
        _____________________________________________________

             The Computer Incident Advisory Capability

                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___

        _____________________________________________________

                         Information Bulletin

        Detection/Eradication Procedures for VMSCRTL.EXE Trojan Horse

November 21, 1990, 1100 PST                                 Number B-8

__________________________________________________________________________

PROBLEM:  Detection of trojan horse and recovery procedures
PLATFORM: VAX/VMS (all versions)
DAMAGE:  Gives unauthorized privileged access to system if trojan
  horse is implanted in system by intruders who have already obtained
  privileged status
DETECTION:  Several methods (described herein), of which finding
  VMSCRTL.EXE in SYS$LIBRARY is the fastest
__________________________________________________________________________

                     Critical Trojan Horse Facts

In bulletin B-6 CIAC warned of a new pattern of intrusions into VMS
systems.  Part of this pattern is placing a file named VMSCRTL.EXE into
SYS$LIBRARY.  CIAC has determined that this file contains a trojan
horse program.  VMSCRTL.EXE also provides a means for the attackers to
gain full privileges from a non-privileged account if this file has
been installed with the CMKRNL privilege.  The presence of VMSCRTL.EXE
in SYS$LIBRARY indicates that a VMS system has been compromised and
that the attackers have been able to gain full privileges.



The trojan horse behaviors of VMSCRTL.EXE are:

1.      Copies itself to SYS$LIBRARY:VMSCRTL.EXE

2.      Creates the file SYS$STARTUP:DECW$INSTALL_LAT.COM.  This file
contains a standard DEC copyright notice and a DCL command to install
SYS$LIBRARY:VMSCRTL.EXE with CMKRNL privilege.

3.      Modifies the file SYS$STARTUP:VMS$LAYERED.DAT to include the
execution of SYS$STARTUP:DECW$INSTALL_LAT.COM as part of the VMS boot
procedure.

4.      Exits with a (falsified) CLI error message while returning a
status of SYS$NORMAL



The "tracks" left behind by the execution of VMSCRTL.EXE are fairly obvious:

1.      The presence of SYS$LIBRARY:VMSCRTL.EXE

2.      The presence of SYS$STARTUP:DECW$INSTALL_LAT.COM

3.      The file SYS$STARTUP:VMS$LAYERED.DAT will have its MODIFIED
date changed to reflect the time at which VMSCRTL.EXE was run.  Use the
DCL command "$ DIRECTORY/FULL SYS$STARTUP:VMS$LAYERED.DAT" or
"$ DIRECTORY/DATE=MODIFIED SYS$STARTUP:VMS$LAYERED.DAT" to determine the
modification date.  Note that this evidence will be destroyed if any
subsequent modifications or listings of SYS$STARTUP:VMS$LAYERED.DAT are
made via the STARTUP command to SYSMAN.

4.      The DCL command "$ MCR SYSMAN STARTUP FILE" will list
DECW$INSTALL_LAT.COM as one of the startup files.  Note that executing
this command will change the modification date of
SYS$STARTUP:VMS$LAYERED.DAT.  Be sure, therefore, to do this check after
checking the MODIFIED date as prescribed above.

5.      If the infected system has been rebooted since VMSCRTL.EXE was
run, the DCL command "$ MCR INSTALL /LIST" will reveal that
SYS$LIBRARY:VMSCRTL.EXE is installed with privilege.  A full list of
this installed image will show it is installed with CMKRNL.

 

DETECTION

The presence of the file SYS$LIBRARY:VMSCRTL.EXE is definite
confirmation that this trojan horse is present.  Additional
confirmatory evidence includes:

1.      The presence of the file SYS$STARTUP:DECW$INSTALL_LAT.COM

2.      Modification to the SYSMAN STARTUP database file to include the
execution of SYS$STARTUP:DECW$INSTALL_LAT.COM

A search string that can be used to identify VMSCRTL.EXE regardless of
the file's name is "%VCR".  For example, to search your entire system
disk you might enter:

        $ SEARCH SYS$SYSDEVICE:[*...]*.* "%VCR"/WINDOW=1

If VMSCRTL.EXE is detected in a non-system directory, it is likely that
the attackers have penetrated a non-privileged account but have not yet
been able to gain full privileges.
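The checks above, gathered into one DCL command procedure that runs them in an order that preserves the VMS$LAYERED.DAT timestamp evidence (an added example, not part of the CIAC bulletin). It assumes the STARTUP SHOW FILE form of the SYSMAN listing command, temporary files in SYS$SCRATCH, and that INSTALL LIST /FULL prints the privilege name for a privileged image.

```dcl
$! Added example, not from the CIAC bulletin.  Run from a privileged
$! account:  $ @CHECK_VMSCRTL.COM
$ SET NOON                      ! keep going when a check reports an error
$ hits = 0
$!
$! 1. The trojan image itself: definite confirmation of compromise.
$ IF F$SEARCH("SYS$LIBRARY:VMSCRTL.EXE") .NES. ""
$ THEN
$   WRITE SYS$OUTPUT "ALERT: SYS$LIBRARY:VMSCRTL.EXE exists"
$   hits = hits + 1
$ ENDIF
$!
$! 2. The bogus startup procedure that installs it with CMKRNL.
$ IF F$SEARCH("SYS$STARTUP:DECW$INSTALL_LAT.COM") .NES. ""
$ THEN
$   WRITE SYS$OUTPUT "ALERT: SYS$STARTUP:DECW$INSTALL_LAT.COM exists"
$   hits = hits + 1
$ ENDIF
$!
$! 3. Record the revision (MODIFIED) date of the SYSMAN startup database
$!    BEFORE any SYSMAN STARTUP command rewrites it and destroys the evidence.
$ rdt = F$FILE_ATTRIBUTES("SYS$STARTUP:VMS$LAYERED.DAT", "RDT")
$ WRITE SYS$OUTPUT "VMS$LAYERED.DAT last modified: ''rdt'"
$!
$! 4. Only now ask SYSMAN whether its startup database lists the bogus file.
$!    (Assumed command form: STARTUP SHOW FILE; scratch file name is ours.)
$ DEFINE /USER_MODE SYS$OUTPUT SYS$SCRATCH:STARTUP_FILES.TMP
$ MCR SYSMAN STARTUP SHOW FILE
$ SEARCH SYS$SCRATCH:STARTUP_FILES.TMP "DECW$INSTALL_LAT"
$ IF $SEVERITY .EQ. 1 THEN hits = hits + 1   ! SEARCH succeeds only on a match
$ DELETE SYS$SCRATCH:STARTUP_FILES.TMP;*
$!
$! 5. After a reboot the image will be installed with CMKRNL.
$ DEFINE /USER_MODE SYS$OUTPUT SYS$SCRATCH:INSTALL_LIST.TMP
$ MCR INSTALL LIST SYS$LIBRARY:VMSCRTL.EXE /FULL
$ SEARCH SYS$SCRATCH:INSTALL_LIST.TMP "CMKRNL"
$ IF $SEVERITY .EQ. 1 THEN hits = hits + 1
$ DELETE SYS$SCRATCH:INSTALL_LIST.TMP;*
$!
$! 6. Renamed copies: the "%VCR" string identifies the image under any name.
$ SEARCH SYS$SYSDEVICE:[*...]*.* "%VCR" /WINDOW=1
$!
$ IF hits .EQ. 0 THEN WRITE SYS$OUTPUT "No VMSCRTL.EXE indicators found"
$ IF hits .GT. 0 THEN WRITE SYS$OUTPUT "''hits' indicator(s) found - follow the recovery procedure"
$ EXIT
```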



MINIMAL RECOVERY PROCEDURE

If you have detected VMSCRTL.EXE in SYS$LIBRARY, the VMS system has
been compromised by attackers who were able to gain full privileges.
(If these attackers are able to reenter the system, they will again be
able to gain full privileges.)  The minimal recovery procedure
described below is provided only as a quick, short-term, "stop gap"
measure.  (The possibility that other damage to the compromised VMS
system was done by the attackers is large--we therefore recommend that
when time permits the full recovery procedure be implemented.)  The
minimal recovery procedure is:

1.      Use INSTALL to remove SYS$LIBRARY:VMSCRTL.EXE with the
command:  "$ MCR INSTALL SYS$LIBRARY:VMSCRTL.EXE/DELETE"

Note: It is possible that VMSCRTL.EXE is not installed (yet) and so
this command may produce the appropriate error message.

2.      Remove the startup entry SYS$STARTUP:DECW$INSTALL_LAT.COM from
SYSMAN's database with the command:  "$ MCR SYSMAN STARTUP REMOVE FILE
SYS$STARTUP:DECW$INSTALL_LAT.COM"

3.      Delete the file SYS$LIBRARY:VMSCRTL.EXE and the file
SYS$STARTUP:DECW$INSTALL_LAT.COM

4.      Disable all inactive accounts using AUTHORIZE.  For example, to
disable an account named JONES, enter:

   $ SET DEF SYS$SYSTEM
   $ RUN AUTHORIZE
   UAF> MOD JONES/FLAGS=DISUSER
   UAF> EXIT

5.      Change the passwords on all active accounts.

6.      Review all entries in SYSUAF.DAT and make appropriate corrections.

7.      Review all SYSGEN parameters and make appropriate corrections.

8.      Review all system files for modifications occurring after the
penetration.  The following DCL command can prove very useful in this
endeavor:

                $ DIR/FULL/MODIFIED/SINCE="<actual penetration date>"

        For example, if the penetration date were October 31st, enter:

                $ DIR/FULL/MODIFIED/SINCE="31-OCT-1990"

 

FULL RECOVERY PROCEDURE

For the full recovery procedure, follow the complete VMS recovery
procedure given in the appendix to this bulletin.



For additional information or assistance, please contact CIAC

        Hal R. Brand
        (415) 422-6312 or (FTS) 532-6312

        or call (415) 422-8193 or (FTS) 532-8193

        send FAX messages to:  (415) 423-0913 or (FTS) 543-0913



Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                    COMPLETE VMS RECOVERY PROCEDURE

This recovery procedure should be applied to a compromised VMS system
whenever it can not be determined that the intruders failed to gain
system privilege.



1.      Get a hardcopy listing of your current SYSUAF.DAT.  If
SYSUAF.DAT contains an extremely large number of users, it will take
considerable time to restore all accounts (so it may be expedient to
save SYSUAF.DAT to tape or elsewhere so it can be restored, although we
do not generally recommend this procedure).

2.      Remove from all disks all executable code (including DCL
command procedures) run by privileged accounts.

3.      Initialize the system disk to remove all files.  (This is an
extreme step, but it is guaranteed to remove any damage done by the
intruder.)

4.      Install VMS and all layered products.

5.      Use AUTHORIZE to add only currently active accounts (or restore
the SYSUAF.DAT you saved).  If you restore SYSUAF.DAT you must
scrutinize it very carefully.  To restore SYSUAF.DAT is not generally
recommended.  It is better to re-create only the active accounts,
because this not only removes all dormant accounts, but also guarantees
elimination of bogus accounts and unauthorized modifications.

6.      Restore from TRUSTED backups all site specific files found on
the system disk.  In the event you do not have TRUSTED backups, we
recommend you re-create these files.

Note:  "Trusted backups" are defined as backups in which there is a
high degree of assurance that there were no unauthorized changes made
to any of the files before the backup was made.

7.      Restore from TRUSTED backups all files removed in step 2.  In
the event you do not have TRUSTED backups, we recommend that you
re-create these files.


