-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2001-20 Continuing Threats to Home Users

Original release date: July 20, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Need to Protect Home Systems

This year, we have seen a significant increase in activity resulting in compromises of home user machines. In many cases, these machines are then used by intruders to launch attacks against other organizations. Home users have generally been the least prepared to defend against attacks. Many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Intruders know this, and we have seen a marked increase in intruders specifically targeting home users who have cable modem and DSL connections.

Most of the subscribers to the CERT Advisory Mailing List and many visitors to our web site are technical staff responsible for maintaining systems and networks. But all of us know people who have home computers and need advice about how to secure them. We recently released a document on our web site providing some basic security information and references for home users. The document, "Home Network Security," is available on our web site at

http://www.cert.org/tech_tips/home_networks.html

We encourage the technical readers of our mailing list to reach out to your parents, children, and other relatives and friends who might not be as technically oriented, point them to this document, and help them understand the basics of security, the risks, and how they can better defend themselves.

We have a long road to travel in educating home users on the security risks of the Internet. But all of us working together to educate home users will improve the security of the Internet as a whole.
Worms and DDoS Tools

The CERT/CC is currently tracking the activity of several large-scale incidents involving new worms and distributed denial-of-service (DDoS) tools. Some of these worms include a command and control structure that allows the intruder to dynamically modify the behavior of the worm after it has infected a victim system. In some cases, the command and control structure allows the intruder to issue a single command to all the infected systems without needing to know which systems have actually been infected. This ability to change the behavior of the worm (including wholesale replacement) makes it substantially more difficult to develop "one size fits all" solutions to the problem. Additionally, many of these worms have targeted home users as victims.

With these facts in mind, and given the large number of hosts involved in these incidents, it is imperative for everyone to take precautions to patch the vulnerabilities involved and recover compromised systems.

W32/Leaves worm

The W32/Leaves worm, described in IN-2001-07, primarily affects systems that have been previously compromised by the SubSeven Trojan horse program. We have received reports that over 23,000 machines have been compromised by this worm. This worm includes functionality that allows a remote intruder to control the network of compromised machines.

"Code Red" worm

The "Code Red" worm, described in CA-2001-19, exploits a vulnerability in the Indexing Service on systems running Microsoft IIS. Current reports indicate that over 225,000 hosts have already been compromised by this worm.

"Power" worm

A worm known by the name of "Power" is also compromising systems vulnerable to the IIS Unicode vulnerability described in CA-1999-16. It uses Internet Relay Chat (IRC) as a control channel for coordinating compromised machines in DDoS attacks. Based on reports that we have received, over 10,000 machines have already been compromised by this worm.
"Knight" distributed attack tool

An attack tool known as "Knight" has been found on approximately 1,500 hosts. This tool appears to be a DDoS tool and also uses IRC as a control channel. It has been reported that the tool is commonly being installed on machines that were previously compromised by the BackOrifice Trojan horse program. So far, there has been no indication that this tool is a worm; it does not contain any logic to propagate automatically.

Protective Measures

For all of these problems, the deployment and maintenance of some of these simple defenses is relatively effective:

1. Install and Maintain Anti-Virus Software

The CERT/CC strongly recommends using anti-virus software. Most current anti-virus software products are able to detect and alert the user that an intruder is attempting to install a Trojan horse program or that one has already been installed. In order to ensure the continued effectiveness of such products, it is important to keep them up to date with current virus and attack signatures supplied by the original vendors. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

2. Deploy a Firewall

The CERT/CC also recommends using a firewall product, such as a network appliance or a personal firewall software package. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

For additional information about securing home systems and networks, please see the "Home Network Security" tech tip at

http://www.cert.org/tech_tips/home_networks.html

If these protective measures reveal that the machine has already been compromised, more drastic steps need to be taken to recover.
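The two patterns described above, a Trojan backdoor on the victim and an IRC session serving as the worm's control channel, are what a firewall log can actually reveal. The following is an added example, not CERT/CC code: it triages constructed firewall connection records for inbound traffic to backdoor ports and for outbound IRC sessions, then inverts the result to show several local hosts joined to one server, which is the shape of a single command reaching every infected machine. The advisory lists no port numbers; the SubSeven (27374/tcp) and BackOrifice (31337/udp) defaults, the IRC server ports, the 192.168.1.0/24 LAN range and the log line format are all assumptions made for illustration.

```python
"""Triage firewall connection records for the two patterns this advisory
describes: remote hosts hitting Trojan-horse backdoor ports, and local
hosts holding outbound IRC sessions a worm can use as its control channel.
Added example, not CERT/CC code; the log line format, LAN range and port
numbers are assumptions for illustration."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

# Assumed: default listener ports of the Trojans named in the advisory
# (vendor defaults; the advisory itself lists no ports).
BACKDOOR_PORTS = {27374: "SubSeven", 31337: "BackOrifice"}
# Assumed: ports commonly used by IRC servers.
IRC_PORTS = {6667, 6668, 6669, 7000}
# Assumed home LAN range.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Conn:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str  # "accepted" or "denied", as the firewall logged it


def parse_line(line: str) -> Optional[Conn]:
    """Parse one constructed log line of the form
    '<proto> <src>:<sport> -> <dst>:<dport> <accepted|denied>'.
    Anything else returns None so one bad line cannot stop the triage."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        s_ip, s_port = parts[1].rsplit(":", 1)
        d_ip, d_port = parts[3].rsplit(":", 1)
        ipaddress.ip_address(s_ip)  # raises ValueError on garbage
        ipaddress.ip_address(d_ip)
        return Conn(parts[0].lower(), s_ip, int(s_port),
                    d_ip, int(d_port), parts[4].lower())
    except ValueError:
        return None


def is_local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCAL_NET


def triage(lines) -> Dict[str, dict]:
    """Return three findings keyed by local host:
      probed  : inbound backdoor-port traffic the firewall denied (the
                firewall did its job; the scan is still worth knowing about)
      exposed : inbound backdoor-port traffic that was accepted, i.e. a
                listener may be answering on that host
      irc_c2  : accepted outbound IRC sessions to non-local servers, the
                shape of a worm's control channel."""
    probed: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    exposed: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    irc_c2: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        c = parse_line(raw)
        if c is None:
            continue
        inbound = is_local(c.dst) and not is_local(c.src)
        outbound = is_local(c.src) and not is_local(c.dst)
        if inbound and c.dport in BACKDOOR_PORTS:
            target = exposed if c.state == "accepted" else probed
            target[c.dst].append((BACKDOOR_PORTS[c.dport], c.src))
        if (outbound and c.proto == "tcp" and c.dport in IRC_PORTS
                and c.state == "accepted"):
            irc_c2[c.src].add(c.dst)
    return {"probed": dict(probed), "exposed": dict(exposed),
            "irc_c2": dict(irc_c2)}


def shared_irc_servers(irc_c2: Dict[str, Set[str]],
                       min_hosts: int = 2) -> Dict[str, Set[str]]:
    """Invert the irc_c2 map: servers that several local hosts all joined.
    One server reached by many local machines is how a single command
    can drive a whole set of infected systems."""
    by_server: Dict[str, Set[str]] = defaultdict(set)
    for host, servers in irc_c2.items():
        for s in servers:
            by_server[s].add(host)
    return {s: h for s, h in by_server.items() if len(h) >= min_hosts}


# Constructed sample records (documentation-range addresses), not real data.
SAMPLE_LOG = """\
tcp 203.0.113.7:4412 -> 192.168.1.10:27374 denied
tcp 203.0.113.7:4413 -> 192.168.1.11:27374 accepted
udp 198.51.100.9:1045 -> 192.168.1.11:31337 accepted
tcp 192.168.1.11:1089 -> 198.51.100.50:6667 accepted
tcp 192.168.1.12:1090 -> 198.51.100.50:6667 accepted
tcp 192.168.1.10:1091 -> 192.168.1.1:6667 accepted
tcp 192.168.1.12:1092 -> 198.51.100.60:80 accepted
this line is not a connection record
""".splitlines()


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for kind, hosts in findings.items():
        print(kind, hosts)
    print("shared IRC servers:", shared_irc_servers(findings["irc_c2"]))
```

On the sample data, 192.168.1.10 only shows a denied probe (the firewall blocked it), while 192.168.1.11 both accepted backdoor connections and holds an IRC session to the same server as 192.168.1.12; that combination is the case the recovery steps below are written for, and a firewall that only logs without a default-deny inbound policy would never have produced the "denied" line at all.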
When a computer is compromised, any installed software could have been modified, including the operating system, applications, data files, and memory. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system from the distribution media and install vendor-recommended security patches before connecting back to the network. Merely identifying and fixing the vulnerability that was used to initially compromise the machine may not be enough.

Often, these worms rely on Trojan horses to initially compromise a system. For more information on Trojan horses, see

http://www.cert.org/advisories/CA-1999-02.html

Additionally, these worms often spread by exploiting vulnerabilities in systems. For information on vulnerabilities affecting popular products, please see

http://www.kb.cert.org/vuls

______________________________________________________________________

Author(s): Jeff Carpenter, Chad Dougherty, Shawn Hernan
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2001-20.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

Jul 20, 2001: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBO1inDgYcfu8gsZJZAQE1iwP7BpBJ4J2aUgjNxgTPdytNiYAeDJC7zKCU
jYYumhEGPAjBQgoqVPkVi4zApStfMUMsBBSahSll+S8zBoZfbviblnzLLx1Ac/NN
YAw7sq6X8RQ+RQ7kltcwUy0Ut0gJDxZCinPxgg+dyQ0Sww9dzSQesCaKT3uazY4P
AkPWGUsE/Ic=
=0QKl
-----END PGP SIGNATURE-----