INTRANETWORK MEMORANDUM SPAN MANAGEMENT OFFICE

=============================================================================
INTRANETWORK MEMORANDUM SPAN MANAGEMENT OFFICE
=============================================================================
19-OCT-1989

TO: ALL SPAN ROUTING CENTER MANAGERS AND REMOTE-NODE MANAGERS

FROM: RON TENCATI - SPAN SECURITY MANAGER
GODDARD SPACE FLIGHT CENTER CODE 630.2
GREENBELT, MD. 20771
(301)286-5223

SUBJ: INFORMATION REGARDING THE DECNET WORM AND PROTECTION MEASURES

----------
The following information covers several aspects of the "WANK" DECnet worm
which was released into the "DECnet Internet" earlier in the week.

Information contained in prior reports written by John McMahon of GSFC and
Kevin Oberman of LLNL was used in preparing report. The assistance of
Digital Equipment Corporation is also gratefully acknowledged.

Previous messages regarding this worm appearing on various mailing lists
have indicated that system managers with questions or infected nodes should
call other organizations.

For clarification, any SPAN-connected system that believes itself to be
infected, or attacked should contact ONLY the SPAN management at Goddard
Space Flight Center, Greenbelt, MD. The security effort is being
coordinated by this group and all reports should be directed there. The
contact number is (301)286-7251 or (301)286-5223. Electronic mail should be
sent to NSSDCA::TENCATI or NSSDCA::NETMGR only. Do not send infection
reports to any other node on SPAN.

HEPnet sites should contact FNAL::DEMAR.

BACKGROUND
----------

The worm's mission is to propagate itself randomly across the network,
to seek out systems with poor security, and to establish itself in a
priviliged account whereupon it will modify the system's SYS$ANNOUNCE
banner to the following message:

W O R M S A G A I N S T N U C L E A R K I L L E R S
_______________________________________________________________
\__ ____________ _____ ________ ____ ____ __ _____/
\ \ \ /\ / / / /\ \ | \ \ | | | | / / /
\ \ \ / \ / / / /__\ \ | |\ \ | | | |/ / /
\ \ \/ /\ \/ / / ______ \ | | \ \| | | |\ \ /
\_\ /__\ /____/ /______\ \____| |__\ | |____| |_\ \_/
\___________________________________________________/
\ /
\ Your System Has Been Officically WANKed /
\_____________________________________________/

You talk of times of peace for all, and then prepare for war.

---------
We don't currently see that the WORM is destructive, BUT it wastes
resources, and may result in denial of service by locking out priviliged
users or causing non-infected nodes to consume disk space storing all the
audit records from the failed access attempts.

The worm attempts to establish itself onto a system by exploiting various
weaknesses in the DECnet environment. Some of these weaknesses have been
addressed by previous SPAN directives and guidelines. Systems that have
implemented these guidelines are not at risk.

A random number generator is used to pick the next node the worm will try
to infect. The worm contains an internal list of 82 canned usernames that
it will try against a system.

In addition, it attempts to copy the file RIGHTSLIST.DAT from the selected
target node. This file is normally protected W:R. If this file is
successfully copied, a list of usernames specific to the target system will
be generated and some subset of those will be appended to the "canned"
list. The candidate words the worm uses whether or not it was successful
at accessing RIGHTSLIST.DAT are the following:

ACCOUNITING ACCOUNTS ALLIN1 APPLETALK ARCHIVE
BACKUP CADCAM COGNOS CRAYSTN CUSTOMER
DDSNET DEC DECNET DEFAULT DEMO
DFS$DEFAULT DIGITAL DNS$SERVER DQS$SERVER ETHERNIM
EXOS FIELD GAMES GUEST HASP
IBM INGRES INVENTORY ISSYS IVP
LIBRARY LN03_DLAND LPS$SERVER MAC MAIL
MAILER MANAGER MANUALS MASS11 MBMANAGER
MIS MRGATE MANAGER NETNONPRIV NETPRIV
NEWSMGR NOTES$SERVER OPER OPERATOR ORACLE
OSI PCAPP PCCOMMON PLUTO POSTMASTER
RDBVMS$REM RHM SECURITY SHUTDOWN SNACSV
SPEAR SPM SRS STUDENT SUPPLIES
SYSINF SYSTEM SYSTEST SYSTEST_CLIG TAPESYS
TCP TELEX TEMP TEST TRAINING
TRANSFER USER USER1 USERP VAXNET
VAXSIM VTX VXSYS

The PASSWORDS tried against the set of accounts MAY be the username
ONLY, OR other passwords may be tried (such as DIGITAL, PSIPAD, MANAGER,
etc) apparently depending on the version of the WORM. A bug in the worm
prevents it from testing the null password as previously suspected.

--------------
[The following section provides information relating to the behavior of
the worm. This information was primarily supplied by Kevin Oberman of
LLNL and John McMahon of GSFC]
--------------

1. The program assures that it is working in a directory to which the owner
(itself) has full access (Read, Write,Execute, and Delete).

2. The program checks to see if another copy is still running. It looks for a
process with the first 5 characters of "NETW_". If such is found, it deletes
itself (the file) and stops its process.

NOTE

This check is done using the F$GETJPI system service. The results
vary depending on the amount of priviliges the account possesses.
Non-priviliged accounts which are penetrated will only be able to
return information about their own UIC, so multiple copies of the
worm could be running simultaneously under different usernames.

3. The program then changes the default DECNET account password to a random
string of at least 12 characters.

4. Information on the infected node and account/password used to access the
system is mailed to a central collection point on SPAN.

5. The process changes its name to "NETW_" followed by a random number.

6. It checks to see if it has SYSNAM priv. If so, it defines the system
announcement message to be the WANK banner.

7. If it has SYSPRV, it disables mail to the SYSTEM account.

8. Also if it has SYSPRV, it modifies the system login command procedure
(SYLOGIN.COM) to APPEAR to delete all of a user's files. (It really does
nothing.)

9. The procedure then scans the accounts logical name table for symbols
which contain directory specifications. Each directory located is searched
for command procedures within it protected (W:RWED). Any such procedures
have code inserted at the top which tries to modify the FIELD account to a
known password with login from any source and all privs. This is a
primitive virus, but very effective IF the procedure should be executed by
a priviliged account.

10. It proceeds to attempt to access other systems by picking node numbers
at random. It then used PHONE to get a list of active users on the remote
system. It proceeds to irritate them by causing the PHONE object to send
them a one-line "fortune cookie" type message. The appearance of this
message does not indicate a penetration attempt on that node, more
appropriately, it indicates an "irritation attempt".

NOTE
If your site receives these PHONE messages the source node
information can be found in the NETSERVER.LOG files in your DECnet
default account.

11. The program tries to access the RIGHTSLIST.DAT file as previously
described earlier.

12. It then steps through the list of usernames it has built and uses FAL
to validate the candidate userid/password combination. If a password is
guesses, the worm copies itself over to the target system and starts itself
via the SUBMIT/REMOTE feature of VMS.

13. When the worm finishes with a system, it picks another random system and
repeats (forever).

SECURITY GUIDELINES TO STOP THE SPREAD OF THIS WORM:
====================================================

1. It is IMPERATIVE that all systems protect or remove the DECnet TASK 0
object to prevent reoccurrance of this worm, OR MORE SERIOUS ATTACKS
OF THIS KIND IN THE FUTURE!

The TASK object can be secured by either of the following methods:

Method 1):
Issue the command:

NCP> CLEAR OBJECT TASK ALL

after the network is started up. This command can also be
inserted into the procedure SYSTARTUP.COM (SYSTARTUP_V5.COM on V5.x
systems) after the call to STARTNET.COM. In addition while the system
is running, this command must be executed EACH TIME the network is
restarted.

Method 2):
Issue the following commands ONCE:

NCP> SET OBJECT TASK USER DECNET PASSWORD <a bunch of garbage>
NCP> DEFINE OBJECT TASK USER DECNET PASSWORD <a bunch of garbage>

This causes a login failure to be generated whenever the TASK
object is accessed. Once done, this change will be permanent.

NOTE
We have received one report that TASK 0 is required
for DECwindows. Read your documentation!

2. Under NO circumstances it is acceptable for an account to have a
password the same as the username. Passwords (passPHRASES) should be
created so that they are difficult to guess, multi-word phrases are
preferable. As a precaution, we recommend that all passwords be changed.
Additionally, system managers may choose to revalidate ALL accounts.

If a system had the DECNET TASK 0 protected as above, the DECNET account
protected against SUBMIT/REMOTE (described below) and no user had their
userid as their password, it was immune to this WORM. As a result, the
number of nodes actually INFECTED by this attack is relatively small. The
number ATTACKED however, is large.

3. NETWORK ACCOUNTS
To protect against the SUBMIT/REMOTE attack, run AUTHORIZE and make sure
that all network account flags are set to NOBATCH, NODIALUP, NOLOCAL,
and NOREMOTE.

4. FIELD ACCOUNT
Make sure the FIELD ACCOUNT does not have the password FIELD. DISUSER the
account. You must SEARCH all .COM files for a "field/remote/dialup". If
the search shows it is in .COM files, They have a trojan horse appended
to the files. When the .COM file is executed, This Trojan horse will try
to reset account FIELD to /NODISUSER and password to FIELD. You should
either delete the corrupted .COM file and obtain a good one elsewhere, or
examine the file and remove the affected lines of the command procedure.

5. WORM FILES
The WORM source files are W.COM or a single alphabetic character (C or D)
followed by 4 or 5 numeric characters. (Cnnnnn.COM), ("nnnn" represents a
random number). The WORM will start a process or processes running.
These processes are named in format NETW_nnnn, and should be deleted.
PHONE_nnnn may also be running as the WORM utilizes the PHONE object in
an attempt to send a message to a user on another randomly selected node.

6. ALARMS
Some alarms generated by the WORM are related to PHONE.EXE and FAL.EXE.
The majority of the alarms are login failures as the WORM attempts to log
into specific accounts.

We recommend that alarms be set immediately for logins, logouts, breakin
attempts, modifications to the system and net UAF's, and to changes to
user and system passwords.

DISCOVERY AND CLEANUP
----------------------

1. Log into a "privileged account"
$ SHOW SYSTEM
Look for NETW_dddd (dddd represents 4 or 5 random digits)
IF NETW_dddd is found, note the process ID and do:
$ STOP PROCESS/ID=NETW_dddd

The command procedure included below can be used by system
managers to perform this function in the background. It is
recommended that this procedure be run for the next week or
so until the worm is killed-off.

2. Check the protection on all command procedures. If any are
(W:REWD), check for infection. There should be two versions. The
older one should be OK unless multiple infection has occurred.
Generally the oldest version is OK but this is not guaranteed.

An easy method is to execute the command on every disk:

$SEARCH dev:[000000...]*.COM;* PASS=FIELD

Any infected files will contain the line:

$mcr authorize add field/remote/dialup/network/batch/defpriv=all
/priv=all/flag=(nodisuser,nocaptive,nopwd_expire)/pass=field

3. Redefine or deassingn the SYS$ANNOUNCE logical name. Replace
the correct SYS$ANNOUNCE messages. (Note the initial value of
SYS$ANNOUNCE to identify the infected user account and location of
the false announce message files (on infected systems only).

4. Clean up SYSLOGIN.COM. Remove the bogus file deletion routine.

5. Search all login directories for files named Cddddd.com or
Dddddd.com. Dddddd.COM is a dummy file which precedes the actual
infection. Cddddd.COM is the worm itself (normally both are
deleted by the worm).

6. If your node is attacked or penetrated, please contact the SPAN
Management immediately via MAIL or by phone. Send all messages
to either NSSDCA::TENCATI or NSSDCA::NETMGR. If you do not have
NSSDCA defined in your database, use the node number 6277::. We
need to know which nodes have the worm running on them so we can
coordinate cleanup measures with the appropriate personnel.

NOTE
A tell-tale sign that your node was ATTACKED will be multiple
login failure reports in your operator.log file.

7. DO NOT DELETE ANY OF YOUR LOG FILES OR AUDIT TRAILS. THIS
INFORMATION MAY BE REQUESTED OF YOU LATER IF THIS MATTER IS GOING
TO BE PROSECUTED.

PREVENTION MEASURES
-------------------

1. Ensure all user accounts have good password management. (No
"user user" or null passwords.)

2. No world READ command procedures in user or priviliged
accounts.

3. No TASK objects.

4. Do not use the the account names as the password on network
accounts. (Use the V5.2 approach - separate object userid's)

5. Ensure all network accounts are set NOBATCH, NOLOCAL, NODIALUP,
and NOREMOTE and have a PRCLIM of 1.

6. Audit all changes by AUTHORIZE. Analyze audit trail for changes
to the FIELD account.

7. Place an ALARM ACE on SYS$MANAGER:SYLOGIN.COM;* for
WRITE+DELETE+SUCCESS access. Enable ACL auditing. Analyze the
audit trail for change to SYLOGIN.COM.

8. Make sure ACCOUNTING and OPCOM are running and proper alarms
are set.

9. Protect RIGHTSLIST.DAT against World access. Alternatively
move or rename it and define the logical symbol RIGHTSLIST
to the new file. ($DEF/SYS/EXEC RIGHTSLIST <renamed file>)
This will limit the ability of the worm to determine
actual valid usernames.
----------------------------------------------------------------------------

The following command procedure was written by John McMahon at GSFC. It
can be run as a batch job under a priviliged account. This procedure
searches all processes on a running system to determine if the worm process
is present. If detected, the worm is deleted.

---------------------------- ANTIWANK.COM ----------------------------------
$!
$! Antiwank.Com - This program performs two functions. It kills any
$! copy of the worm currently running (any process starting with NETW_
$! in it's name) and disguises itself as a copy of the worm to help
$! prevent new copies from being created.
$!
$! This program should be submitted to a batch queue under the username
$! SYSTEM. It requires WORLD priv to check the process names on your
$! CPU. It runs continuously, but uses little overhead.
$!
$! This program uses the process name "NETW_AntiWank". It should not be
$! confused as a copy of the worm program itself (which uses
$! NETW_randomnumber).
$!
$! The system manager should add additional userids to the line
$! beginning with SEND_MAIL_TO. If the program detects the worm,
$! it will send a detection message to the userids in SEND_MAIL_TO.
$!
$! John McMahon
$! NASA/GSFC CODE 630.4
$!
$! 18-OCT-1989 16:11:56.21
$!
$! SPAN: SDCDCL::FASTEDDY
$! Internet: [email protected]
$! Bitnet: Fasteddy@Dftbit
$!
$! Phone: 301-286-2045
$!
$ Set NoON
$ AntiWank_Name = "NETW_AntiWank"
$ Process_Name_Prefix = "NETW_"
$ Send_Mail_To = "SYSTEM"
$ Set Process/Priv=(World)
$ Set Process/Name="''AntiWank_Name'"
$ Start:
$ Context = ""
$ Pid_Loop:
$ Check_Pid = F$Pid(Context)
$ If Check_Pid .Eqs. "" Then Goto End_Pid_Loop
$ Check_Prcnam = F$Edit(F$Getjpi(Check_Pid,"PRCNAM"),"TRIM")
$ Write Sys$Output "Process Name: ",Check_Prcnam
$ If Check_Prcnam .Eqs. AntiWank_Name Then Goto Pid_Loop
$ If F$Extract(0,5,Check_Prcnam) .Eqs. Process_Name_Prefix Then -
Gosub Action_Routine
$ Goto Pid_Loop
$!
$ End_Pid_Loop:
$ Write Sys$Output F$TIME()," ANTIWANK is still working for you"
$ Wait 00:10:00
$ Goto Start
$!
$ Action_Routine:
$ Write Sys$Output "Action Routine"
$ Username = F$Getjpi(Check_Pid,"Username")
$ Stop/Id='Check_Pid'
$ Mail NL: 'Send_Mail_To' -
/SUBJECT="Worm Terminated ''$Status' ''Check_Prcnam' ''Check_Pid' ''Username'"
YES
$ Return
---------------------------END OF ANTIWANK.COM-------------------------

Downloaded From P-80 International Information Systems 304-744-2253