_____________________________________________________

           The Computer Incident Advisory Capability

_____________________________________________________

                     Information Bulletin

       Preliminary Information about SYSMAN.EXE Trojan Horse

November 8, 1991, 16:00 PDT                                   Number C-5

             Critical Facts about SYSMAN.EXE Trojan Horse
_________________________________________________________________________

PROBLEM:    A trojan horse program installed in several systems.

PLATFORM:   VMS systems connected to DECnet.

DAMAGE:     Allows potential unauthorized privileged access;
            unauthorized changes to critical system files.

SOLUTIONS:  Scan SYS$LIBRARY for an executable called OBJ.EXE, or check
            for a change in the length of the SYSMAN.EXE file; if OBJ.EXE
            or a bogus SYSMAN.EXE program is found, replace SYSMAN.EXE
            with a copy from the original distribution tape, then delete
            OBJ.EXE.
_________________________________________________________________________

CIAC has been informed of a trojan horse program found in several VMS
systems connected to DECnet.  All affected systems identified to date are
connected to the European DECnet; no systems in the DOE community or the
U.S.A. are known to be infected by this bogus program at this time.

At this moment we have disassembled approximately 98 percent of the
binary code, and are distributing this bulletin to provide an interim
progress report.  Although early information provided to CIAC initially
suggested that this program was a worm, we have been unable to locate any
self-proliferation routines in this program.  It is likely that the
author of this trojan horse planted this program either by breaching a
privileged account or by breaching an unprivileged account and escalating
privilege.

The intruder renames the SYS$SYSTEM:SYSMAN.EXE image to
SYS$LIBRARY:OBJ.EXE.  When the trojan horse program is installed, the
intruder replaces the SYSMAN.EXE image with the trojan horse program.
The SYSMAN.EXE trojan horse enables an intruder to grant privilege to an
unprivileged account, thereby giving that intruder back-door access to
system privilege.

To detect the trojan horse program, run the SYSMAN program.  After
exiting, type the command

    SHOW SYMBOL *

If the result contains a definition for the symbol OBFJ defined as
"$SYS$LIBRARY:OBJ.EXE", or if you find the file SYS$LIBRARY:OBJ.EXE on
your system, it is extremely likely that your system contains this
trojan horse.

CIAC recommends that if your system contracts the SYSMAN.EXE trojan
horse, you save the corrupted SYSMAN image.  We request that you send a
copy of this image to CIAC, and recommend that you replace it using the
original distribution media.

For additional information or assistance, please contact CIAC:

    Hal Brand                          Karyn Pichnarczyk
    (510) 422-0039** or                (510) 422-1779** or
    (FTS) 532-0039                     (FTS) 532-1779
    brand@addvax.llnl.gov              karyn@cheetah.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS) 532-8193.

**Note: the area code has changed from 415, although the 415 area code
will work until Jan. 1992.

CIAC would like to thank the Computer Emergency Response Team/Coordination
Center and DEC for assistance in handling this incident.

Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.
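The three detection checks the bulletin gives (the OBJ.EXE file in SYS$LIBRARY, a changed SYSMAN.EXE length, and the OBFJ symbol appearing after running SYSMAN), worked through as an added Python example that is not part of the original CIAC bulletin. It assumes the SHOW SYMBOL * output and a SYS$LIBRARY directory listing have been captured to a host that runs Python; the known-good block count and all sample data below are constructed placeholders, not values from the bulletin.

```python
import re

# Indicators named in CIAC bulletin C-5.
TROJAN_SYMBOL = "OBFJ"
TROJAN_VALUE = "$SYS$LIBRARY:OBJ.EXE"
RENAMED_IMAGE = "SYS$LIBRARY:OBJ.EXE"

# DCL "SHOW SYMBOL *" lists one symbol per line:
#   NAME == "value"  (global symbol)    NAME = "value"  (local symbol)
SYMBOL_LINE = re.compile(r'^\s*([\w$]+)\s*==?\s*"(.*)"\s*$')


def parse_show_symbol(output):
    """Map symbol name -> string value from captured SHOW SYMBOL * output."""
    symbols = {}
    for line in output.splitlines():
        m = SYMBOL_LINE.match(line)
        if m:
            symbols[m.group(1).upper()] = m.group(2)
    return symbols


def find_indicators(show_symbol_output, library_files, sysman_blocks, good_blocks):
    """Apply the bulletin's three checks; returns the indicators found (empty = none)."""
    hits = []
    if parse_show_symbol(show_symbol_output).get(TROJAN_SYMBOL, "").upper() == TROJAN_VALUE:
        hits.append("symbol OBFJ == " + TROJAN_VALUE)
    for spec in library_files:
        # Compare the filespec with its version number (";n") stripped off.
        if spec.upper().split(";")[0] == RENAMED_IMAGE:
            hits.append("file " + spec + " present")
    if sysman_blocks != good_blocks:
        hits.append("SYSMAN.EXE is %d blocks, distribution copy is %d"
                    % (sysman_blocks, good_blocks))
    return hits


# Constructed sample data (not from a real system): SHOW SYMBOL * output after
# running SYSMAN, a SYS$LIBRARY listing, and block counts chosen for illustration.
SAMPLE_SYMBOLS = """\
  $RESTART == "FALSE"
  $SEVERITY == "1"
  OBFJ == "$SYS$LIBRARY:OBJ.EXE"
"""
SAMPLE_LIBRARY = ["SYS$LIBRARY:DCLTABLES.EXE;1", "SYS$LIBRARY:OBJ.EXE;1"]

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_SYMBOLS, SAMPLE_LIBRARY, 260, 255):
        print("INDICATOR:", hit)
```

A system that shows none of the three indicators against a block count taken from the original distribution media passes all the checks the bulletin describes.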