Date: Sun 16-Dec-1991 23:42:58
From: gam@techlaw.com (Gregory)
Subject: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

Gentle Readers:

We have had an occurrence twice here that we need to share with the world. I must say right up front that our management here is ***VERY*** unhappy about it, and it may well force us to discontinue USENET News service. The real problem is, we do not have the bandwidth to deal with this kind of problem; as it is, I am taking valuable time to post this to alert others because we cannot be sure of the impact (if any). While we all happen to be fairly knowledgeable here of NeXT and UNIX in general, we aren't of the "guru" caliber when it comes to viruses, intrusions, sendmail, news or uucp. (Side note: is honeydanber available for the NeXT?)

HERE IS WHAT HAPPENED

On two separate occasions I have discovered a new directory appears in the "/" partition on my machine (which also happens to be our gateway). The directory is entitled "users", and by "cd-ing" my way through it I end up at:

    /users/staff/petes/next/sounds

WE NEVER CREATED THIS PATH! In this directory, in both cases (it happened in September and has happened again), a sound file appears. In this case, the file is named:

    A_New_Toy.snd

Now, we cannot be certain if the sound file triggers further actions upon playing, although coincidentally, the first time this happened (the file then was called "cool.snd"), we subsequently began having a host of trouble with mail and uucp... permissions suddenly being changed on various critical directories, things "breaking", etc. Again, we cannot VERIFY that the events were related (at this point).

So, when again, today, I discovered the same damn thing, I quickly removed the structure on to floppy and loaded it on to a stand alone machine. I played the file and then began exploring for "weirdness." No weirdness can be found so far, and the sound file is some weird voice essentially saying "Wow, a new toy... can I play?" The first sound file in September said something like "This is cool... it's terrific!"

The sound file today has a creation date of around October at some dark-thirty-in-the-morning time, while the former one had a creation date of May-something at an equally un-godly hour (I recall from the school daze, we'd call the time "hacker's hours" -- always after 2am, and before 5am.) In both cases, the voice has an Australian flavor to it, and is clearly male. Needless to say, without knowledge of who this is from, or why it arrived, my management is less than amused.

Here is how we have ascertained it landed where it did:

On both occasions, I note the date stamps and permissions of the directories and file. They are owned by me (gam) and the timestamps match very closely to a point in time in which I was known to be reading NetNews with NewsGrazer in comp.sys.next.misc. Secondly, I am a member of the group "wheel." Root owns all directories in "/" and only "root" and members of the group "wheel" are allowed to write into "/".

So what we can surmise is that (a) this intruder is somehow hidden (attached) to a piece of netnews; (b) the reader of the news unleashes the intruder; and if said reader has "wheel" privileges, the intruder can successfully "locate" itself by creating the path I describe.

Please note that all of our accounting records indicate no record of any intrusion via uucp. Note too, that NO ONE can dial IN to our domain; as a policy and security point we do not give out the number; it would require a random "hit." We call out, and our gateway is UUNET. Note also that at no time during this second occurrence has anyone introduced a NeXT floppy or optical. In fact, all we can conclude (only because I can reconstruct what I was doing) is that the intrusion is sourced out of an article in netnews.

The irritations here are obvious and I won't waste bandwidth, except to say (obviously) this is a "trespass" and unwarranted intrusion. ...and if we can ever find the responsible party... :-)

Sure, it "appears" that nothing has happened (yet), and I know better than to read news logged in as myself for fear of it happening again (or in the alternative, removing myself from group "wheel" which would slightly burden my sysadmin puttering), but this still constitutes an unwarranted violation. Believe us, we had a hard time believing this really happened the first time; now that it has occurred again, we know that in fact, someone is unleashing something given the right opportunity.

One problem is tracking it down. Since I tend to race through the netnews, I have no way of pinning down which article may have been the culprit. If anyone else has experienced a similar (or same) event, we'd like to know. Obviously, if there is some explanation for this, we'd like to know that too. I'd much rather hear there is some explainable (phenomena) and not a malfeasance (or malicious conduct) on someone's part.

COMMENT: I suspect that if, indeed, this is an intrusion from netnews (we really honestly believe it is), then the culprit is probably reading (with delight) this message.

To you, the culprit: perhaps you think this is an amusing prank; perhaps you suffer from a sociopathic attitude found in others with more criminal tendencies. Maybe you're a nice enough innocent guy just wanting to have fun. UNDERSTAND SOMETHING: I've spent the better part of ten years convincing non-technical people that UNIX systems are helpful, that mail is powerful, and that the connectivity is great. I have acknowledged the holes and security problems, but worked hard to tactfully evangelize the benefits. And along comes someone like you. Events like this start unnecessary upset in organizations such as mine. The NeXT offers an unprecedented opportunity to deliver the power of UNIX, OO technology, and GUIs to non-technical professional workplaces. These people are super sensitive to age-old wives' tales about UNIX and its lackings. Please THINK before you do things like this; it only serves to undo all the effort all of us are making to bring UNIX to the forefront of mainstream nontechnical computing for the masses.

To the balance of the audience, I'm sorry to have to spend this bandwidth on something like this. I'd like to know if there is some (plausible) explanation for this, but I think not. Creation of directories requiring special privileges and locating unsolicited files of unknown origin in our network is just plain trespassing. Receiving news and mail is not; I willingly open my electronic door for that. But in that case, at least I know who I've invited in. This is no different than the intruder who stows away on the truck entering the company grounds, only to sneak off and infiltrate, uninvited.

We are left with the impression that Netnews is harboring Trojan Horses; if true, we need to know, 'cause I'll be forced to pull the plug.

Thanks for the reading. Hopefully this is informative.

Sincerely,
Gregory Miller
gam@techlaw.com
---
Marger Johnson McCollom & Stolowitz Inc.
Patent Attorneys & Technology Lawyers
650 American Bank Building
621 SW Morrison Street
Portland, Oregon 97205

Telephone: +1 503-222-3613
FAX: +1 503-274-4622
Internet: gam@techlaw.com
UUCP: uunet!techlaw.com!gam

I don't speak for my employer, and they don't speak for me... kind of a nice arrangement, actually! [except in this case... :-\ ]
Date: Sun 17-Dec-1991 06:11:49
From: eps@futon.SFSU.EDU (Eric P. Scott)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

There is a "security" hole in the publicly available versions of NewsGrazer that, depending on site-dependent permissions, may present a serious risk. It is not inherent in NetNews, nor does it appear in *any* other news reading programs besides NewsGrazer. Since RTF postings seem to be confined to comp.sys.next.* groups, it is _probably_ safe to continue using NewsGrazer elsewhere.

It's unfortunate that some people attempt to achieve notoriety by victimizing others. It's also most unfortunate that there may NEVER be a working version of NewsGrazer available--you can read more in comp.sys.next.misc about what may be the most explosive scandal in NeXT's history... We call it "restraint of trade." NeXT calls it "business as usual." You're lawyers--you'd understand.

As for discontinuing usenet service, I think that's an overreaction. But discontinuing NewsGrazer use is probably a wise move. Trying to track down the perpetrators is no doubt an exercise in futility; forgeries are commonplace and require little technical expertise.

-=EPS=-
Date: Sun 17-Dec-1991 13:01:11
From: Kloppenburg@gmd.de (Jelske Kloppenburg)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

In article <1991Dec16.234258.27670@techlaw.com> gam@techlaw.com (Gregory) writes:
> ...
>
>     /users/staff/petes/next/sounds
>
> WE NEVER CREATED THIS PATH! In this directory, in both cases (it
> happened in September and has happened again), a sound file appears. In this
> case, the file is named:
>
>     A_New_Toy.snd
>
> ...
> ---
> Marger Johnson McCollom & Stolowitz Inc.
> Patent Attorneys & Technology Lawyers
> 650 American Bank Building
> 621 SW Morrison Street
> Portland, Oregon 97205
>
> Telephone: +1 503-222-3613
> FAX: +1 503-274-4622
> Internet: gam@techlaw.com
> UUCP: uunet!techlaw.com!gam
>
> Disclaimer:
> I don't speak for my employer, and they don't speak for me...
> kind of a nice arrangement, actually!
>
> [except in this case... :-\ ]

This sound was sent in a posting. I got it in NewsGrazer and when I dragged the icon into the Workspace, I got some message on the console ... cannot create. I then began to search (storing, looking, uudecoding etc.) I found an encoded tarfile. Someone put the sound in it with an absolute path (a colleague's comment: a reason for firing).

For your problem: on your station tar could create the path! Your root directory apparently has write access for all.

    /NextLibrary/Documentation/NextAdmin/16_Security

I think what happened at your site was a combination of several mistakes, not a trojan horse.

j.k.
Date: Sun 17-Dec-1991 01:24:38
From: patrice@cs.sfu.ca (Patrice Belleville)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

> Long message deleted to save bandwidth...

The sound file in question was simply contained in a NewsGrazer post. The file was probably extracted when you tried to play it. As far as I can remember, the poster simply made a mistake and used the full path name (on his system) when he included the file. There was no malicious intent involved.

Maybe it's only me, but I make sure that NO ONE except root is allowed to write into /, and would never read news from root [as it is, I am not able to read news from home, and so the problem can not occur; maybe once I get SLIP running...]. I believe that this is a problem with the way your systems are set up [i.e. write permission in /], not with News themselves.

Patrice
Date: Sun 22-Dec-1991 01:45:59
From: rwb@alexander.VI.RI.CMU.EDU (Robert Berger)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

Wouldn't the problem with attachments having absolute pathnames also apply to NeXT Mail? Is there any way to fix this security hole? Or has NeXT blown it? Do the pending RFCs for multimedia mail have the same problem?
Date: Sun 22-Dec-1991 15:52:21
From: matthews@lewhoosh.umd.edu (Mike Matthews)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

In article <1991Dec22.014559.165702@cs.cmu.edu> rwb@alexander.VI.RI.CMU.EDU (Robert Berger) writes:
>Wouldn't the problem with attachments having absolute pathnames also apply to
>Next Mail?

That wasn't the problem. The problem was NewsGrazer was assuming a certain directory structure and "forcing" it.

And, just to make sure it's said, NEWSGRAZER IS NOT AN OFFICIAL PRODUCT OF NeXT. IT WAS WRITTEN BY ONE OF NeXT's EMPLOYEES IN HIS SPARE TIME.

Mike
Date: Sun 22-Dec-1991 19:10:28
From: scott@nic.gac.edu (Scott Hess)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

matthews@lewhoosh.umd.edu (Mike Matthews) writes:
>In article <1991Dec22.014559.165702@cs.cmu.edu> rwb@alexander.VI.RI.CMU.EDU
>(Robert Berger) writes:
>>Wouldn't the problem with attachments having absolute pathnames also apply to
>>Next Mail?
>
>That wasn't the problem. The problem was NewsGrazer was assuming a certain
>directory structure and "forcing" it.

Actually, no, that's not the reason. Or, at least it's not a complete reason. I am unsure how NewsGrazer handles directly-dragged attachments - if it encodes absolute pathnames (Workspace hands you absolute paths, so it's a natural thought), then it's a problem in NewsGrazer. If, instead, it just uses the filename part, then that's not a problem. On the other hand, what happens if you drag a _directory_ into NewsGrazer? What if it tars it up directly from where it's at? That could cause problems.

Either way, a scummy hacker could go into a news port, edit the various filename designators, or replace a .tar file here or there, and then let the news continue on its way. This is not even all that hard - you can submit the modified article using regular user-level programs.

So, both methods could result in something like what was seen with the .snd files. In any case, one of the problems can (hopefully) be addressed. Mail.app uses a "safe" tar program:

    howard> ls -l /NextApps/Mail.app/
    total 323
    drwxr-xr-x  2 root  wheel    1024 Nov 14  1990 English.lproj/
    drwxr-xr-x  2 root  wheel    1024 Nov 14  1990 French.lproj/
    -rwxr-xr-x  1 root  wheel  245760 Feb  7  1991 Mail*
    drwxr-xr-x 10 root  wheel    1024 Feb  7  1991 Mail Help/
    -r-xr-xr-x  1 root  wheel   24576 Feb  7  1991 MailFetch*
    -r-xr-xr-x  1 root  wheel   24576 Feb  7  1991 decode*
    -r-xr-xr-x  1 root  wheel   24576 Feb  7  1991 safetar*
    howard>

One can only assume that this safetar ignores absolute pathnames, so that we don't have the problems with unarchiving tarfiles just anywhere. Perhaps Jayson could use /NextApps/Mail.app/safetar instead of /bin/tar for unarchiving, if it's available - considering it ships on all machines, the only time it'd not be there is if someone screws around with the system.

Since Adams has not replied to this thread [I believe he's on sabbatical, but since I don't speak for NeXT or Adams, I can't verify that], we really cannot tell. Perhaps he _does_ use safetar, and the problems are from somewhere else?

Happy Holidays,
Date: Sun 22-Dec-1991 19:35:17
From: sef@kithrup.COM (Sean Eric Fagan)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

In article <10661@umd5.umd.edu> matthews@lewhoosh.umd.edu writes:
>And, just to make sure it's said, NEWSGRAZER IS NOT AN OFFICIAL PRODUCT OF
>NeXT. IT WAS WRITTEN BY ONE OF NeXT's EMPLOYEES IN HIS SPARE TIME.

It is, however, officially endorsed by the company, according to one posting about four months ago.
Date: Sun 23-Dec-1991 15:38:20
From: olson@mcs.anl.gov (Bob Olson)
Subject: Re: WARNING: Is NetNews Harboring Trojan Horses (i.e., viral like intrusions)?

In article <SCOTT.91Dec22131028@nic.gac.edu> scott@nic.gac.edu (Scott Hess) writes:
> One can only assume that this safetar ignores absolute pathnames, so that
> we don't have the problems with unarchiving tarfiles just anywhere.

It does.

> Perhaps he _does_ use safetar, and the problems are from somewhere else?

He doesn't. From strings NewsGrazer:

    cd /tmp; zcat %s | tar xf -; rm -f %s
    cd %s; tar cf - %s | compress -f | cat > /tmp/.newsgrazer.z

Looks like the argument to system() to me.

What we did here was edit the NG binary to say:

    cd /tmp; gnutar xzf %s ; rm -f %s
    cd %s; gnutar czf - %s > /tmp/.newsgrazer.z

since gnutar strips leading /'s when untarring (and tarring as well). We don't need the zcat/compress since the 'z' option to gnutar does that automatically.

--bob
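The thread's diagnosis, restated as code: NewsGrazer ran `cd /tmp; ... | tar xf -` on a tarfile taken straight from a posting, and classic tar honours absolute member names, so a member called /users/staff/petes/next/sounds/A_New_Toy.snd lands exactly there if the reader can write to "/" (hence the wheel-group observation in the first post). The example below is added here and is not code from the thread, from NewsGrazer, or from NeXT's safetar. It shows where a plain `tar xf` would write each member of a constructed archive, then extracts the same archive with a sanitizing extractor that strips leading "/" the way gnutar does, and additionally refuses ".." components and symlinks that resolve outside the target (checks the posts do not mention). The archive contents, the /tmp working directory and the traversal/symlink members are assumptions built for the demonstration.

```python
"""Added example (not from the thread): plain-tar destinations vs. a sanitizing
extractor.  The archive is constructed in memory; nothing here is the real
1991 posting, NewsGrazer, or NeXT's safetar."""
import io
import os
import posixpath
import tarfile
import tempfile


class UnsafeMember(Exception):
    """Raised for an archive member that would write outside the target."""


def where_plain_tar_writes(tar_bytes, cwd="/tmp"):
    """Compute (without writing anything) where 'cd /tmp; tar xf -' would put
    each member.  Joining cwd with an absolute member name yields the absolute
    name unchanged, which is the whole NewsGrazer problem."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        return {m.name: posixpath.join(cwd, m.name) for m in tf.getmembers()}


def sanitize_member_name(name):
    """Strip leading '/' and './' (as gnutar does) and reject any '..' part:
    stripping alone would still let 'sounds/../../etc/x' climb out."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeMember("empty member name %r" % name)
    if ".." in parts:
        raise UnsafeMember("path traversal in member %r" % name)
    return "/".join(parts)


def check_symlink_target(rel_name, linkname):
    """Accept a symlink only if its target, resolved relative to the link's
    own directory, stays inside the extraction root."""
    if linkname.startswith("/"):
        raise UnsafeMember("absolute link target %r in %r" % (linkname, rel_name))
    resolved = posixpath.normpath(posixpath.join(posixpath.dirname(rel_name), linkname))
    if resolved == ".." or resolved.startswith("../"):
        raise UnsafeMember("link %r escapes to %r" % (rel_name, resolved))


def safe_extract(tar_bytes, dest):
    """Extract under dest.  Returns (extracted, rejected): relative paths
    written, and original member names refused.  Hard links, devices and
    FIFOs are refused outright; only files, directories and vetted symlinks
    are written."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf.getmembers():
            try:
                rel = sanitize_member_name(m.name)
                if m.issym():
                    check_symlink_target(rel, m.linkname)
                elif not (m.isfile() or m.isdir()):
                    raise UnsafeMember("unsupported member type in %r" % m.name)
            except UnsafeMember:
                rejected.append(m.name)
                continue
            target = os.path.join(dest, *rel.split("/"))
            os.makedirs(target if m.isdir() else os.path.dirname(target), exist_ok=True)
            if m.isfile():
                with tf.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            elif m.issym():
                os.symlink(m.linkname, target)
            extracted.append(rel)
    return extracted, rejected


def build_demo_archive():
    """Constructed sample archive: the absolute path from the thread, plus a
    '..' traversal member and an escaping symlink (both assumptions)."""
    buf = io.BytesIO()
    data = b"constructed stand-in for the sound data, not a real .snd\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("/users/staff/petes/next/sounds/A_New_Toy.snd",
                     "sounds/../../../etc/profile"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("sounds/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tf.addfile(link)
    return buf.getvalue()


def demo():
    """Run both views over the sample archive; returns
    (plain_destinations, extracted, rejected, sound_file_landed_under_dest)."""
    archive = build_demo_archive()
    plain = where_plain_tar_writes(archive)
    dest = tempfile.mkdtemp(prefix="safetar-demo-")
    extracted, rejected = safe_extract(archive, dest)
    landed = os.path.isfile(os.path.join(dest, *extracted[0].split("/")))
    return plain, extracted, rejected, landed


if __name__ == "__main__":
    plain, extracted, rejected, landed = demo()
    for name, path in plain.items():
        print("plain tar would write %-45s -> %s" % (name, path))
    print("safe_extract wrote:", extracted, "refused:", rejected, "ok:", landed)
```

Since Python 3.12 the standard library's `TarFile.extractall(filter="data")` applies an equivalent policy (absolute names stripped, traversal and escaping links refused); the example does it by hand so the rule the thread arrived at, and the two cases gnutar's slash-stripping alone does not cover, are visible in the code.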
These are the contents of the former NiCE NeXT User Group NeXTSTEP/OpenStep software archive, currently hosted by Marcel Waldvogel and Netfuture.ch.