-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
INFORMATION BULLETIN
The Glacier Backdoor
April 27, 2001 23:00 GMT Number L-077
______________________________________________________________________________
PROBLEM: The Glacier backdoor program allows an intruder to remotely
control a Windows computer. The intruder can see the desktop,
click on files, and type on the keyboard of the remote
computer.
PLATFORM: Windows computers: Windows NT and Windows NT Server. Possibly
also on Windows 95,98,ME, and Windows 2000.
DAMAGE: An intruder can remotely control a system. He can access any
file, run code, type on the keyboard and generally do whatever
he wants on a system. The intruder could capture the passwords
of any system you log into and send mail as you using your
e-mail program.
SOLUTION: Some antivirus programs detect this program. Do not run
attachments to e-mail messages or download and run executables
from hacker sites. The server program must be delivered to and
run on the machine being attacked. To remove the code, delete
the files and reset the registry keys as described in this
bulletin.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. While the package gives an intruder full
ASSESSMENT: control of a system, the server must be downloaded and run on
that system by the system owner or the system must be broken
into by some other method and the server installed.
______________________________________________________________________________
CIAC has information that the Glacier Backdoor/Remote Control program is being
used to compromise sites on the Internet. Glacier is a backdoor/remote control
program with capabilities that are similar to Back Orifice. After a Glacier
server is installed on a host, the Glacier client is used on a remote host
to control the server. The screen of the server system can be seen on the
client system. The client can move the mouse pointer on the server, and typing
on the client's keyboard appears on the server as if it were typed on the
server's keyboard. Other options include changing the registry, initiating
dialog boxes, collecting keystrokes, simulating errors, and shutting down the
server.
The server software can be delivered to a machine as an attachment on an e-mail
message or as a download from a web or ftp site. Running the server installs it.
After installation, the server attempts to phone home to smtp.sina.com, a
Chinese language mail server.
The server installs itself in two places and changes several keys in the
registry so that it is restarted whenever the system is rebooted and whenever
any executable program is run.
Operation of Glacier
====================
The Glacier Server
- ------------------
The default name of the Glacier server program is G_server.exe, though that
could be changed by an intruder to any enticing name that might get you
to run it. When the Glacier server program is run on a host, it makes two
copies of itself:
%SystemFile%\System32\Update.exe
%SystemFile%\System32\SysSet.exe
where %SystemFile% resolves to the path to the current system directory
(c:\Windows or c:\Winnt on most systems). Glacier then makes changes to the
registry to ensure that it is restarted whenever the system is rebooted or an
executable file is run. It adds the value:
WindowsUpdate = C:\WINNT\System32\UPDATE.EXE
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The path in the value points to where the Update.exe program was saved. These
two changes try twice to run update.exe whenever the system is rebooted.
The server then modifies the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
from
"%1" %*
to
"c:\winnt\system32\sysset.exe" "%1" %*
This change causes sysset.exe to be run whenever any .exe file is run.
Keep this in mind when cleaning up a system: running any executable
program (notepad.exe, regedit.exe, etc.) runs the backdoor program again.
The server then modifies the following key:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
from
%SystemRoot%\system32\notepad.exe %1
to
NotePad.exe %1
This change does not do anything useful (for the backdoor) that we can see.
It may be something the backdoor writer was going to implement but didn't.
The server next does a DNS query for smtp.sina.com, a Chinese language mail
server. If it gets an IP address for this site, we believe it will send a
mail message to that site advertising the address of the compromised system
to a mail user on that server.
The server then starts listening on port 7626 for connections from a
Glacier client.
The Glacier Client
- ------------------
The Glacier client has the Chinese-language GUI shown below.
Note that the GUI was run on an English language system, so the Chinese
characters appear as Unicode characters. The disks and documents showing in
the window are files on the server system.
*****Image of the Glacier GUI Interface*******
The client contains a scanner for searching subnets for systems with the
Glacier server listening on port 7626. It also contains commands for
configuring the Glacier server, including changing the port it listens
on and adding a password for connections. The small window on the lower
left of the image above shows the server machine being controlled. That
window can be enlarged to full size and then mouse clicks in that window
are executed on the server machine as is any typing on the keyboard. The
small window at bottom center controls the special keys on the keyboard.
Other options in the client include setting the port and password used to
contact the server, commands to change the registry, and various commands
to display dialog boxes, shut down the server and so forth. Note that the
commands are listed in the Unicode values of the Chinese characters so
determining what the commands do had to be done on a trial and error basis
on a U.S. localized system.
Detecting Glacier
=================
If you have been infected with the Glacier server program, you will likely
notice a significant system slowdown, especially in systems with older,
slower CPUs. A Pentium 90 system slowed to a crawl when the server was run
on it.
On a Windows NT system, open the task manager and look for update.exe,
sysset.exe or G_server.exe in the process list. Finding update.exe in the
task list is not a sure detection of Glacier as there is a real update.exe
program that handles Windows Internet Explorer updates. The second place to
look is in the \windows\system32 (or \winnt\system32) directory for sysset.exe
and update.exe. Again, update.exe may exist on normal systems. The backdoor
program has a length of 261KB. Right click on the program and select
Properties. In the Properties dialog box for the file, select the Version tab
and click on the Language item in the Other Version Information list. If the
language is "Chinese (PRC)" on English language systems, this is probably the
backdoor program.
You can also check the registry keys mentioned above. From the start menu,
select Run and run regedit. In the Regedit window, select the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
If the value WindowsUpdate exists in this key and has a value that points
to update.exe you can be pretty sure that you have the Glacier server
installed on your system.
Removing Glacier
================
Removing Glacier involves reversing the steps that Glacier took when it
installed itself. Note that these steps involve editing the registry and
errors in editing the registry can make a system unbootable so be very
careful when doing so.
Because of the changes Glacier has made to the registry, running Regedit
will restart the server so you must perform these steps in the correct order.
1. Start Regedit by clicking on the Start button, selecting Run, typing
regedit.exe and clicking OK.
2. In a Windows Explorer window, open the \windows\system32 or
\winnt\system32 directory depending on what kind of a system you have.
3. Open the TaskManager and kill any processes named update.exe, sysset.exe,
or G_server.exe.
4. In the System32 directory, find and delete update.exe and sysset.exe.
5. In regedit, open the following two keys and delete the WindowsUpdate
values.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
6. Open the following key
HKEY_CLASSES_ROOT\exefile\shell\open\command
change the default (unnamed) value to: "%1" %*
Be careful here as a mistake will make it impossible to run any .exe file.
Note that there is a single space between the second double quote and the
second percent sign, that is: "%1"<space>%*
7. Open the following key
HKEY_CLASSES_ROOT\txtfile\shell\open\command
change the default (unnamed) value to:
"%SystemRoot%\system32\notepad.exe" %1
8. Don't quit regedit yet. Try to run any .exe application such as
notepad.exe by double clicking on it in an Explorer window. If it
runs, great, if not, switch back to the regedit window and check your
changes to the registry. Don't quit regedit until you can start an .exe
application.
9. When everything works, quit regedit and reboot the system. After the system
is finished rebooting, check that the files are still gone from the system32
directory and that the registry keys are still how you set them. If they
have changed back to the backdoor values, you missed something or did
something out of order and reinstalled the backdoor. Keep trying until the
files go away and stay away.
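The registry checks in the Detecting and Removing sections can be scripted
against a registry export. The following is an added example (not CIAC's
code) that parses a REGEDIT4-style export, such as one produced by regedit's
Export function, and reports the indicators this bulletin describes; it is
also usable after step 9 to confirm the keys did not change back. The sample
export embedded in it is constructed, not captured from a real system.

```python
import re

# Keys and values the bulletin says Glacier writes; the clean value is the one step 6 restores.
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
EXE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
CLEAN_EXE_CMD = '"%1" %*'

def parse_reg_export(text):
    """Parse a REGEDIT4-style export into {key (lowercased): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # Quoted REG_SZ data: drop the quotes and unescape \\ and \"
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys

def glacier_findings(reg_text):
    """List the bulletin's registry indicators present in the export; [] means clean."""
    reg = parse_reg_export(reg_text)
    findings = []
    for key in RUN_KEYS:
        data = reg.get(key.lower(), {}).get("WindowsUpdate", "")
        if "update.exe" in data.lower():
            findings.append(f"{key}\\WindowsUpdate -> {data}")
    exe_cmd = reg.get(EXE_CMD_KEY.lower(), {}).get("(default)", CLEAN_EXE_CMD)
    if "sysset.exe" in exe_cmd.lower():
        findings.append(f"{EXE_CMD_KEY} runs sysset.exe for every .exe: {exe_cmd}")
    elif exe_cmd != CLEAN_EXE_CMD:
        findings.append(f"{EXE_CMD_KEY} is not {CLEAN_EXE_CMD}: {exe_cmd}")
    return findings

# Constructed sample exports with the values the bulletin describes (not real data).
INFECTED_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdate"="C:\\WINNT\\System32\\UPDATE.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WindowsUpdate"="C:\\WINNT\\System32\\UPDATE.EXE"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\winnt\\system32\\sysset.exe\" \"%1\" %*"
"""
CLEAN_EXPORT = r"""REGEDIT4
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""
```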
- ----------------------------------------------------------------------------
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-067: Linux worm Adore
L-068: Cisco VPN3000 Concentrator TELNET Vulnerability
L-069: Cisco Content Services Switch User Account Vulnerability
L-070: FTP Filename Expansion Vulnerability
L-071: Various Vendors' Network Time Protocol (NTP) Vulnerability
L-072: Cisco Catalyst 5000 Series 802.1x Vulnerability
L-073: Microsoft ISA Web Proxy Service Denial of Service
L-074: Microsoft WebDAV Runs Scripts As User
L-075: FreeBSD IPFilter May Incorrectly Pass Packets
L-076: Red Hat Ptrace and Exec Race Conditions
-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2
-----END PGP SIGNATURE-----