From Schlake, Fri Feb 5 16:54:27 1999
On Feb 5, 4:11pm, CERT Advisory wrote:
Subject: CERT Advisory CA-99.02 - Trojan Horses
CERT Advisory CA-99-02-Trojan-Horses
Original issue date: February 5, 1999 Last Revised:
Any system can be affected by Trojan horses.
Over the past few weeks, we have received an increase in the number of incident reports related to Trojan horses. This advisory includes descriptions of some of those incidents (Section II), some general information about Trojan horses (Sections I and V), and advice for system and network administrators, end users, software developers, and distributors (Section III).
Few software developers and distributors provide a strong means of authentication for software products. We encourage all software developers and distributors to do so. Until strong authentication of software is widely available, the problem of Trojan horses will persist. In the meantime, users and administrators are strongly encouraged to be aware of the risks as described in this document.
A Trojan horse is an "apparently useful program containing hidden functions that can exploit the privileges of the user [running the program], with a resulting security threat. A Trojan horse does things that the program user did not intend" [Summers].
Trojan horses rely on users to install them, or they can be installed by intruders who have gained unauthorized access by other means. Then, an intruder attempting to subvert a system using a Trojan horse relies on other users running the Trojan horse to be successful.
Incidents involving Trojan horses include the following:
- False Upgrade to Internet Explorer
Recent reports indicate wide distribution of an email message which claims to be a free upgrade to the Microsoft Internet Explorer web browser. However, we have confirmed with Microsoft that they do not provide patches or upgrades via electronic mail, although they do distribute security bulletins by electronic mail.
The email message contains an attached executable program called Ie0199.exe. After installation, this program makes several modifications to the system and attempts to contact other remote systems. We have received conflicting information regarding the modifications made by the Trojan horse, which could be explained by the existence of multiple versions of the Trojan horse.
At least one version of the Trojan horse is accompanied by a message which reads, in part:
    As an user of the Microsoft Internet Explorer, Microsoft Corporation provides you with this upgrade for your web browser. It will fix some bugs found in your Internet Explorer. To install the upgrade, please save the attached file (ie0199.exe) in some folder and run it.
The above message is not from Microsoft.
We encourage you to refer to the Microsoft Internet Explorer web site at the following location:
MS IE Trojan Info
Please refer to the Section III below for general solutions to Trojan horses.
- Trojan Horse Version of TCP Wrappers
We recently published "CA-99-01-Trojan-TCP-Wrappers," which said that some copies of the source code for the TCP Wrappers tool were modified by an intruder and contain a Trojan horse. The advisory is available at the following location:
Trojan TCP Wrapper from CERT
- Trojan Horse Version of util-linux
The util-linux distribution includes several essential utilities for Linux systems. We have confirmed with the authors of util-linux that a Trojan horse was placed in the file util-linux-2.9g.tar.gz on at least one ftp server between January 22, 1999, and January 24, 1999. This Trojan horse could have been distributed to mirror FTP sites.
Within the Trojan horse util-linux distribution the program /bin/login was modified. The modifications included code to send email to an intruder that contains the host name and uid of users logging in. The code was also modified to provide anyone with access to a login prompt the capability of executing commands based on their input at the login prompt. There were no other functional modifications made to the Trojan horse util-linux distribution that we are aware of.
A quick check to ensure you do not have the Trojan horse installed is to execute the following command:
$ strings /bin/login | grep "HELO"
If that command returns the following output, then your machine has the Trojan horse version of util-linux-2.9g installed.
If the above command returns nothing, then you do not have this particular Trojan horse installed.
You cannot rely on the modification date of the file util-linux-2.9g.tar.gz because the Trojan horse version has the same size and time stamp as the original version.
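The point above, that size and time stamp were preserved and only the contents differ, shown as an added shell example that is not part of the advisory: two constructed placeholder files are given equal size and mtime, then checked with a marker scan in the spirit of the strings | grep command and with a checksum comparison. The file names, contents, "HELO intruder!" marker and work directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory. Two constructed stand-ins
# for an original archive and a substituted mirror copy are given the same
# size and mtime; only a content check (the advisory's strings|grep marker
# scan, or a checksum) tells them apart.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
ref="$work/reference.tar.gz"      # stand-in for the authors' archive
mirror="$work/mirror-copy.tar.gz" # stand-in for the tampered mirror copy

# Constructed placeholder contents: the mirror copy differs only in 14 bytes,
# where "HELO" stands in for the Trojan's mail-sending code.
printf '%s\n' 'login.c: clean build, no hidden code' > "$ref"
sed 's/no hidden code/HELO intruder!/' "$ref" > "$mirror"
touch -r "$ref" "$mirror"   # copy the mtime, as the Trojan version preserved it

# What a directory listing shows, and exactly what the Trojan kept identical.
same_size_and_mtime() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ] &&
    [ ! "$1" -nt "$2" ] && [ ! "$2" -nt "$1" ]
}

# Equivalent of the advisory's  strings FILE | grep MARKER : split the file
# on non-printable bytes so the scan also works on a compiled /bin/login.
has_marker() {
    tr -c '[:print:]' '\n' < "$1" | grep -q -- "$2"
}

# Content comparison with POSIX cksum (CRC and byte count).
checksums_match() {
    [ "$(cksum < "$1")" = "$(cksum < "$2")" ]
}

if same_size_and_mtime "$ref" "$mirror"; then
    echo "size/mtime: identical, so a listing cannot tell the copies apart"
fi
if has_marker "$mirror" HELO; then
    echo "marker scan: HELO present in mirror copy, treat it as the Trojan horse"
fi
if ! checksums_match "$ref" "$mirror"; then
    echo "checksum: differs, so check the copy against a signed checksum"
fi
```

A checksum only helps when compared against a value obtained through a trusted channel; the PGP signature the authors publish (next paragraph) is the stronger check.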
In response to the distribution of this Trojan horse, the authors of util-linux have released util-linux-2.9h.tar.gz. This file is available via anonymous ftp from:
Be sure to download and verify the PGP signature as well:
This package can be verified with the "Linux Kernel Archives" PGP Public Key, available from the following URL:
Linux Kernel Archive, PGP Public Key
- Previous Trojan Horses
Trojan horses are not new entities. A classic description of a Trojan horse is given in [Thompson]. Additionally, you may wish to review the following documents for background and historical information about Trojan horses.
Trojan TCP Wrappers
IRC client Trojan
MD5 Checksums Trojan
Monitoring Network Attacks
Trojan horses can do anything that the user executing the program has the privileges to do. This includes:
* deleting files that the user can delete
* transmitting to the intruder any files that the user can read
* changing any files the user can modify
* installing other programs with the privileges of the user, such as programs that provide unauthorized network access
* executing privilege-elevation attacks, that is, the Trojan horse can attempt to exploit a vulnerability to increase the level of access beyond that of the user running the Trojan horse. If this is successful, the Trojan horse can operate with the increased privileges.
* installing viruses
* installing other Trojan horses