
1999 CERT Incident Notes
CERT Division

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
http://www.sei.cmu.edu
REV-03.18.2016.0

Copyright 2017 Carnegie Mellon University. All Rights Reserved.

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The views, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation.

References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.

This report was prepared for the SEI Administrative Agent, AFLCMC/AZS, 5 Eglin Street, Hanscom AFB, MA 01731-2100.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use.
Requests for permission should be directed to the Software Engineering Institute at [email protected].

CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

DM17-0052

1999 CERT INCIDENT NOTES | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY ii
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

Table of Contents
1 IN-99-01: "sscan" Scanning Tool 2
2 IN-99-02: Happy 99 Trojan Horse 6
3 IN-99-03: CIH/Chernobyl Virus 9
4 IN-99-04: Similar Attacks Using Various RPC Services 12
5 IN-99-05: Systems Compromised Through a Vulnerability in am-utils 16
6 IN-99-06: Distributed Network Sniffer 19
7 IN-99-07: Distributed Denial of Service Tools 21
8 IN-99-08: Attacks against IIS web servers involving MDAC 27

1 IN-99-01: "sscan" Scanning Tool
Thursday, January 28, 1999

Recently a new scanning tool named "sscan" was announced on various public mailing lists. This tool is a derivative of the "mscan" tool that was widely used against a large number of sites in the second half of 1998. For more information about mscan, please read our earlier Incident Note IN-98.02:
http://www.cert.org/incident_notes/IN-98.02.html

The sscan tool performs probes against victim hosts to identify services which may potentially be vulnerable to exploitation. Though sscan itself does not attempt to exploit vulnerabilities, it can be configured to automatically execute scripts of commands that can be maliciously crafted to exploit vulnerabilities. Thus, it is possible for an unpredictable set of attacks to be mounted against a victim site in conjunction with the sscan probes.

The documentation distributed with sscan includes an example set of scripted commands illustrating how a self-replicating attack might be crafted using well-known vulnerabilities detected by sscan. We encourage you to familiarize yourself with the actions sscan performs and to ensure that your site is not vulnerable to attack.

The current version of sscan has been written specifically to execute on a UNIX platform. Because the tool crafts packets with custom attributes, privileged access to the source host is required to run sscan. We encourage you to be mindful of the potential for intruder control of the source host when responding to an incident involving sscan probes.

To determine whether the sscan tool is possibly being used against your site, look for the following activity:

1. Initial probes to selected services to determine the availability of the target host. TCP ACK packets are sent to the target host with the source and destination ports set as follows:
   o source and destination TCP port 23 (telnet)
   o source and destination TCP port 25 (smtp)
   o source and destination TCP port 110 (pop3)
   o source and destination TCP port 143 (imap)
   o source and destination TCP port 80 (www)
   As currently configured, the sscan tool will not attempt to probe a host further if no response is received from these initial probes.

2. If any of the above probes receives a response, further probes are made to the target host in an attempt to identify potential vulnerabilities. Connection probes to the following TCP ports are user optional and may or may not appear in additional sscan activity. The TCP ports are listed in the order in which they currently would be probed by sscan.
   o 80 (www)
   o 23 (telnet), 143 (imap), 110 (pop3) [all three, or none, are probed]
   o 111 (sunrpc)
   o 6000 (x11)
   o 79 (finger)
   o 53 (domain)
   o 31337 (unassigned by IANA)
   o 2766 (Solaris listen/nlps_server)
   Connection probes to the following TCP ports are always attempted and are not user optional. The TCP ports are listed in the order in which they are probed by sscan.
   o 139 (netbios-ssn)
   o 25 (smtp)
   o 21 (ftp)
   o 22 (ssh)
   o 1114 (Linux mSQL)
   o 1 (tcpmux)
   Ports responding to the probes in this section are considered by sscan to be "open" ports.

3. Two types of probes are made in an attempt to identify the target host's operating system.
   o TCP connection probe to port 23 (telnet) to obtain the login banner
   o Probes attempting to identify system and network architecture similar to those discussed in CERT Incident Note IN-98.04:
     http://www.cert.org/incident_notes/IN-98.04.html
     In this case, five packets are sent to the target host on the first TCP port identified as being "open" in the previous scanning (section 2). The five packets have the following characteristics:
     - Packet #1 - SYN ACK packet from source TCP port 1
     - Packet #2 - FIN packet from source TCP port 2
     - Packet #3 - FIN ACK packet from source TCP port 3
     - Packet #4 - SYN FIN packet from source TCP port 4
     - Packet #5 - PUSH packet from source TCP port 5

4. Using information gathered from the probes, sscan attempts to determine if the target host may potentially have any of the following accessible information services or known vulnerabilities:
   o qpopper - see http://www.cert.org/advisories/CA-98.08.qpopper_vul.html and ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.01.qpopper.buffer.overflow.vul
   o imapd - see http://www.cert.org/advisories/CA-98.09.imapd.html and http://www.cert.org/advisories/CA-97.09.imap_pop.html
   o SMTP EXPN command
   o Solaris listen/nlps_server (port 2766)
   o Linux mSQL (port 1114)
   o BIND - see http://www.cert.org/advisories/CA-98.05.bind_problems.html
   o Various CGI-BIN vulnerabilities - see http://www.cert.org/tech_tips/cgi_metacharacters.html
     - phf - also see http://www.cert.org/advisories/CA-96.06.cgi_example_code.html
     - handler - also see ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi
     - Count.cgi - also see http://www.cert.org/advisories/CA-97.24.Count_cgi.html
     - test-cgi - also see http://www.cert.org/advisories/CA-97.07.nph-test-cgi_script.html
     - php.cgi - also see ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-97.047
     - webgais
     - websendmail
     - webdist.cgi - also see ftp://ftp.cert.org/pub/cert_bulletins/VB-97.07.sgi
     - faxsurvey
     - htmlscript
     - pfdisplay.cgi
     - perl.exe (Windows platforms)
     - wwwboard.pl (Windows platforms)
   o NFS filesystems exported to everyone - see http://www.cert.org/advisories/CA-94.15.NFS.Vulnerabilities.html
   o mountd - see http://www.cert.org/advisories/CA-98.12.mountd.html
   o rstatd - see http://www.cert.org/advisories/CA-97.26.statd.html
   o nlockmgr
   o rpc.nisd - see http://www.cert.org/advisories/CA-98.06.nisd.html
   o X11 (open X servers)
   o Wingate - see http://www.cert.org/vul_notes/VN-98.03.WinGate.html
   o Finger (optional) - The default behavior is to perform finger on 'root' and 'guest' accounts. Target accounts are configurable and may differ from the defaults mentioned here.

5. At this point, there may be additional, unpredictable activity if sscan is configured to execute user-crafted scripts of commands.

If any machines in your network use any of the above services, we encourage you to make sure that all patches are up to date and your machines are properly secured.

We also urge you to filter all traffic at your firewall except that which you explicitly decide to allow.
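The two most distinctive parts of the activity described above, the same-port ACK probes to ports 23/25/110/143/80 and the five-packet OS-identification sequence from source ports 1 through 5, can be matched against packet logs. The following detector is an added example, not part of the original Incident Note; it assumes tcpdump-style lines of the form "time src.port > dst.port: Flags [..]" and uses constructed addresses and traffic.

```python
import re
from collections import defaultdict

# sscan's initial host-availability probes: TCP ACK with source port == destination port.
INITIAL_PROBE_PORTS = {23, 25, 110, 143, 80}
# sscan's OS-identification packets: (source port, TCP flags) in order, all sent to the first "open" port.
FINGERPRINT_SEQUENCE = [(1, {"S", "A"}), (2, {"F"}), (3, {"F", "A"}), (4, {"S", "F"}), (5, {"P"})]
# tcpdump-style line (assumed input format), e.g. "10:00:01.0 192.0.2.10.23 > 198.51.100.5.23: Flags [.]"
LINE_RE = re.compile(r"\S+ ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([SFPA.]+)\]")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    # tcpdump prints a bare ACK as "."; normalise the flag field to a set of letters S, F, P, A.
    return src, int(sport), dst, int(dport), {"A" if c == "." else c for c in flags}

def detect_sscan(lines):
    initial = defaultdict(set)       # (src, dst) -> ports hit by same-port ACK probes
    fingerprint = defaultdict(list)  # (src, dst, dport) -> [(sport, flags)] seen from source ports 1-5
    for src, sport, dst, dport, flags in filter(None, map(parse_line, lines)):
        if flags == {"A"} and sport == dport and sport in INITIAL_PROBE_PORTS:
            initial[(src, dst)].add(sport)
        if 1 <= sport <= 5:
            fingerprint[(src, dst, dport)].append((sport, flags))
    findings = []
    for (src, dst), ports in initial.items():
        if ports == INITIAL_PROBE_PORTS:  # all five availability probes seen from one source
            findings.append(("initial-ack-probes", src, dst, sorted(ports)))
    for (src, dst, dport), seq in fingerprint.items():
        if seq == FINGERPRINT_SEQUENCE:  # exact five-packet sequence, in order, to one port
            findings.append(("os-fingerprint", src, dst, dport))
    return findings

# Constructed sample capture (not real traffic): an sscan-style run from 192.0.2.10 against 198.51.100.5.
SAMPLE_LOG = """\
10:00:01.0 192.0.2.10.23 > 198.51.100.5.23: Flags [.]
10:00:01.1 192.0.2.10.25 > 198.51.100.5.25: Flags [.]
10:00:01.2 192.0.2.10.110 > 198.51.100.5.110: Flags [.]
10:00:01.3 192.0.2.10.143 > 198.51.100.5.143: Flags [.]
10:00:01.4 192.0.2.10.80 > 198.51.100.5.80: Flags [.]
10:00:02.0 192.0.2.10.1 > 198.51.100.5.139: Flags [S.]
10:00:02.1 192.0.2.10.2 > 198.51.100.5.139: Flags [F]
10:00:02.2 192.0.2.10.3 > 198.51.100.5.139: Flags [F.]
10:00:02.3 192.0.2.10.4 > 198.51.100.5.139: Flags [SF]
10:00:02.4 192.0.2.10.5 > 198.51.100.5.139: Flags [P]""".splitlines()
```

Running detect_sscan(SAMPLE_LOG) reports both patterns for the constructed source; ordinary client traffic from ephemeral ports matches neither rule.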