CERT-SEI

Continuing Threats to Home Users

Original release date: July 20, 2001
Last revised: July 23, 2001
Source: CERT/CC

A complete revision history can be found at the end of this file.

Need to Protect Home Systems

This year, we have seen a significant increase in activity resulting in compromises of home user machines. In many cases, these machines are then used by intruders to launch attacks against other organizations. Home users have generally been the least prepared to defend against attacks. Many home users do not keep their machines up to date with security patches and workarounds, do not run current anti-virus software, and do not exercise caution when handling email attachments. Intruders know this, and we have seen a marked increase in intruders specifically targeting home users who have cable modem and DSL connections.

Most of the subscribers to the CERT Advisory Mailing List and many visitors to our web site are technical staff responsible for maintaining systems and networks. But all of us know people who have home computers and need advice about how to secure them. We recently released a document on our web site providing some basic security information and references for home users. The document, "Home Network Security," is available on our web site at

http://www.cert.org/tech_tips/home_networks.html

We encourage the technical readers of our mailing list to reach out to their parents, children, and other relatives and friends who might not be as technically oriented, point them to this document, and help them understand the basics of security, the risks, and how they can better defend themselves. We have a long road to travel in educating home users on the security risks of the Internet. But all of us working together to educate home users will improve the security of the Internet as a whole.

Worms and DDoS Tools

The CERT/CC is currently tracking the activity of several large-scale incidents involving new worms and distributed denial-of-service (DDoS) tools. Some of these worms include a command and control structure that allows the intruder to dynamically modify the behavior of the worm after it has infected a victim system. In some cases, the command and control structure allows the intruder to issue a single command to all the infected systems without needing to know which systems have actually been infected. This ability to change the behavior of the worm (including wholesale replacement) makes it substantially more difficult to develop "one size fits all" solutions to the problem. Additionally, many of these worms have targeted home users as victims.

With these facts in mind, and the large number of hosts involved in these incidents, it is imperative for everyone to take precautions to patch the vulnerabilities involved and recover compromised systems.

W32/Leaves worm

The W32/Leaves worm, described in IN-2001-07, primarily affects systems that have been previously compromised by the SubSeven Trojan horse program. We have received reports that over 23,000 machines have been compromised by this worm. This worm includes functionality that allows a remote intruder to control the network of compromised machines.

"Code Red" worm

The "Code Red" worm, described in CA-2001-19, exploits a vulnerability in the Indexing Service on systems running Microsoft IIS. Current reports indicate that over 250,000 hosts have already been compromised by this worm.

"Power" worm

A worm known by the name of "Power" is also compromising systems vulnerable to the IIS Unicode vulnerability described in VU#111677. It uses Internet Relay Chat (IRC) as a control channel for coordinating compromised machines in DDoS attacks. Based on reports that we have received, over 10,000 machines have already been compromised by this worm.

"Knight" distributed attack tool

An attack tool known as "Knight" has been found on approximately 1,500 hosts. This tool appears to be a DDoS tool and also uses IRC as a control channel. It has been reported that the tool is commonly being installed on machines that were previously compromised by the BackOrifice Trojan horse program. So far, there has been no indication that this tool is a worm; it does not contain any logic to propagate automatically.

Protective Measures

For all of these problems, the deployment and maintenance of some of these simple defenses are relatively effective:

1. Install and Maintain Anti-Virus Software

The CERT/CC strongly recommends using anti-virus software. Most current anti-virus software products are able to detect and alert the user that an intruder is attempting to install a Trojan horse program or that one has already been installed.

In order to ensure the continued effectiveness of such products, it is important to keep them up to date with current virus and attack signatures supplied by the original vendors. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.

2. Deploy a Firewall

The CERT/CC also recommends using a firewall product, such as a network appliance or a personal firewall software package. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.

For additional information about securing home systems and networks, please see the "Home Network Security" tech tip at

http://www.cert.org/tech_tips/home_networks.html

If these protective measures reveal that the machine has already been compromised, more drastic steps need to be taken to recover. When a computer is compromised, any installed software could have been modified, including the operating system, applications, data files, and memory. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system from the distribution media and install vendor-recommended security patches before connecting back to the network. Merely identifying and fixing the vulnerability that was used to initially compromise the machine may not be enough.

Often, these worms rely on Trojan horses to initially compromise a system. For more information on Trojan horses, see

http://www.cert.org/advisories/CA-1999-02.html

Additionally, these worms often spread by exploiting vulnerabilities in systems. For information on vulnerabilities affecting popular products, please see

http://www.kb.cert.org/vuls

Author(s): Jeff Carpenter, Chad Dougherty, Shawn Hernan

Copyright 2001 Carnegie Mellon University.

Revision History

Jul 20, 2001: Initial release
Jul 23, 2001: Correct link to the IIS Unicode vulnerability in Power worm section