💾 Archived View for spam.works › mirrors › textfiles › internet › span01.vir captured on 2023-11-14 at 10:26:05.

View Raw

More Information

⬅️ Previous capture (2023-06-16)

-=-=-=-=-=-=-

=============================================================================
INTRANETWORK MEMORANDUM                               SPAN MANAGEMENT OFFICE
=============================================================================
                                                                  19-OCT-1989

TO: 	ALL SPAN ROUTING CENTER MANAGERS AND REMOTE-NODE MANAGERS

FROM:	RON TENCATI - SPAN SECURITY MANAGER
	GODDARD SPACE FLIGHT CENTER  CODE 630.2
	GREENBELT, MD. 20771
	(301)286-5223

SUBJ:   INFORMATION REGARDING THE DECNET WORM AND PROTECTION MEASURES

                            ----------
The following information covers several aspects of the "WANK" DECnet worm
which was released into the "DECnet Internet" earlier in the week.

Information contained in prior reports written by John McMahon of GSFC and
Kevin Oberman of LLNL was used in preparing report.  The assistance of
Digital Equipment Corporation is also gratefully acknowledged. 

Previous messages regarding this worm appearing on various mailing lists 
have indicated that system managers with questions or infected nodes should 
call other organizations.  

For clarification, any SPAN-connected system that believes itself to be
infected, or attacked should contact ONLY the SPAN management at Goddard
Space Flight Center, Greenbelt, MD.  The security effort is being
coordinated by this group and all reports should be directed there.  The
contact number is (301)286-7251 or (301)286-5223.  Electronic mail should be 
sent to NSSDCA::TENCATI or NSSDCA::NETMGR only.  Do not send infection 
reports to any other node on SPAN.

HEPnet sites should contact FNAL::DEMAR.


BACKGROUND
----------

The worm's mission is to propagate itself randomly across the network, 
to seek out systems with poor security, and to establish itself in a 
priviliged account whereupon it will modify the system's SYS$ANNOUNCE
banner to the following message:


  
      W O R M S    A G A I N S T    N U C L E A R    K I L L E R S
    _______________________________________________________________
    \__  ____________  _____    ________    ____  ____   __  _____/
     \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /
      \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /
       \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /
        \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/
         \___________________________________________________/
          \                                                 /
           \    Your System Has Been Officically WANKed    /
            \_____________________________________________/
 
     You talk of times of peace for all, and then prepare for war.

                            ---------
We don't currently see that the WORM is destructive, BUT it wastes
resources, and may result in denial of service by locking out priviliged 
users or causing non-infected nodes to consume disk space storing all the
audit records from the failed access attempts.

The worm attempts to establish itself onto a system by exploiting various
weaknesses in the DECnet environment.  Some of these weaknesses have been
addressed by previous SPAN directives and guidelines.  Systems that have
implemented these guidelines are not at risk. 

A random number generator is used to pick the next node the worm will try
to infect. The worm contains an internal list of 82 canned usernames that
it will try against a system.  

In addition, it attempts to copy the file RIGHTSLIST.DAT from the selected
target node.  This file is normally protected W:R. If this file is
successfully copied, a list of usernames specific to the target system will
be generated and some subset of those will be appended to the "canned"
list.  The candidate words the worm uses whether or not it was successful
at accessing RIGHTSLIST.DAT are the following: 

      ACCOUNITING   ACCOUNTS     ALLIN1       APPLETALK     ARCHIVE
      BACKUP        CADCAM       COGNOS       CRAYSTN       CUSTOMER
      DDSNET        DEC          DECNET       DEFAULT       DEMO
      DFS$DEFAULT   DIGITAL      DNS$SERVER   DQS$SERVER    ETHERNIM  
      EXOS          FIELD        GAMES        GUEST         HASP
      IBM           INGRES       INVENTORY    ISSYS         IVP
      LIBRARY       LN03_DLAND   LPS$SERVER   MAC           MAIL
      MAILER        MANAGER      MANUALS      MASS11        MBMANAGER
      MIS           MRGATE       MANAGER      NETNONPRIV    NETPRIV
      NEWSMGR       NOTES$SERVER OPER         OPERATOR      ORACLE
      OSI           PCAPP        PCCOMMON     PLUTO         POSTMASTER
      RDBVMS$REM    RHM          SECURITY     SHUTDOWN      SNACSV
      SPEAR         SPM          SRS          STUDENT       SUPPLIES
      SYSINF        SYSTEM       SYSTEST      SYSTEST_CLIG  TAPESYS
      TCP           TELEX        TEMP         TEST          TRAINING
      TRANSFER      USER         USER1        USERP         VAXNET
      VAXSIM        VTX          VXSYS

The PASSWORDS tried against the set of accounts MAY be the username
ONLY, OR other passwords may be tried (such as DIGITAL, PSIPAD, MANAGER,
etc) apparently depending on the version of the WORM. A bug in the worm
prevents it from testing the null password as previously suspected. 

                          --------------
[The following section provides information relating to the behavior of
the worm. This information was primarily supplied by Kevin Oberman of
LLNL and John McMahon of GSFC]
                          --------------

1. The program assures that it is working in a directory to which the owner
   (itself) has full access (Read, Write,Execute, and Delete).

2. The program checks to see if another copy is still running. It looks for a
   process with the first 5 characters of "NETW_". If such is found, it deletes
   itself (the file) and stops its process.

                               NOTE

    This check is done using the F$GETJPI system service.  The results
    vary depending on the amount of priviliges the account possesses.
    Non-priviliged accounts which are penetrated will only be able to
    return information about their own UIC, so multiple copies of the
    worm could be running simultaneously under different usernames.


3. The program then changes the default DECNET account password to a random
   string of at least 12 characters.

4. Information on the infected node and account/password used to access the
   system is mailed to a central collection point on SPAN. 

5. The process changes its name to "NETW_" followed by a random number.

6. It checks to see if it has SYSNAM priv. If so, it defines the system
   announcement message to be the WANK banner.

7. If it has SYSPRV, it disables mail to the SYSTEM account.

8. Also if it has SYSPRV, it modifies the system login command procedure 
   (SYLOGIN.COM) to APPEAR to delete all of a user's files. (It really does
   nothing.) 

9. The procedure then scans the accounts logical name table for symbols
   which contain directory specifications. Each directory located is searched
   for command procedures within it protected (W:RWED). Any such procedures
   have code inserted at the top which tries to modify the FIELD account to a
   known password with login from any source and all privs. This is a
   primitive virus, but very effective IF the procedure should be executed by
   a priviliged account. 

10. It proceeds to attempt to access other systems by picking node numbers
   at random. It then used PHONE to get a list of active users on the remote
   system. It proceeds to irritate them by causing the PHONE object to send 
   them a one-line "fortune cookie" type message.  The appearance of this 
   message does not indicate a penetration attempt on that node, more 
   appropriately, it indicates an "irritation attempt".

                                 NOTE
   If your site receives these PHONE messages the source node
   information can be found in the NETSERVER.LOG files in your DECnet
   default account. 

11. The program tries to access the RIGHTSLIST.DAT file as previously 
   described earlier. 

12. It then steps through the list of usernames it has built and uses FAL 
   to validate the candidate userid/password combination.  If a password is 
   guesses, the worm copies itself over to the target system and starts itself
   via the SUBMIT/REMOTE feature of VMS. 

13. When the worm finishes with a system, it picks another random system and
   repeats (forever).



SECURITY GUIDELINES TO STOP THE SPREAD OF THIS WORM:
====================================================


1. It is IMPERATIVE that all systems protect or remove the DECnet TASK 0
   object to prevent reoccurrance of this worm, OR MORE SERIOUS ATTACKS
   OF THIS KIND IN THE FUTURE! 

   The TASK object can be secured by either of the following methods:

Method 1):
	Issue the command:	

		NCP> CLEAR OBJECT TASK ALL
	
	after the network is started up. This command can also be
	inserted into the procedure SYSTARTUP.COM (SYSTARTUP_V5.COM on V5.x
	systems) after the call to STARTNET.COM.  In addition while the system
	is running, this command must be executed EACH TIME the network is
	restarted. 

Method 2):
	Issue the following commands ONCE:

	NCP> SET OBJECT TASK USER DECNET PASSWORD <a bunch of garbage>
	NCP> DEFINE OBJECT TASK USER DECNET PASSWORD <a bunch of garbage>

	This causes a login failure to be generated whenever the TASK 
	object is accessed.  Once done, this change will be permanent.

			        NOTE
          We have received one report that TASK 0 is required 
          for DECwindows.  Read your documentation!
  

2. Under NO circumstances it is acceptable for an account to have a
   password the same as the username.  Passwords (passPHRASES) should be
   created so that they are difficult to guess, multi-word phrases are
   preferable. As a precaution, we recommend that all passwords be changed.
   Additionally, system managers may choose to revalidate ALL accounts. 

   If a system had the DECNET TASK 0 protected as above, the DECNET account
   protected against SUBMIT/REMOTE (described below) and no user had their
   userid as their password, it was immune to this WORM.  As a result, the
   number of nodes actually INFECTED by this attack is relatively small. The
   number ATTACKED however, is large. 

3. NETWORK ACCOUNTS
   To protect against the SUBMIT/REMOTE attack, run AUTHORIZE and make sure
   that all network account flags are set to NOBATCH, NODIALUP, NOLOCAL,
   and NOREMOTE.

4. FIELD ACCOUNT
   Make sure the FIELD ACCOUNT does not have the password FIELD. DISUSER the
   account.  You must SEARCH all .COM files for a "field/remote/dialup". If
   the search shows it is in .COM files, They have a trojan horse appended
   to the files. When the .COM file is executed, This Trojan horse will try
   to reset account FIELD to /NODISUSER and password to FIELD.  You should
   either delete the corrupted .COM file and obtain a good one elsewhere, or
   examine the file and remove the affected lines of the command procedure.

5. WORM FILES 
   The WORM source files are W.COM or a single alphabetic character (C or D)
   followed by 4 or 5 numeric characters. (Cnnnnn.COM), ("nnnn" represents a
   random number). The WORM will start a process or processes running. 
   These processes are named in format NETW_nnnn, and should be deleted.
   PHONE_nnnn may also be running as the WORM utilizes the PHONE object in
   an attempt to send a message to a user on another randomly selected node.

6. ALARMS
   Some alarms generated by the WORM are related to PHONE.EXE and FAL.EXE.
   The majority of the alarms are login failures as the WORM attempts to log
   into specific accounts. 

   We recommend that alarms be set immediately for logins, logouts, breakin
   attempts, modifications to the system and net UAF's, and to changes to
   user and system passwords. 


DISCOVERY AND CLEANUP
----------------------

  1.	 Log into a "privileged account"
 	   $ SHOW SYSTEM
	   Look for NETW_dddd (dddd represents 4 or 5 random digits)
 	   IF NETW_dddd is found, note the process ID and do:
	   $ STOP PROCESS/ID=NETW_dddd

	The command procedure included below can be used by system 
	managers to perform this function in the background.  It is 
	recommended that this procedure be run for the next week or 
	so until the worm is killed-off.

   2. 	Check the protection on all command procedures.  If any are
	(W:REWD), check for infection.  There should be two versions. The
 	older one should be OK unless multiple infection has occurred.
	Generally the oldest version is OK but this is not guaranteed.

	An easy method is to execute the command on every disk:

		$SEARCH dev:[000000...]*.COM;* PASS=FIELD
	
	Any infected files will contain the line:

	$mcr authorize add field/remote/dialup/network/batch/defpriv=all
	/priv=all/flag=(nodisuser,nocaptive,nopwd_expire)/pass=field

   3.	Redefine or deassingn the SYS$ANNOUNCE logical name.  Replace
	the correct SYS$ANNOUNCE messages.   (Note the initial value of
	SYS$ANNOUNCE to identify the infected user account and location of
	the false announce message files (on infected systems only).

   4.  	Clean up SYSLOGIN.COM.  Remove the bogus file deletion routine.

   5.  	Search all login directories for files named Cddddd.com or
        Dddddd.com.  Dddddd.COM is a dummy file which precedes the actual
	infection. Cddddd.COM is the worm itself (normally both are 
	deleted by the worm).
	
   6.   If your node is attacked or penetrated, please contact the SPAN 
	Management immediately via MAIL or by phone. Send all messages
	to either NSSDCA::TENCATI or NSSDCA::NETMGR. If you do not have
	NSSDCA defined in your database, use the node number 6277::. We
	need to know which nodes have the worm running on them so we can
	coordinate cleanup measures with the appropriate personnel.

			         NOTE
	  A tell-tale sign that your node was ATTACKED will be multiple
	  login failure reports in your operator.log file.


   7.   DO NOT DELETE ANY OF YOUR LOG FILES OR AUDIT TRAILS.  THIS 
	INFORMATION MAY BE REQUESTED OF YOU LATER IF THIS MATTER IS GOING
	TO BE PROSECUTED. 


PREVENTION MEASURES
-------------------

	1.  Ensure all user accounts have good password management. (No
	    "user user" or null passwords.)

	2.  No world READ command procedures in user or priviliged 
	    accounts.

	3.  No TASK objects.

	4.  Do not use the the account names as the password on network
	    accounts.  (Use the V5.2 approach - separate object userid's)

	5.  Ensure all network accounts are set NOBATCH, NOLOCAL, NODIALUP,
	    and NOREMOTE and have a PRCLIM of 1.

	6.  Audit all changes by AUTHORIZE. Analyze audit trail for changes
	    to the FIELD account.

	7.  Place an ALARM ACE on SYS$MANAGER:SYLOGIN.COM;* for
	    WRITE+DELETE+SUCCESS access. Enable ACL auditing. Analyze the
	    audit trail for change to SYLOGIN.COM.

	8.  Make sure ACCOUNTING and OPCOM are running and proper alarms
	    are set.

	9.  Protect RIGHTSLIST.DAT against World access.  Alternatively 
	    move or rename it and define the logical symbol RIGHTSLIST 
	    to the new file. ($DEF/SYS/EXEC RIGHTSLIST <renamed file>)
	    This will limit the ability of the worm to determine 
	    actual valid usernames.
----------------------------------------------------------------------------

The following command procedure was written by John McMahon at GSFC.  It 
can be run as a batch job under a priviliged account.  This procedure 
searches all processes on a running system to determine if the worm process 
is present.  If detected, the worm is deleted.


---------------------------- ANTIWANK.COM ----------------------------------
$!
$!	Antiwank.Com - This program performs two functions.  It kills any
$!	copy of the worm currently running (any process starting with NETW_
$!	in it's name) and disguises itself as a copy of the worm to help
$!	prevent new copies from being created.
$!
$!	This program should be submitted to a batch queue under the username
$!	SYSTEM.  It requires WORLD priv to check the process names on your
$!	CPU.  It runs continuously, but uses little overhead.
$!
$!	This program uses the process name "NETW_AntiWank".  It should not be
$!	confused as a copy of the worm program itself (which uses 
$!	NETW_randomnumber).
$!
$!	The system manager should add additional userids to the line
$!	beginning with SEND_MAIL_TO.  If the program detects the worm,
$!      it will send a detection message to the userids in SEND_MAIL_TO.  
$!
$!	John McMahon
$!	NASA/GSFC CODE 630.4
$!
$!	18-OCT-1989 16:11:56.21 
$!
$!	SPAN:		SDCDCL::FASTEDDY
$!	Internet:	Fasteddy@Dftnic.Gsfc.Nasa.Gov
$!	Bitnet:		Fasteddy@Dftbit
$!
$!	Phone:	301-286-2045
$!
$ Set NoON
$ AntiWank_Name = "NETW_AntiWank"
$ Process_Name_Prefix = "NETW_"
$ Send_Mail_To = "SYSTEM"
$ Set Process/Priv=(World)
$ Set Process/Name="''AntiWank_Name'"
$ Start:
$ Context = ""
$ Pid_Loop:
$ Check_Pid = F$Pid(Context)
$ If Check_Pid .Eqs. "" Then Goto End_Pid_Loop
$ Check_Prcnam = F$Edit(F$Getjpi(Check_Pid,"PRCNAM"),"TRIM")
$ Write Sys$Output "Process Name: ",Check_Prcnam
$ If Check_Prcnam .Eqs. AntiWank_Name Then Goto Pid_Loop
$ If F$Extract(0,5,Check_Prcnam) .Eqs. Process_Name_Prefix Then -
  Gosub Action_Routine
$ Goto Pid_Loop
$!
$ End_Pid_Loop:
$ Write Sys$Output F$TIME()," ANTIWANK is still working for you"
$ Wait 00:10:00
$ Goto Start
$!
$ Action_Routine:
$ Write Sys$Output "Action Routine"
$ Username = F$Getjpi(Check_Pid,"Username")
$ Stop/Id='Check_Pid'
$ Mail NL: 'Send_Mail_To' -
  /SUBJECT="Worm Terminated ''$Status' ''Check_Prcnam' ''Check_Pid' ''Username'"
YES
$ Return
---------------------------END OF ANTIWANK.COM-------------------------

Downloaded From P-80 International Information Systems 304-744-2253