Published: 22 July 2001
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2001.305 --
       CERT Advisory CA-2001-20 Continuing Threats to Home Users
                               23 July 2001
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:        "Home Network Security" Paper
Vendor:         CERT/CC

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-20 Continuing Threats to Home Users

   Original release date: July 20, 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Need to Protect Home Systems

   This year, we have seen a significant increase in activity resulting in
   compromises of home user machines. In many cases, these machines are then
   used by intruders to launch attacks against other organizations. Home
   users have generally been the least prepared to defend against attacks.
   Many home users do not keep their machines up to date with security
   patches and workarounds, do not run current anti-virus software, and do
   not exercise caution when handling email attachments. Intruders know
   this, and we have seen a marked increase in intruders specifically
   targeting home users who have cable modem and DSL connections.

   Most of the subscribers to the CERT Advisory Mailing List and many
   visitors to our web site are technical staff responsible for maintaining
   systems and networks. But all of us know people who have home computers
   and need advice about how to secure them. We recently released a document
   on our web site providing some basic security information and references
   for home users. The document, "Home Network Security," is available on
   our web site at

      http://www.cert.org/tech_tips/home_networks.html

   We encourage the technical readers of our mailing list to reach out to
   your parents, children, and other relatives and friends who might not be
   as technically oriented, point them to this document, and help them
   understand the basics of security, the risks, and how they can better
   defend themselves. We have a long road to travel in educating home users
   on the security risks of the Internet. But all of us working together to
   educate home users will improve the security of the Internet as a whole.

Worms and DDoS Tools

   The CERT/CC is currently tracking the activity of several large-scale
   incidents involving new worms and distributed denial-of-service (DDoS)
   tools. Some of these worms include a command and control structure that
   allows the intruder to dynamically modify the behavior of the worm after
   it has infected a victim system. In some cases, the command and control
   structure allows the intruder to issue a single command to all the
   infected systems without needing to know which systems have actually been
   infected. This ability to change the behavior of the worm (including
   wholesale replacement) makes it substantially more difficult to develop
   "one size fits all" solutions to the problem. Additionally, many of these
   worms have targeted home users as victims.

   With these facts in mind, and the large number of hosts involved in these
   incidents, it is imperative for everyone to take precautions to patch the
   vulnerabilities involved and recover compromised systems.

   W32/Leaves worm

      The W32/Leaves worm, described in IN-2001-07, primarily affects
      systems that have been previously compromised by the SubSeven Trojan
      horse program. We have received reports that over 23,000 machines have
      been compromised by this worm. This worm includes functionality that
      allows a remote intruder to control the network of compromised
      machines.

   "Code Red" worm

      The "Code Red" worm, described in CA-2001-19, exploits a vulnerability
      in the Indexing Service on systems running Microsoft IIS. Current
      reports indicate that over 225,000 hosts have already been compromised
      by this worm.

   "Power" worm

      A worm known by the name of "Power" is also compromising systems
      vulnerable to the IIS Unicode vulnerability described in CA-1999-16.
      It uses Internet Relay Chat (IRC) as a control channel for
      coordinating compromised machines in DDoS attacks. Based on reports
      that we have received, over 10,000 machines have already been
      compromised by this worm.

   "Knight" distributed attack tool

      An attack tool known as "Knight" has been found on approximately 1,500
      hosts. This tool appears to be a DDoS tool and also uses IRC as a
      control channel. It has been reported that the tool is commonly being
      installed on machines that were previously compromised by the
      BackOrifice Trojan horse program. So far, there has been no indication
      that this tool is a worm; it does not contain any logic to propagate
      automatically.

Protective Measures

   For all of these problems, the deployment and maintenance of some of
   these simple defenses are relatively effective:

   1. Install and Maintain Anti-Virus Software

      The CERT/CC strongly recommends using anti-virus software. Most
      current anti-virus software products are able to detect and alert the
      user that an intruder is attempting to install a Trojan horse program
      or that one has already been installed. In order to ensure the
      continued effectiveness of such products, it is important to keep
      them up to date with current virus and attack signatures supplied by
      the original vendors. Many anti-virus packages support automatic
      updates of virus definitions. We recommend using these automatic
      updates when available.

   2. Deploy a Firewall

      The CERT/CC also recommends using a firewall product, such as a
      network appliance or a personal firewall software package.
      In some situations, these products may be able to alert users to the
      fact that their machine has been compromised. Furthermore, they have
      the ability to block intruders from accessing backdoors over the
      network. However, no firewall can detect or stop all attacks, so it is
      important to continue to follow safe computing practices.

   For additional information about securing home systems and networks,
   please see the "Home Network Security" tech tip at

      http://www.cert.org/tech_tips/home_networks.html

   If these protective measures reveal that the machine has already been
   compromised, more drastic steps need to be taken to recover. When a
   computer is compromised, any installed software could have been modified,
   including the operating system, applications, data files, and memory. In
   general, the only way to ensure that a compromised computer is free from
   backdoors and intruder modifications is to re-install the operating
   system from the distribution media and install vendor-recommended
   security patches before connecting back to the network. Merely
   identifying and fixing the vulnerability that was used to initially
   compromise the machine may not be enough.

   Often, these worms rely on Trojan horses to initially compromise a
   system. For more information on Trojan horses, see

      http://www.cert.org/advisories/CA-1999-02.html

   Additionally, these worms often spread by exploiting vulnerabilities in
   systems.
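The two firewall behaviours the advisory describes (blocking remote access to a backdoor, and alerting the user to a sign of compromise) as an added example that is not part of the CERT advisory or the AusCERT bulletin: a small Python model of a default-deny home firewall policy applied to a constructed connection log. Unsolicited inbound connections are blocked, which is what keeps a remote intruder away from a Trojan horse backdoor already listening on the machine, and outbound IRC connections raise an alert, since IRC is the control channel the "Power" and "Knight" tools use. The log format, the home address 192.168.1.10, port 6667 as the IRC port, and the two probed ports in the sample (the widely published defaults of SubSeven and BackOrifice, not values taken from the advisory) are all assumptions of the example.

```python
"""
Added example, not CERT/CC or AusCERT code: a minimal model of a personal
firewall for a home machine, applied to a constructed connection log.

Policy:
  * inbound:  default deny; only ports deliberately exposed are allowed
  * outbound: allowed, but an outbound IRC connection is flagged, because a
              home machine that never runs an IRC client has no reason to
              join an IRC network (the "Power" and "Knight" control channel)

Assumptions: the log format below is invented for the example, 192.168.1.10
is the constructed home address, and 6667 is treated as the only IRC port.
"""
from dataclasses import dataclass

HOME_HOST = "192.168.1.10"     # constructed address of the home machine
IRC_PORTS = {6667}             # assumption: standard IRC port only
# A home machine normally offers no services to the Internet, so nothing is
# allowed inbound. Add a port here only if a service is deliberately exposed.
ALLOWED_INBOUND_PORTS = set()


@dataclass
class Conn:
    ts: str
    direction: str   # "in" or "out", relative to the home machine
    peer: str        # the remote address
    port: int        # destination port of the connection attempt


def parse_line(line):
    """Parse one 'ts dir src:sport -> dst:dport' record (constructed format)."""
    ts, direction, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    # For an inbound attempt the remote side is the source; for an outbound
    # connection it is the destination.
    peer = src.rsplit(":", 1)[0] if direction == "in" else dst_ip
    return Conn(ts, direction, peer, int(dst_port))


def evaluate(conn):
    """Return (verdict, reason) for one connection under the home policy."""
    if conn.direction == "in":
        if conn.port in ALLOWED_INBOUND_PORTS:
            return ("allow", "explicitly exposed service")
        # Default deny: even if a Trojan horse backdoor is listening on this
        # port, the intruder cannot reach it through the firewall.
        return ("block", f"unsolicited inbound to port {conn.port}")
    if conn.port in IRC_PORTS:
        # Outbound IRC from a machine that never runs an IRC client is the
        # kind of event the advisory says a firewall can alert the user to.
        return ("alert", f"outbound IRC to {conn.peer}:{conn.port}")
    return ("allow", "outbound traffic")


def analyse(log_text):
    """Apply the policy to every record; return verdict -> [(ts, reason)]."""
    results = {"allow": [], "block": [], "alert": []}
    for line in log_text.strip().splitlines():
        conn = parse_line(line)
        verdict, reason = evaluate(conn)
        results[verdict].append((conn.ts, reason))
    return results


# Constructed sample log: one ordinary web fetch, two inbound probes to the
# commonly published default ports of SubSeven (27374) and BackOrifice
# (31337), and one outbound IRC connection. None of these values come from
# the advisory.
SAMPLE_LOG = """
2001-07-20T10:00:01 out 192.168.1.10:1025 -> 203.0.113.5:80
2001-07-20T10:00:07 in  198.51.100.23:4021 -> 192.168.1.10:27374
2001-07-20T10:00:09 in  198.51.100.23:4022 -> 192.168.1.10:31337
2001-07-20T10:01:15 out 192.168.1.10:1026 -> 203.0.113.77:6667
"""

if __name__ == "__main__":
    for verdict, items in analyse(SAMPLE_LOG).items():
        for ts, reason in items:
            print(f"{ts} {verdict:5} {reason}")
```

Run as a script, it prints one line per record with its verdict; on the sample log the web fetch is allowed, both probes are blocked, and the IRC connection produces an alert. The point of the default-deny inbound rule is that it does not need to know which backdoor is installed: any port the owner did not deliberately expose is closed to the outside, which is why the advisory can recommend a firewall without listing specific Trojan horse programs.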
   For information on vulnerabilities affecting popular products, please
   see

      http://www.kb.cert.org/vuls
    ______________________________________________________________________

   Author(s): Jeff Carpenter, Chad Dougherty, Shawn Hernan
    ______________________________________________________________________
    ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2001-20.html
    ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our
   public PGP key is available from

      http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from our
   web site

      http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send
   email to majordomo@cert.org. Please include in the body of your message

      subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent
   and Trademark Office.
    ______________________________________________________________________

NO WARRANTY

   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie Mellon
   University makes no warranties of any kind, either expressed or implied
   as to any matter including, but not limited to, warranty of fitness for
   a particular purpose or merchantability, exclusivity or results obtained
   from use of the material. Carnegie Mellon University does not make any
   warranty of any kind with respect to freedom from patent, trademark, or
   copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2001 Carnegie Mellon University.

   Revision History

   Jul 20, 2001: Initial release

- -----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO1inDgYcfu8gsZJZAQE1iwP7BpBJ4J2aUgjNxgTPdytNiYAeDJC7zKCU
jYYumhEGPAjBQgoqVPkVi4zApStfMUMsBBSahSll+S8zBoZfbviblnzLLx1Ac/NN
YAw7sq6X8RQ+RQ7kltcwUy0Ut0gJDxZCinPxgg+dyQ0Sww9dzSQesCaKT3uazY4P
AkPWGUsE/Ic=
=0QKl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to use any or all of this
information is the responsibility of each user or organisation, and
should be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO1v5ZCh9+71yA2DNAQH1wAP8D5aDPcOFqVk/knz1VWtIuX6WanmYT8hV
M6SFdBovzCgK2ukO5whjpbLPoxGy8W0nwWUp26oaRwkGis4gjftfqla8MnWjSBSQ
Pun2DLMkzxtcVYxR24s2cpq7xVzMRzVjIeXo7ElJqVxq9VzoLhL9t6pYzv61Xedc
aKrRTF+ycec=
=A514
-----END PGP SIGNATURE-----