TUCoPS :: General Information :: ihg.txt

CIAC Incident Handling Guidelines



1







Table of Contents

1 - Introduction

1.1	Background   	3
1.2	Purpose   	3
1.3	Scope   	3
1.4	Relationship of Incident Handling Guidelines to CIAC Workshop   	4
1.5	Revision of Incident Handling Guidelines   	4

2 - Responding to Incidents

2.1	Definitions  	5
2.2	Causes of Incidents   	5
2.3	Avenues of Attacks   	5
2.4	Effects of an Attack   	6
2.5	Incentives for Efficient Incident Handling   	6
2.6	Priorities in Incident Handling   	7
2.7	Stages /Steps of Incident Handling   	7
			2.7.1	Protection   	7
			2.7.2	Identification   	8
			2.7.3	Containment   	9
			2.7.4	Eradication   	9
			2.7.5	Recovery   	10
			2.7.6	Follow-up   	10
2.8	Division of Responsibility   	10
2.9	Reporting of Incidents   	11
2.10 CIAC's Charter and Role   	15

3 - Responding to Viruses

3.1	Introduction   	16
3.2	Definition of Computer Virus   	16
3.3	Overview of Virus Actions   	17
3.4	History of Viruses   	17
3.5	Basic Mechanisms of Viruses   	18
3.6	Common Viruses and their Symptoms   	19
3.7	How Viruses Work   	25
3.8	Virus Weaknesses   	27
3.9	Virus Platforms   	30
3.10  Responding to a Virus Infection   	30
			3.10.1	Protection   	31
			3.10.2	Identification   	33
			3.10.3	Containment   	37
			3.10.4	Eradication   	37
			3.10.5	Recovery   	38
			3.10.6	Follow-up   	38

4 - Responding to Worm Attacks

4.1	Introduction   	39
4.2	Definition of Worm   	39
4.3	A Brief History of Worms   	39
4.4	Considerations in Worm Attacks   	39
4.5	Basic Mechanisms of Worms   	41
4.6	Recommended Steps for Responding   	42
			4.6.1	Protection   	42
			4.6.2	Identification   	43
			4.6.3	Containment   	43
			4.6.4	Eradication   	44
			4.6.5	Recovery   	44
			4.6.6	Follow-up   	45
4.7	Final Words about Worm Attacks   	46
  
5 - Responding to Hacker/Cracker Attacks 

5.1	Introduction   	47
5.2	Division of Responsibility   	47
5.3	Recommended Steps for Responding   	47 
 			5.3.1	Protection   	47
			5.3.2	Identification   	49
			5.3.3	Containment   	50
			5.3.4	Eradication   	51
			5.3.5	Recovery   	52
			5.3.6	Follow-up   	52
5.4	Automated Hacker/Cracker Attacks   	52
5.5	More on Passwords   	53	
 
6 - Vulnerabilities

6.1	Introduction   	55
6.2 	Types of Vulnerabilities   	55
6.3 	UNIX Vulnerabilities   	56
6.4 	VM Vulnerabilities   	56
6.5 	VMS Vulnerabilities   	57
6.6	MVS Vulnerabilities   	57
6.7 	File Protections   	57
6.8	Concluding Comments   	57
 
7 - Incident Handling Tools
	
7.1	Types of Tools Available   	59
7.2	System Security Tools   	60
7.3	Authentication Tools   	60
7.4	Intrusion Detection Tools   	61

8 -  Exercises and Scenarios   	62

References   	67

 1 - Introduction
 
1.1  Background
 
Responding to computer security incidents is generally not a simple matter.  This 
activity requires technical knowledge, communication and coordination among staff 
responding to the  incident, and adherence to applicable Department of Energy (DOE) 
orders on computer security (i.e., DOE Orders 1360.2A and 5637.1 for unclassified and 
classified computing, respectively).   Incidents over the last few years indicate 
that, if anything, responding to incidents is increasingly more complex.  There have 
been, for example, not one, but three largescale worm attacks since 1988.  Intrusions 
into machines are a serious concern, and increasing sophistication and collaboration 
among network attackers poses considerable threat to the integrity of computing 
resources.   Viruses continue to infect MS-DOS and Macintosh computers, despite 
widespread availability of virus detection and eradication software.

1.2  Purpose

These incident handling guidelines repeatedly mention the importance of establishing 
and following written procedures for handling incidents.  There are several reasons 
for developing such guidelines:

1.	The procedures in these guidelines will help site computer security personnel 
develop more complete and effective contingency response procedures.   

2.	There is usually some degree of confusion during an incident.  Written 
procedures for handling incidents minimize confusion.

3.	During times of increased stress (e.g., during a fast-moving incident), 
people's attention usually becomes more narrow, and memory is more prone to 
failure.  Without a written procedure, the likelihood that someone responding 
to an incident will respond ineffectively increases.

4.	Written procedures can help computer security personnel understand and consider 
the legal aspects of responding to attacks on computer systems.  

1.3	Scope

These guidelines do not comprise an exhaustive set of incident handling procedures.   
A lengthy set of guidelines would be too intimidating to read and to incorporate into 
site contingency response plans.    The discipline of responding to incidents is also 
very much in its infancy.  Because so much is yet to be learned about handling 
incidents, this version of these guidelines will necessarily lack some degree of 
sophistication and detail.  In addition, it is impossible to specify specific 
technical procedures for responding to the many types and versions of computer 
systems within DOE.  This guidelines document contains basic information about 
responding to incidents which can be used, regardless of hardware platform or 
operating system.  For specific technical details necessary to implement many of the 
recommendations in these guidelines, consult your system administrator or vendor.  

NOTE:  These guidelines are written for someone who has a working knowledge of the 
field of computer science.  The beginner in computer science will do well to refer to 
an introductory text in this area to understand many of the computer science concepts 
(e.g., functionality of operating systems) mentioned but not explained in these 
guidelines.
 


1.4	Relationship of Incident Handling Guidelines to CIAC Workshop

Since its inception in early 1989, the DOE's Computer Incident Advisory Capability 
(CIAC) team from Lawrence Livermore National Laboratory has assisted many sites in 
dealing with a large variety of incidents.  These guidelines reflect the corporate 
experience of the CIAC team.   The content of these guidelines also parallels the 
content of the two-day CIAC workshop, "Responding to Incidents," and are designed to 
help those unable to attend the workshop become familiar with the content of the 
workshop and participate in workshop exercises.   For more information about the CIAC 
workshop, contact:

	Thomas A. Longstaff
	University of California
	Lawrence Livermore National Laboratory 
	P.O. Box 808, L-619
	Livermore, CA  94550
	(415) 423-4416 or FTS 543-4416
	longstaf@pantera.llnl.gov

1.5 	Revision of Incident Handling Guidelines

These guidelines will periodically be revised and upgraded.  Send comments and 
feedback  to:

	E. Eugene Schultz
	University of California
	Lawrence Livermore National Laboratory 
	P.O. Box 808, L-619
	Livermore, CA  94550
	(415) 422-8193
	gschultz@pantera.llnl.gov

__________

UNIX is a registered trademark of AT&T.  
VMS and DECNET are  registered trademarks of Digital Equipment Corporation.  
Macintosh and Virus Rx are registered trademarks for Apple Computer Inc.   
Amiga is a registered trademark for Commodore Business Machines.
PC and IBM Scan are registered trademarks for International Business Machines.
PC tools is a registered trademark for Central Point Software.  
Sidekick is a registered trademark for Borland International.
Anti-Viral is a registered trademark for Softhansa of Berlin.
Anti-Virus is a registered trademark for OS Software.  
Code Safe is a registered trademark of ChrisWare.
Data Physician, VIRHUNT and RESSCAN are registered trademarks for Digital Dispatch, 
Inc. 
Ingres is a registered trademark for Ingres Corporation.
Oracle is a registered trademark for Oracle Corporation.
Port of Entry is a registered trademark for Sector Technologies.
Virex is a registered trademark for CE Software.
VirusSafe is a registered trademark for ComNetCo.


2 - Introduction

2.1	Definitions

The title of this document includes the term  incident.   In its most broad sense, 
incident  refers to an adverse event in a computer system or the threat of such an 
event occurring.   Penetrations into computer systems or hoaxes, therefore, fall 
within the definition of incident.  However, not all incidents are of interest to the 
computer security community.  Damage to systems due to power outages, for example, is 
not an incident within the domain of computer security.  For the purpose of this 
guidelines document, therefore, the term incident implies an incident related to 
computer security.    The term incident encompasses the following general categories 
of adverse events:

1. Compromise of integrity (e.g., when a virus infects a file) 

2. Denial of resource (e.g., when an attacker has set a system to single user 
mode, locking out all other users)

3. Penetration  (e.g., when a worm has breached a system)

4. Misuse (e.g., when an intruder makes unauthorized use of an account, or insider 
incidents)

5. Damage (e.g., when a virus scrambles a file or makes a hard disk inoperable)

6. Intrusions (e.g, hacker/cracker incidents)

In contrast, an event is any noticeable occurrence in a system.   A system crash and 
an unusual graphic display are both events.  Events may lead personnel to determine 
that an incident is occurring, although closer investigation of events may or may not 
indicate that something adverse from the standpoint of computer security is 
occurring.

2.2 Causes of Incidents

There are at least four generic causes of computer security incidents.  The first is 
malicious code, such as viruses, worms, trojan horses, time bombs, and pests.  
(Viruses, worms, etc. will be explained in detail shortly.)  The second is called 
procedural failures or improper acts.  Examples include transmitting information from 
a classified to an unclassified system or revealing one's password to someone else.   
A third cause can be called  intrusions or breakins.   For example, an intruder might 
bypass a system's authentication procedure, might attack a system using provided 
services (e.g., using UNIX commands such as sendmail, finger, or rsh), or might 
"snoop" (e.g., wiretapping, network monitoring, or electronic monitoring of 
terminals).  Finally, an incident might be caused by an insider attack.

2.3 Avenues of Attacks

Attacks originate through certain avenues or routes.  If a system were locked in a 
vault with security personnel surrounding it, and if the system were not connected to 
any other system or network,  there would be virtually no avenue of attack.  More 
typically, however, there are numerous avenues of attack, including:


 1. Local networks

 2. Devices connected illegally, such as a non-approved connection to a local   
network

 3. Gateways, which allow an attack to come from outside a network

 4. Attacks through communications devices, e.g., modems, telebits, and integrated   
systems digital networks (ISDN's)

 5. Shared disks (e.g., transmission of a virus from one machine to another)

 6. Downloaded or pirated software (e.g., from an electronic bulletin board)

 7. Others, including direct physical access by an attacker

2.4 Effects of an Attack

There are at least five effects of attacks which compromise computer security:

 1. Denial of service--Examples include network jamming, introducing fraudulent  
packets, and system crashes and/or poor system performance, in which people are   
unable to effectively use computing resources.

 2.  Unauthorized use or misuse of computing systems--System resources are tied  up 
by someone who does not have permission to use the system, or are used for non- 
approved purposes (e.g., playing games on a U.S. Government computer).

 3. Loss or alteration of data or programs--An example would be an attacker who  
penetrates a UNIX system, then modifies the wtemp program so that the intrusion will  
not be detected.  Another example would be an infection by the SCORES virus on  
Macintosh computers resulting in loss of data (the Scores virus may cause destruction  
of files).

 4.  Compromise of protected data--An example in a multi-level system would be  
sending a classified file to an uncleared user's account.

 5. Loss of trust in computing systems--Users may become hesitant to use a  computing 
system which is plagued by virus infections, for example.

2.5 Incentives for Efficient Incident Handling

Learning to respond efficiently to an incident is important for numerous reasons.   
The most important benefit is directly to human beings--preventing loss of human 
life.   Some computing systems are life critical systems, systems on which human life 
depends (e.g., by controlling some aspects of surgery in a hospital or assisting air 
traffic controllers).  

An important but often overlooked benefit is an economic one.   Having both technical 
and managerial personnel respond to an incident requires considerable resources, 
resources which could be utilized more profitably if an incident did not require 
their services.   If these personnel are trained to handle an incident efficiently, 
less of their time is required to deal with  that incident.   

A third benefit is protecting classified, sensitive, and/or proprietary information.   
One of the major dangers of a computer security incident is that information may be 
irrecoverably lost.   The loss of classified information jeopardizes our Nation's 
security.  Efficient incident handling minimizes this danger.

A fourth benefit is related to public relations.    News about computer security 
incidents tends to be damaging to an organization's stature among current or 
potential clients.  Efficient incident handling minimizes the potential for negative 
exposure.   

A final benefit of efficient incident handling is related to legal issues.   It is 
possible that in the near future organizations and/or institutions may be sued 
because one of their nodes was used to launch a network attack.  In a similar vein, 
people who develop patches or workarounds may be sued if the patches or workarounds 
are ineffective, resulting in damage to systems, or if the patches or workarounds 
themselves damage systems.  Knowing about operating system vulnerabilities and 
patterns of attacks, then taking appropriate measures is critical to circumventing 
possible legal problems.

2.6 Priorities in Incident Handling

It is important to prioritize actions to be taken during an incident well in advance 
of the time an incident occurs.  Sometimes an incident may be so complex that it is 
impossible to do everything at once to respond to it; priorities are essential.  
Although priorities will vary from organization-to-organization and institution-to-
institution, the following suggested priorities serve as a starting point for 
defining an organization/institution's response:

 o Priority one -- protect human life and people's safety; human life always has   
precedence over all other considerations

 o Priority two -- protect classified and/or sensitive data; our National safety and   
security is second only to protecting human life 

 o Priority three -- protect other data, including proprietary, scientific, 
managerial and   other data, because loss of data is costly in terms of resources

 o Priority four --prevent damage to systems (e.g., loss or alteration of system 
files,   damage to disk drives, etc.); damage to systems can result in costly down 
time   and recovery

 o Priority five -- minimize disruption of computing resources; it is better in many   
cases to shut a system down or disconnect from a network than to risk damage to   
data and/or systems

An important implication for defining priorities is that once human life and National 
security considerations have been addressed, it is generally more important to save 
data than system software and/or hardware.   Although it is undesirable to have any 
damage and/or loss during an incident, systems can be replaced; the loss or 
compromise of data (especially classified data), however, is usually not an 
acceptable outcome under any circumstances.   

2.7 Stages /Steps of Incident Handling

There are at least six identifiable stages of response to a computer security 
incident.   Knowing about each stage can help you respond more methodically (and thus 
efficiently), and can also help you develop a more complete contingency response plan 
for your organization.  

2.7.1  Protection

Part of handling an incident is being prepared to respond  before the incident 
occurs.  This includes establishing a suitable level of protections, so that 
if the incident becomes severe, the damage which can occur is limited.  
Protection includes preparing incident handling guidelines or a contingency 
response plan for your organization or site.  Having written plans eliminates 
much of the ambiguity which occurs during an incident, and will lead to a more 
appropriate and thorough set of responses.   Second, part of protection is 
preparing a method of notification, so you will know who to call and what 
everyone's phone number is.   For example, every member of DOE's Computer 
Incident Advisory Capability (CIAC) Team carries a card with every other team 
member's work and home phone numbers, as well as beeper numbers.  Third, your 
organization or site should establish backup procedures for every machine and 
system.  Having backups eliminates much of the threat of even a severe 
incident, in that backups preclude data loss.  Fourth, you should set up 
secure systems.  This involves eliminating vulnerabilities, establishing an 
effective password policy, and other procedures, all of which will be 
explained later in this document.  Finally, conducting training activities is 
part of protection.   It is important, for example, to conduct "dry runs," in 
which your computer security personnel, system administrators, and managers 
simulate handling an incident.  

2.7.2  Identification

This stage involves determining exactly what the problem is.  Of course, many 
if not most signs often associated with virus infections, system intrusions, 
etc. are simply anomalies, such as hardware failures.  To assist in 
identifying whether there really is an incident, it is usually helpful to 
obtain and use any detection  software which may be available.  For example, 
widely available software packages can greatly assist someone who thinks there 
may be a virus in a Macintosh computer.  Audit information is also extremely 
useful, especially in determining whether there is a network attack.   It is 
extremely important to obtain a system snapshot as soon as one suspects that 
something is wrong.  Many incidents cause a dynamic chain of events to occur, 
and an initial system snapshot may do more good in identifying the problem and 
any source of attack than most other actions which can be taken at this stage.  
Finally, it is important to start a log book.  Recording  system events, 
telephone conversations, time stamps, etc. can lead to a more rapid and 
systematic identification of the problem, and is the basis for subsequent 
stages of incident handling.  

 There are certain indications or "symptoms" of an incident which deserve special  
attention:

 o System crashes

 o New user accounts (e.g., the account RUMPLESTILTSKIN has unexplainedly   been 
created), or high activity on an account that has had virtually no activity for   
months

 o New files (usually with novel or strange file names, such as data.xx or k)

 o Accounting discrepancies (e.g., in a UNIX system you might notice that the   
accounting file called /usr/admin/lastlog has shrunk, something that should make   
you very suspicious that there may be an intruder)

 o Changes in file lengths or dates (e.g., a user should be suspicious if s/he   
observes that the .EXE files in an MS DOS computer have unexplainedly grown   by over 
1800 bytes)

 o Attempts to write to system (e.g., a system manager notices that a privileged   
user in a VMS system is attempting to alter RIGHTSLIST.DAT)

 o Data modification or deletion (e.g., files start to disappear)

 o Denial of service (e.g., a system manager and all other users become locked out   
of a UNIX system, which has been changed to single user mode)

 o Unexplained, poor system performance (e.g., system response time becomes   
unusually slow)

 o Anomalies (e.g., "GOTCHA" is displayed on a display terminal or there are   
frequent, unexplained "beeps")

 o Suspicious probes (e.g., there are numerous unsuccessful login attempts from   
another node)

 o Suspicious browsing (e.g., someone becomes a root user on a UNIX system and   
accesses file after file in one user's account, then another's)

None of these indications is absolute "proof" that an incident is occurring, 
nor are all of these indications normally observed when an incident occurs.   
If you observe any of  these indications, however, it is important to suspect 
that an incident might be occurring, and act accordingly.  There is no formula 
for determining with 100 percent accuracy that an incident is occurring 
(possible exception:  when a virus detection package indicates that your 
machine has the nVIR virus and you confirm this by examining contents of the 
nVIR resource in your Macintosh computer, you can be very certain that your 
machine is infected).  It is best at this point to collaborate with other 
technical and computer security personnel  to make a corporate decision about 
whether an incident is occurring.

2.7.3  Containment

The third stage of incident handling, containment, should occur only if the 
indications observed during stage two conclusively show that an incident is 
occurring.  The purpose of the containment stage is to limit the extent of an 
attack.  For example, if there is a virus which can damage the disk drive 
after a fixed number of boots, it is important to take action to prevent this 
damage from occurring.   Similarly,  it is important to limit the spread of a 
worm attack on a network as quickly as possible.  An essential part of 
containment is decision making, i.e., determining whether to shut a system 
down, to disconnect from a network, to monitor system or network activity, to 
set traps, to disable functions such as remote file transfer on a UNIX system, 
etc.).   Sometimes this decision is trivial; shut the system down if the 
system is classified or sensitive, or if proprietary information is at risk!  
In other cases, it is worthwhile to risk having some damage to the system if 
keeping the system up might enable you to identify an intruder.

The third stage, containment, should involve carrying out predetermined 
procedures.  Your organization or site should, for example, define acceptable 
risks in dealing with an incident, and should prescribe specific actions and 
strategies accordingly.  Finally, notification of cognizant authorities should 
occur during this stage (see Section 2.9 of this document).

2.7.4  Eradication

Once an incident has been detected, it is important to first think about 
containing the incident.  Once the incident has been contained, it is now time 
to eradicate the cause.   Software may be available to help you in this 
effort.  For example, eradication software is available to eliminate most 
viruses which infect small systems.     If any bogus files have been created, 
it is time to delete them at this point.   In the case of virus infections, it 
is important to clean and reformat any disks containing  infected files.  
(Important note: if a classified system has been infected with a virus, it is 
essential to follow guiadance issued by the DOE Office of Safeguards and 
Security.   We also strongly advise in this case that a low-level format be 
performed to ensure the integrity of classified information.)  Finally, ensure 
that all backups are clean.   Many systems infected with viruses become 
periodically reinfected simply because people do not systematically eradicate 
the virus from backups.

5. Recovery.  Once the cause of an incident has been eradicated, the recovery 
phase defines the next stage of action.  The goal of recovery to to return the 
system to normal.   In the case of a network-based attack, it is important to 
install patches for any operating system vulnerability which was exploited.  
Again, there is special guidance  for recovery in classified computing systems 
from the DOE Office of Safeguards and Security.

6. Follow-up.  One of the most important stages of responding to incidents is 
also the most often omitted---the follow-up stage.  This stage is important 
because it helps those involved in handling the incident develop a set of 
"lessons learned" to improve future performance in such situations.  This 
stage also provides information which justifies an organization's computer 
security effort to management, and yields information which may be essential 
in legal proceedings.

The most important element of the follow-up stage is performing a post-mortem 
analysis.  Exactly what happened, and at what times? How well did the staff 
involved in dealing with the incident do?  What kind of information did the 
staff need sooner, and how could they have gotten that information sooner?  
What would the staff do differently next time?  A  follow-up report is 
valuable in that it provides a reference to be used in case of other, similar 
incidents.  Creating a formal chronology of events (including time stamps) is 
also important for legal reasons.  Similarly, it is also important to as 
quickly as possible obtain a monetary estimate of the amount of damage the 
incident caused  in terms of any loss of software and files, hardware damage, 
and manpower costs to restore altered files, reconfigure affected systems, and 
so forth.   This estimate may become the basis for subsequent prosecution 
activity by the FBI, U.S. Attorney General's Office, etc.

2.8 Division of Responsibility

One of the most important strategies for responding to an incident is to divide 
responsibility among the people involved.   This strategy, which should be 
incorporated into every organization/site's incident handling procedures, minimizes 
duplication of effort, and ensures that the most important tasks will become 
completed in a timely manner.   In a similar vein, some responsibilities are more 
appropriate for some personnel than for others.  At a minimum, for example, technical 
responsibilities should be assigned to technically qualified personnel.   We 
recommend the following division of responsibilities:

1. End users.   End users should notify site computer security authorities of 
problems they notice.  Throughout this document end users will be called the 
"eyes and ears" of computer security--they frequently notice problems before 
anyone else does.  End users also should be told to not shut down a system or 
disconnect from a network without first consulting site authorities.   It many 
cases it is desirable to keep a system running to avoid subsequent damage or 
to stay on a network to attempt to localize attacks to that machine instead of 
risking more widespread attacks.  End users should also monitor and log system 
activities (at least until more personnel are available to assist in handling 
the incident), and obtain a system snapshot or a copy of infected files.   
Finally, end users should follow their organization/site's reporting 
procedures (see Section 2.9).

There are also some "do not's" for end users.  End users should not, for 
instance,  modify the system or application software.  Not only could 
modification produce damage, but it could also destroy evidence and/or 
important clues about the goals of an attack as well as to encourage an 
attacker to penetrate other machines.   It is also important for end users to 
avoid talking to the media.  Anything other than a well-deliberated and 
coordinated response to the media through one's public affairs office is 
likely to be a public relations catastrophe--avoid this mistake.

2. Technical personnel.   Technical personnel have the responsibility of 
verifying that an incident is occurring.  Once it is determined that an 
incident is in progress, technical personnel should follow the applicable 
recovery procedures which have been prepared in advance.  It is important to 
divide work whenever possible--avoid duplication of effort, and ensure that 
the very high priority work gets done.  Thus, it is important for technical 
personnel to communicate among each other frequently and systematically.  
Technical personnel should also log all activities (including recording time 
stamps), and gather information from system logs.  If an incident in a 
classified system is occurring, it is the responsibility of technical 
personnel to protect classified data, and to follow containment, eradication 
and recovery procedures pertaining to a classified system.  Finally, technical 
personnel should avoid talking to the media except through a public affairs 
office spokesperson.

3. Site managers.  Site managers need to prepare everyone else for handling an 
incident.  This process includes identifying key technical personnel, 
maintaining contact lists, and ensuring that effective written procedures are 
written, validated through training exercises, and widely available.  Site 
managers also need to obtain and coordinate technical support during an 
incident.  This may involve arranging for "shifts," since some incidents last 
for days and even weeks.  Finally, site managers need to coordinate with the 
organization/site's public affairs office to determine what information needs 
to be released  to the media.

2.9 Reporting of Incidents

DOE Orders 5637.1 and 1360.2A cover required reporting procedures for incidents in 
classified and unclassified computing systems, respectively.   These Orders contain 
many details concerning time requirements for reporting and what must be reported.  
In overview, reporting of both classified and unclassified incidents must occur 
through a chain of cognizant individuals.  

IMPORTANT NOTE:  Information about incidents and incident handling that pertains to 
classified DOE systems or may have implications for such systems is subject to the 
guidance in CG-SS-2 , the soon to be released DOE Classification Guide on Safeguards 
and Security.  Persons who handle incident reports at DOE sites should familiarize 
themselves with this guidance in order to avoid an inadvertent violation or 
compromise of classified information.  

For a classified incident, an end user or system manager (if there is such a person) 
reports the incident to the Computer Security System Officer (CSSO).  The CSSO then 
works with the Computer Security Site Manager (CSSM) on initial notification to DOE 
and to produce a historical report on the incident.  The CSSM then notifies the 
Computer Security Operations Manager (CSOM) at the applicable DOE Operations Office.   
The CSOM then notifies the Computer Security Program Manager (CSPM) at DOE 
Headquarters.

Suppose, for example, that a virus incident occurs in a classified MS-DOS system.  If 
there is a system manager, the end user would inform the system manager .  The system 
manager (or end user, if there is no system manager) would assess the technical 
problem to determine whether there is an incident.   If the MS-DOS computer is 
infected with a virus, the system manager would categorize the incident as a virus 
infection, then inform the CSSO.  The CSSO would notify the CSSM, who, in turn, would 
notify the CSOM that an incident is in progress.  The CSSM and CSSO would jointly 
produce a historical report.  The CSOM would inform the CSPM in a quarterly report of 
important and routine incidents.

For an unclassified incident, the end user notifies the site's Computer Protection 
Program Manager (CPPM).  The CPPM in turn notifies the Computer Protection Program 
Coordinator (CPPC) at the  DOE Operations Office for that site.  The CPPC then 
notifies the head of unclassified computer security at the Office of Computer 
Security Information Resources  Management (IRM) at DOE Headquarters.  

For example, if a virus infected an unclassified MS-DOS system, the user would notify 
the system manager (if there were one).  The user or system manager would then assess 
the technical problem, categorize the incident as a virus incident, and inform the 
CPPM of the situation.  The CPPM would notify the CPPC, who would notify IRM that an 
incident is in progress.  The CPPC and the head of unclassified computer security at 
IRM would jointly determine support needed to deal with the virus outbreak, and would 
determine how the incident would affect classified computing within DOE.  The CPPC 
would also advise IRM of findings, measures taken, and a plan of action. 

 






















































Example of Reporting Classified Incident within DOE























































Example of Reporting Unclassified Incident within DOE


2.10 CIAC's Charter and Role
 
CIAC is a resource for personnel at DOE sites faced with computer security incidents.  
The CIAC team consists of computer scientists from the University of California's 
Lawrence Livermore National Laboratory who are available to assist on a 24-hour per 
day basis.  This assistance might be in the form of direct technical assistance, 
information, or the names of technical personnel who can help with very specialized 
and complex problems.  CIAC coordinates efforts by DOE sites, other Government 
agencies and teams, and vendors.   CIAC also alerts and advises sites about 
vulnerabilities, potential attacks, and other threats.  Team members have written 
these guidelines, and are developing databases of vulnerabilities, viruses, known 
incidents, etc.  CIAC also engages in training and awareness activities, and has 
developed the two-day workshop on which this document is based.
 


3 - Responding to Viruses

3.1 Introduction
 
"It seems as if  you can't trust anybody these days, at least when it comes to 
software for MS- DOS systems and Macintosh computers. "  You have probably heard a 
friend relate how his or her computer became infected with a computer virus shortly 
after a new program that somebody else loaned him or her  was run.  Even your own 
machine may, in fact, have been affected.  Worse yet, so-called shrink wrap software 
is sometimes infected with computer viruses, as are pre-configured computers from 
manufacturers.  Did the salesperson who just demonstrated software on your machine 
also infect your machine?  You may not have thought about this possibility, but 
vendor demos are becoming an increasing problem in terms of virus infections.

Fear of computer viruses will cause otherwise rational people to take wholly 
irrational actions.  Their fear is understandable; there is a real, evident  threat 
of computer virus infections.  Viruses spread quickly and are often well hidden, and 
viruses can cause irreparable damage (although this is not usually the case).  
However, most people do not really understand what a computer virus is, and how to 
prevent, identify, contain and eradicate these fragments of harmful code.  This 
chapter will define what a computer virus is and will describe how most viruses work.  
This chapter will also acquaint you with computer viruses on common platforms, and 
will apply our computer incident handling methodology to the problem of dealing with 
a computer infected by a virus. 

3.2 Definition of Computer Virus

A computer virus is a segment of unwanted, self replicating code that (similar to its 
biological counterpart for which it is named) spreads from one computer to another by 
attaching itself to an application program or other executable system component.  In 
this manner  the virus survives and reproduces. A computer virus has several major 
characteristics, including:

o Self-replication, that is, it can make exact copies of itself

o Requires a host program to survive, and lives within the host program

o Usurps control of the host programs functions for the virus' benefit

A computer virus spreads through an infected host, usually an infected application.  
The infection spreads to a new computer by executing the infected application on the 
new system.  An infected program can be transmitted to the target system by disk or 
tape, modem or local network, or any other means and is executed on that system. The 
application then becomes infected, and the next time it is run, the virus will 
attempt to again replicate itself.  

While the computer virus and its biological counterpart seem similar, there are 
specific differences.  While a biological virus is a process of nature,  a computer 
virus was created by some malefactor.  The virus is simply a computer program written 
by somebody as an academic exercise, as a form a vandalism, or possibly to gain 
recognition among peers.  We are familiar with the motives of conventional vandals 
(e.g., those who break windows at a school) and terrorists, but creating of viruses 
seems to motivate another kind of person.   Virus writers appear to want a 
programming challenge,  but misdirect their creative ability.  Many virus writers 
also fail to anticipate  consequences of their behavior--the disruption and even 
destruction their "prank" will cause.


3.3 Overview of Virus Actions

There is no such thing as a generic or prototypic type of virus.  Every virus is to 
some degree unique.     There is some commonality, however, in the way viruses work: 

 o Infection of the host and its programs 

 o Survival and propagation of the viral code

 o Transmission of the infection to other host applications

 o Possible destructive side effects caused by the virus.

Most often the virus code will search for other programs that thus far have not been 
infected.  The virus will then select one of these programs and append itself to it 
as demonstrated below.  The virus will next modify the program so that it will 
execute the virus part of the code before  the actual program is executed.  In this 
way the virus will "get a chance to live" before the actual program is run.  With 
many viruses the user will probably not notice anything out of the ordinary initially 
because the requested program will run, and will cause no interference with the 
executing program.  

At this point virus action diverges broadly.  A virus may replicate virtually 
forever, causing no really harmful damage (as in the case of the WDEF virus on 
Macintosh computers).   In a few cases, the virus may be downright malicious, 
damaging applications, data files, or even the operating system, as in the case of 
the Disk Killer virus on MS-DOS computers.  Viruses have even been created to steal 
data and transmit it during non-working hours to another machine, where the virus 
author can peruse the information at his/her leisure.

3.4 History of Computer Viruses

The idea of self replicating code has been around since the late 1940's (see history 
shown  below).  John von Neuman's creating  the first self-reproducing program 
stimulated considerable interest in this topic.    At first developing self 
replicating code was an academic exercise.  Then it expanded into a game in Bell 
Laboratory's "core wars."  When main-frames were the only computing resource, the 
goal was to battle for core, the main memory of the computer.   Two opponent 
programmers were each given a segment of memory and allowed to launch one program.  
The computer  then divided compute time equally, first allowing one program to 
execute, then the other (in a time-sharing manner).  Each program had two goals, the 
first to live, and the second to destroy the other program.  Part of a successful 
survival strategy was for the program to make multiple copies of itself.   During the 
1960's and 1970's there was also a number of books on the topic of self-replicating 
code and the possibility of using this code maliciously.   Interest in self-
replicating code then waned temporarily.     With the increased interconnectivity 
between systems and availability of powerful computers in the last decade, however,  
there has been  increased interest in self- replicating code, and, in particular, 
viruses.  As personal computers became popular, the idea naturally extended itself to 
creating life across separate disconnected machines.   About the same time that 
personal computers were becoming numerous, the previously centralized computer was 
becoming part of a growing network of available hosts.  The growth of the network 
allowed a third form of life to spawn, the worm (which will be covered  in Chapter 5 
of this document).  Malicious code, both self-replicating and non self-replicating, 
began to be found.  An issue of Scientific American even contained an article about 
viruses in 1984.  
 



A Brief History of Computer Viruses


1949 - John von Neuman  A self reproducing program in Theory and Organization of  
Complicated Automata
1960 - Bell Laboratory's Core Wars
1972 - Dave Gerrold, When Harley Was One, First edition only
1975 - John Brunner:,Shockwave Rider
1977 - Thomas J. Ryan, The Adolescence of P-1
1980 - IBM Trojan.    All IBM 4341's stopped at 7:30 AM on 11 April 1980.  Logic bomb  
planted by disgruntled employee
1984 - Scientific American, A.K. Dewdney.   First article written on computer viruses 
1987 - Pakistani or Brain Virus, Lehigh Virus, Jerusalem Virus, IBM Christmas Virus
1988 - Morris Worm
1990 - Many known viruses on microcomputers and mainframes.

 
3.5 Basic Mechanisms of Viruses

Viruses generally work through a four stage process.  First, the virus must be 
transmitted to the host computer through an infected application or other executable 
program.  Once the infected program has been executed on the host computer, the virus 
enters the second stage.  The virus must now try to survive and propagate through the 
computer's file system.  Frequently, the virus will infect both applications and the 
operating system.    Sometimes the virus will also become resident in memory, so that 
it can infect disks when they are inserted (as in the case of WDEF)  or cause side 
effects, such as characters falling to the bottom of the screen, as in the case of 
the Cascade virus on personal computers.  The virus survives by disguising its 
presence (or at least not immediately announcing its presence), and by replicating as 
quickly as possible.  As it replicates it also attempts to infect floppies or network 
mounted file systems, etc., so that it can continue to propagate between computer 
systems.  This is the third stage of the virus' life, the attempt to infect other 
systems by retransmission of the viral code.  At some point in the life of many 
viruses, they enter the fourth and final stage.  Either by malicious or poor design 
practices, the virus causes interruptions in the processing of data or the corruption 
or destruction of data.


3.6	
Common Macintosh viruses

Names	
Resources
Type	ID	Size 	
Comments
ÒPeaceÓ , MacMag virus	 INIT	6 	unknown   DR 	First virus on the Macintosh.  Displays 
ÒPeace on
EarthÓ message on March 2, 1988 and removes
itself the next day.  Distributed via a HyperCard
stack. An XCMD installed the INIT into the
System.  Its presence did cause problems with
some programs.  Remove the INIT Resource with
ResEdit.
nVIR Family of viruses
nVIRa, nVIRb, nVIRc, AIDS, Hpat,
MEV#, FLU, Jude (J-nVIR)	See below for specifics	This virus is named after its resources. 
There
are two general variations of this virus a and b. 
See below for specifics.
nVIRa	nVIR infected system file:
INIT	32	366     
nVIR	0 	2 
nVIR	1	378
nVIR	4	372      
nVIR	5	8       
nVIR	6	868       
nVIR	7	1562   

nVIR infected Application:
CODE	256	372      
nVIR	1	378
nVIR	2 	8        
nVIR	3	366      
nVIR	6	868       
nVIR	7	1562   	In the case of both nVIRa and nVIRb, the virus
first  copies the INIT 32 resource into the
System file, there after any system restart
causes the virus to become memory resident after
which any application launched will become
infected.   After a set time period nVIRa will
announce its presence by beeping or saying ÒDonÕt
PanicÓ, if MacInTalk is present .
nVIRb, Hpat, MEV#, AIDS	nVIR infected system file:
INIT	32	416
nVIR	 0	2
nVIR	1	428
nVIR	4	 422
nVIR	5	8
nVIR	6	66
nVIR	7	2106

nVIR infected Application:
CODE	256	422
nVIR	1	428
nVIR	2 	8
nVIR	3	416
nVIR	6	66
nVIR	7	2106	nVIRb is similar to nVIRa, however it doesnÕt use
MacInTalk.  

To detect either strain open the suspected
application with ResEdit and look for a CODE 256
resource of size 372 or 422 for nVIRa or nVIRb
respectively.

MEV# and AIDS are identical to nVIRb, except the
resource type will read MEV# or AIDS instead of
nVIR.

Hpat is the same as nVIRb except it adds a code
of 255 instead of 256 and has a resource type of
Hpat.
Dukakis		Written in HyperTalk on a HyperCard stack called
"NEWAPP.STK".  Adds itself to Home Card and other
stacks.  Flashes a message saying, "Dukakis for
President in 88, Peace on Earth, and have a nice
day."  This virus can be eliminated by using the
Hypertalk editor and removing the well commented
virus code.  
Scores, NASA	Scores infected system files:
INIT	6	772	1, 2, 3
INIT	10	1 020	0, 1, 4
INIT	17 	480	1, 3
atpl 	128	2410	0, 1,  4
DATA	400	7026	0, 1

Corresponding system files are:
0 = Desktop, 1 = System
2 = Note Pad,  3 = Scrapbook Files
4 = Scores

Scores infected applications:
CODE      n+1    7026
Where n = the id of the first unused
CODE resource. 	Most virulent of the known viruses. Written by a
disgruntled employee of EDS.  Replicates rapidly
and can cause unpredictable behavior.  Looks for
files of Creator VULT, TYPE ERIC. (Note the
desktop is ERIK, not ERIC)These files were
internal projects of EDS and not actual programs. 
Does not intentionally do damage, but causes
problems in other programs by being present.  
Sexy Ladies Trojan		Not a virus, but a Trojan Horse.  Given away at
1988 San Fransisco MacWorld Expo;erased whatever
hard disk or floppy disk it was on when it was
launched.
INIT29	
INIT29 infected system files:
INIT           29        712

INIT29 infected applications:
CODE      n+1    712
Where n = the id of the first unused
CODE resource. 	Infects disks the moment they are inserted into a
Mac with an infected system.  Its sole purpose is
to replicate itself , but has the unfortunate
side effect of  obliterating any legitimate INIT
29 in any file it infects. It will infect any
file with resources.  This makes it the only
virus (so far) which will attack documents as
well as applications.
WDEF-A, WDEF-B1	Infects the Desktop.  Need not run an
application to be infected, but can
spread on disk insertion.	Cases both the Macintosh IIci and the portable to
crash, severe performance problems on AppleTalk
networks with AppleShare servers, frequent
crashes when users try to save files in
applications under MultiFinder, problems with the
proper display of font styles (the outline style
in particular), damage to disks, Macintoshes with
8 megabytes of memory to crash,  Erratic system
behavior due to  incompatibility with the
"Virtual" INIT from Connectix.
MDEF, Garfield virus	Virus Detective DA, search string:
Resource MDEF & Name "Garfield"
Resource MDEF & ID = 5378
	MDEF or Garfield spreads through system and
application files, causes serious damage to the
menu system.  Causes both the Macintosh 128K and
512K to crash.  On the Macintosh IIci and IIfx,
the MDEF virus spreads from infected applications
to uninfected system files, but does not
propagate from infected systems to uninfected
applications. Vaccine will inform the user that
the system file has been infected, but is only
partially effective in preventing this virus from
infecting the system file, this may damage the
system.
Steroid trojan horse
QuickDraw Accelerator
	TYPE: INIT
CREATOR: QDAC
Code Size: 1080
Data Size: 267
ID: 148
Name: QuickDraw Accelerator
File Name: "  Steroid" (First 2
characters are ASCII 1)

	The purported purpose of Steroid is to make
QuickDraw run faster on computers with 9 inch
screens.    Steroid is actually an INIT that
contains malicious code to check for the system
date and to erase all mounted disks if this date
is July 1, 1990 or afterwards.  Examine system
folder; if Steroid is there, save a copy and then
drag the icon to the trash folder and empty
trash, restart the Mac.

Common Macintosh Viruses


Common MS-DOS Viruses

Name	Strains	Mode of Infection,
Attributes	Size
	Potential Damage	Comments
Pakistani Brain, Ashar, Shoe	8	RES,FDB	Boot
(7K)	BOT,RUN,DAT,FMT	Some variations corrupt  File 
Allocation Table.  Infects
Floppies Only.
Merritt, Alameda, Yale,	
Golden Gate 		8	RES,FDB	Boot
(1K)	BOT	Golden Gate variation will 
reformat drive C: after n
infections.  Infects Floppies
Only.
South African, Friday 13 the
COM	2	COM	512	PRG	Deletes host program if run on
Friday the 13th
Lehigh	1	RES,CC	OVER	PRG,FMT	
 Vienna, 648, Lisbon, Vienna-B,
Austrian, Dos-62, Unesco	12	COM	648	PRG	62-B variant deletes infected
files. Program errors cause
file fatalities.
Jerusalem,  New Jerusalem,
Jerusalem-B, Payday, Black
hole, Blackbox	13	RES, COM,EXE,OVR	1808	RUN,PRG	
April-1-COM, Suriv-01	1	RES,COM,	897	RUN,PRG	Message: ÒAPRIL 1ST HA HA HA HA
YOU HAVE A VIRUSÓ , Deletes
host file.
APRIL-1-EXE, Suriv-02	1	RES,EXE	1488	RUN,PRG	Same message, but causes system
lock-up instead of deleting
host file.
Suriv-03	1	RES,COM,EXE,OVR		RUN,PRG	
Ping-Pong,Bouncing Ball,
Italian 	3	RES,FDB	Boot	RUN,BOT	Bouncing dot appears on screen. 
No other intentional damage.
Ping-Pong-B	 	RES,FDB,HDB	Boot	RUN,BOT	same as Ping-Pong
Marijuana, Stoned,New Zealand,
Australian	2	RES,FDB,HDP	Boot
(1K)	RUN,BOT,FAT	Message: ÒYour computer is now
stoned.  Legalize Marijuana.Ó 
Affects partition record on
hard disk.  No  intentional
damage is done.
Agiplan, 1536, Zero Bug,
Palette	1	RES,COM	1536	RUN,PRG	
1701,Cascade, Autumn,
Blackjack, Falling Leaves	7	ENC,RES,COM	1701	RUN,PRG	Characters fall to the bottom
of the screen.  Both 1701 and
1704 versions are also known
as: Autumn, Blackjack, Falling
Leaves
1704,Cascade-B		ENC,RES,COM	1704	RUN,PRG	
1704 Format		ENC,RES,COM	1704	RUN,PRG,FMT	
Oropax, Music, Musician	1	RES,COM	2756+	RUN,PRG	Plays musical melodies
repeatedly.  File size varies
from 2756 to 2860
DenZuk, Venezuelan, Search	6	RES, FDB	Boot	RUN,BOT	Displays a purple DENZUK
graphic on a CGA, EGA or VGA
screen.   Overwrites FAT.  SYS
variation modifies the SYS
command to preserve viral code
against destruction.  Infects
Floppies Only
Dbase	1	RES, COM	1864	DAT,RUN,PRG	
DataCrime, 1280	4	COM,ENC	1280	PRG,FMT/FAT	Attempts to format the disk, on
some systems this will fail,
but the attempt to format will
destroy the FAT or worse.  Will
require a low level format to
repair.
DataCrime-B		COM,ENC	1168	PRG,FMT/FAT	Same as above
DataCrime II	 	COM,EXE,ENC	1514	PRG,FMT/FAT	Same as above
DataCrime II-B		ENC,CC,COM,EXE	1917	PRG,FMT	
405		1	COM	Over	PRG	
FuManchu	1	RES,COM,EXE,OVR	2086	RUN,PRG	
Ohio	1	RES,FDB	Boot	BOT	
Icelandic, Disk-eating virus	3	RES,EXE	642	RUN,PRG	Marks hard disk clusters as 
bad
Icelandic II		RES,EXE	632	RUN,PRG	
Saratoga		RES,EXE	661	RUN,PRG	
December 24th		RES,EXE	848-863	RUN,PRG	infects one out of every ten
.EXE files run. If an infected
file is run on December 24th it
will stop any other program run
later, displaying the message
"Gledileg jol" (Merry
Christmas)
Israeli Boot, Swap	1	RES,FDB	Boot	BOT	Reverses order of letters typed
creating typographical errors.
Typo	1	RES,FDB,HDB	Boot	BOT,RUN	
Traceback, 3066	1	RES,COM,EXE	3066	PRG	
Disk Killer	1	RES,FDB,HDB	Boot	BOT,RUN,PRG,DAT,FMT	
Vacsina	1	RES,COM,EXE,OVR	1206	RUN,PRG	
Mix1	1	RES,EXE	1618	RUN,PRG	
Syslock, 3551	1	COM,EXE,ENC	3551	PRG,DAT	Some claim this is 3555 bytes
in size.
Pentagon	1	FDB	Boot	BOT	
Dark Avenger	1	RES,CC,COM,EXEOVR	1800	FAT,RUN,PRG,	Infects every executable file
that is opened.
AIDS	1	COM	Over	PRG	
2930	1	RES,COM,EXE	2930	PRG	
Yankee Doodle	1	RES,COM,EXE	2885	RUN,PRG	
Alabama	1	RES,EXE	1560	FAT,RUN,PRG	
Ghost 	2	COM	2351	BOT,PRG	
Ghost - Boot 		RES,FDB,HDB	Boot	BOT,RUN	
Typo/Fumble	1	RES,COM	867	RUN,PRG	
Sunday	1	RES,COM,EXE,OVR	1636	RUN,PRG	
Do-Nothing	1	COM	608	PRG	
Sylvia/Holland	1	RES,COM	1332	PRG	
Amstrad	1	COM	847	PRG	Adds code to front of any .COM
file in the current directory. 
The virus contains an
advertisement for Amstrad
computers.
Devil's Dance	1	RES,COM	941	RUN,PRG,DAT,FAT	
4096	1	RES,CC,COM,EXE,OVR	4096	RUN,PRG,DAT,FAT	Infects every executable file
that is opened.
Chaos	1	RES,FDB,HDB	Boot	BOT,RUN,PRG,FAT	
W13	2	RES,COM	534	PRG	
		RES,COM	507	PRG	A virus from Poland. Infected
programs are padded so their
length becomes a multiple of
512 bytes. Then the virus adds
637 bytes to the end of the
file.  It will also intercept
any disk write and change it
into a disk read.
Vcomm	1	RES,EXE	637	PRG,	
Perfume (alias 765 or "4711")	1	RES,COM,CC	765	PRG,RUN	May ask a question,  won't run
infected file unless the answer
is
"4711" (the name of a perfume). 
In a common variant, the
questions have been overwritten
with garbage.
Virus-90	1	RES,COM	857	PRG	

The Columns
	
Name:  List the most common name of the virus and any
aliases.  Also lists direct mutations of the virus.
	Size:  The infected file will increase in size by this
number of bytes.  Note some viruses are not as
consistent as others.  See the comments.  Over: means
that the virus overwrites the application and does not
add its code to the application.
No. of known strains:  List the number of known
relatives in this family of viruses.  Since people
mutate viruses frequently this number is not guaranteed
to be accurate	Comments:  Notes on unique characteristics of the
virus.

Mode of infection: Attributes: Describes the modus
operandi of the virus:
EXE	Infects .EXE files
COM	Infects .COM files
OVR	Infects program overlay files
FDB	Infects Floppy disk boot sectors
HDB	Infects Hard disk boot sectors
HDP	Infects Hard disk partition table	Potential Damage: Describes what kind of damage the
virus will attempt to do when it strikes.
BOT 	Overwrites (corrupts) the boot sector
RUN	Interferes with application while running
PRG	Corrupts program or overlay files
DAT	Corrupts data files
FMT	Attempts to format the hard disk
FAT	Corrupts file linkage or the FAT table
	RES	    Memory resident 

	Comments:  Notes on unique characteristics of the
virus.

Common MS-DOS viruses




3.7	How Viruses Work

An overview of virus mechanisms has already been presented.   In review, once a 
computer virus is transmitted to a new host via an infected application, it can then 
infect the new system.  After infecting the new system,  the virus will generally 
attempt to stay hidden by employing a variety of strategies.  At some point the virus 
may activate and can cause damage to the host.  This section is designed to help you 
understand in far greater detail how viruses work, including how virus actions are 
based on assumptions made about the host.   

1.	Transmission.   Computer viruses are programs.  They may enter a computer 
by any route used to transfer a computer program.  The most commonly used 
route is via a floppy disk.  Viruses can also be transmitted via a modem or a 
local area network.   We are aware of at least one computer manufacturer from 
Taiwan that even shipped computers infected with the Disk Killer virus-- quite 
a time saver!  Shrink wrap software is becoming increasingly unsafe in terms 
of risk of virus infection, and public domain and shareware software always 
carries a risk.  

The source of infection can vary.  Some people's machines become infected when 
someone borrows their computer for "just a minute to print a report," or "to 
show you something very quickly."  Others become infected when they purchase 
shrink-wrap software.  Even software houses are not immune from infection.  
These distributors  can pass software on to unsuspecting buyers, or (more 
commonly)will take back used  or demo'd software and repackage it, complete 
with a new shrink-wrap outer coating.  The disk may look as good as new, but 
the previous user's machine may have been infected with a virus.  You may 
innocently use software from a shared file server that has been infected, or 
use a shared computer connected to a central resource such as a laser-printer 
that has been infected.
 
2.	Infection.   Once an infected program is copied to the hard disk or onto 
one of the floppy disk drives, the target machine is usually not infected yet.  
In most cases the user  must actually run the infected software to release the 
virus on that machine.

3.	Execution.  When an infected program is run, the computer virus interrupts 
the normal execution of the program.  The virus quickly takes control, 
executes its viral code, then returns execution to the original program.   
Most viruses execute so quickly that a user will not notice the delay.   
Knowing about the structure of a program helps in understanding how a delay 
may not be detectable.   A program  consists of a linear list of machine op-
codes that the computer will execute one at a time  (see figure on next page)  
When a virus infects an executable, it often adds the viral code to the bottom 
of the program.  This increases  the program's length and changes its cyclic 
redundancy check (CRC), or in unused stack space, only changes the CRC.  The 
virus must then patch the first line of the program with a jump statement to 
the first line of the viral code.  Finally, the last line of the viral code is 
modified to return execution to the original program.

                                              

Computer virus infection

4.	Masquerading.  Once a virus infects a system it must try to survive both 
accidental encounters with the operating system or the user as well as 
purposeful search and destroy operations the user may attempt.  To accomplish 
this the virus may use several tactics.  The first is to lay dormant.  A 
biological virus that kills its host immediately has little chance to spread; 
the same principle applies to computer viruses.    A computer virus may wait 
for some specific trigger point, e.g., a designated number of boots on the 
infected machine to occur before it causes any destructive or disruptive 
effects to occur.  This gives the virus time to spread throughout the host 
system as well as to other systems with which the host has had contact before 
someone is likely to notice the virus and eradicate it.

Viruses often employ some form of encryption to make them harder to discover. 
For example, the DataCrime (Columbus Day) virus is almost completely encrypted 
except for a small section of code that decrypts the rest of the program.  A 
search program could easily miss this viral code.  Besides trying to hide from 
detection programs, viruses can actively fight detection by modifying common 
detection programs.  Viruses also find innovative ways to hide, such as in the 
stack space of other programs, or by marking disk sectors as bad and storing 
the virus code in these sectors.  
 
5.	Activation.  The activation mechanism checks for the occurrence of a 
specific event.  Not all viruses have an activation mechanism.   If the virus 
has one and the specific event occurs, however,  the virus will try to 
accomplish the objective of its author.  A virus may activate based on two 
major types of events.  If the activation mechanism checks for a specific date 
and time, the virus is called a time bomb.  Examples of viruses which have 
time bomb mechanisms are DataCrime (the Columbus Day) virus and the Jerusalem 
virus on MS-DOS computers.  If the virus checks for specific circumstances, 
such as the number of system boots, then the virus is called a logic bomb.  An 
example of a logic bomb is the Lehigh-2 virus, which counts the number of 
infections that have occurred.  Unfortunately, viruses can activate on the 
basis of either  logic or a  time bomb, or both, depending on the skill and 
motives of the  virus author.   Other viruses are never intended to do 
intentional harm.  An example is the WDEF virus for the Macintosh computers.   
However, even these programs can create real havoc such as slowing down or 
disrupting a computer system, or can even result in loss of data.  

6.	Damage.  The actual damage a computer virus may do is extremely  variable.  
Many viruses try to damage the data on the host's hard disk.  Remember from 
Chapter 2 that losing data on a computer system generally is more of a loss 
than damage to the system itself and/or its hardware.  If there are no 
backups, any data loss can be permanent.  Other viruses are intended to damage 
specific targets.  For example, the Scores virus was written by a disgruntled 
employee  who was searching for a specific program used only internally within 
a particular company.  The program looks for the files of creator VULT and of 
type ERIC.  Theoretically, Scores should not  affect other computers, but due 
to incompatibilities on systems infected by Scores, Scores can damage files.  
Other viruses accidently do damage due to bugs/programming errors.    No 
matter what the damage, however, a computer virus will steal cycles, that is, 
it takes away time and memory that other programs should have.

3.8	Virus Weaknesses

Viruses may be a formidable challenge, but they are not undefeatable for three 
reasons.  First, viruses must make assumptions about their hosts.  If these 
assumptions fail, the computer will crash due to system incompatibilities, the virus 
may be easily detected, and/or the virus will fail to spread.  Second, a virus may 
try to masquerade its presence, but it can never disguise itself perfectly, because 
viruses need a place to live and a time to run.  Many viruses increase the original 
file size of the hosts they infect.  In addition, they usually modify the CRC, a 
special code used to check the integrity of files, leaving viruses prone to 
detection.    Finally,  the third virus weakness is that because a small portion of 
virus code must remain constant, viruses leave fingerprints, i.e., observable 
characteristics that allow them to be identified and subsequently eradicated.

Most anti-viral software takes advantage of one of these three weaknesses.  The most 
common scanning software looks for fingerprints within all system executables by 
searching all mounted media for a specific binary pattern for each known virus.  The 
problem with scanners is that they only work for known viruses.  Another class of 
anti-viral software uses the other two weaknesses of viruses to detect changes in the 
file size or file CRC.  Even unknown viruses will probably have to modify one of 
these two file characteristics.  If the viruses do, they can be detected.

NOTE:  You can implement some anti-viral protection without using anti-viral 
software.  Since most viruses affect file size, you can keep a record of original 
files sizes, then  can compare current file size if you ever suspect that something 
is amiss.

3.9 Virus Platforms

We will look at two platforms that have been the most common target for computer 
viruses, MS-DOS based computers, and the Apple Macintosh computers.  In addition we 
will look at the possibility of computer viruses infecting multi-user computers, such 
as UNIX- or VMS-based machines.

1.	MS DOS computers.   Computers running the MS-DOS platform present a 
tempting target to the virus author.  One major weakness of the MS-DOS machine 
and its non-compatible cousins such as the Atari and Macintosh is that these 
types of machines run in a single state.  Running in a single state means that 
the operating system is not protected from its applications by the hardware, 
as is the case with UNIX and other multi-user operating systems.  In a single-
state machine, for example, when an application gets control, as signified by 
the program counter pointing to the application code, it never has to give the 
program counter back.  In multi-user machines, a particular application may 
try to keep the program counter, but the operating system can take it back, 
giving the user or software a chance to kill the errant process.

Since any application can take control of the personal computer at any point, 
MS-DOS is susceptable to infection in any of the following:

	o boot record

	o system files

	o application files

Boot infectors attach viral code to the boot record or even replace the boot 
record altogether.  The boot record exists on every single MS-DOS disk, and 
contains just enough information for the computer to load the rest of the 
operating system.  If one of these boot sector viruses infects a machine, the 
virus will take control when the machine is initially booted, and will control 
the machine from that point on.  These programs often stay in memory and 
infect other programs as well as possibly disrupting the system substantially.  

A virus that stays in memory is very similar to a memory resident utility such 
as Sidekick or PCtools.  This type of virus uses one of the many ways a 
program can terminate and stay resident (TSR) to stay active and control the 
program counter and the interrupts.  A resident virus can monitor all 
interrupts and trap all system events.  If the virus is  monitoring a system, 
it can be programmed to take a number of sophisticated measures to accomplish 
its task.  For example, it can hide if it appears that a detection program is 
being run.  It can modify or destroy data, or create havoc with system 
activities and performance.

System infectors infect the operating system  (which is actually a very 
special application).  Examples in the PC arena include IBMDOS.COM, 
IBMBIOS.COM and in the case of the IBM version of PC-DOS, COMMAND.COM .  Many 
are not familiar with the first two files mentioned.  When you format a disk 
with the /s option, as in:

		FORMAT A: /S

IBMDOS.COM, IBMBIOS.COM  are created on the new disk as hidden files.  Some 
viruses specialize in infecting these three special files.  Most often, if the 
hidden system files or the equally hidden boot record is infected, the virus' 
effects will not be noticeable to the user.  Because IBMDOS.COM and 
IBMBIOS.COM are hidden files, most users will not recognize if the size of 
these files grows.  Just as with boot infectors, the system infectors can 
monitor all system activity, look for new disks to infect, and even take total 
control of the systems activities.  
  
Application infectors can infect any application program.  The first viruses 
infected only .COM files because the code was somewhat more simple to write.  
Later some viruses were modified (or mutated, to use the analogy of biological 
viruses) to infect only .EXE files.  The next extension of this malicious work 
was evidenced by newer viruses that could infect both .EXE and .COM files.  
The code for infecting both .EXE and .COM files was even more complicated.  An 
example of this is the DataCrime (Columbus Day) virus.

DataCrime, 1280	4	COM,ENC	1280	PRG,FMT/FAT	Attempts to format the disk, on some
systems this will fail, but the
attempt to format will destroy the
FAT or worse.  Will require a low
level format to repair.
DataCrime-B		COM,ENC	1168	PRG,FMT/FAT	Same as above
DataCrime II	 	COM,EXE,ENC	1514	PRG,FMT/FAT	Same as above
DataCrime II-B		ENC,CC,COM,EXE	1917	PRG,FMT	

The DataCrime Virus Family


DataCrime was originally written as a .COM infector.  Later it was mutated to 
become both a .COM and .EXE infector.  We call slightly different viruses by 
the same family name if the code is substantially the same.  In the case of 
the DataCrime virus, the major infectious and destructive portions of the code 
remained the same.  Only the method of attaching the code was changed by 
determining if the file was a .EXE or .COM file, then branching to the 
appropriate routine to cause the infection.  Because the code is fundamentally 
similar, if your computer were infected by DataCrime, the outward symptoms of 
the infection would be virtually indistinguishable.  However, close analysis 
would reveal whether .EXE or .COM or both types of files were infected, and, 
thus, the particular family member which infected your machine.

2.	Macintosh computers.  The operating system of the Macintosh is 
fundamentally different in architecture from MS-DOS machines.  Nevertheless, 
Macintosh computers are also especially vulnerable to virus infections because 
they also have single-state execution.  In fact, the application structure of 
Macintosh programs and the event queue structure of the operating system 
greatly facilitate adding a virus to a Macintosh application.  An application 
on the Macintosh can be infected by adding viral code to the resource bundle 
of the application.  The virus can then have itself scheduled in the event 
queue.   In this manner the virus can obtain a certain portion of central 
processing unit (CPU) time for its own malicious activities.

In the case of the nVIR virus, for example, the virus adds a CODE resource 
#256.   The virus then patches the jump table so that it will get executed 
first.  After infecting the computer, the virus returns control to the 
application, so the user is not aware of the infection.  After the viral code 
is executed,  nVIR first copies the INIT 32 resource into the system file.  
Now any system restart causes the virus to become memory resident,  after 
which any application launched will become infected.   After a set time 
period,  nVIRa announces its presence by beeping or, if MacInTalk is present,  
saying ÒDonÕt Panic.Ó

Similar to the boot record of a MS-DOS PC, the Macintosh has a hidden file 
called the desktop.   However, the function of the desktop is to remember the 
position of all the files, and the windows of that disk.  The desktop is a 
program and its run anytime something that affects the desktop is changed, 
e.g., opening a folder or disk, or moving a file.  The WDEF virus takes 
advantage of this operation.  Even if you only accept data-disks from other 
people, and even if you never run unsafe software, your machine can 
nevertheless get WDEF.  WDEF spreads from sharing floppy disks, including any 
Macintosh disk containing data or applications.  If an infected disk is 
inserted into a machine and the desktop is run, e.g., by copying a file, other 
desktops on the machine, e.g., the hard-disk desktop, will be infected.

3. 	Mainframe computers.   Larger computers, such as those running UNIX or VMS, 
can also in theory be infected.  However, although several claims of virus 
infections of mainframe computers have been made periodically,  no mainframe 
viruses have as yet been detected and publically verified.  If a mainframe 
virus were to be released, it  could reproduce itself in three possible ways, 
namely by:

	o Modifying source code

	o Patching executable code

	o Infecting data files

The first method would involve modifying the source code of an application.  
Since programs are often shared as source, a virus could be written to modify 
the source of other source programs on the computer.  An especially ripe 
target would be the compiler itself, such as cc (the C compiler).  

Another method would be to infect executable applications, much as PC viruses 
do, by adding executable code to an application binary.  Fortunately,  some 
link editors in UNIX and VMS make code unrelocateable, making this method of 
infecting a mainframe computer nearly  impossible.

Another possible avenue of attack would be to modify a data file.  Many data 
files contain executable meta-commands that are interpreted by a pre-
processor.  If a preprocessor or screen formatting process such as curses is 
interpreting data, it could be vulnerable to attack.

Because mainframe viruses do not appear to exist outside of the closed, 
laboratory environment at this time, greater detail about these viruses is not 
warranted.   Fortunately, because mainframes are not single-state machines and 
because their operating and file systems are more complex, mainframes make 
difficult targets for viruses.  As mentioned above, executable code is often 
unrelocateable on a mainframe.  In addition, code usually cannot be executed 
in a data segment.  Finally, to be modified, files must have write access by 
the program .  The built-in safeguards of these operating systems provides 
some protection against the ravages of potential viruses.

3.10	 Responding to a Virus Infection

Some primary considerations for handling a computer virus infection include:

o Determining that your machine has actually been infected

o Containment and isolation of the infected host(s)

o Evaluation of the actual virus, and forming an eradication plan

o Cleaning up all media with which the infected host had contact 

o Notifying all computer users that have had contact with the system 

Dealing with a virus will be greatly aided by your using a notebook.  You should 
start your notebook by recording your current system configuration.  List any network 
services you use as well.  Then jot down symptoms that your computer experienced 
before and after you suspected a virus infection.  Also create a list of media or 
network contact that you may have made recently.  If you use scanning software, 
include printouts from the scanner with your notebook.  If you are running more 
advanced, database-driven virus software, include any warning messages, or printouts 
displayed.

The first thing you should remember when you suspect that your computer has been 
infected by a virus  is that errors in applications, misconfigurations, or 
interactions between hardware and software can create pseudosymptoms of viruses.  For 
example, you may load your applications from a shared file server for execution on 
your local machine.  Often an advantage to this system is that the application can be 
upgraded for all users at one time.  Unfortunately, the reverse side is that the 
upgrade may not be compatible with your particular machine.  If you are not aware of 
software upgrades and new incompatibilities created by the software, you may be 
experiencing a psuedosymptom of a computer virus.  Another psuedosymptom frequently 
observed  is due to media, especially hard disks, approaching capacity.  Some 
applications do not have a fail soft mechanism for a full hard disk.  Defective 
media, again especially hard-disks, can also cause data corruption.  Ironically, 
people have had to deal with scrambled file allocation tables (FATs) on hard-disks 
and floppies long before computer viruses were a problem!  

We recommend that you  maintain a curious and somewhat skeptical mind-set while 
exploring the symptoms you are experiencing.  First, compare your symptoms to the 
known symptoms listed in the appendix of this document.  Do the observed symptoms 
match those of any known virus?  If not, your computer may still have a virus, 
because new viruses are being discovered almost every month.  Contrawise, your 
machine may not have a virus.  It may pay to pursue other strategies as well.  This 
chapter will help you understand more about handling a computer virus incident, and 
how to apply these methods to arrive at a valid answer.
 
3.10.1  Protection 

The first and most important stage of computer virus incident handling is to 
as much as possible avoid becoming infected in the first place.  At the same 
time,  it is important to be prepared if your computer does become infected by 
a virus.

Backups of all of your valuable programs and data are the best insurance you 
can purchase for a speedy recovery from a virus infection.  Backups help in 
three ways.   First, if a virus destroys the data on your hard-disk, you may 
lose many months if not years of work.  Why risk your labor to a faulty 
mechanical drive, or a computer virus?   If data or information is important 
to you, back-it up.   Secondly, backups help you return your machine to an 
earlier state. If you suspect that a virus has erased your hard-disk, it is 
too late to make a determination after it happens .  A backup (even if 
infected) will allow you to restore your machine for additional analysis.  
Finally, even if your backup is infected, all  viruses known to date do not 
infect data, so you can still restore the infected back-up.   Copy the data to 
clean media, then reformat the disk.  (Note:  with this procedure, you cannot 
save your applications).

Some programs can restore an application after the application has become 
infected.  However, it can be risky trusting an application that has been 
repaired by a virus-tool, especially with PCs.  A better approach is to 
protect (write-protect) your distribution disks, and make backup copies of 
every application when you take it out of its box.  Except when there are 
certain copy protection schemes, their is absolutely no reason why you should 
insert a write-enabled disk into a computer to copy an application to your 
hard-disk.  Every application that you insert in your machine should be write-
protected.  No known virus can circumvent the hardware that does write 
protection, so if it is write-protected, it is safe!  

This suggests procedures that are similar to a good insurance plan.   First, 
always write- protect your applications as soon as you get them.   Then make a 
backup copy from the write-protected original.   Next periodically backup your 
data.  With your applications safely protected on write-protected media, you 
don't necessarily need to backup all of your applications.  If you back-up 
only data with an incremental back-up, it will take very little time or 
effort.

Virus protection programs can also be very useful.   A whole new software 
market has been created by the need for anti-viral software products.  One of 
the first types of products is a guardian program that warns users when an 
application tries to write to the hard disk.  While useful in analysis, this 
kind of software is usually not good for day-to-day operation because it tends 
to generate a large number of false alarms (false detections).  Consequently, 
the user may bypass this package with the result that  there may be no 
protection against virus infections.  The next class of anti-viral software to 
come on the market recently is the scanner.  A virus scanner or hunter quickly 
examines each byte of every application on the media you are examining.  The 
scanner has a database of virus signatures.  If this type of product finds the 
signature (e.g., an identifying string) embedded in an application, it gives a 
warning, and (usually) some option to remove the virus.  For example, a 
fictitious scanner might display  the following:


Anti-vir 23.3 running...........

Black-hole virus found in the application runme
Do you want to remove this virus? (y/n) y

Black-hole removed

 
Scanning software can make your job easier.  However, it is dangerous to 
depend on such a product, because scanning software has many pitfalls.  One 
problem (possibly the most critical one) is that scanning software can find 
only the viruses it knows about.  If a new virus or one of which the author of 
the scanning program was not aware infects your machine, the scanner will pass 
it by without a warning.   A second class of software actually watches for 
changes to your file system.  This kind of software will detect new viruses, 
since it does not depend on file signatures.  Examples of commercially 
available software in this class  includes  Data Physician by Digital Dispatch 
Inc. and  CodeSafe by ChrisWare.


Some Common Anti-Viral Software Packages


¥PC Prevention Programs
	flushot+
	DDI Data Physician
	Chris Ware CodeSafe


¥MAC Prevention Programs
	Virex
	Dukakis Vaccine
	GateKeeper/Gatekeeper Aid
	RWatcher
	Vaccine
	VirusWarning INIT


 
 
When installing new applications, do not take unnecessary chances.  Whether 
you download software or purchase it shrink-wrapped, you should now know that 
you should suspect this software.  Examine the software before you load it.  
Look at the application package.  Does it look professionally prepared, and is 
the documentation typeset?  Read the license and at least some of the 
introductory text.  Is this software  suspicious?  

For example here is a portion of a license agreement from a disk that purports 
to be an  information package about the AIDS disease:

``In case of your breach of this license, PC Cyborg reserves the right to 
take any  legal action necessary to recover any outstanding debts payable to 
the PC Cyborg Corp. and to use program mechanisms to insure termination of 
your use of these programs. The mechanisms will adversely affect other 
programs on your microcomputer.''

Does this look suspicious?  It should.  This is the license agreement that was 
enclosed with the PC Cyborg AIDS trojan.  If loaded and executed, this trojan 
would hide all of your computer's files, and then would demand a payment to 
get them back.  The message you would see after this malicious code had hidden 
the files would ask you to send a $387 fee to a Panama City address.

If you are an extra careful type of person, you might consider rigorously 
examining a working copy of a new application with something such as Norton or 
Mace Utilities.  Look at the messages in the software.  While you may not 
always be able to obtain conclusive evidence, this procedure will help you 
spot many viruses that use unencrypted message strings.

Before actually installing the program, you should use a virus scanning 
program to check the media.  Another optional step is to use an isolated test 
machine, if you have one at your disposal.  You should consider exercising the 
package on the test machine for at least 30 days before you install it on your 
operational computer.  Before running the package, record the original file 
sizes and  the CRCs, then compare them to current values.
 
To summarize, when you install new software onto your system you should take 
the following actions:

o Back-up the computer
o Write protect the original disks
o Examine the software package
o Run an anti-viral scanner on the distribution media
o Install the software on a test machine
o Install the package
 
3.10.2  Identification  

Even if you follow the prevention strategy above, we cannot  guarantee that 
you will never get a virus.  If you suspect that your machine has become 
infected by a computer virus, the next step is to identify the problem.  As 
discussed previously, not all problems (e.g., anomalies, poor performance) 
that you encounter with your computer will be a virus.  In fact, polls in the 
industry suggest that the probability of becoming infected by a computer virus 
is only about four percent.  

Before you proceed any further, you may want to create a fresh back-up of your 
system.  This ensures that if you or the virus actually damage any data, you 
can return to a known state.   Do not overwrite your old backup, but create a 
new one.  Remember, even if your back-up is infected, you probably can recover 
the data files.

To identify the virus or problem,you should first record in your notebook the 
symptoms you have observed in the past and are observing now.  Then you should 
look at the list of viruses and their symptoms (see Section 3.6)  to determine 
if the symptoms you are currently observing in your computer  match those of 
any given virus.  If they do and you have eliminated other reasons for unusual 
system behavior, then you should proceed to the next step, containment.





















































Virus identification tools
 



Virus identification tools (see figure above) have become so useful that they 
are almost indispensable in the modern anti-viral arsenal.  While tools are 
not absolutely necessary, they can make dealing with a virus considerably 
easier.  Identification tools are not foolproof, since they can only identify 
the viruses that they are programmed to identify.   For such viruses, however, 
these tools give almost positive proof that your machine is indeed infected.  
Many of the programs listed above can also help eliminate the virus and repair 
damage as well.

Let's look at a hypothetical example.  Let's suppose you are about to use the 
shared MS-DOS computer in your office when you notice characters falling from 
their position on the screen, onto a heap at the bottom of the screen.  You 
suspect something is amiss.  Upon inspecting the tables in Section 3.6 of this 
document, you find the entry:

1701,Cascade, Autumn, Blackjack,
Falling Leaves	7	ENC,RES,COM	1701	RUN,PRG	Characters fall to the bottom of the
screen.  Both 1701 and 1704 versions
are also known as: Autumn, Blackjack,
Falling Leaves

You now strongly suspect that your PC has the 1701 or Cascade virus.  You also 
notice as you press the return key that the screen returns to normal, and you 
are in the middle of an application.  You quit the application (e.g., 
Interleaf) and return to the DOS prompt.  Just to be sure, you decide to try 
your trusty, if a little bit rusty, virus scanning program.  You take the 
program and write-protect the disk so that it will not become infected.  You 
now insert the disk into the A: drive and execute it.  The drive whirls; you 
get reassuring words that its working; but upon completion the program 
indicates the machine is clean.

What can this mean?  You look at the documentation for the scanning program.  
You find that the program detects the 1701 virus, so what could be wrong?  Two 
things could be happening.  First, this could be a mutant of the 1701 virus 
that your scanning tool is not programmed to detect.  Second, you may not have 
a virus.  Some screen-saving programs, such as the one in Interleaf, can have 
virtually the same behavior as some viruses.  It pays to be careful, but in 
this case what appeared to be a virus infection was actually just the normal 
action of a program.

The previous example probably best illustrates why virus identification is 
still a "black-art."  The best way to attack the problem of identification is 
with appropriate knowledge and procedures for dealing with viruses.  You 
should know your platform, your applications, and how platforms and 
applications  interact.  Note strange behavior on your system and develop 
hypotheses to be tested.

Another example actually happened to a CIAC team member while he was getting 
an estimate to repair his car.  The clerk was looking up some part numbers and 
availability of these parts on a Macintosh IIx.  The CIAC team member noticed 
that the machine was slower than should be the case for a CPU such as the 
Macintosh IIx, and was also aware that the WDEF virus was becoming very 
prevalent in the San Francisco Bay Area.   He asked the clerk if it would be 
o.k. to check the Macintosh for viruses.    Using Disinfectant (a Macintosh 
virus detection tool),  the CIAC team member found the WDEF-A virus on the 
machine, as well as all the rest of the Macintoshes in the immediate work 
area.

To repeat, software tools are very useful.   Remember, however, that knowledge 
and good analysis procedures are at least as important in identifying and 
dealing with viruses.

3.10.3  Containment

 A virus is not fundamentally like a worm that replicates independently of 
what users do.   Responding to a virus, therefore, is not as dependent on the 
speed of your reaction (except, perhaps, when a virus attacks something such 
as a central file server machine).  If you suspect your machine has a virus, 
do not automatically reach for the off switch on your computer.  Turning your 
machine off is extremely unlikely to solve any problems.   We recommend that 
unless you know it is better to turn your machine off, leave it on.  If a 
virus has infected your computer and the virus counts the number of boots 
(waiting for the count to reach a certain number), your action might push the 
count over, causing it to attack your machine the next time you turn it on.  
For example, in the case of the Disk Killer virus it is actually better to let 
the virus finish its actions before you do anything.  After the virus finishes 
damaging the data on your hard disk, Disk Killer actually writes information 
about what it affected .   Some anti-viral utilities, therefore, can actually 
restore the disk.  There are a few other viruses, however, for which the best 
response is to turn off your machine as fast as possible.   This will give you 
a chance to recover the entire disk.   Again, being familiar with viruses and 
their actions is a critical component of dealing with viruses.  

When you suspect a computer virus has infected a computer, you should 
immediately establish a quarantine.  Disconnect the infected machine from any 
network, then display a sign to caution people against using the computer.  
Once you have verified the infection, tighten the quarantine--do not let 
anyone use the computer until it is verifiably clean.
 
3.10.4  Eradication  

Eradication is the process of removing a computer virus from your  system.  
The surest way to recover from a computer virus is to start with a clean 
system again.  A clean system is one in which the memory (both RAM and EEPROM) 
is clear,  and the hard-disk has been low-level formatted.  Since some viruses 
hide in the partition table or other specific portions of the disk, to fully 
recover it is important to erase the entire disk (including system- 
and hardware-specific areas such as the partition table).  

Since a low-level format is completely destructive of all data on your disk, 
you will want to first make a full back-up of your data files.  Some viruses, 
such as the Dukakis virus (which infects Hypercard stacks), actually infect 
data-files .  This is, however, a rare case.  In most cases data cannot be 
infected from currently known viruses.  For the most part, therefore, you are 
safe from reinfection if you restore your data from an infected disk.  
However, the applications must come from clean source disks, not your hard 
disk if you wish to be safe.

It is important to be careful how you reformat your disk.  You cannot simply 
issue the reformat command while the virus is in memory.   You must power down 
the system, and then reboot from some trusted source, perhaps a diskette if 
the diskette boots first.  Then issue the formatting instructions from that 
trusted diskette or other clean source.

Some anti-viral products will also remove known viruses from applications.  
Usually on Macintosh computers it is safe to allow these utilities to work.  
This is because the process of adding code in a Macintosh application is quite 
clean, and so is the removal.  On the MS-DOS machines, however, automated 
recovery has mixed results.  If you are unsure, check the documentation.  Most 
anti-viral vendors are very straightforward in describing the particular 
viruses for which their products are effective.  

NOTE:  If a classified system has become infected by a virus, it is essential 
to follow  guidance issued by the DOE Office of Safeguards and Security.  In 
addition, we strongly recommend doing a low-level format on your classified 
system's hard disk.

3.10.5  Recovery

 Recovery is the process of returning to normal operation. Once you have clean 
hardware, you can begin restoring your system.  Take out your original write-
protected applications disks and rebuild your file structure.  If you have 
scanning software, scan your hard disk to ensure that none of the original 
disks were infected.  Then carefully copy the data disk back to the hard disk.  
Don't allow any executable that might have found its way to the back-up disks 
to be copied onto the hard disk.

Scan one more time to make sure no infected applications made it back on the 
hard disk.   You have now returned the file system to a clean state.  If you 
practiced a good backup strategy, you should have all of your files and data 
as clean as new.  If you are exhausted from all the work, you can take comfort 
that at least your hard disk is not fragmented.  Loading all software over 
reduces hard disk fragmentation considerably.

There is one more recovery issue.  Remember to check all backup floppy disks 
for virus infections!  In many cases massive reinfections of a virus occur 
because someone forgets to disinfect backups.  Any floppy disk which contains 
a virus should  be erased and reformatted before it is used again.  If this is 
not possible, use a dependable eradication program to remove or repair 
infected files.

NOTE:  Again, if a classified system is involved, follow the guidance issued 
by the DOE Office of Safeguards and Security to ensure that classified data 
are not compromised.
 
3.10.6  Follow-up

Just because your system is now clean does not mean that all the work is over.  
What about all the other people with whom your system has had contact (e.g.,  
vendors or clients)?    People who may have mailed you an infected disk, and 
your co-workers should be told.  If you don't practice this important follow-
up, then the virus will probably spread more, and your system is very likely 
to become infected again.   Inform others that you had a computer virus on 
your machine and that they should check theirs.  Tell them how you discovered 
it, what the symptoms are, and how you recovered.  

Now might be a good time to review your virus procedures and tighten scanning 
of all disks entering machines in the area, at least until the "coast is 
clear."  How did the virus infection start?  How adequate was the anti-virus 
software that you used?   How many person-hours did this effort require?  Was 
adequate technical assistance available?  These questions must be answered and 
any open issues must be resolved before your follow-up activity is complete.


4 - Responding to Worm Attacks

4.1  Introduction

Imagine thousands of computers connected to a communication network suddenly all 
screeching to a halt.  This actually happened in November, 1988, and the cause was a 
worm-- the Internet (Morris) worm.  Public awareness of a relatively unknown computer 
threat jumped to a high level, with national news coverage and front page newspaper 
articles.  From this point in time onwards, computer worms have been a major concern 
of all computer users connected to networks.

This section will concentrate on computer worms.  Worms will be defined, and a brief 
history of worm attacks will be given.  The remainder of the section will outline a 
methodology for handling a worm event as it happens.  The handling of a worm event 
follows the same pattern as other computer system attacks, and may be characterized 
by the six stages of incident handling described in the overview section above.  This 
model will be used in describing the methodology for handling a worm attack.

4.2	Definition of Worm

A computer worm is a computer program in the category of malicious code with the 
following characteristics:

	o  Is self-replicating
	o  Infects hosts rather than programs (unlike a virus)
	o  Attacks using automated hacking techniques to penetrate a host and begin 
execution
	o  Exists as an autonomous process or set of processes

In general, a worm is very much like a virus, but with the primary distinction that a 
worm will infect a host rather than an application.  A worm will spread using 
communication channels between hosts such as phone lines, networks, or gateways to 
access services on another host.  The worm will then use these offered services to 
copy itself to the victim host and begin execution.  The services used by the worm 
will vary, depending on the specific worm, but may include electronic mail, remote 
login, and remote file service.

The ability of worms to threaten thousands of computers is a direct result of the use 
of network communication between these computers.  When computers were mostly 
isolated, worms could not easily jump between hosts.  Today, the trend is for more 
and more computers and networks to be interconnected to provide easy access and 
distributed services.  Worms take advantage of these advances in computer science to 
threaten the worldwide computing environment.

Once a worm has penetrated a system and begins execution, it may alter the operating 
system for its own use, cause damage, or simply access information and pass it back 
to the wormÕs creator.   Previously known worms have stolen user accounts and 
passwords, installed trojan horse programs in the infected host, and caused denial of 
service by utilizing all of the available computing resources.  To date, only the 
worms with relatively small disruptive potential have been released.  

4.3	A Brief History of Worms

While the Morris Worm is the best known network based worm, it was not the first or 
only network worm.  Because it is the best known, however, other worms are dated in 
relation to this one (see figure below).  


                                                         

 A Chronology of Worms


The first recognized network-based worm was launched at Christmas time, 1987 and was 
known as the Christmas Card Worm.  This worm attacked IBM mainframe computers running 
the VM/CMS operating system.  It spread using the electronic mail system.  When this 
ÒChristmas cardÓ arrived at a person's account, it would exploit a feature that would 
automatically forward itself to everyone in the person's mailing list.  This resulted 
in a denial of service over a large section of the internal BITNET of IBM due to the 
large number of these ÒChristmas cardsÓ around the net.  It did spread to the 
external BITNET, but was not successful due to the loose coupling outside of the IBM 
Corporation.  

The Morris Worm has already been mentioned.  It was released in November, 1988, and 
spread through a nationwide TCP/IP network known as Internet.  Several operating 
systems, all variants of the UNIX operating system (such as BSD and Sun OS), were 
successfully attacked by this worm.  Four vulnerabilities in UNIX services were 
exploited to spread the worm.  One involved  the electronic mail system (sendmail), 
two more involved an authentication bypass mechanism (.rhosts and hosts.equiv), and 
still another vulnerability involved a utility to find out who the users of a system 
are (finger).  The worm would also attempt to guess passwords on a penetrated system 
and spread using the passwords it successfully guessed.  The result of the Morris 
Worm was a tremendous slowdown of all successfully penetrated systems due to a bug in 
the code that caused the worm to replicate at a faster pace than intended.    
Thousands of hours of system administration nationwide was required to eradicate and 
recover from this worm.

Christmas, 1988 saw the first known VMS worm released.  Named Father Christmas, this 
worm had many of the same characteristics as the Internet Worm, and was obviously 
influenced by the Internet Worm.  The worm attacked a national DECNET,  the Space 
Physics Analysis Network (SPAN), and used a few well-known exploitable features in 
VMS to copy itself between nodes and begin execution.  This worm would send any user 
names and accounts to a known location for later retrieval by the author.  This worm 
would first delete the file used to start the worm, thus leaving no trace in the file 
system of the wormÕs presence.  The worm would send a message to each user on a 
system on Christmas Eve from ÒFather Christmas,Ó  the basis for this worm's name.

In 1989, another VMS worm attacked a number of nationwide DECNET systems.  Known as 
the WANK/OILZ worm, this worm used many of the techniques found in other worms.   
WANK/OILZ  was quite complex.  It would guess passwords, install trojan horses in the 
penetrated system, add privileged accounts as back doors, and write annoying messages 
to users of remote systems.  The first variant, the WANK worm, was quickly followed 
by the OILZ worm.  The differences between the two was clearly intended to evade the 
common scripts used to eradicate and prevent against the WANK worm.  The intended 
damage of this worm was severe.  The worm would attempt to alter all of the 
executable DCL scripts in the system to add accounts, and changed the user passwords 
of all penetrated accounts.

4.4	Considerations in Worm Attacks

The major concerns in dealing with worm attacks are:

o Speed of reaction
o Indiscriminate spread
o Bugs contained in the worm code
o Reaction of worms to your incident response strategies
o Coordination between sites

The most pressing concern in reacting to a worm attack is the speed of response.  
Because worms are automated attacks, they will proceed at the speed of the host 
computer.  In order to respond to them effectively, the worm must be quickly 
identified and a correct reaction initiated to minimize the damage resulting from the 
worm.

Worms usually do not follow any particular boundaries when choosing a victim machine.  
Therefore, a worm will spread indiscriminately to any other host to which it can 
connect and from which it can request services.  In order to contain a worm, all 
connections to other hosts must be discontinued.  Note that simply because a 
connection is not usually used (i.e., between a companyÕs computer and a Government 
lab) does not change the fact that a worm could use a common network to spread along 
this route.

It is difficult (if not impossible) to write error-free code, and worms are no 
exception to this principle.  All of the worms detected to date have had programming 
errors (bugs) of one kind or another.  In the most well- known case, the Morris worm, 
the error in the code caused the worm to replicate itself within a host so rapidly 
that no other processing on the host was possible.  This caused an easy detection of 
the worm, and led to a significant denial of service.

When dealing with a worm attack on a particular system, there is no need to take into 
account the ÒfeelingsÓ of the worm.  This is unlike a hacker attack, in which if you 
respond rudely to a hacker, you may increase the possibility of damage to your 
system.  With a worm attack, the removal of the worm by any means at your disposal 
cannot foreseeably change the reaction of the worm.  The worm can neither adapt nor 
react to your incident response strategies.

While it is always important to coordinate with other sites during an incident, the 
nature of worms makes this coordination essential to a favorable resolution to a worm 
incident.  Because worms spread along network and other intra-site connections, 
failure to coordinate your response with other sites will prevent complete recovery 
to the worm attack.  Worm attacks must be dealt with on the level of the 
interconnections between the hosts.  In the case of a worm on the Internet, the 
entire Internet community must cooperate to completely eradicate the worm.

4.5	Basic Mechanisms of Worms

The basic mechanism of a worm is a two stage process.  First, the worm must copy 
itself to the victim host, and secondly, the worm must begin an execution of the copy 
on the remote machine.  To copy itself to another machine, the worm makes use of 
services provided by the victim computer that are designed to accept information from 
the attacking machine.  These are services that both have proved useful to users and 
are widespread (e.g., electronic mail, remote file service, ÒtalkÓ or ÒphoneÓ 
services, and ÒfingerÓ services that will allow information about the users of a 
system to be provided).  

In order to complete the process, the attacking worm must be able to start the 
execution of the worm on the victim machine.  This is accomplished by exploiting 
other services that are provided for this purpose.  Examples include rsh (remote 
shell execution for UNIX) or batch job submission.  Other services not intended for 
remote execution may contain bugs or features that allow remote execution without 
authentication as well.  Such bugs exist in many services such as sendmail, finger, 
and network file systems.   Each operating system has its own set of services that 
may be exploited.  This usually means that a worm is specific to a particular 
operating system,  or a set of systems providing common services.

4.6	Recommended Steps for Responding

This section will apply the methodology introduced in Chapter 2 to handling a 
network-based worm attack.  In review, this methodology includes the following 
actions:

o  Protection
o  Identification
o  Containment
o  Eradication
o  Recovery
o  Follow-up

Each of these will be discussed in detail below.
	
4.6.1  Protection

Protecting against worm attacks involves a number of issues, but the primary 
goal in protection is to assume that sometime you will experience a  worm 
attack in which your system will be penetrated.  Given this assumption, a 
worst-case scenario may be described, and  countermeasures may be prepared.  
This is not to say that prevention is impossible.  All of the known worm 
attacks to date could have been prevented if principles of good system 
administration were followed, including:

o  Sound password management
o  Closing known vulnerabilities and installing provided patches
o  Running the latest version of the operating system
o  Assuring that the systems had been properly configured

In addition, good system administration practice will aid in the process of 
recovery from a worm attack.  Preparing for a worm attack includes:

o  Preparing a set of procedures applicable to a worm attack
o  Following a regular backup schedule
o  Monitoring the system activity for unusual behavior

This methodology will aid in preparing a set of procedures for handling a worm 
attack.  However, a set of procedures that take into account site specific 
considerations should be prepared ahead of time.  These procedures should 
include the names and phone numbers of persons to contact in emergency 
situations involving worm attacks (as well as other incidents described in 
this document).   

As in other types of incidents, procedures are more important than software 
solutions.  For worms, this means that you should not rely on a software 
protection package to assure that you will not have to handle a worm event.  
Assume that a worm will get through your software defenses and determine the 
countermeasures from that point of view.  Of course, this does not mean that 
you should not use software tools or install security patches to the operating 
system, but always consider the worst case scenario as the basis for your 
procedures.

4.6.2  Identification

Identifying a worm attack will require a careful analysis of the state of your 
system.  Some of the things to look for are:

o Unusual names for processes on your system
o Newly created files in special directories such as system, user, and 
temporary directories.  This is especially true if these directories are 
world writeable or in unused accounts
o New or altered accounts
o Unexplained performance problems on your systems

Be sure to document all observations.  You may compare situations where no 
worm was found to exist with a new anomalous situation.

Some other important considerations in the identification of a worm event are 
to keep in touch with your local computer security department and CIAC.  You 
should get an indication of a specific symptom for which to search from these 
sources if a wide-spread worm event is underway.  CIAC and other coordinating 
groups will use the information you provide to aid other sites in getting the 
worm under control.  If this is not done, the worm will be free to attack your 
systems again once you finish your recovery procedures.

In addition, be sure that your user community should be well aware of your 
policy concerning worm identification.  Chances are that your users will 
detect anomalous behavior before you get a chance to monitor the system.  User 
education will allow you to have a network of worm detectors available 
whenever a user is logged into the system.

4.6.3  Containment

Once it has been decided that a worm incident is under way, the most important 
goal of the containment stage is to stop the spread of the worm beyond the 
machines in which the worm has been detected.  This is an exercise in getting 
the situation back under control.  A controlled environment is required in 
order to effectively apply the subsequent stages of incident handling.  

During the containment stage, you will have to make many important decisions 
and gather valuable information on the situation.  Planning is essential since 
you will have to react quickly,but effectively.  You will need to capture the 
baseline state of your system in order to save it for future analysis.  It is 
probably not the case that you will be able to correctly analyze the worm 
before it is under your control, so you should plan to record as much 
information on the state of the system as you can.  If practical, begin a full 
backup at this time (being careful to mark the backup tapes as infected with 
worm code).  List and halt all nonessential processes on the system.    If 
classified information is involved, be aware of and immediately deal with the 
threat involving disclosure of the information across any connected networks.

In order to gain control over your system, you may want to disconnect it from 
all forms of external networks.  This is probably an effective way to prevent 
the spread of the worm, but realize that it may limit your ability to 
communicate information about the worm as well.  During the attack of the 
Internet Worm, those systems that disconnected themselves from the Internet 
were not able to receive critical information concerning how to destroy the 
worm.  If you do choose to disconnect from your normal communication networks, 
be sure to keep in touch via telephone, FAX, or other media to CIAC or some 
other coordinating group.    CIAC is dedicated to providing solutions and 
technical advice during such an attack.

Finally, do not neglect your appropriate reporting procedures during a worm 
attack.  Quite aside from technical issues that arise during a worm event, a 
widespread worm will attract the attention of the national media.  Following 
the proper reporting procedures and allowing your public affairs group to 
handle the press will help you keep your situation under control.  

4.6.4  Eradication

Once the situation is under control and contained, it is important to 
eradicate all traces of the worm from your affected systems.  This may be 
partially accomplished by removing processes (as described in the preceding 
section), but there may also be other residue left from the worm.  In 
particular, be sure to check for:

o New accounts added by the worm, especially privileged accounts (such as root 
accounts for UNIX systems, or privileged accounts on VMS systems)

o New files added by the worm--these files may be used during a reboot of the 
system to restart the worm, and should be removed

o Files for proper ownership and protections--it is common for worms to leave 
back doors in a system for the author to use later

o Trojan horses added by the worm--if possible, compare all executable files 
to files from a trusted source (e.g., backup tapes or distribution media)

Use any eradication scripts provided by CIAC or other trusted source to aid in 
the process of completely eradicating the worm code.  Be sure to document all 
of your actions during this process.  Not only will this allow you to describe 
precisely how your system has evolved, but gives you some additional 
confidence that you have left no steps out in the eradication process.  

For some systems, especially those involving classified processing, it may be 
appropriate to completely erase the on-line storage and recover using clean 
backup tapes and the original distribution of the operating system.  Be 
careful in this case to not only erase the disks, but shutdown the system to 
clear the internal dynamic memory.  If your system uses static memory as part 
of its storage system, be sure that this is cleared as well.

4.6.5  Recovery

Before you can return to operational status, you must recover the state of the 
machine to  before the worm attacked.  During this recovery, you want to 
assure that the worm is eradicated from the system, and that it cannot 
reinfect the system.  To accomplish this, you must plan to install security 
patches to close vulnerabilities exploited by the worm .  (This may involve 
changing user passwords or disabling a system service.)   Use your records 
from the eradication and detection stages to identify any modified or deleted 
files, and restore these files from an uninfected backup copy.  Restore 
whatever system services you can, and restart the normal user services 
unrelated to the worm infection.

After you have brought your system back to normal, you may consider placing it 
back on the network (assuming that it was taken off the network in the 
containment stage above).  Before this step, assure that the worm infection 
has been eradicated from the network and that it is safe to restore network 
services.  Coordinate with CIAC or other computer security groups to assure 
that the time has come to restore your network connection.

4.6.6  Follow-up

Once you have restored the normal operation of the system, you enter the 
follow-up stage of incident handling.  This is an often neglected, but very 
important stage for a number of reasons described in Chapter 2.   In addition, 
the substantial effort used to handle the worm incident will have to be 
justified to management, and information that could be used to prosecute the 
author of the worm must be properly handled.

An important goal in the follow-up stage is to analyze what happened.  We 
recommend that you create a report detailing the chronology of the incident, 
actions taken, and lessons learned.  This is the time for the detailed 
analysis of the specific occurrences and information taken during the 
incident.  If the report is completed soon after the event, information that 
was not chronicled during the event may be reconstructed.  This report may be 
used for a number of different purposes, so it is important that it be as 
complete as possible, and that it contain a true chronology of events.

If you have any indication of other specific systems attacked, be sure to 
notify the appropriate system managers as soon as possible.  This may not only 
help save additional systems from the damage and/or inconvenience the worm may 
cause, but may also lead to reconstructing a path that the worm took through 
the network.  This, in turn, could help  trace the worm back to its point of 
origin.  CIAC may be of great assistance during this activity to contact sites 
and coordinate between investigating agencies.

It is often the case that one of the lessons learned is that if a particular 
tool had been installed, the incident would have been easier to handle, or 
perhaps would not have occurred at all.  The follow-up stage is the time to 
evaluate these tools and to decide which ones should be installed permanently 
on the system.   Be aware, though, that too many invasive security tools tend 
to burden the user and will degrade the day-to-day operation of your system.  
Choose which tools you will install carefully, and be aware of the tradeoffs.

It is very important to remove any on-line copies of the worm from your system 
at this time.  It is common for hackers to break into systems known to have 
been attacked by a worm with the sole purpose to find a copy of the worm and 
re-release it.  There are many hackers who do not have sufficient knowledge to 
write a worm themselves, but may modify an existing worm to evade a common 
protection mechanism.  This was the case with the OILZ variant of the WANK 
worm.  Lock up or otherwise isolate any copies of malicious code you may 
obtain.

Finally, issue an Òall clearÓ message to your user base.  With all the "hype" 
associated with a worm incident, there may be many users who are confused 
whether they can get back to a normal usage schedule.   If you are working to 
coordinate a number of systems, other system managers must be notified as 
well.

4.7  Final Words on Worm Attacks

Network-based worm attacks are a natural extension of malicious code to the current 
trend of interconnected, trusted systems.  While it is currently impossible to 
prevent all future worm attacks, following an effective set of procedures will help 
you to deal with a worm event in a practical fashion and without panic.  The national 
attention these incidents receive will make handling a worm event tricky, but 
following the procedures described in this chapter should keep the disruption of the 
system to a minimum.
 


 5 - Hacker/Cracker Attacks

5.1	Introduction

The term "hacker" is in many ways a misnomer.   The term "hacker" can be used to 
refer to someone who  constantly plays with computers.  A "hacker" can also imply a 
computer expert.  In the context of this manuscript, "hacker" is used somewhat 
inappropriately to refer to someone who breaks into one or more computer systems.  
"Hacker" is nevertheless useful, in that it is a commonly used term within the world 
of computer security--few computer security experts fail to agree to some extent on 
what people mean when they say that a hacker broke into a system.   On the other 
hand, "cracker" refers to someone who breaks into a system with malicious intent 
(e.g., someone who breaks in, then trashes a user's files).

Dealing with hacker and cracker attacks is a special challenge.  Along with internal 
sabotage, hacker/cracker attacks are the most potentially destructive form of attack 
to a single system.  A worm may attack a network, and it may virtually close that 
network.  However, a worm is nothing more than an algorithm.  Once the algorithm is 
understood, the worm attack can be terminated.  In a hacker/cracker attack there is 
an intelligent human being back of a keyboard somewhere.  Although the ethics of 
their activity must be seriously challenged, critics often admit that 
hackers/crackers are frequently resourceful and elusive.   You can shut down the 
machine that is being attacked, but the attacker is likely to simply hit another 
machine.   Furthermore, hacker/cracker attacks are far more frequent than people 
realize.  Hackers/crackers are often very careful to "cover their traces," so that it 
may be difficult to notice the attack at all.   Finally, there are international 
hacking clubs and hacker bulletin boards.  Communication among hackers/crackers makes 
them better organized and increases information available to them, making them more 
capable of succeeding in whatever goals they have.
 
There are many misconceptions about hacker/cracker attacks.   One misconception is 
that there is a single type of hacker or cracker, usually a frail teenage male with 
weak social skills.  Another is that hackers/crackers usually destroy and/or steal 
files.  Yet another misconception is that to break into a system requires 
considerable knowledge about computer systems.  All of these misconceptions are far 
from reality!   There is no single type of hacker or cracker--some hackers/crackers 
are young, and some are considerably older.  Some are quite knowledgeable about 
computer science, whereas others know very little and mostly rely on bulletin boards 
and "word-of-mouth" to break into systems.
 
5.2	Division of Responsibility

Responding to a hacker/cracker attack generally requires a great deal of coordination 
from users and administrators of a system.  Managers must implement and fund a 
security plan, and must ensure that this plan is followed.  System administrators 
must fix security vulnerabilities and must take the lead in installing and 
maintaining security tools on their systems.  Users must be aware of a security plan, 
and must operate their computer in a responsible manner.  This may mean, among other 
things, not using all the available features/utilities of their system if some 
features introduce vulnerabilities.  This may also mean furnishing the system manager 
with pertinent information, such as information about numerous failed login attempts 
on a user's account.

5.3	Recommended Steps for Responding 

	5.3.1	Protection 

Protection against a hacker/cracker attack requires considerable effort.  Taking 
protective measures can never provide absolute assurance that your system(s) will 
not be attacked, however.  Additionally, some protective measures may be 
characterized as proactive measures to ensure that responding to a hacker/cracker 
attack will go more smoothly if and when such an attack occurs.  (Remember, it is 
essential to avoid viewing your system as invincible, and to devote a good 
portion of effort to ensure that things will go smoothly when the inevitable 
happens--your networked system is attacked by a hacker!)  Protective or proactive 
measures include having effective password management, obtaining and installing 
special purpose hardware, creating backups, eliminating security holes, obtaining 
and installing monitoring tools, and developing effective procedures.

Effective password management is so important that there is a separate section 
devoted to this topic at the end of this chapter.  Password management is, in 
fact the single most effective protection mechanism for systems connected to a 
network.  At the most basic level, it is essential to require the use of 
passwords for logins, regardless of whether the login is coming from a terminal 
connected directly to a host machine or  from a remote location.  In the case of 
logins from a modem, it is important to require a separate password for using the 
modem!  At the next level, it is critical to ensure that user accounts have 
effective (i.e., not easily guessed) passwords.  For example, passwords such as 
TOYOTA, JENNIFER, and WEENIE are very easy-to-guess passwords--ask most any 
hacker!

Special purpose hardware is also useful in protecting systems against 
hacker/cracker attacks.   This hardware may require the users to carry and use 
some hardware (e.g.,, a plastic card or authentication device) before the login 
sequence appears.  When properly implemented, special purpose hardware can be 
effective because it can virtually eliminate the threat of intrusion from afar.   
Special purpose hardware, however has some drawbacks.  The hardware can be 
expensive, and it is often inconvenient to use a special card or electronic 
device to gain access to a system.  In addition, users with many accounts must 
keep track of many devices.  For this reason, special purpose hardware is not 
widely used.  We recommend such hardware when there is sensitive and/or 
proprietary information on a system, or when there is another special need for 
extra security.  Another example of the wise employment of this hardware is when 
organizations and agencies require its use when there is an unusual threat, such 
as a recent rash of hacker/cracker attacks on the network to which that 
organization/agency's machines are connected, but not at other times.  

File protections are important in protecting systems against hacker/cracker 
attacks.  In general, files need to have protections such that only the users or 
programs needing access to a given file have access.  In particular, assure that 
file protections for system binaries and home directories are not world-
writeable, and that sensitive files are not world readable or writeable.  Also, 
be aware of unexpected public files and directories with world read or write 
privileges, and files in a user's directory not owned by the user.

Backups are also essential.  You can do many things wrong as far as computer 
security goes, but if you backup your system frequently, you will at least not 
lose data.  If you have frequent backups off-line, any attack can damage at most 
only your on-line data.  (Backups are good not only for handling hacker/cracker 
attacks, for also for other incidents which could lead to a loss of data.)  You 
need an effective backup strategy to make backups work for you.  As part of this 
strategy, make sure that you back up every important file, and that you perform 
the backup on non-volatile media.  Use long backup cycles (e.g., backup once a 
month), since it may take a considerable amount to time to detect a mistake in 
backing up your data.  Use separate media for each backup, and take the time to 
verify that your backups are correct.

Another important step in protecting against hacker/cracker attacks is 
eliminating security holes.    Although this topic will be covered in more detail 
in Chapter 6, it is introduced here to emphasize the role of unpatched holes in 
hacker/cracker attacks.  Many operating systems have numerous holes, whereas 
others present opportunities for hacker/cracker attacks only if they are 
improperly configured.  In general, it is better to run the most recent version 
of an operating system unless you know that the newest release introduces new 
vulnerabilities (which, unfortunately, sometimes happens).  Sun OS 4.1 is 
considerably  more secure than is Sun OS 3.4.  For the sake of system security, 
upgrade to Sun OS 4.1 in this case!!  Keep in touch with information about 
security holes distributed through user groups, emergency response teams such as 
CIAC, etc., and take appropriate action (e.g., install the patches that are 
available).

Obtaining and installing monitoring tools is another important protective 
measure.   There is a variety of monitoring tools available, and it is wise to 
have a number of these tools.  (Refer to Chapter 7 for more specific 
information.)  Now is the time to obtain and install these tools--you may find 
that once a hacker/cracker attack starts, it is impossible to quickly obtain and 
install the tools you need!

Developing effective procedures for responding to hacker/cracker attacks is 
essential.   These procedures should include call lists, lists of people to be 
contacted during an incident.  These lists should include both work and home 
phone numbers, since emergencies often happen at inopportune times.  (CIAC team 
members have a laminated card containing phone numbers of other team members, our 
site computer personnel, our operations office managers, and people at DOE 
Headquarters!  We wear this card with our badges.)  Procedures should reflect 
realistic time-distance considerations.  If there is a hacker/cracker attack 
during non-working hours, some people who will help respond to the hacker/cracker 
attack may have to travel farther than others.  Procedures should have those who 
are closest to the site of response coordination initially doing all the work or 
the most urgent tasks.  Other considerations for developing effective procedures 
include specifying who users should notify, how to get information out to users, 
and what to tell users.   Dealing with the media is also important.  How should 
calls from the media be handled, and what kind of information, if any, should be 
given?   Procedures should address shut-downs and when a system should be taken 
off a network.    When to prosecute and when not to prosecute should also be 
covered, as well as the types of evidence that needs to be gathered if you decide 
to prosecute.  Procedures should address the need for keeping timestamps, 
especially since hackers and crackers may change computer records.  Who keeps the 
"master clock?"    Finally, it is important to decide how to create, change and 
distribute your incident handling procedures, and to specify the tools or other 
computing resources needed to implement your procedures.

We also recommend another simple protective measure.  If practical to implement, 
modify your system banner to delete any words or phrases which welcome users to 
your system.  At the same time, warn intruders with a message such as the 
following:

	WARNING:  Unauthorized access to this computer system is prohibited, and is 
	subject to criminal and civil penalties.

Changing your system banner may not deter all or even most hackers, but it is 
likely to deter some hackers.  In addition, removing welcome messages in your 
system banner may be important in that in a court of law welcome messages may be 
considered invitations to intrude into systems.
 
	5.3.2	Identification 

Identifying a hacker/cracker attack can be an immense challenge.   Good 
hackers/crackers are incredibly good at avoiding detection, often by writing and 
planting routines to mask their presence in systems they attack.  There are a few 
general clues that a hacker/cracker intrusion is occurring.  A  general clue is 
that hacker/cracker attacks often occur during the night or early morning when 
few users are on the system, or when the system manager is not on the system.  
Cooperative users are the "eyes and ears" of computer security--keep in touch 
with them, and encourage them to report unexplained failed login attempts and 
other specific evidences of a hacker/cracker attack.    Finally, detection tools 
(covered in Chapter 7) are available to help identify an intrusion.

There are also specific indications of a hacker/cracker attack.  Look for 
combinations of the following:

	o New, unauthorized user accounts

	o Processes owned by unfamiliar users

	o New files or file modifications

	o Accounting discrepancies (e.g., charges for using your system do not 
coincide 	     with compute time)

	o Changes in system files (e.g., password files)

	o Modified/deleted data

	o Denial of service (e.g., your system suddenly goes into single user mode, 
	   	     locking you out)

	o Poor system performance

	o Anomalies (e.g., compiling new programs in a temporary directory)

	o Suspicious probes (e.g., rlogin attempts) and/or browsing (e.g., file to 
file)

	5.3.3	Containment 

Once you have identified that there is (or probably is, in many cases) a 
hacker/cracker attack, the next step is to contain the attack.  Containment may 
not exactly be the correct term to describe all of the goals and procedures 
necessary during this stage of response.   Goals, for example, include 
identifying the intent of the hacker/crack attack.  Is this a malicious attack, 
are system files being changed, or is the intruder just browsing?   During this 
stage it is also appropriate to start trying to identify the intruder.  Intruders 
have identifiable patterns of attack, and it is important to learn about other 
ongoing hacker/cracker attacks to compare the pattern of your intrusion with 
others.  CIAC can be very useful to you at this stage, and you should also help 
CIAC help others by notifying CIAC about your current situation periodically.  
(CIAC will not reveal the name of your site to others.)   It is important to 
gather evidence to be used against the attacker (e.g., logfiles with timestamps).  
Assessing damage incurred is also important both in gathering evidence for 
prosecution, but also for urgent decisions to be made (covered in next 
paragraph).   

The containment stage involves a critical decision.  You could pull the plug to 
the compromised machine, or disconnect that machine from the network.  This would 
immediately terminate the attack, and would at least superficially relieve your 
anxiety.  In some cases this is the preferred decision, especially when files are 
being destroyed or your machine is being used to launch many attacks on other 
systems.  In many cases, however,  it is not wise to turn off your machine or 
disconnect from the network.   If you immediately terminate the attack, for 
example, you may never know what the hacker/cracker has really done to your 
system.  Furthermore, the intruder will probably  just find another machine to 
attack, perhaps even a machine in your organization or site.  If you can keep the 
hacker on your machine without incurring substantial damage to that machine, you 
can assess damage, gather evidence to identify and prosecute the intruder, and 
probably save a lot of other system managers and users a lot of grief.  

When we  recommend that it is generally better to monitor the intruder's 
activity, we assume that you will already have created system backups, and that 
you will protect sensitive files and users' data.  Additionally, you should never 
risk compromising classified information.  If there is any reasonable probability 
that classified information could be compromised, it is imperative to turn your 
system off or disconnect from the network.  You will also have to determine the 
extent of user interruption that can be tolerated while monitoring occurs.  You 
may need to remove computer service from the user community, and/or to inform 
users that the system is being attacked.  In general, we recommend the following 
monitoring strategy.--try to keep the hacker on one machine.  To do this you may 
have to plant "treasures," games and/or bogus but interesting files (e.g., " 
Highly protected data on nuclear arsenals").  Also, while you are monitoring be 
sure to check periodically for phone messages.  The intruder may try to call you!   
Another consideration is that sophisticated intruders often get into protected 
parts of a system and redirect electronic mail (e-mail)---the intruder may be 
able to read the e-mail messages you send!  Finally,  if you notice that an 
intruder has gotten into your system, do not taunt the intruder or order that 
person off your machine.  Do not turn a casual attacker into a dedicated 
opponent!  Encourage the intruder to call you, and find out what the intruder 
wants.   In several cases hackers have apparently permanently ceased hacking 
activity when they were politely asked to do so, and when they were informed of 
the extent of the problems they had caused.  These now former hackers have on 
several occasions, in fact, helped several emergency  response teams correctly  
determine that hacking attacks were occurring and which hackers were involved.

There are a few final considerations about monitoring activity.  Be sure to 
document everything (keystrokes, timestamps, the actions you take, etc.).    You 
will need the information you record to ensure that you communicate accurate 
information to others with whom you are coordinating your response to the 
hacker/cracker attack.  (Remember, people under considerable stress are not 
particularly good at retrieving information from memory.)  Your documentation 
will also be critical in subsequent stages of handling the incident.  If your 
monitoring efforts are unsuccessful, consider contacting the hacker directly 
before you take any other measures such as turning your machine off.  Finally, 
remember that you should deal with the media only through your public affairs 
office.  Your taking on the media yourself may not only be against your 
organization or site's rules, but also may be an invitation for catastrophe 
unless you have specific training in dealing with the media.
 
	5.3.4	Eradication 

Eradication means ending the hacker/cracker attack.  As mentioned previously, you 
can eradicate the attack by turning off the attacked machine or disconnecting it 
from the network.   Hopefully, however, you can achieve a better solution---
identification and apprehension of the attacker.  A third set of outcomes is 
possible, too--the hacker/cracker might get bored or suspicious and terminate the 
attack.  Similarly, the hacker/cracker might obtain the data or programs that he 
or she wants, and might then terminate the attack.  Finally, the intruder might 
voluntarily agree to terminate the attack.

For eradication to be complete, you need to take additional actions.  If 
applicable, remove the hacker from the system login files.  Also, remove any 
processes left by the intruder.  Backup your system again to preserve any trail 
the intruder may have left.  (Again, remember  that many hackers/crackers are 
often very adept at covering their traces.)  If you have a current backup, you 
may seriously want to consider performing a complete restore. 

	5.3.5	Recovery 

The recovery means that you or the system manager will restore the attacked 
system to its "normal" state after the attack has been eradicated.  The first 
action is to perform a final damage assessment.  You should now have more time 
than with the previous stages of incident handling, because the hacker/cracker 
attack has been eradicated.   After determining the extent of the damage, close 
any security vulnerabilities that the intruder exploited.  For example if the 
intruder entered your system through a sendmail hole, ensure that you obtain and 
install a patch for this hole.    Next, restore data.  An attacker may change the 
date and time stamp, so doing a full restore may require a full removal of all 
files and a full restore from backups.  Next, restore all services, and inform 
users that the system is no longer being attacked and has been returned to normal 
status.  Finally,  determine what tools used to handle the incident you should 
leave in place.   In general, discontinue using tools useful mostly or only in 
dealing with the particular attack that occurred, but leave in place tools which 
might be able to both help you detect intrusions and capture data early in the 
incident handling process without severely taxing system performance.

	5.3.6	Follow-Up 

The follow-up stage is critical.  If law enforcement agencies are not pressing 
for prosecution, it is probably appropriate at this point to debrief the attacker 
(if possible).  Again, it is important to politely inform the attacker of the 
effort handling the intrusion has required, and to learn any additional 
information which may help you (e.g., other systems in your organization/site 
which may have been attacked, methods and routes of attack, etc.)  Be sure to 
record all of the information you learn.  Alternatively, you may need to assist 
in prosecution efforts.  In this case you should not talk to the attacker, but 
should submit your logfiles and documentation of your efforts in dealing with the 
incident to law enforcement agencies which ask for evidence.  Regardless of 
prosecution efforts, you need to determine time and resources used as well as 
damage incurred, and should produce a  monetary cost estimate.   This estimate is 
critical in a court of law, but it is also critical in justifying the importance 
of adopting appropriate security measures and having an incident response team to 
your management.  In addition, determine how the incident happened.  You know 
have a valuable set of "lessons learned" which you can incorporate into a post-
mortem report--something to which you and others can refer during training, when 
you revise your incident handling procedures, or when you have a similar incident 
in the future.    Review and revise your protection program, including your 
procedures, password management policy, and arsenal of tools.  Be sure among 
other things that you are not introducing new security measures purely in 
reaction to the recent hacker/cracker attack.  Don't introduce unduly restrictive 
policies or install numerous tools which diminish system performance simply 
because an attack occurred !
 
5.4	Automated Hacker/Cracker Attacks
 
Some intruders have created tools to help them break into systems.  For example, 
password cracker programs that attempt to match candidate passwords with actual 
system passwords are rather common.  Some of these programs have very large 
dictionaries.  The success of these programs is an important reason why effective 
password management is a must (see Section 5.5).  Worms, discussed extensively in 
Chapter 4, are another form of automated hacker/cracker attack.  There are also 
programs used to find system protection problems to enable hackers/crackers to break 
into that system.    (Note:  these tools may also be used by computer security 
personnel to locate vulnerable systems and make them more secure.)  There are also 
network snooping programs to help intruders locate systems to attack, and programs to 
check for libraries that contain old bugs.  These programs can be linked into other 
programs to break security.
 
5.5	More on Passwords

By now you have seen how important a role passwords play in allowing intruders to 
break into systems.   The overwhelming problem is not really so much the individual 
user as much as failure on the part of management to develop and implement an 
effective password policy.  Unfortunately, we have found that many organizations or 
sites have no password policy at all!   An effective password policy should mandate 
that the following types of passwords and procedures are eliminated:

o "Joe" Accounts, in which the account name and password are identical (e.g., 
WILLIAMS and WILLIAMS)

o Same passwords for one user on different machines (e.g., WILLIAMS uses the 
password tsr80p on SAMVAX and on BAKVAX).  Intruders into a system often realize 
that same passwords are frequently used on different machines, and capitalize on 
this knowledge to break into other machines once they have initially broken into 
a user's account.  In general, using the same password on different machines is 
the greatest problem when the hosts are run by different organizations, the 
hosts have different levels of security, or the hosts have different operating 
systems.

o Accessible password files.  At a minimum, these files must be hidden.  
Unfortunately, some older systems had a publicly known reversal to the 
encrypting algorithm, thus making all accounts available once a hacker stole the 
password file.  Remember, if the encrypting scheme is known and the password 
file is accessible, guesses can be made at the convenience of the attacker!

o Easily guessed passwords, including words found in Webster's dictionary, car 
names, people's names, computer jargon and nicknames, "trendy" words, etc.  Your 
password policy should disallow these classes of words.  Make sure that your 
training and awareness program gets this message to users.  Also, you should 
consider using software to restrict users' choices of passwords, so that users 
are forced to adopt more difficult-to-guess passwords.  Remember, "brute force" 
attacks in which password after password is tried are now easy because of 
password cracker programs.

We also recommend that your password policy include the following:

o Checking for easily guessed passwords.  Checking can be done when a user 
chooses a password and/or at regular intervals (e.g., once every 30 days).    
You can have the system manager disallow weak passwords when users choose 
passwords.  You can also obtain a password checking tool.  (CIAC, for example, 
can help you obtain a password checker for either UNIX or VMS.)  Your policy 
should include procedures for finding and changing easily guessed passwords.

o Using machine-generated passwords.   There are advantages and disadvantages to 
machine-generated passwords.  These passwords, which may be letters, numbers, 
syllables, or phrases, are difficult to guess.  On the other hand, they are 
more difficult to remember, especially when there are multiple accounts for 
one user on several machines.   Users tend to write down machine-generated 
passwords (see below).  If you are from a DOE site, DOE Order 5637.1 requires 
that machine-generated passwords be used with classified computing systems.   
Also, passwords for classified computing systems are classified at the same 
level as the system.

o Obtaining and installing special purpose hardware (discussed previously).

o Adopting a password aging policy.  In general, it is important to require users 
to change passwords on a regular basis (e.g., every month in the case of 
sensitive/proprietary systems, and every four to six months otherwise).  For 
one thing, if an attacker steals the password file, it will take time to crack 
the passwords.  Changing passwords from time-to-time may foil crackers' plans.   
A password aging policy can also flag and lead to the removal of dormant 
accounts.    One disadvantage, however, is that users who are forced to change 
passwords regularly may choose easier-to-guess passwords, because the user has 
to create and remember new passwords.

o Developing a policy for writing down passwords.  Sites and organizations often 
prohibit writing down passwords because writing down passwords leads to 
increased probability that passwords will be compromised.   Slips of paper 
with passwords, for example, are often put in wallets, which may be lost.   
Also,  it is important to remember that writing down a password for a 
classified system requires following your classification guidelines!    On the 
unclassified side of the picture, there must be a policy for protecting 
written passwords if writing down passwords is allowed.  Writing down 
passwords has one major advantage--it allows users to have passwords which are 
harder to remember and guess.  

Selecting a good password requires some inconvenience on the part of users.  It is 
more difficult to choose and remember a more difficult-to-guess password than an 
easy-to-guess password.    We concur with Wood and Kochan's (1985) recommendation to 
use a four letter word, then a control character, then a four letter word which is 
unrelated to the first word (e.g., dust&book).  Such a password is easy to remember, 
but is very difficult for an intruder to crack.  Another sound technique for 
constructing a password is the first letter method, in which the password consists of 
the first letters of each word in an easily remembered sentence.  For example, "my 
Country tis of thee...sweet land of liberty" becomes mctotslol, which is easy to 
remember but almost impossible to crack.  Again, an effective awareness program which 
motivates users to choose appropriate passwords is critical.   

The "bottom line" is that your organization or site needs to create a password 
policy.  This policy will vary, depending on requirements of users and the particular 
system involved.  We have found, however,  that the following additional guidelines 
are applicable to most sites and organizations:

o Be sure you have a policy for detecting and removing "Joe" and dormant 
accounts.

o Explicitly state a policy covering the periodic, mandatory changing of 
passwords.

o If your site or organization uses machine-generated accounts, have a policy 
for written password management.

o Include a password policy for installing accounts and machines.  Remove or 
disable all demo, default and guest accounts.  When adding a new user to a 
system, do not allow system managers to furnish users with an initial 
password which can be easily guessed--users often do not change passwords!

o Build user education into your site or organization's password policy.  User 
education is time-consuming, but is critical in gaining user support and 
giving users sufficient knowledge to avoid giving attackers easy access to a 
system through weak passwords.  Your user education plan should include 
actually helping users select proper words such as non-dictionary words, 
initial letters from phrases, etc.



6 - Vulnerabilities
 
6.1  Introduction
 
The terms "vulnerabilities" and "holes" have by now been used dozens of times in 
these guidelines.  All computer systems have some features that can be exploited by 
an attacker.  The emphasis of this chapter is upon these features.  First, let's get 
our terms straight.  A vulnerability is a feature or bug in a system or program which 
enables an attacker to bypass security measures.   For example, suppose that there is 
an operating system which, unbeknown to the developers of this operating system, 
allows an unprivileged user to suddenly become  privileged simply by hitting 
CONTROL/C at a certain point in using one of the operating system's utilities.   We 
consider the difference between a vulnerability and hole to be an issue of semantics, 
not one of practical significance.  We, therefore, define a hole as a vulnerability.  
A "Joe" account, previously covered in Chapter 5, is an account in which the account 
name and password are identical.  A default account is an account shipped with the 
system that has a default password.  (Unfortunately, system managers too infrequently 
change default account passwords.)  A patch is a modification to a program (e.g., an 
operating system) to correct a bug or vulnerability.  (Note:  patches may have 
undesirable side effects, unfortunately, depending on how a system is configured.)  A 
workaround is a "kluge," a makeshift, temporary solution to a vulnerability.  For 
example, if there is a system utility which allows unprivileged users to read other 
users' files, a workaround might be to disable that utility (which, unfortunately, 
may inconvenience many users).

There is generally (but not always) a tradeoff between the amount of functionality 
that a system delivers and the number of exploitable features.   For example, one of 
the reasons that UNIX has traditionally had more exploitable features than many other 
operating systems is that UNIX offers  a great amount of functionality.  Networking 
functions, which are built into UNIX, offer attackers opportunities to jump from UNIX 
machine to UNIX machine, to steal files, etc.  It is essential that you know your 
system well.  You need to learn about the exploitable features in your system, and to 
close these features within the constrains of user needs, manpower limitations, etc.  
For example, you would do well to disable a seldomly used utility with a well-known 
security hole because few, if any, users would miss that utility anyway.  Disabling a 
frequently used utility with an obscure hole may not be as advisable.  Remember, too, 
that one machine in a network which has unpatched vulnerabilities can become a 
"launching pad" for attacks throughout the network.  Regardless of whether you are a 
user or system manager, you have a responsibility not only to protect your own 
machine but also to be a responsible citizen of the network!

There are many misconceptions about vulnerabilities and how a person's system can be 
attacked.   One of the most common misconceptions is that if one's machine runs a 
particular operating system (e.g., VMS) but the network to which that machine 
connects runs different communications protocols (e.g., TCP/IP), the VMS machine 
cannot be exploited through that network.  The truth is that common communications 
protocols and applications create common vulnerabilities.  Thus, sites running TCP/IP 
may be exploited regardless of the particular operating system run in machines 
connecting to the TCP/IP network if there is a vulnerability in TCP/IP.

6.2 Types of Vulnerabilities

Needless to say, there are many types of security vulnerabilities in computing 
systems.  Poor passwords (see Section 5.5) comprise by far the largest class of 
vulnerabilities.   Dormant accounts and orphan machines (machines which are not 
currently maintained) comprise another significant class of vulnerabilities.  If 
dormant accounts and orphan machines also have poor passwords, this constitutes an 
even greater security problem.    Holes in operating systems are another type of 
vulnerability.  Security holes in applications are another set of vulnerabilities.  
For example, Stoll (1989) gives an interesting account of a hacker attack launched 
through a vulnerability in a word processing program.  The main focus of this chapter 
is on operating system vulnerabilities because these vulnerabilities are so 
frequently exploited by attackers.  (Please note that the following descriptions of 
vulnerabilities include only the outcomes of exploiting each vulnerability, rather 
than the actual mechanics of exploiting each vulnerability.  We take this approach to 
avoid disseminating information that attackers might use.)

6.3 UNIX Vulnerabilities

As discussed previously, UNIX systems generally have numerous vulnerabilities.   
Because there are many flavors of UNIX (e.g., Sun OS, BSD UNIX, ULTRIX, System V, 
etc.) and usually many versions of each flavor, a particular UNIX vulnerability 
seldom is universal.  In fact, it takes careful investigation to discover exactly 
which vulnerabilities are and are not present in any given UNIX system.  We recommend 
that, at a minimum, you become aware of the following vulnerabilities frequently 
found in UNIX systems:

o set-uid (user  id) scripts - if set-uid scripts are not set set up properly, an 
intruder can obtain unauthorized root access

o anonymous ftp (file transport protocol) - some versions of UNIX have bugs or 
have anonymous ftp set up incorrectly, which can allow unauthorized file 
modifications (e.g., unauthorized modification of /etc/passwd)

o tftp (trivial file transport protocol) - some versions of UNIX have bugs in 
tftp, or tftp may not be set up correctly, allowing an attacker to steal any 
publicly readable file (including /etc/passwd)

o login (the program that logs a user into a system) - susceptible to trojan 
horses

o fingerd - there are several vulnerabilities, some of which enable attackers to 
obtain unauthorized root access.  Intruders  can also use fingerd to locate 
user accounts to attack.

o sendmail (the program that delivers mail to the user) - new vulnerabilities in 
this function seem to be discovered frequently.  Some of the vulnerabilities 
include allowing an attacker to corrupt non-root owned files, or, when sendmail 
is used in connection with .rhosts, allowing unauthorized root access

o uudecode - vulnerabilities in this function allow an attacker to overwrite 
files (including .rhosts)

o nis (network information system, formerly yp--yellow pages) - problems in this 
function make multiple attacks within a cluster of machines easier

o nfs (network file system) -  problems in nfs also make multiple attacks within 
a cluster of machines easier

Remember, too, that in UNIX systems  there are demo, user, and guest accounts that 
may have no passwords or "Joe" passwords.
 
6.4 VM Vulnerabilities

VM is a relatively secure operating system, and the exploitable features in VM of 
which we are aware are not severe threats to system and/or network security.   Some 
versions of VM have an option to allow the user name and password to be displayed in 
clear text on the login line.  This allows someone else in the same room as the user 
to view the passwords entered during logins.  Some versions of VM may flag a bad 
userid without asking for a password.  This enables an attacker to learn which 
accounts are and are not viable to attack.  Finally, older releases of VM have 
several additional exploitable features, including echoed passwords as they are 
entered  and a default password on the DURMAINT account.

6.5 VMS Vulnerabilities

Exploitable features in VMS are, for the most part, configuration problems; VMS is 
reasonably secure if configured properly.  Default accounts such as the default 
DECNET account in pre-5.0 version releases of VMS as well as SYSTEM and SHUTDOWN 
accounts on some VMS systems present a problem.   Applications such as INGRES, ORACLE 
and mail running on VMS systems also have default accounts which, if unchanged, allow 
an easy avenue of entry.  The VMS phone object does not check authorizations before 
allowing someone to write to another terminal.  This utility can, therefore, be used 
to trojan horse an account.   (The phone object has also been used by DECNET worms to 
write offensive messages to users.)  The Task 0 object (which allows, among other 
things, functions to run remotely ) may be configured to allow users with no account 
on a machine to run applications.   (Note:  to misuse Task 0, an intruder must first 
gain access to a system.  It is debatable, therefore, whether Task 0 is, in and of 
itself, the real problem.)

6.6  MVS Vulnerabilities

MVS systems are seldom attacked, probably because other operating systems such as 
UNIX are considerably more popular and thus well known.  However, the MVS operating 
system is, according to many experts, very vulnerable to attack unless C2 features 
are added (RACF).  In addition, DSMOM provides attackers with sensitive information 
from the authorized caller table.  The encryption module, SYSL2PALIB (which does RACF 
encryption), can easily be broken.  Finally, problems with the PARMLIB and EXAMINE 
functions within RACF need to be fixed in most MVS systems.  

6.7 File Protections

File protections constitute a special set of security considerations.  File 
protections determine who may read, write or execute a file.  Simple file protection 
measures can prevent many opportunities for misusing a system!  Publicly writeable 
binaries and system directories allow an attacker to modify the system.  Protections 
should be set accordingly.   Readable restricted system files allow an attacker to 
discover other trusted computers or other privileged information.  Writeable home 
directories allow trojan horses to be planted.

6.8 Concluding Comments

The information presented in this chapter is not just some theory.   Taking action on 
the information in this chapter will probably save you considerable time, 
frustration, embarrassment,  and effort, including the effort to "pick up the pieces" 
after a major hacker/cracker or worm attack on your system.  At any given hour of any 
day there are dozens of computing systems being attacked because people have not 
learned about vulnerabilities or have not done anything about them.   Learning of the 
vulnerabilities in your operating system and applications, then patching them is the 
key to avoiding catastrophe.  The CIAC team is especially anxious to lend assistance 
to help anyone in the DOE community who has a question about vulnerabilities, or who 
needs help obtaining and/or installing a patch.  The CIAC team also needs to learn as 
rapidly as possible about any vulnerabilities you may discover so that we can start 
working with vendors to close these vulnerabilities as quickly as possible.










































Scenario For The "Big Fall"

7 - Incident Handling Tools

Throughout this document, it has been stressed that procedures are more important 
than software.  This does not, however, diminish the value of software when used as 
part of an incident handling procedure.  There is an increasing number of prevention 
and incident handling tools available.  In this section, some currently available 
tools will be discussed, where to find them, and their usefulness.

7.1  Types of Tools Available

Currently available tools can aid in dealing with incidents at each stage of the 
incident handling model outlined previously.  These stages include:

o Preventing
o Detecting
o Containing
o Eradicating 
o Recovering
o Following up

There are many different types of tools available.  In general these fall into the 
categories of software solutions, hardware solutions, and integrated products.  
Software solutions are layered software products that do not require any additional 
hardware to function.  These would include additional passwords for authentication, 
checksums for file integrity, etc.  Hardware solutions are devices that attach to 
your system or network to provide some security function without affecting your 
software on the system.  Examples of these are network monitors that snoop your 
network, or printers that attack to a dial-in port to record traffic.  Integrated 
products are combinations of software and hardware on your system.  Hand-held 
authenticators or encryption boxes are examples of integrated products.

Aside from the types of security tools that you can add to a system, there are 
systems that are more inherently secure than others.  Often these systems are based 
on a trusted operating system (TOS).  These systems are formally proven to be secure 
to a particular level.  In the Department of Defense, these systems are rated 
according to criteria outlined in a standardized document on computer security (the 
Orange Book).  For the DOE, no such document exists, but security considerations are 
outlined in DOE Orders 5637.1 and 1360.2A.  

TOSs are useful in a number of situations including dedicated network controllers, 
data base or file servers, or human safety controllers.  However, TOSs are not a 
panacea.  TOSs are not in widespread use because of a few serious drawbacks 
including:

o It can take an extensive amount of time to certify a TOS
o Security is often gained at a restricted functionality
o The assumptions used in certification cannot be applied in some situations
o There is often a unique or archaic user interface
o  The application base is too small to provide off-the-shelf solutions

Anti-virus software is a category all in itself.  There are many good anti-virus 
packages available (see the section on viruses for more details).  These packages can 
save many hours of recovery time, and have proven to be useful.  The main 
considerations for obtaining and using a virus tool are:

o Be careful of your source
o Run the most recent version
o Never entirely trust the virus software (procedures are more important than 
software)
o Maintain a good backup policy

Encryption is a useful tool for computer security.  There are many tradeoffs in using 
encryption however.  Be aware that encryption cannot be used to solve computer 
security problems in general, but may only be used in particular situations such as 
virus detection, communications, and authentication.  Using software to perform the 
encryption can be slow and something must be trusted to do the encryption--if that 
something is corrupted, the entire system is corrupted.  Dedicated hardware to 
perform the encryption helps, but this may be expensive and difficult to integrate 
into the system.

The remainder of this section will be devoted to a listing of tools available to aid 
in computer security incident handling for multi-user systems.  These tools are 
categorized as either system security tools providing added security features to a 
system, authentication tools  that specifically provide additional authentication 
support, and intrusion detection tools that provide detection and identification of a 
system penetration.

7.2  System Security Tools

SPI (Security Profile Inspector)

This tool aids system managers in maintaining the security and integrity of UNIX and 
VMS systems.  It provides password checking, file integrity checks, and checks for 
correct file permissions.  The VMS version adds, in addition, checks for using  
identifiers and for accessibility of files based on UIC, identifier, and privileged 
access.

For information on SPI/UNIX or SPI/VMS, call Doug Mansur, LLNL, (415) 422-0896 or 
(FTS) 532-0896, or send e-mail to mansur@tiger.llnl.gov
 
COPS (Computerized Oracle and Password System)

COPS is a UNIX security checking tool.  It uses configuration information in special 
files to check for the read/write permissions of all important files.  It will also 
check for superuser access and passwords, as well as other aspects of computer 
security.  For information, contact Dan Farmer (412) 268-7080, or send e-mail to 
df@cert.sei.cmu.edu

SecurePak

SecurePak is a commercial package for VMS systems from DEMAX software.  It will check 
many security features on VMS systems, and provides a much nicer interface to the 
authorize function.  Contact DEMAX software for more details on this package.

Matt BishopÕs password program

This is a tool that will search for easily guessed passwords based on a dictionary 
search.  It also may replace the passwd function on UNIX systems to restrict the 
initial selection of an easily guessed password.  It contains a fast DES 
implementation that will improve the performance of the password functions above the 
standard UNIX implementations.  Contact Bill Kramer, NASA Ames, (415) 604-4600, for 
additional information on this package.

7.3  Authentication Tools

Kerberos

Developed within the Athena project at MIT, this is a UNIX tool (which has been 
ported to other operating systems as well) to provide authentication in a distributed 
environment.  This tool's  goals are to provide network authentication without 
sending clear text passwords across the network, or storing them on the individual 
hosts.  Every connection may be authenticated using kerberos, and it is designed to 
be used transparently with other network services.  For additional information or to 
obtain the tool, contact geer@athena.mit.edu or 
info-kerberos@athena.mit.edu

DES Encryption and Secure nis

Both DES encryption and secure nis are provided with the Sun operating system.  These 
systems aid in protecting files with a user-defined key, and protecting network 
communication by encrypting the information used in the distributed authentication 
provided by dns (domain name service).  For more information on how to use this tool 
on Sun systems, see your Sun documentation.  

7.4  Intrusion Detection Tools

Haystack

This is an intrusion detection tool that will run on an IBM PC to monitor Sperry-
UNISYS mainframe computers for intrusions.  It was developed by Steve Smaha of 
Haystack, Inc., under contract by the Air Force.  For additional information, contact 
Capt. Tim Grance, AFCSC, (512) 925-2386.

Wisdom and Sense

This is an intrusion detection tool that will run on a Sun computer to monitor a VMS 
system.  It will layer the appropriate software on the sun to monitor DECNET traffic 
and determine if there is a deviation from normal operation.  For information on this 
tool, contact Hank Vaccaro, LANL (FTS) 843-3382.

CSM (Computer Security Monitor)

The CSM is a rule-based monitor that will detect penetrations based on statistical 
analysis of normal usage patterns.  In addition to the statistical analysis, 
deterministic rules may also be applied to determine if a user is performing an 
unauthorized function.  The rules are system dependent, and have been developed for 
Sun OS 4.0 and IBM MVS systems.  Rules may be developed for other platforms as well, 
since the CSM is designed to be operating system generic.  For information, contact 
Chip Hatfield, LLNL, (415) 422-8567 or (FTS) 532-8567.

Midas

Midas is an intrusion detection based on an expert system.  The system runs on a 
Symbolics Lisp machine, and is used to monitor a MULTICS system.  It was developed by 
the National Computer Security Center (NCSC), and is based on the IDES research into 
user profiles and events.  It is widely recognized as one of the best intrusion 
detection systems available, and is likely to be ported to other systems (e.g., UNIX) 
to assist other vendors in the certification process.  For additional information on 
how to obtain this product, call Eric Shellhouse at (301) 859-4513.
 


8 -  Exercises and Scenarios

Chapter Two - Overview of Incident Handling

1.	Certain stages of the six stages of responding to incidents might be more 
important for some types of incidents than others.  Explain why.

2.	Which of the six stages is most likely to be overlooked?  Why is it important to 
not overlook this stage?

3.	Suppose you were handed a disk and were told that it contained a new virus called 
SPREAD, but the routine used by the virus to replicate itself had been removed.  
a) would the malicious code left on the disk best be called a virus, worm, or 
trojan horse?  b) How would you analyze the code on the disk, and what precautions 
would you take during this process?

4.	Below is a list of symptoms of three types of incidents, virus infections, hacker 
attacks, and worm attacks.  For each symptom determine the type of incident with 
which it is most closely associated by placing a check in the appropriate box.  
For example, if you think that the first symptom, system crashes, is most 
indicative of a virus infection, check the first box to the right of "system 
crashes" (under "virus").  If you think that system crashes are most indicative of 
a hacker attack, check the second box to the right of "system crashes" (under 
"hacker"),  instead.
 

 
Chapter Three - Responding to Viruses

1.	Suppose that your personal computer's disk crashes every third boot.  How could 
you determine whether your machine has a virus?

2.	a) How could you assure that your virus eradication tool is not itself infected?  
b) How could you know that it eradicates the virus which has infected your 
machine?  c) How could you know that you have the latest version of this tool?

3.	You have determined that your PC has been infected by "Disk Killer."  Should you 
turn your machine off immediately?  Explain. 

4.	Given a virus that masks all interrupts into the operating system, how would you 
write an anti-virus code to detect/eradicate this virus?

5.	Can two or more viruses infect a single machine at one time?  Explain.

6.	While editing a classified file on a Macintosh you notice that the file is 
infected by nVIR.  What procedures should you follow to recover?

Chapter 4 -  Responding to Worm Attacks

1.	A user who accesses a mainframe from his Macintosh discovers that his account has 
been penetrated by a worm.  He immediately turns his Macintosh off and calls the 
system manager.  What advice should his system manager give him?  Now the system 
manager confirms that there is a worm and turns the attacked host off.  What 
advice would you give the system manager?  

2.	Suppose that there is a worm in a classified network.  What additional actions 
must be taken to deal with a worm that might not have to be taken in an 
unclassified network?

3.	Given the PS list (below), what are the suspicious processes?  Would this indicate 
a worm, hacker or virus?
























Chapter Five - Responding to Hacker/Cracker Attacks (Scenarios)

1.	A system programmer notices that at midnight each night, someone makes 25 attempts 
to guess a username-password combination.  What should the programmer do next?  
What is your organization/site's procedure?

	Suppose that the programmer decides to do nothing.  Two weeks later, the password 
guessing attempts continue.  The programmer checks the log and finds that each 
night the same username-password combination is being used.  What should you do, 
based on your procedures?

2.	A system programmer gets a call reporting that a major underground cracker 
newsletter is being distributed from the administrative machine at his center to 
five thousand sites in the U.S. and Western Europe.  What do your procedures say 
he should do?  What should you do?

3.	A user calls in to report that he cannot login to his account at 3 a.m., Saturday.  
The system staffer cannot login either.  After rebooting to single user mode, he 
finds that the password file is empty.  What should be done?

	By Monday morning your staff determines that a number of privileged file transfers 
took place between this machine and a local university.  What should be done now?

	By Tuesday morning a copy of the stolen password file is found on the university 
machine along with password files for a dozen other machines.   What has happened?

4.	You receive a call saying that a break-in to a Government laboratory occurred from 
one of your center's machines.  You are requested to provide accounting files to 
help track down the attacker.  Do you have a policy for helping others?  What 
should you do?

5.	You hear reports of a computer virus that paints trains on CRTs.  You login to a 
machine at your center and find such a train on your screen.  You look in the log 
and find no notation of such a feature being added.  You notice that five attempts 
were made to install it, each exactly one hour apart.  What should you do?

6.	You notice that your computer connected to the Internet has been broken into.  You 
find that nothing is damaged.  A high school student calls up and apologizes for 
doing it.  What should you do?

7.	A reporter calls up asking about the breakin at your center.  You haven't heard of 
any such incident.  Three days later you learn that there was an intrusion due to 
a poorly chosen password on one account.  What should you do?

8.	A change in system binaries is detected.  Thanks to your good prevention policy, 
the binaries are changed back to the original.   The next day the binaries are 
changed again.  This repeats itself for several weeks.  What should you do?


Answers to Exercises and Scenarios

Chapter 2

1.	There will be a wide range of acceptable answers.  For example, detection is 
extremely critical (and difficult) in many hacker/cracker attacks.

2.	Follow-up.  This stage provides lessons learned, justification of the incident 
handling activity to management, etc.

3.	a) The code would best be called a trojan horse, since it is malicious code that 
is not self-replicating.  b) The code should be run in an isolated, backed-up 
machine and its symptoms should be recorded.  Tools to monitor memory or 
disassemble the code may be used.  Precautions must be taken to isolate the code, 
since there may be more than one method of replication.

4.

























Chapter 3

1.	There is no 100 percent guaranteed detection procedure.  Some possibilities 
include:  1) check file sizes against a write-protected backup (but remember, the 
backup may be infected), 2) use a virus detection package, and 3) watch for 
unusual activity, such as odd disk access or disks that do not exist, unusual 
graphic displays, etc.

2.	a) Run the tool on itself (but be sure to use a write-protected disk) or check the 
tool against a trusted source.  Some manufacturers have authentication tools to 
verify their product.  b) Use your detection procedures after using the tool.  c) 
Get the tool from a trusted source, or from the originator of the tool.  You could 
also read Virus-L, contact CIAC, or find a knowledgeable person.

3.	No.  In the case of disk killer, there is information stored on completion of the 
virus that will aid in the recovery of the original files.

4.	Many methods exist.  The important thing to realize is that if you provide the 
correct vector addresses in your program, the virus could intercept them and 
substitute its own values.  The correct values must be computed and compared to 
the actual vectors to assure that the virus is not present.  Also, care must be 
taken to not use interrupt services in the program.

5.	Yes.  nVIR A and nVIR B (Macintosh viruses) may infect the same application on a 
host, and, in this case, would create a new variant, nVIR C.

6.	You should save the infected application on a WELL LABELED floppy, then re-format 
the disk and re-install all your applications and data from a recent backup.  Then 
check for the virus again.

Chapter 4

1.	Turning off the Macintosh is ineffective.  A worm invades the host machine, not 
terminals or terminal emulators used to access the host.  Notifying the system 
manager is an important action, however--users are one of the most important 
"detection tools."  The system manager's actions are good ones.  There are many 
things which now should be done, among which are:  a) follow the site's reporting 
procedures, c) call CIAC to report the attack and to obtain 
immunization/eradication scripts, c) locate or check the latest backup, d) 
disconnect the system from all networks, and e) bring the system up in a 
restricted (i.e., single user) mode.

2.	DOE Order 5637.1 does not specifically address the problem of a worm attack.  
Actions depend on whether the worm has changed the accessibility of classified 
information.  We generally recommend that you start from a clean backup (assured 
to be worm-free).  If the worm has caused any unauthorized disclosure of 
classified information, all disks on a system should be purged.

3.	The ftp processes should be examined.  This could be a hacker or a worm.

Chapter 5 

1.	The fact that the same username-password combination is used repeatedly suggests 
that this is not an intrusion attempt.  

2.	In this case, eight weeks later the authorities called to inform that the 
information in one of these newsletters was used to disable 911 in a major city 
for five hours.  (This is a true story.)  Your procedures should require that 
management should be notified of the type of information in this scenario.

3.	A week later you find that your system initialization files have been altered 
maliciously.  Recovery will be complicated, but at a minimum, passwords for all 
users should be changed on any systems with stolen passwords.

4.	A week later you are given a list of machines at your site which have been 
compromised.  Once you authenticate the caller, determine whether the caller has a 
need-to-know.  If so, it is important to supply the needed information.

5.	This is a "false alarm."  Three days later you learn that the unusual graphic 
display was put up by a system administrator locally who had heard nothing about 
the virus scare or about your concern.

6.	There is no outcome to this scenario.  We have found, however, that persuading the 
hacker to meet you in person (if possible), acquainting the hacker with the 
problems he or she caused, and getting him/her to promise to quit this activity 
and possibly to assist you in subsequent attacks is very worthwhile.   In this 
case, in which the hacker initiated contact and apologizes, your following through 
with law enforcement agencies is not necessarily advisable unless there is reason 
to believe that the hacker has damaged other machines or caused considerable 
trouble elsewhere.

7. 	In this case there was a breakin due to a poorly chosen password.  Do not 
talk directly to the reporter.  It might be good to have your public relations 
office contact the reporter and find out how the reporter learned the information 
related to you, however.  

8.	This is a potentially complicated situation.  You need to attempt to rule out 
plausible causes for this unusual system behavior other than the work of an 
intruder.  In this case, there was no intrusion.






References



Stoll, C. (1989) Tracking a spy through the maze of computer espionage:  The cuckoo's 
egg.  New York:  Doubleday.

Wood, P.H., & Kochan, S.G. (1985) UNIX system security.  Hasbrouck Heights, NH:  
Hayden.




 



RESPONDING TO COMPUTER
SECURITY INCIDENTS:
GUIDELINES FOR INCIDENT HANDLING 


 








E. Eugene Schultz, Jr. 
David S. Brown
Thomas A. Longstaff


University of California
Lawrence Livermore National Laboratory







July 23, 1990


 
1 Must use GateKeeper Aid, Disinfectant 2.0, or other software that specifically recognizes WDEF 
to 
eradicate this virus.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH