Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Hacking Techniques :: ciacl077.txt

CIAC L-077 - Glacier Backdoor




-----BEGIN PGP SIGNED MESSAGE-----


             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                              The Glacier Backdoor

April 27, 2001 23:00 GMT                                          Number L-077
______________________________________________________________________________
PROBLEM:       The Glacier backdoor program allows an intruder to remote 
               control a Windows computer. The intruder can see the desktop, 
               click on files, and type on the keyboard of the remote 
               computer. 
PLATFORM:      Windows computers: Windows NT and Windows NT Server. Possibly 
               also on Windows 95,98,ME, and Windows 2000. 
DAMAGE:        An intruder can remote control a system. He can access any 
               file, run code, type on the keyboard and generally do whatever 
               he wants on a system. The intruder could capture the passwords 
               of any system you log into and send mail as you using your 
               e-mail program. 
SOLUTION:      Some antivirus programs detect this program. Do not run 
               attachments to e-mail messages or download and run executables 
               from hacker sites. The server program must be delivered to and 
               run on the machine being attacked. To remove the code, delete 
               the files and reset the registry keys as described in this 
               bulletin. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. While the package gives an intruder full 
ASSESSMENT:    control of a system, the server must be downloaded and run on 
               that system by the system owner or the system must be broken 
               into by some other method and the server installed. 
______________________________________________________________________________

CIAC has information that the Glacier Backdoor/Remote Control program is being 
used to compromise sites on the Internet. Glacier is a backdoor/remote control 
program with capabilities that are similar to Back Orifice. After a Glacier 
server is installed on a host the Glacier client is used on a remote host 
to control the server. The screen of the server system can be seen on the 
client system. The client can move the mouse pointer on the server and typing 
on the client's keyboard appears on the server as if it were typed on the 
server's keyboard. Other options include changing the registry, initiating 
dialog boxes, collecting keystrokes, simulating errors, and shutting down the 
server. 

The server software can be delivered to a machine as an attachment on an e-mail 
message or as a download from a web or ftp site. Running the server installs it.

After installation, the server attempts to phone home to smtp.sina.com, a 
Chinese language mail server. 

The server installs itself in two places and changes several keys in the 
registry to restart it whenever the server is restarted and whenever an 
executable program is run. 

Operation of Glacier
====================

The Glacier Server
- ------------------

The default name of the Glacier server program is G_server.exe though that 
could be changed by an intruder to any provocative name that might get you 
to run it. When the Glacier server program is run on a host, it makes two 
copies of itself. 

    %SystemFile%\System32\Update.exe 
    %SystemFile%\System32\SysSet.exe 

where %SystemFile% resolves to the path to the current system directory 
(c:\Windows or c:\Winnt on most systems). Glacier then makes changes to the 
registry to insure that it is restarted whenever a system is rebooted or an 
executable file is run. It adds the value:

    WindowsUpdate = C:\WINNT\System32\UPDATE.EXE 

to the registry keys:  

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The path in the value points to where the Update.exe program was saved. These 
two changes try twice to run update.exe whenever the system is rebooted.

The server then modifies the following key:

    HKEY_CLASSES_ROOT\exefile\shell\open\command

from

    "%1" %*

to

    "c:\winnt\system32\sysset.exe" "%1" %*

This change causes sysset.exe to be run whenever any .exe file is run. 
Keep this in mind when cleaning up a system as running any executable 
program notepad.exe, regedit.exe, etc., runs the backdoor program again.

The server then modifies the following key:

    HKEY_CLASSES_ROOT\txtfile\shell\open\command

from

    %SystemRoot%\system32\notepad.exe %1

to

    NotePad.exe %1

This change does not do anything useful (for the backdoor) that we can see. 
It may be something the backdoor writer was going to implement but didn't. 
The system next does a query for smtp.sina.com, a Chinese language mail 
server. If it gets an IP address for this site, we believe it will send a 
mail message to that site advertising the address of the compromised system 
to a mail user on that server.

The server then starts listening on port 7626 for connections from a 
Glacier client.

The Glacier Client
- ------------------

The Glacier client has the Chinese language GUI interface shown below. 
Note that the GUI is run on an English language system so the Chinese
characters appear as unicode characters. The disks and documents showing in 
the window are files on the server system.

   *****Image of the Glacier GUI Interface*******
 
The client contains a scanner for searching subnets for systems with the 
Glacier client listening on port 7626. It also contains commands for 
configuring the glacier server, including changing the port it listens 
on and adding a password for connections. The small window on the lower 
left of the image above shows the server machine being controlled. That 
window can be enlarged to full size and then mouse clicks in that window 
are executed on the server machine as is any typing on the keyboard. The 
small window at bottom center controls the special keys on the keyboard.

Other options in the client include setting the port and password used to 
contact the server, commands to change the registry, and various commands 
to display dialog boxes, shut down the server and so forth. Note that the 
commands are listed in the Unicode values of the Chinese characters so 
determining what the commands do had to be done on a trial and error basis 
on a U.S. localized system.

Detecting Glacier
=================

If you have been infected with the Glacier server program, you will likely 
notice a significant system slowdown, especially in systems with older, 
slower CPUs. A Pentium 90 system slowed to a crawl when the server was run 
on it. 

On a Windows NT system, open the task manager and look for update.exe, 
sysset.exe or G_server.exe in the process list. Finding update.exe in the 
task list is not a sure detection of Glacier as there is a real update.exe 
program that handles Windows Internet Explorer updates. The second place to 
look is in the \windows\system32 (or \winnt\system32) directory for sysset.exe 
and update.exe. Again, update.exe may exist on normal systems. The backdoor 
program has a length of 261KB. Right click on the program and select 
Properties. In the Properties dialog box for the file, select the Version tab 
and click on the Language item in the Other Version Information list. If the 
language is "Chinese (PRC)" on English language systems, this is probably the 
backdoor program. 

You can also check the registry keys mentioned above. From the start menu, 
select Run and run regedit. In the Regedit window, select the path:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 

If the value WindowsUpdate exists in this key and has a value that points 
to update.exe you can be pretty sure that you have the Glacier server 
installed on your system.

Removing Glacier
================

Removing Glacier involves reversing the steps that Glacier took when it 
installed itself. Note that these steps involve editing the registry and 
errors in editing the registry can make a system unbootable so be very 
careful when doing so. 

Because of the changes Glacier has made to the registry, running Regedit 
will restart the server so you must perform these steps in the correct order.

1. Start Regedit by clicking on the Start button, selecting Run, typing 
   regedit.exe and clicking OK. 

2. In a Windows Explorer window, open the \windows\system32 or 
   \winnt\system32 directory depending on what kind of a system you have. 

3. Open the TaskManager and kill any processes named update.exe, sysset.exe,
   or G_server.exe. 

4. In the System32 directory, find and delete update.exe and sysset.exe. 

5. In regedit, open the following two keys and delete the WindowsUpdate 
   values.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices 

6. Open the following key

    HKEY_CLASSES_ROOT\exefile\shell\open\command

   change the default (unnamed) value to: "%1" %*

   Be careful here as a mistake will make it impossible to run any .exe file. 
   Note that there is a single space between the second double quote and the 
   second percent sign, that is: "%1"<space>%* 

7. Open the following key

    HKEY_CLASSES_ROOT\txtfile\shell\open\command

   change the default (unnamed) value to: 

    "%SystemRoot%\system32\notepad.exe" %1 

8. Don't quit regedit yet. Try to run any .exe application such as 
   notepad.exe by double clicking on it in an Explorer window. If it 
   runs, great, if not, switch back to the regedit window and check your 
   changes to the registry. Don't quit regedit until you can start an .exe 
   application. 

9. When everything works, quit regedit and reboot the system. After the system
   is finished rebooting, check that the files are still gone from the system32
   directory and that the registry keys are still how you set them. If they 
   have changed back to the backdoor values, you missed something or did 
   something out of order and reinstalled the backdoor. Keep trying until the 
   files go away and stay away. 

- ----------------------------------------------------------------------------
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-067: Linux worm Adore
L-068: Cisco VPN3000 Concentrator TELNET Vulnerability
L-069: Cisco Content Services Switch User Account Vulnerability
L-070: FTP Filename Expansion Vulnerability
L-071: Various Vendors' Network Time Protocol (NTP) Vulnerability
L-072: Cisco Catalyst 5000 Series 802.1x Vulnerability
L-073: Microsoft ISA Web Proxy Service Denial of Service
L-074: Microsoft WebDAV Runs Scripts As User
L-075: FreeBSD IPFilter May Incorrectly Pass Packets
L-076: Red Hat Ptrace and Exec Race Conditions


-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2

iQCVAwUBOuoJ8bnzJzdsy3QZAQFwuAP/cjbqtaHjOsxWtHADW9tPMGpTo+ic8nPp
0GW5lAW0tdO2hCQZV5kvRtpOkwE6ojy3dh0Ck96jNbrNPRaxe7S3eHBFde1xS2bE
5fNrQ56DNmZTUOSp5oLnFwimjq7RGyzt8k9MAnca0x8A1wjti75vQOJGRY0zZuVn
QHPNZdvxP+4=
=sHnK
-----END PGP SIGNATURE-----


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH