
VMS Sysman Trojan Additional

          _____________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                          Information Bulletin
 
         Additional Information about the SYSMAN.EXE Trojan Horse
 
November 15, 1991, 1530 PDT                                  Number C-7

_________________________________________________________________________
PROBLEM: A trojan horse program disguised as SYSMAN.EXE
PLATFORM: VMS systems
DAMAGE: Allows non-privileged users to gain full privileges; unauthorized
  changes to critical system files.
DIAGNOSIS: Scan SYS$LIBRARY for executable called OBJ.EXE or check for
  modification of length of SYSMAN.EXE file.
SOLUTION: If SYSMAN.EXE trojan is found a complete re-install of VMS
  is recommended.
_________________________________________________________________________
              Critical Facts about SYSMAN.EXE Trojan Horse 

In Bulletin C-5 we provided information about the SYSMAN.EXE trojan
horse program found in several VMS systems.  We have completed
analyzing this program, and now have additional information.

All affected systems identified to date are systems connected to the
European DECnet.  To the best of our knowledge, no systems in the DOE
or ESnet community have been implanted with this bogus program.  In
addition, we have not received any direct reports of any systems in the
U.S.A. that were affected by this trojan horse program.

The purpose of the SYSMAN.EXE trojan is to grant full privileges to a
non-privileged account. However, this trojan will only grant full
privileges when a particular key string is provided in a certain manner.
It is extremely unlikely that non-privileged users who do not possess
both the key string and the method of supplying it could use this trojan
to gain privileges.  Since this trojan can only be used to escalate
privileges, the intruder appears to assume that re-entry into a
non-privileged account in the future is possible.

The SYSMAN.EXE trojan appears to be manually planted by the intruder in
two steps; the intruder renames the SYS$SYSTEM:SYSMAN.EXE image to
SYS$LIBRARY:OBJ.EXE and then inserts the trojan SYSMAN.EXE into
SYS$SYSTEM.  Since installing this trojan requires full privileges, the
intruder must have either breached a privileged account or breached a
non-privileged account and escalated privileges in some manner.

Signs that a VMS system has been compromised by installation of this
trojan are the existence of SYS$LIBRARY:OBJ.EXE, the length of
SYS$SYSTEM:SYSMAN.EXE being 166 blocks, and
"$ ANALYZE/IMAGE SYS$SYSTEM:SYSMAN.EXE" showing an "image name" of "VA6"
in the "Image Identification Information" section. To confirm the
existence of the trojan, log into a non-privileged account and execute
the following three DCL commands:

       $ delete/symbol obfj
       Ignore the "%DCL-W-UNDSYM" error
       $ run sys$system:sysman
       Ignore the "%SYSMAN-F-NOOPER" error
       $ show symbol obfj
 
If the symbol OBFJ is defined as "$SYS$LIBRARY:OBJ.EXE", the VMS system
contains the SYSMAN.EXE trojan horse. If instead you get a
"%DCL-W-UNDSYM" error, the SYSMAN.EXE trojan is not installed.
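The four indicators above can be gathered in one DCL command procedure.
The procedure below is an added example, not part of the CIAC bulletin;
it assumes a VMS system with the standard DCL lexical functions and
should be run from a non-privileged account, as the bulletin's symbol
test requires.

```dcl
$! SYSMAN_CHECK.COM -- added example; checks the CIAC C-7 indicators.
$! Run from a NON-privileged account so the symbol test matches the
$! bulletin's procedure (SYSMAN itself fails with %SYSMAN-F-NOOPER).
$ on warning then continue
$ found = 0
$!
$! Indicator 1: the renamed original image left at SYS$LIBRARY:OBJ.EXE
$ if f$search("SYS$LIBRARY:OBJ.EXE") .nes. ""
$ then
$     write sys$output "SUSPECT: SYS$LIBRARY:OBJ.EXE exists"
$     found = 1
$ endif
$!
$! Indicator 2: SYS$SYSTEM:SYSMAN.EXE is 166 blocks long (trojan size)
$ blocks = f$file_attributes("SYS$SYSTEM:SYSMAN.EXE", "EOF")
$ if blocks .eq. 166
$ then
$     write sys$output "SUSPECT: SYS$SYSTEM:SYSMAN.EXE is 166 blocks"
$     found = 1
$ endif
$!
$! Indicator 3: ANALYZE/IMAGE reports an image name of "VA6"
$ analyze/image/output=SYS$SCRATCH:SYSMAN_ANALYZE.TMP SYS$SYSTEM:SYSMAN.EXE
$ search/nooutput SYS$SCRATCH:SYSMAN_ANALYZE.TMP "VA6"
$ if $severity .eq. 1
$ then
$     write sys$output "SUSPECT: image name VA6 found by ANALYZE/IMAGE"
$     found = 1
$ endif
$ delete/nolog SYS$SCRATCH:SYSMAN_ANALYZE.TMP;*
$!
$! Indicator 4: the bulletin's symbol test; f$type avoids the
$! %DCL-W-UNDSYM error when OBFJ is not yet defined
$ if f$type(obfj) .nes. "" then delete/symbol obfj
$ run SYS$SYSTEM:SYSMAN
$ if f$type(obfj) .nes. ""
$ then
$     write sys$output "TROJAN CONFIRMED: OBFJ = ''obfj'"
$     found = 1
$ endif
$!
$ if found then write sys$output "Follow the recovery procedure in CIAC C-7"
$ if .not. found then write sys$output "No SYSMAN.EXE trojan indicators found"
$ exit
```

Indicators 1 through 3 only raise suspicion; the bulletin treats the
OBFJ symbol being set to "$SYS$LIBRARY:OBJ.EXE" as the confirming sign.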

Because installation of the SYSMAN.EXE trojan requires the intruder(s)
to gain system privileges, CIAC strongly recommends that as a recovery
procedure you do a complete re-install of VMS and all software
installed with privilege or run under privileged accounts. This should
be followed by carefully examining all security features and carefully
screening all accounts, including changing the passwords of all
accounts.

We also request that if you find the SYSMAN.EXE trojan horse, you save
the trojan SYSMAN.EXE image and send a copy of this image to CIAC for
further analysis.

In cases in which circumstances require the VMS system to continue
running uninterrupted for a short period of time, the following
sanitization procedure will remove the SYSMAN.EXE trojan:

     $ rename sys$system:sysman.exe sys$manager:sysman.exe-trojan
     $ set prot=(s:rwed,o:rwed,g,w) sys$manager:sysman.exe-trojan

and finally:

     $ rename sys$library:obj.exe sys$system:sysman.exe

or, better yet:

     $ delete sys$library:obj.exe;*
     (restore sys$system:sysman.exe from trusted distribution media)

For additional information or assistance, please contact CIAC:

     Hal Brand
     (510)422-6312** or (FTS) 532-6312
     brand@addvax.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at 

     (510) 422-8193**/(FTS) 532-8193.

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

PLEASE NOTE:  Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response team,
DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

The assistance of several users in providing copies of the SYSMAN.EXE
trojan horse is appreciated.  Neither the United States Government nor
the University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights.  Reference herein to any
specific commercial products, process, or service by trade name,
trademark manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government nor the University of
California, and shall not be used for advertising or product
endorsement purposes.

