TUCoPS :: General Information :: ciaca3.txt

CIAC # A03 Tools available to check the spread of the "Wank" Worm

_______________________________________________________________________



THE COMPUTER INCIDENT ADVISORY CAPABILITY (CIAC) ADVISORY NOTICE

_______________________________________________________________________



    Tools available to check the spread of the "WANK" Worm





October 20, 1989 1130 PST                        Number A-3





Summary



This is a follow-up bulletin to the CIAC advisory notice A-2 dated

October 16, 1989, stating that the "WANK" worm is attacking HEPnet and

the NASA SPAN network on VAX/VMS systems connected via DECnet.  Our

latest information is that  approximately 60 to 70 systems, mostly at

non-DOE sites, have been  infected.  The rate at which this worm is

spreading seems to be slowing, although more detailed information about

the spread of this worm is not currently available.



CIAC now has additional information about the "WANK" computer worm

outbreak.  The worm targets VMS machines, and can only be propagated

via DECnet.  The worm exploits well known security holes within the

DECnet/VMS system in order to propagate itself.  However, most DOE

sites have not yet been affected.  In order to help prevent your site

>from becoming infected, we recommend that you follow procedures

described in this bulletin , and use a tool to check your VAX/VMS

systems for the same weaknesses the worm exploits.  We also are

providing you with a list of the worm symptoms, as well as a tool to

kill the worm if your systems become infected.



If your site is infected, or if you have any questions, please contact

CIAC.  CIAC phone numbers and addresses appear at the end of this

notice.



Advisory Notice



A computer worm written in DCL for DEC-VMS has been attacking the

HEPnet and the NASA  SPAN networks.  This worm can only be propagated

via DECnet.  The primary methods of attack include a brute force attack

on passwords as well as exploiting well known security vulnerabilities

of DECnet/VMS.  One vulnerability is the default DECnet account, which

is a facility for users who do not have a specific login ID for a

machine and want some degree of anonymous access. It uses the default

DECnet account to copy itself to a machine, and then uses the "TASK 0"

and Submit/Remote features of DECnet to invoke the remote copy.   Once

the worm has successfully penetrated a system, it will infect .COM

files and create new security vulnerabilities.  It then broadcasts

these vulnerabilities to another machine.  It may also damage files or

crash systems.



In our last memo we published an analysis of the worm by Kevin

Oberman.  That analysis contained a error that we would like to

correct.  In that notice we printed the quote:



4. Information on the password used to access the system is mailed to

the user GEMTOP on SPAN node 6.59. Some versions may have a different

address.



The actual user is "GEMPAK" not "GEMTOP".



Visible Symptoms



The following information is an extract from a report by John McMahon

on detecting the symptoms of the WANK worm.  This information was

compiled after a thorough analysis of copies of various versions  of

the WANK worm retrieved from different infected sites.  There are

indications that these copies were derived from three different

"starter" versions of the worm.  The worm is self-modifying, and may

also have been manually modified by others.  There may also be other

currently undetected versions of the worm with additional

capabilities.



Specifically, some or all of the following symptoms have been noted on

infected systems:



1) Account passwords have been changed without the knowledge of the

user, or the system manager.



2) Processes are running on your system with the process name NETW_nnnn

(where nnnn is a random number). Check this with the SHOW SYSTEM

command.



3) Command procedures/data file names starting with one or two letters

and up to a five digit number appear in the SYS$LOGIN: directory of an

account. Examples: C12345.COM, A7007.DAT.



   Note: Earlier reports that the file W.COM is created by the worm

   appear to be in error.  Any "anti-worm" procedure involving the

   creation of a blank W.COM;32767 will NOT stop the worm.



4) The SYS$ANNOUNCE message, prior to the USERNAME: login prompt, has

been

   redefined to the following WANK logo.

      W O R M S    A G A I N S T    N U C L E A R    K I L L E R S

    _______________________________________________________________

    \__  ____________  _____    ________    ____  ____   __  _____/

     \ \ \    /\    / /    / /\ \       | \ \  | |    | | / /    /

      \ \ \  /  \  / /    / /__\ \      | |\ \ | |    | |/ /    /

       \ \ \/ /\ \/ /    / ______ \     | | \ \| |    | |\ \   /

        \_\  /__\  /____/ /______\ \____| |__\ | |____| |_\ \_/

         \___________________________________________________/

          \                                                 /

           \    Your System Has Been Officically WANKed    /

            \_____________________________________________/



     You talk of times of peace for all, and then prepare for war.



5) The SYSTEM account can no longer receive mail.  The DISMAIL flag has

been set in SYSTEM's UAF record.



6) Users log into the system and report that all of their files have

been deleted while logging in.  The user observes many %DELETE-I-FILDEL

messages ,and DIRECTORY reports that no files are found.  The system

manager follows up on this report and finds the files are still there,

and that the system login procedure (SYLOGIN, SYS$SYLOGIN) has been

modified.

   Note: Earlier reports that the worm performs mass deletion of files

   appears to be in error.



7) Command procedures have been modified with code to reactivate the

FIELD account if the person running the procedure has SYSPRV.



8) A remote DECnet site contacts you about odd VAXPhone call messages

coming from your node.  The VAXPhone ring messages do not contain a

userid, but a strange "fortune cookie" saying.



   Note: the node id can be found in the NETSERVER.LOG files in your

   DECnet default account.  [CIAC note]: Please note the node number of

the system that sent you the message and pass that information to your

respective network security manager, or CIAC so that the infected node

can be informed.



9) Top-level directories have had their OWNER protection field changed

to O:RWED.



10) A remote DECnet site contacts you about logfails (on several

accounts) on the remote site which were traced back to an account on

your machine. Similarly, a remote site contacts you because a local

account tried to read the SYSUAF/RIGHTSLIST files on the remote node.



 Regardless of whether or not you think you have been infected,

 download the ANTIWANK.COM command procedure and start it running on

your node immediately.  This program will kill copies of the worm that

are running on your node.



You may see the whole list of symptoms and recommended fixes by

obtaining the file WORM-INFO.COM.  See details below.



Procedures to stop the spread of this worm



CIAC recommends that you use the following procedures, quoted from a

message by Ron Tencati (SPAN Security Manager), to stop the spread of

the WANK worm:



1) It is IMPERATIVE that all systems protect or remove the DECnet TASK

0 object to prevent reoccurrence of this worm, OR MORE SERIOUS ATTACKS

OF THIS KIND IN THE FUTURE!



   The TASK object can be secured by either of the following methods:



Method 1)



        Issue the command:



                NCP> CLEAR OBJECT TASK ALL



        after the network is started up.  This command can also be

        inserted into the procedure SYSTARTUP>COM (SYSTARTUP_V5.COM on

        V5.x systems) after the call to STARTNET.COM.  In addition

        which the system is running, this command must be executed EACH

        TIME the network is restarted.



Method 2:



        Issue the following commands ONCE:



        NCP> SET OBJECT TASK USER DECNET PASSWORD <a bunch of garbage>

        NCP> DEFINE OBJECT TASK USER DECNET PASSWORD <a bunch of

        garbage>



        This causes a login failure to be generated whenever the TASK

        object is accessed.  Once done, this change will be permanent.



                NOTE We have received one report that TASK 0 is

        required for DECwindows.  Read your documentation!



2) Under NO circumstances it is acceptable for an account to have a

password the same as the username.  Passwords (passPHRASES) should be

created so that they are difficult to guess, multi- word phrases are

preferable.  As a precaution, we recommend that all passwords be

changed.  Additionally, system managers may choose to revalidate ALL

accounts.



If a system had the DECNET TASK 0 protected as above, the DECNET

account protected against SUBMIT/REMOTE (described below) and no user

had their userid as their password, it was immune to this WORM.  As a

result, the number of nodes actually INFECTED by this attack is

relatively small.  The number ATTACKED however, is large.



3. NETWORK ATTACKS



To protect against the SUBMIT/REMOTE attack, run AUTHORIZE and make

sure that all network account flags are set to NOBATCH, NODIALUP,

NOLOCAL, and NOREMOTE.



4. FIELD ACCOUNT



Make sure the FIELD ACCOUNT does not have the password FIELD.   DISUSER

the account.  You must SEARCH all .COM files for a

"field/remote/dialup."  If the search shows it is in .COM files, They

have a trojan horse appended to the files.  When the .COM file is

executed, This Trojan horse will try to reset account FIELD to

/NODISUSER and password to FIELD.  You should either delete the

corrupted .COM file and obtain a good one elsewhere, or examine the

file and remove the affected lines of the command procedure.



5. WORM FILES



The WORM source files are W.COM or a single alphabetic character (C or

D) followed by 4 or 5 numeric characters. (Cnnnnn.COM), ("nnnn"

represents a random number).  The WORM will start a process or

processes running.  These processes are named in format NETW_nnnn, and

should be deleted.  PHONE_nnnn may also be running as the WORM utilizes

the PHONE object in an attempt to send a message to a user on another

randomly selected node.



6. ALARMS



Some alarms generated by the WORM are related to PHONE.EXE and

FAL.EXE.  The majority of the alarms are login failures as the WORM

attempts to log into specific accounts.



We recommend that alarms be set immediately for logins, logouts,

breakin attempts, modifications to the system and net UAF's, and to

changes to user and system passwords.



Tools available



A series of tools are available to control the WANK worm.  These may be

obtained by anonymous FTP access from node ROGUE.LLNL.GOV

(128.115.2.99). They may also be obtained from SPAN and ESnet.  Contact

CIAC for more information.



[.SECURITY]CHECK_SYSTEM.COM, written by Kevin Oberman, will check your

entire system for the security holes used by the WANK worm.  It then

reports back all system problems so that they can be corrected.



DEC has provided a fix for the well known problem with the default

DECnet account hole called  SYS$UPDATE:NETCONFIG_UPDATE.COM for VMS

V5.2.  It is available from the VMS V5.2 distribution tape.  If you

have this, CIAC recommends that you run it now.  If you donUt have

access or are running an earlier system such as V4., you may obtain

>from ROGUE.LLNL.GOV a program called: FIX-FAL.COM which fixes the

default DECnet account.



The program by John McMahon can be obtained by downloading

ANTIWANK.COM.  This program kills the worm processes.  You can also run

it as a vaccine even if your systems have not been infected.



WORM-INFO.TXT contains an important report by John McMahon .  It

contains a list of symptoms, recommended proceduresand the code for

ANTIWANK.COM.



If your site has been infected, or if you have any questions, please

contact either of the following CIAC team members:



        David Brown, (415) 423-9878 or FTS 543-9878 

        Gene Schultz, (415) 422-8193 or FTS 532-8193

         or send electronic mail to:ciac@tiger.llnl.gov

         CIAC FAX: (415) 422-4294 FTS 532-4294









TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH