
CERT Advisory of Continuing Threats to Home Users - CA-2001-20

CERT released this advisory today at 6pm and states that "this year, CERT has seen a significant increase in activity resulting in compromises of home user machines. In many cases, these machines are then used by intruders to launch attacks against other organizations. Home users have generally been the least prepared to defend against attacks.

Many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Intruders know this, and we have seen a marked increase in intruders specifically targeting home users who have cable modem and DSL connections..."

CERT Advisory CA-2001-20 Continuing Threats to Home Users

Original release date: July 20, 2001

Source: CERT/CC

A complete revision history can be found at the end of this file.

Need to Protect Home Systems

This year, we have seen a significant increase in activity resulting in compromises of home user machines. In many cases, these machines are then used by intruders to launch attacks against other organizations. Home users have generally been the least prepared to defend against attacks. Many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Intruders know this, and we have seen a marked increase in intruders specifically targeting home users who have cable modem and DSL connections.

Most of the subscribers to the CERT Advisory Mailing List and many visitors to our web site are technical staff responsible for maintaining systems and networks. But all of us know people who have home computers and need advice about how to secure them. We recently released a document on our web site providing some basic security information and references for home users. The document, "Home Network Security," is available on our web site at

http://www.cert.org/tech_tips/home_networks.html

We encourage the technical readers of our mailing list to reach out to your parents, children, and other relatives and friends who might not be as technically oriented, point them to this document and help them understand the basics of security, the risks, and how they can better defend themselves. We have a long road to travel in educating home users on the security risks of the Internet. But all of us working together to educate home users will improve the security of the Internet as a whole.

Worms and DDoS Tools

The CERT/CC is currently tracking the activity of several large-scale incidents involving new worms and distributed denial-of-service (DDoS) tools. Some of these worms include a command and control structure that allows the intruder to dynamically modify the behavior of the worm after it has infected a victim system. In some cases, the command and control structure allows the intruder to issue a single command to all the infected systems without needing to know which systems have actually been infected. This ability to change the behavior of the worm (including wholesale replacement) makes it substantially more difficult to develop "one size fits all" solutions to the problem. Additionally, many of these worms have targeted home users as victims. With these facts in mind, and the large number of hosts involved in these incidents, it is imperative for everyone to take precautions to patch the vulnerabilities involved and recover compromised systems.

W32/Leaves worm

The W32/Leaves worm, described in IN-2001-07, primarily affects systems that have been previously compromised by the SubSeven Trojan horse program. We have received reports that over 23,000 machines have been compromised by this worm. This worm includes functionality that allows a remote intruder to control the network of compromised machines.

"Code Red" worm

The "Code Red" worm, described in CA-2001-19, exploits a vulnerability in the Indexing Service on systems running Microsoft IIS. Current reports indicate that over 225,000 hosts have already been compromised by this worm.

"Power" worm

A worm known by the name of "Power" is also compromising systems vulnerable to the IIS Unicode vulnerability described in CA-1999-16. It uses Internet Relay Chat (IRC) as a control channel for coordinating compromised machines in DDoS attacks. Based on reports that we have received, over 10,000 machines have already been compromised by this worm.

"Knight" distributed attack tool

An attack tool known as "Knight" has been found on approximately 1,500 hosts. This tool appears to be a DDoS tool and also uses IRC as a control channel. It has been reported that the tool is commonly being installed on machines that were previously compromised by the BackOrifice Trojan horse program. So far, there has been no indication that this tool is a worm; it does not contain any logic to propagate automatically.
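As an added illustration that is not part of the advisory: the IRC control channel that both the "Power" worm and the "Knight" tool use leaves a pattern a network defender can look for, namely several internal hosts holding long-lived connections to the same external host on the IRC port. The script below runs that check over a constructed connection log; the port number, thresholds and addresses are assumptions of this example, not values given in the advisory.

```python
"""Flag groups of internal hosts parked on one external IRC server, the
rendezvous pattern of an IRC-coordinated DDoS network. The log below is
constructed sample data, not a real capture."""
from collections import defaultdict

# Constructed log: timestamp, src_ip, dst_ip, dst_port, duration_seconds
SAMPLE_LOG = """\
2001-07-20T18:01:02 192.168.1.10 203.0.113.5 6667 3600
2001-07-20T18:01:05 192.168.1.11 203.0.113.5 6667 3590
2001-07-20T18:01:09 192.168.1.12 203.0.113.5 6667 3580
2001-07-20T18:02:00 192.168.1.10 198.51.100.7 80 2
2001-07-20T18:03:11 192.168.1.20 203.0.113.9 6667 5
2001-07-20T18:04:00 192.168.1.13 203.0.113.5 6667 3400
"""

IRC_PORTS = {6667}      # assumption: the conventional IRC port; the advisory names none
MIN_DURATION_S = 600    # a control channel stays open; a brief join does not
MIN_HOSTS = 3           # one long IRC session is ordinary; many hosts on one server is not


def parse_log(text):
    """Yield (src, dst, port, duration) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port, dur = line.split()
        yield src, dst, int(port), int(dur)


def find_irc_rendezvous(text, ports=IRC_PORTS, min_duration=MIN_DURATION_S,
                        min_hosts=MIN_HOSTS):
    """Return {external_server: sorted internal hosts} for every server that at
    least min_hosts internal hosts hold IRC-port connections to for at least
    min_duration seconds."""
    by_server = defaultdict(set)
    for src, dst, port, dur in parse_log(text):
        if port in ports and dur >= min_duration:
            by_server[dst].add(src)
    return {srv: sorted(hosts) for srv, hosts in by_server.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for server, hosts in find_irc_rendezvous(SAMPLE_LOG).items():
        print(f"possible IRC control channel at {server}: {', '.join(hosts)}")
```

The short session to 203.0.113.9 and the web request on port 80 are ignored; only the four hosts sharing one long-lived IRC server are reported.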

Protective Measures

For all of these problems, the deployment and maintenance of some of these simple defenses is relatively effective:

1. Install and Maintain Anti-Virus Software

The CERT/CC strongly recommends using anti-virus software. Most current anti-virus software products are able to detect and alert the user that an intruder is attempting to install a Trojan horse program or that one has already been installed.

In order to ensure the continued effectiveness of such products, it is important to keep them up to date with current virus and attack signatures supplied by the original vendors. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

2. Deploy a Firewall

The CERT/CC also recommends using a firewall product, such as a network appliance or a personal firewall software package. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

For additional information about securing home systems and networks, please see the "Home Network Security" tech tip at

http://www.cert.org/tech_tips/home_networks.html

If these protective measures reveal that the machine has already been compromised, more drastic steps need to be taken to recover. When a computer is compromised, any installed software could have been modified, including the operating system, applications, data files, and memory. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system from the distribution media and install vendor-recommended security patches before connecting back to the network. Merely identifying and fixing the vulnerability that was used to initially compromise the machine may not be enough.

Often, these worms rely on Trojan horses to initially compromise a system. For more information on Trojan horses, see

http://www.cert.org/advisories/CA-1999-02.html

Additionally, these worms often spread by exploiting vulnerabilities in systems. For information on vulnerabilities affecting popular products, please see

http://www.kb.cert.org/vuls

______________________________________________________________________

Author(s): Jeff Carpenter, Chad Dougherty, Shawn Hernan

______________________________________________________________________

This document is available from:

http://www.cert.org/advisories/CA-2001-20.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org

Phone: +1 412-268-7090 (24-hour hotline)

Fax: +1 412-268-6989

Postal address:

CERT Coordination Center

Software Engineering Institute

Carnegie Mellon University

Pittsburgh PA 15213-3890

U.S.A.

CERT personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2001 Carnegie Mellon University.

Revision History

Jul 20, 2001: Initial release
