech_tips/root_compromise.html
References
[Summers] Summers, Rita C., Secure Computing: Threats and Safeguards,
McGraw-Hill, 1997. An online reference is available from the publisher.
[Thompson] Thompson, Ken, "Reflections on Trusting Trust,"
Communications of the ACM 27(8), pp. 761-763 (Aug. 1984); Turing Award
lecture.
Acknowledgment
Our thanks to Andries Brouwer for providing information regarding util-linux and
to the many people who reported information about Trojan horse versions
of Internet Explorer.
Tripwire is a registered trademark of the Purdue Research
Foundation, and it is also licensed to VCC.
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-99-02-Trojan-Horses.html.
______________________________________________________________________
CERT/CC Contact Information
Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
Monday through Friday; they are on call for emergencies during other
hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from http://www.cert.org/CERT_PGP.key.
If you prefer to use DES, please call the CERT hotline for more
information.
Getting security information
CERT publications and other security information are available from our web
site http://www.cert.org/.
To be added to our mailing list for advisories and bulletins,
send email to cert-advisory-request@cert.org
and include SUBSCRIBE your-email-address in the subject of your message.
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information
can be found in http://www.cert.org/legal_stuff.html.
* "CERT" and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and
the Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind, either
expressed or implied as to any matter including, but not limited to, warranty
of fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from patent,
trademark, or copyright infringement.
______________________________________________________________________