_____________________________________________________
        The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

     Detection/Eradication Procedures for VMSCRTL.EXE Trojan Horse

November 21, 1990, 1100 PST                                    Number B-8
__________________________________________________________________________

PROBLEM:     Detection of trojan horse and recovery procedures
PLATFORM:    VAX/VMS (all versions)
DAMAGE:      Gives unauthorized privileged access to the system if the
             trojan horse is implanted by intruders who have already
             obtained privileged status
DETECTION:   Several methods (described herein), of which finding
             VMSCRTL.EXE in SYS$LIBRARY is the fastest
__________________________________________________________________________

Critical Trojan Horse Facts

In bulletin B-6 CIAC warned of a new pattern of intrusions into VMS
systems.  Part of this pattern is placing a file named VMSCRTL.EXE into
SYS$LIBRARY.  CIAC has determined that this file contains a trojan horse
program.  VMSCRTL.EXE also provides a means for the attackers to gain
full privileges from a non-privileged account if the file has been
installed with the CMKRNL privilege.  The presence of VMSCRTL.EXE in
SYS$LIBRARY indicates that a VMS system has been compromised and that the
attackers have been able to gain full privileges.

The trojan horse behaviors of VMSCRTL.EXE are:

   1. Copies itself to SYS$LIBRARY:VMSCRTL.EXE

   2. Creates the file SYS$STARTUP:DECW$INSTALL_LAT.COM.  This file
      contains a standard DEC copyright notice and a DCL command to
      install SYS$LIBRARY:VMSCRTL.EXE with CMKRNL privilege.

   3. Modifies the file SYS$STARTUP:VMS$LAYERED.DAT (the SYSMAN startup
      database) to include the execution of
      SYS$STARTUP:DECW$INSTALL_LAT.COM as part of the VMS boot procedure.

   4. Exits with a (falsified) CLI error message while returning a
      status of SS$_NORMAL; the error message is a decoy.

The "tracks" left behind by the execution of VMSCRTL.EXE are fairly
obvious:

   1. The presence of SYS$LIBRARY:VMSCRTL.EXE

   2. The presence of SYS$STARTUP:DECW$INSTALL_LAT.COM

   3. The file SYS$STARTUP:VMS$LAYERED.DAT will have its MODIFIED date
      changed to reflect the time at which VMSCRTL.EXE was run.  Use the
      DCL command

         $ DIRECTORY/FULL SYS$STARTUP:VMS$LAYERED.DAT

      or

         $ DIRECTORY/DATE=MODIFIED SYS$STARTUP:VMS$LAYERED.DAT

      to determine the modification date.  Note that this evidence will
      be destroyed if any subsequent modification or listing of
      SYS$STARTUP:VMS$LAYERED.DAT is made via the STARTUP command in
      SYSMAN, so record the date before doing anything else.

   4. The DCL command

         $ MCR SYSMAN STARTUP SHOW FILE

      will list DECW$INSTALL_LAT.COM as one of the startup files.  Note
      that executing this command will change the modification date of
      SYS$STARTUP:VMS$LAYERED.DAT.  Be sure, therefore, to do this check
      only after checking the MODIFIED date as prescribed above.

   5. If the infected system has been rebooted since VMSCRTL.EXE was
      run, the DCL command

         $ MCR INSTALL /LIST

      will reveal that SYS$LIBRARY:VMSCRTL.EXE is installed with
      privilege.  A full list of this installed image will show that it
      is installed with CMKRNL.  (Before a reboot the image may not be
      installed yet; the startup file only takes effect at boot time.)

DETECTION

The presence of the file SYS$LIBRARY:VMSCRTL.EXE is definite confirmation
that this trojan horse is present.  Additional confirmatory evidence
includes:

   1. The presence of the file SYS$STARTUP:DECW$INSTALL_LAT.COM

   2. Modification of the SYSMAN STARTUP database file
      (SYS$STARTUP:VMS$LAYERED.DAT) to include the execution of
      SYS$STARTUP:DECW$INSTALL_LAT.COM

A search string that can be used to identify VMSCRTL.EXE regardless of
the file's name is "%VCR".  For example, to search your entire system
disk you might enter:

   $ SEARCH SYS$SYSDEVICE:[*...]*.* "%VCR"/WINDOW=1

(This reads every file on the disk, so run it from a privileged account
and expect it to take some time; any other disks that non-privileged
users can write to deserve the same search.)

If VMSCRTL.EXE is detected in a non-system directory, it is likely that
the attackers have penetrated a non-privileged account but have not yet
been able to gain full privileges.

MINIMAL RECOVERY PROCEDURE

If you have detected VMSCRTL.EXE in SYS$LIBRARY, the VMS system has been
compromised by attackers who were able to gain full privileges.
(If these attackers are able to reenter the system, they will again be
able to gain full privileges.)  The minimal recovery procedure described
below is provided only as a quick, short-term, "stop gap" measure.  (The
possibility that other damage was done to the compromised VMS system by
the attackers is large; we therefore recommend that when time permits
the full recovery procedure be implemented.)

The minimal recovery procedure is:

   1. Use INSTALL to remove SYS$LIBRARY:VMSCRTL.EXE with the command:

         $ MCR INSTALL SYS$LIBRARY:VMSCRTL.EXE/DELETE

      Note: It is possible that VMSCRTL.EXE is not installed (yet), in
      which case this command produces an error message that can be
      ignored.

   2. Remove the startup entry SYS$STARTUP:DECW$INSTALL_LAT.COM from
      SYSMAN's database with the command:

         $ MCR SYSMAN STARTUP REMOVE FILE SYS$STARTUP:DECW$INSTALL_LAT.COM

   3. Delete the file SYS$LIBRARY:VMSCRTL.EXE and the file
      SYS$STARTUP:DECW$INSTALL_LAT.COM.

   4. Disable all inactive accounts using AUTHORIZE.  For example, to
      disable an account named JONES, enter:

         $ SET DEFAULT SYS$SYSTEM
         $ RUN AUTHORIZE
         UAF> MODIFY JONES/FLAGS=DISUSER
         UAF> EXIT

   5. Change the passwords on all active accounts.

   6. Review all entries in SYSUAF.DAT and make appropriate corrections.

   7. Review all SYSGEN parameters and make appropriate corrections.

   8. Review all system files for modifications occurring after the
      penetration.  The following DCL command can prove very useful in
      this endeavor:

         $ DIRECTORY/FULL/MODIFIED/SINCE=""

      For example, if the penetration date were October 31st, enter:

         $ DIRECTORY/FULL/MODIFIED/SINCE="31-OCT-1990"

      Bear in mind that an intruder with full privileges can alter file
      dates, so a clean listing is not proof that nothing was changed.

FULL RECOVERY PROCEDURE

For the full recovery procedure, follow the complete VMS recovery
procedure given in the appendix to this bulletin.

For additional information or assistance, please contact CIAC:

   Hal R. Brand        (415) 422-6312 or (FTS) 532-6312
   or call             (415) 422-8193 or (FTS) 532-8193
   send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Neither the United States Government nor the University of California
nor any of their employees makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial product, process,
or service by trade name, trademark, manufacturer, or otherwise does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

COMPLETE VMS RECOVERY PROCEDURE

This recovery procedure should be applied to a compromised VMS system
whenever it cannot be determined that the intruders failed to gain
system privilege.

   1. Get a hardcopy listing of your current SYSUAF.DAT.  If SYSUAF.DAT
      contains an extremely large number of users, it will take
      considerable time to restore all accounts, so it may be expedient
      to save SYSUAF.DAT to tape or elsewhere so it can be restored,
      although we do not generally recommend this procedure.

   2. Remove from all disks all executable code (including DCL command
      procedures) run by privileged accounts.

   3. Initialize the system disk to remove all files.  (This is an
      extreme step, but it is guaranteed to remove any damage done by
      the intruder to the system disk.)

   4. Install VMS and all layered products from the distribution media.

   5. Use AUTHORIZE to add only currently active accounts (or restore
      the SYSUAF.DAT you saved).  If you restore SYSUAF.DAT you must
      scrutinize it very carefully.  Restoring SYSUAF.DAT is not
      generally recommended; it is better to re-create only the active
      accounts, because this not only removes all dormant accounts but
      also guarantees elimination of bogus accounts and unauthorized
      modifications.

   6. Restore from TRUSTED backups all site-specific files found on the
      system disk.  In the event you do not have TRUSTED backups, we
      recommend you re-create these files.

      Note: "Trusted backups" are defined as backups in which there is a
      high degree of assurance that no unauthorized changes were made to
      any of the files before the backup was made.

   7. Restore from TRUSTED backups all files removed in step 2.  In the
      event you do not have TRUSTED backups, we recommend that you
      re-create these files.
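The detection checks and the minimal recovery steps of this bulletin, collected into one DCL command procedure.  This is an added example, not code from CIAC or from the bulletin.  It assumes a privileged account (SYSPRV, CMKRNL), the VMS V5 verb form of the INSTALL and SYSMAN commands (INSTALL LIST/FULL, INSTALL REMOVE, SYSMAN STARTUP SHOW FILE), and two hypothetical names of its own: the procedure file VMSCRTL_RESPONSE.COM and the scratch file SYS$SCRATCH:VMSCRTL_STARTUP.TMP used to capture the SYSMAN listing.  The CHECK branch reads the revision date of VMS$LAYERED.DAT before SYSMAN lists the startup database, because the listing itself overwrites that date.

```dcl
$ ! VMSCRTL_RESPONSE.COM -- added example, not part of CIAC bulletin B-8.
$ !
$ ! Usage:   @VMSCRTL_RESPONSE CHECK
$ !          @VMSCRTL_RESPONSE CLEAN "31-OCT-1990" "JONES,SMITH"
$ !
$ ! P1 = CHECK (default) or CLEAN; P2 = penetration date for the
$ ! modified-since listing; P3 = comma-separated dormant accounts to
$ ! DISUSER.  Assumes a privileged account (SYSPRV, CMKRNL), the V5 verb
$ ! form of INSTALL and SYSMAN commands, and a hypothetical scratch file
$ ! SYS$SCRATCH:VMSCRTL_STARTUP.TMP for the SYSMAN listing.
$ SET NOON
$ trojan  = "SYS$LIBRARY:VMSCRTL.EXE"
$ dropper = "SYS$STARTUP:DECW$INSTALL_LAT.COM"
$ layered = "SYS$STARTUP:VMS$LAYERED.DAT"
$ tmp     = "SYS$SCRATCH:VMSCRTL_STARTUP.TMP"
$ IF F$EDIT(P1, "UPCASE,TRIM") .EQS. "CLEAN" THEN GOTO CLEAN
$ !
$ ! ---- CHECK: the bulletin's indicators, in the order it requires ----
$ hits = 0
$ IF F$SEARCH(trojan) .NES. ""
$ THEN
$     WRITE SYS$OUTPUT "*** ''trojan' present: system compromised with full privileges"
$     hits = hits + 1
$ ENDIF
$ IF F$SEARCH(dropper) .NES. ""
$ THEN
$     WRITE SYS$OUTPUT "*** ''dropper' present"
$     hits = hits + 1
$ ENDIF
$ ! Record the revision date of the startup database BEFORE SYSMAN
$ ! touches it; the STARTUP SHOW FILE below rewrites that date.
$ IF F$SEARCH(layered) .NES. ""
$ THEN
$     WRITE SYS$OUTPUT "VMS$LAYERED.DAT last modified: ", -
          F$FILE_ATTRIBUTES(layered, "RDT")
$ ENDIF
$ ! Now it is safe to list the startup database and look for the entry.
$ DEFINE/USER_MODE SYS$OUTPUT 'tmp'
$ MCR SYSMAN STARTUP SHOW FILE
$ SEARCH/OUTPUT=NL: 'tmp' "DECW$INSTALL_LAT"
$ IF $SEVERITY .EQ. 1
$ THEN
$     WRITE SYS$OUTPUT "*** DECW$INSTALL_LAT.COM is registered as a startup file"
$     hits = hits + 1
$ ENDIF
$ IF F$SEARCH(tmp) .NES. "" THEN DELETE/NOLOG 'tmp';*
$ ! Installed-image check; only meaningful once the system has rebooted
$ ! since the trojan ran (INSTALL errors harmlessly if it is not there).
$ INSTALL LIST/FULL 'trojan'
$ IF $SEVERITY .EQ. 1
$ THEN
$     WRITE SYS$OUTPUT "*** ''trojan' is installed; see its privileges in the listing above"
$     hits = hits + 1
$ ENDIF
$ ! Name-independent scan: the "%VCR" marker string identifies the
$ ! image under any file name.  A hit outside SYS$LIBRARY means a
$ ! non-privileged account is penetrated but privileges not (yet) gained.
$ SEARCH/WINDOW=1 SYS$SYSDEVICE:[*...]*.* "%VCR"
$ WRITE SYS$OUTPUT "Indicators found: ''hits'"
$ EXIT
$ !
$ ! ---- CLEAN: minimal recovery, steps 1-4 and 8 of the bulletin ----
$ CLEAN:
$ INSTALL REMOVE 'trojan'                     ! step 1 (errors if not installed)
$ MCR SYSMAN STARTUP REMOVE FILE 'dropper'    ! step 2
$ IF F$SEARCH(trojan)  .NES. "" THEN DELETE/LOG 'trojan';*     ! step 3
$ IF F$SEARCH(dropper) .NES. "" THEN DELETE/LOG 'dropper';*
$ ! Step 4: DISUSER each account named in P3.
$ SET DEFAULT SYS$SYSTEM
$ i = 0
$ NEXT_ACCT:
$ acct = F$ELEMENT(i, ",", P3)
$ IF acct .EQS. "," .OR. acct .EQS. "" THEN GOTO ACCTS_DONE
$ MCR AUTHORIZE MODIFY 'acct'/FLAGS=DISUSER
$ i = i + 1
$ GOTO NEXT_ACCT
$ ACCTS_DONE:
$ ! Step 8: everything on the system disk modified since the penetration.
$ IF P2 .NES. "" THEN DIRECTORY/FULL/MODIFIED/SINCE='P2' SYS$SYSDEVICE:[*...]*.*
$ WRITE SYS$OUTPUT "Minimal recovery done; steps 5-7 (passwords, SYSUAF, SYSGEN) are manual."
$ EXIT
```

Run CHECK first and keep its output; the printed VMS$LAYERED.DAT date is the only copy of that evidence, since both the SYSMAN listing and the CLEAN branch's STARTUP REMOVE FILE rewrite the database.  CLEAN is the bulletin's stop-gap only: it does not change passwords or review SYSUAF.DAT and SYSGEN, and it does nothing about whatever else a fully privileged intruder may have left, which is why the complete recovery procedure above still applies.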