             U.S. DOE's Computer Incident Advisory Capability
           ___  __ __    _     ___           __  __ __   __   __
          /       |     /_\   /       |\ |  /  \   |    |_   /_
          \___  __|__  /   \  \___    | \|  \__/   |    |__  __/
 
Number 95-12                                           September 25, 1995
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
  $ Reference to any specific commercial product does not necessarily   $
  $ constitute or imply its endorsement, recommendation or favoring by  $
  $ CIAC, the University of California, or the United States Government.$
  $-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$-$
Table of Contents
==========================
FEATURE ARTICLES
  Public Telnet Services
  Securing X Windows
  Merlin Beta Released
MACINTOSH & PC USER ARTICLES
  Microsoft Word Macro Viruses
  Allegations of Inappropriate Data Collection in Win95
CIAC INFORMATION
  Who Is CIAC?
  Contacting CIAC
==========================
FEATURE ARTICLES
------------------------------------------
Public Telnet Services
by
Marvin Christensen
Intruders do not always have to exploit a vulnerability to breach
security. It may be possible for the intruder to use available system
services to achieve their objective.
Intruders are using public, non-passworded accounts to hide their
tracks. During one investigation, an intruder was back-tracked through
five systems before he was lost. Even though the services the intruder
used were not used for their intended purpose, prosecution of the
intruder would be very difficult.
The Problem
While library information systems are the most common type of system
to make use of local telnet clients, other systems use telnet for
similar capabilities. Library systems use telnet to allow the internet
library patron to connect to other library services on the net
(i.e. "Press 1 to connect to the Big University Over There's library
system").  The Internet's library information systems form a large
interconnected web of their own.  A given library system may have
pointers to dozens of other systems. Connections to target library
systems are usually implemented using telnet clients.
In attempting to prevent people from connecting to their site only to
connect out again to another site, system administrators assume that all
incoming connections are telnet sessions. Outgoing telnet connections
using a local telnet client are directed to a preselected destination
host (and optionally, port).
What the designers of these systems have missed is that many modern
telnet clients allow the user to change environment variables. By
changing the environment intruders can obtain a command prompt at the
remote telnet client with user privileges. Once they have the
attention of the remote client they can issue an open to any reachable
host and port.  Intruders can chain the connection through several
systems by changing the environment at each connection.
Assessment
CIAC considers this a serious problem that will become even more
serious when it becomes common knowledge that these library information
systems can be used to hide the intruder's origin. System hiding
techniques are often used by persons who conduct unauthorized and/or
illegal activity.
Do not use a fully functional telnet client on systems that permit
public access. The telnet client should be modified to not allow
the user to enter the command prompt or telnet command prompt.
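The restricted gateway the article calls for can be approximated without rebuilding the client. The following Python wrapper is an added example, not CIAC code and not part of any library product: it assumes a BSD/netkit-style telnet binary at /usr/bin/telnet that accepts -E (stop any character from being recognized as an escape character), and the menu entries and hostnames are constructed. It maps a menu choice to a fixed host and port taken only from its own table, scrubs the inherited environment, and execs the client, so the patron never reaches the telnet> prompt where open, environ or a shell escape could be issued. It does not replace the article's recommendation of a modified client; it removes the two avenues the article names, the command prompt and the telnet command prompt.

```python
"""Restricted telnet gateway wrapper (added example, not CIAC code).

Hardens a public-access telnet gateway the way the article suggests:
the user picks a destination from a fixed menu, the destination host and
port come only from the table below, the telnet client is started with a
scrubbed environment and with escape-character recognition disabled.
Assumes a BSD/netkit-style telnet binary that accepts '-E'.
"""
import os
import sys

# Constructed sample catalogue: menu number -> (host, port).
# A real library gateway would list its peer systems here.
CATALOGUE = {
    "1": ("library-a.example.org", 23),
    "2": ("library-b.example.org", 23),
    "3": ("catalog.example.net", 2300),
}

TELNET = "/usr/bin/telnet"  # assumed path to the telnet client

# Minimal, fixed environment: nothing is inherited from the login session,
# so no user-controlled variable reaches the client or the remote side.
FIXED_ENV = {"PATH": "/usr/bin:/bin", "TERM": "vt100"}


def build_command(selection, catalogue=CATALOGUE):
    """Map a menu selection to the exact argv and environment to exec.

    Returns (argv, env), or None if the selection is not a catalogue key.
    The user's text is only ever used as a dictionary key, never spliced
    into the command line, so extra options or hosts cannot be injected.
    """
    entry = catalogue.get(selection.strip())
    if entry is None:
        return None
    host, port = entry
    # '-E' disables the escape character, which is how a user would
    # otherwise reach the 'telnet>' prompt (open, environ, '!' shell escape).
    argv = [TELNET, "-E", host, str(port)]
    return argv, dict(FIXED_ENV)


def main():
    print("Public gateway. Choose a destination:")
    for key, (host, port) in sorted(CATALOGUE.items()):
        print("  %s) %s port %d" % (key, host, port))
    for _ in range(3):  # a few attempts, then the session ends
        try:
            choice = input("Selection: ")
        except EOFError:
            break
        cmd = build_command(choice)
        if cmd is not None:
            argv, env = cmd
            os.execve(argv[0], argv, env)  # replaces this process
        print("Not a valid selection.")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Install it as the login shell (or the menu action) of the public account; because the wrapper execs the client, there is no shell left behind to return to when the remote session closes.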
------------------------------------------
Securing X Windows
CIAC has added the document "Securing X Windows" to its 2300 series
document collection.
X Windows enjoys great popularity with users, in a variety of
environments. Its client/server model of application management allows
for powerful, flexible interaction between users and computers.
Unfortunately, this power comes at the cost of security. X Windows, if
not managed properly, can create a serious vulnerability. This paper
explores many of the security problems and solutions in X Windows.
You can find "Securing X Windows" at:
  http://ciac.llnl.gov/ciac/documents/ciac2316.html
  ftp://ciac.llnl.gov/pub/ciac/ciacdocs/ciac2316.txt
------------------------------------------
Merlin Beta Released
CIAC announces the public release of the Merlin beta! Merlin, an
exciting new UNIX tool, adds an easy-to-use graphical interface to
several popular security tools, including Tiger, Tripwire, COPS,
Crack, and SPI. The graphical interface simplifies and extends the
capabilities of these security tools.
Here are some of Merlin's features:
. Standard support for several popular security analysis tools: Comes
  with support for COPS 1.04, TAMU Tiger 2.2.3, Crack 4.1, and
  Tripwire 1.2 (SPI 3.2.2 is available for DOE, DOD and their
  contractors).
. A powerful report browser: Provides the ability to sort reports
  based on the type of tool used, the creation date, or the host where
  the report is produced. Each report has been HTML-enhanced to improve
  readability.
. Plug-and-play style of tool support: Can be easily extended to
  support any command-line oriented tool which sends information to the
  standard output. All code is written in Perl and is designed for easy
  extendability.
. Utilization of Netscape: Provides a well-known interface and
  close integration with the vast information resources available via
  the Internet.
To obtain the latest release of Merlin, visit http://ciac.llnl.gov.
=============================
MACINTOSH & PC USER ARTICLES
------------------------------------------
Microsoft Word Macro Viruses
by
William J. Orvis
Macro viruses, that's right, it's plural now. Currently at least two
macro viruses in the wild infect Microsoft Word documents; the
WinWord.Concept (Word Prank) and WordMacro.Nuclear viruses. Both of
these viruses infect document files for Microsoft Word version 6 or
later on any platform. The viruses don't overwrite a document, but
attach a macro program to the document that is loaded and run when the
document is loaded. These first two viruses are not particularly
damaging, but could easily have been so.
Microsoft Word version 6 and later have a macro capability known as
WordBasic (for more information, choose the Programming with Microsoft
Word section in the Word Help Contents). WordBasic is essentially the
Basic programming language with extensions to make it easy to access
the contents of open documents. WordBasic was intended to be used to
perform special editing and formatting tasks that were not part of
Word's built-in command set. A publisher I know uses WordBasic to
initialize a writer's document, insert standard headers and footers,
and set the default formatting.  Most Word users don't even know they
have it, but it is available in all the current versions. If you are
using a version of Word that does not have WordBasic, you are not at
risk. To see if you have WordBasic, see if a Macro command exists on
the Tools menu. If so, then you have WordBasic.
Like most macro capabilities, WordBasic has the capability of creating
auto execute (AutoExec), auto open (AutoOpen), and auto close
(AutoClose) macros, which are the mechanisms the viruses use to take
control of a computer and install themselves. An auto execute macro is
one that automatically runs every time you start Word. The auto open
and auto close macros run whenever you open or close the document they
are attached to.  When you open an infected document, its auto open
macro runs and installs an auto execute macro in your global macro
file (normal.dot). Once that is done, the virus code is executed every
time you start up Word. The virus code then writes copies of itself
onto every document you save with Word.
WordBasic is an interpreted language, that is, the programs are
written in text form, which are read and executed whenever the program
is run. This facility makes the code and the virus independent of the
platform they are running on. The virus does not have to be written in
machine language, but runs on any machine with a WordBasic
interpreter. Thus, the viruses run equally well on a Macintosh, or any
machine running Windows or Windows NT.
WinWord.Concept (Word Prank)
This is the first virus discovered of this type. It does nothing but
replicate itself. You can detect the virus the first time it executes,
because a dialog box appears containing the single digit 1. After the
first infection, you can detect an infection by looking for the
following line in the WINWORD6.INI file in the WINDOWS directory.
WW6I=1
Microsoft has made a disinfector available to detect and remove this
virus from a system and from infected documents. The disinfector is a
document named scan831.doc. It is available directly from Microsoft
at:
. The Microsoft World Wide Web site at http://www.microsoft.com/msoffice
. The Microsoft Network MSN(tm) using go word: wordprankfix
. The Word forums on other on-line services such as CompuServe(C) and
  America Online(C)
. Customers can also get the tool by calling Microsoft's Product
  Support Services at 206-462-9673 for Word for Windows, and
  206-635-7200 for Word for the Macintosh.
. On the CIAC archive, at http://ciac.llnl.gov
To use scan831.doc, simply open it with Word. As soon as it is opened,
it inoculates your system against the virus and cleans any infected
documents as you save them. It also contains a procedure called
CleanAll, which can be used to check and clean individual files or
whole directories of files.
WordMacro.Nuclear
The WordMacro.Nuclear virus is similar in operation to the
WinWord.Concept virus in how it infects files, but contains an
additional payload. This virus contains a dropper for a DOS virus, as
well as the document infector, and if the date is April 5th, it
deletes command.com.
You can detect the virus by listing the macros installed in Word,
using the Tools Macros command. In the Macro dialog box that appears,
make sure that the Macros Available In: box is set to: All Active
Templates. If all the macros in the following list are listed in the
Macro Name list, you probably have the virus. If only some are there,
you probably don't.
AutoExec
AutoOpen
DropSuriv
FileExit
FilePrint
FilePrintDefault
FileSaveAs
InsertPayload
Payload
You can also detect the virus when printing a document during the last
5 seconds of any minute. If you do, the following text appears at the
top of the printed page.
"And finally I would like to say:"
"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"
It is not known at this time if scan831.doc will protect or remove
this virus. To install some protection by hand, create an AutoExec
macro in your normal.dot file. It does not have to do anything, it
just has to be there.  If the virus finds this macro already in the
normal.dot file it does not infect a machine.
To clean documents and normal.dot by hand, you must delete all the
macros in the above list from the document's and from normal.dot's
macro list.  Note again that all of the macros in the above list must
be present for the virus to work. If only some are present, they
likely came from some other source, for example, scan831.doc installs
a Payload and an AutoClose macro in your normal.dot template, which
you don't want to delete.  To delete a macro from a file, open the
file and select the Tools Macro command. On the Macro dialog box,
click the Organizer button. On the Organizer dialog box, click the
Macros tab and you will see two lists. One is usually set to the
normal.dot file and the other is available. Click on a macro name and
click Delete to remove it. To open another file to clean it, click
Open File to select and open the file, then delete any macros.
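As an added example (not code from the article, CIAC or Microsoft), the following Python script applies the two detection rules above to data you collect by hand: the macro names shown in the Tools Macro dialog with Macros Available In set to All Active Templates, and the text of WINWORD6.INI. The macro lists and the INI fragment in it are constructed samples. It encodes the caveat that only the complete Nuclear set counts, so the Payload and AutoClose macros left by scan831.doc do not trigger it; the case-insensitive name comparison and the tolerant INI parsing are the example's own choices, not something the article specifies.

```python
"""Indicator checks for the two Word macro viruses the article describes.

Added example, not CIAC or Microsoft code. It works on data gathered by
hand: the macro names Word lists in Tools > Macro (All Active Templates),
and the text of WINWORD6.INI from the WINDOWS directory.
"""

# Complete macro set of WordMacro.Nuclear, as listed in the article.
NUCLEAR_MACROS = frozenset([
    "AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
    "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload",
])

# Macros scan831.doc installs in normal.dot on its own; they overlap the
# Nuclear set (Payload) but are not an infection indicator by themselves.
SCAN831_MACROS = frozenset(["Payload", "AutoClose"])


def nuclear_verdict(macro_names):
    """Apply the article's rule: only the complete set indicates Nuclear.

    Returns (infected, missing) where `missing` lists the Nuclear macros
    that are absent. Names are compared case-insensitively because the
    Word dialog and hand-typed lists vary in capitalisation.
    """
    present = {name.strip().lower() for name in macro_names}
    missing = sorted(m for m in NUCLEAR_MACROS if m.lower() not in present)
    return (not missing, missing)


def macros_to_delete(macro_names):
    """Names to remove with the Organizer when the verdict is positive.

    Deliberately returns nothing on a partial match: a partial set most
    likely came from elsewhere (for example scan831.doc's Payload and
    AutoClose) and deleting it would remove that protection.
    """
    infected, _ = nuclear_verdict(macro_names)
    return sorted(NUCLEAR_MACROS) if infected else []


def concept_marker_present(ini_text):
    """True if WINWORD6.INI carries the WW6I=1 line WinWord.Concept leaves.

    Parses line by line, tolerating spaces around '=' and mixed case,
    and skipping comments and section headers.
    """
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == "WW6I" and value.strip() == "1":
            return True
    return False


# Constructed samples (not captured from a real infection).
SAMPLE_INFECTED_MACROS = [
    "AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
    "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload",
]
SAMPLE_SCAN831_ONLY = ["AutoClose", "Payload"]
SAMPLE_INI = r"""; constructed WINWORD6.INI fragment
[Microsoft Word]
USER-DOT-PATH=C:\MSOFFICE\WINWORD\TEMPLATE
WW6I = 1
"""

if __name__ == "__main__":
    for label, names in (("infected", SAMPLE_INFECTED_MACROS),
                         ("scan831 only", SAMPLE_SCAN831_ONLY)):
        infected, missing = nuclear_verdict(names)
        print("%s: nuclear=%s missing=%s delete=%s"
              % (label, infected, missing, macros_to_delete(names)))
    print("Concept marker in INI:", concept_marker_present(SAMPLE_INI))
```

Run it with the macro names from each document you check and normal.dot in turn; the Organizer deletion step in the article is only warranted when `macros_to_delete` returns the full list.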
Other Concerns
Most popular packages have a macro capability, and thus are at risk to
new viruses of this type. Spreadsheets, project managers, database
managers and word processors all have a built-in macro capability. If
you have these utilities and are not using the macros, it would
probably be a good idea to disable the auto-execute capabilities if
possible.
For example, in Word for Windows, holding Shift when starting the
program or opening a file disables any autoexecute macros that would
have been started by that action. To permanently disable auto-execute
macros, add /mDisableAutoMacros to the winword startup line. Select
the Word icon in the Program Manager, select File Properties, and in
the Program Item Properties dialog box, add the flag
/mDisableAutoMacros to the right of the text in the Command Line box,
so it reads something like the following (Note that the path to
winword.exe may be different on your machine.)
C:\MSOFFICE\WINWORD\WINWORD.EXE /MDISABLEAUTOMACROS
The next time you start Word, all auto-execute macros will be
disabled, including those in the scan831.doc file. To use auto-execute
macros again, you must remove the flag you just added.
------------------------------------------
Allegations of Inappropriate Data Collection in Win95
by
William J. Orvis
Over the last couple of months, allegations have been made in several
Internet newsgroups, that Microsoft was collecting information about a
user's files and directories without the user's consent. This collection
supposedly occurred when the user registered Win95 or connected to the
Microsoft Network (MSN).  Note that we have not detected any
unauthorized transmission of information.  In the May 22, 1995 edition
of Information Week (p. 88), an article in the In Short column on
software piracy said:
"Microsoft officials confirm that beta versions of Windows 95 include
a small viral routine called Registration Wizard. It interrogates
every system on a network gathering intelligence on what software is
being run on which machine.  It then creates a complete listing of
both Microsoft's and competitors' products by machine, which it
reports to Microsoft when customers sign up for Microsoft's Network
Services, due for launch later this year. Customers must actively
disable the routine if they don't want it to run."
Later posts to some Internet news groups included a copy of the
Information Week article plus the following:
    "An update on this. A friend of mine got hold of the beta test CD
    of Win95, and set up a packet sniffer between his serial port and
    the modem. When you try out the free demo time on The Microsoft
    Network, it transmits your entire directory structure in
    background. ..."
The official response from Microsoft in the WinNews Electronic
Newsletter (Vol. 2, #8, June 5, 1995) is as follows:
    REDMOND, Washington - May 30, 1995
        Microsoft today responds to customer confusion
    with the on-line registration option of Windows 95.
    Microsoft reassures customers the on-line registration
    feature preserves user privacy.  The confusion began
    last week when an industry publication incorrectly
    reported that the on-line registration option sent
    information on customers' computer systems to Microsoft
    without consent.  This article, and several subsequent
    posts on the Internet, alleging the unauthorized query
    and sending of customer information, are not accurate.
    In fact, the on-line registration option is simply an
    electronic version of the paper-based registration card
    that will ship in the Windows 95 product box.  Similar
    to many paper-based registration cards, on-line
    registration is completely optional and allows customers
    to provide their system information for product support
    and marketing purposes.
        The on-line registration option in Windows 95
    provides a more convenient and accurate method for
    registering than the paper-based card that comes in the
    product box.  This is because the information is gathered
    directly from the local computer rather than requiring
    the user to guess their system information, and then type
    it and send via a separate card.
        The on-line registration process uses three steps
    to register customers.  Customers are asked to provide
    information such as Customer Name, Company Name, Address
    and Phone Number.  Customers are then presented the option
    of providing information about their computer system's
    configuration.  A screen displays a list of the computer
    system's configuration information - such as the processor
    type, amount of RAM and hard disk space, and hardware
    peripherals such as network card, CD-ROM drive, and sound
    card.  This information is gathered by the registration
    program which queries the system registry of the local
    computer.  Customers must review and explicitly choose to
    provide the information or it is not sent.  Customers are
    then presented with a list of application programs that
    reside on the local computer and asked if they would like
    to provide this information as well.  The list of
    products is gathered by the registration program which
    looks for a list of programs on the local hard disk.
    The user must again explicitly choose to provide this
    information as part of the registration process or it is
    not sent.
        Once the user chooses to send the information, the
    registration process is completed by sending the
    registration information to Microsoft.  On-line
    registration uses the transport of the Microsoft Network
    to send the information.  The customer does not have to be
    a Microsoft Network subscriber to register on-line, and
    once registered, the customer is not a Microsoft Network
    subscriber.  Registering Windows 95 is a separate process
    from signing up for the Microsoft Network.  Contrary to
    reports, the on-line registration feature does not query
    serial numbers or product registration information
    designed to fight software piracy.  It also does not query
    computers on the local or wide-area network.  For a list
    of the exact information gathered by on-line registration,
    the user can view the REGINFO.TXT file found in the
    C:\WINDOWS directory of the local computer.
        The on-line registration feature of Windows 95 is
    an option for customers that makes registering Windows 95
    more accurate and convenient.  Providing computer-
    specific configuration information is strictly up to the
    customer.  The registration information helps Microsoft
    build better products, as well as offer customers better
    information on their programs and better product support.
To check these allegations, CIAC built a serial packet sniffer to
examine the message traffic between Win95 and Microsoft. Using this
sniffer and the released version of Win 95, we examined the message
traffic during Win95 registration, MSN registration, and MSN use. At
no time did we see any unauthorized transmission of
information. Everything we saw supported the claims in Microsoft's
response.
During the Win95 product registration, the Registration Wizard does
collect information about your hardware and software, but it asks you
if it can send that information to Microsoft before actually doing
so. If you answer No, the information is not sent. The information
actually sent to Microsoft during registration of the Win95 product is
contained in the file reginfo.txt in the windows directory. Examine
this file after completing the registration process to see what
information was sent to Microsoft.
During registration and use of the MSN network, nothing suspicious was
sent to Microsoft. We did note that the credit card number you must
specify to pay for your connection to MSN is sent in the
clear. However, you should realize that this is no more risky than
giving your credit card number over the phone to any other company
whose products you want to buy.
Many applications register themselves over the network whenever you
start them up, so the risk is there that an application running on a
networked machine could send inappropriately obtained information to
some other site. While this could be done, it is unlikely that a large
company would take the risk, because the damage to a company's
reputation (not to mention legal action) would be severe.
==========================
CIAC INFORMATION
-----------------------------------
Who is CIAC?
CIAC is the U.S. Department of Energy's Computer Incident Advisory
Capability. Established in 1989, shortly after the Internet Worm, CIAC
provides various computer security services free of charge to
employees and contractors of the DOE, such as:
    . Incident Handling Consulting
    . Computer Security Information
    . On-site Workshops
    . White-hat Audits
CIAC is located at Lawrence Livermore National Laboratory in
Livermore, California, and is a part of its Computer Security
Technology Center. Further information can be found at CIAC. CIAC is
also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster
cooperation and coordination among computer security teams
worldwide. See FIRST for more details (http://www.first.org/first/).
CIAC services are available for a fee to other Federal civilian agencies.
Contact Nancy Adair in the DOE Oakland Operation Office 510-637-1741.
-----------------------------------
CIAC can be contacted at:
    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov
For emergencies and off-hour assistance, DOE and DOE contractor sites may
contact CIAC 24 hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.
Previous CIAC notices, anti-virus software, pgp public key, and other
information are available from the CIAC Computer Security Archive.
   World Wide Web:  http://ciac.llnl.gov/
   Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
   Modem access:    (510) 423-4753 (14.4K baud)
                    (510) 423-3331 (14.4K baud)
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe
(add yourself) to one of our mailing lists, send the following request as
the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE
or SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending E-mail to ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
-------------------------------------------------------------------
This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
--------------------------------------------------------------------
End of CIAC Notes Number 95-12 95_09_25