Managing Network Security

Bonus Article: Incident at All.Net - 1999 Edition

by Fred Cohen


Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Background and Introduction

I guess it just comes with the territory... When you spend your career providing information protection services and have great effect, every once in a while, somebody will try to sully your reputation and bring down your Web sites. That's what they tried in late April of 1999.


In Preparation


The Precursors

This incident is not the first at all.net, and it likely won't be the last, but it started near the end of January of 1999. I was teaching a bunch of Cyber-Cops about attack and defense techniques as part of my work at Sandia National Laboratories, when I got a report from the net about a new virus that was designed to steal and transfer PGP keys (via ftp) to the codebreakers.org Web site.

My reaction was to tell the world about the problem, and as is my policy, I attached my name to the report. In my view, it is a matter of integrity that people be willing to put their names on the line when they say something. While there are cases when I don't reveal my name, they are few and far between, and it's usually done to protect a client. The people at codebreakers.org wanted to lash out at me for revealing their association with theft of information, and through public pressure, they were temporarily put out of service. While I had nothing to do with the effort to put them out of service, they blamed me for it and threatened me with retribution. (see the emails included below).

They have tried several times by now, and mostly they have failed. We know who they are, but there's little I can do about them - other than to testify when they are tried and sent to jail. The first attempt was to introduce a Virus that had my name as the author. They released it on alt.sex in a file that included access information on pornography sites - their favorite way to get things distributed. Then they tried a variety of low-level denial of service attacks - all failures. Then, when the Melissa virus hit, they saw their chance.

They quickly got a copy of this virus and modified it in a few ways... First, they changed the subject heading to claim that the message was from me. An obvious lie to anyone who visits the Web site included in the subject - it's my site - all.net - and if you are reading this - you know that I'm not likely to be the source of such malicious code. Then, they added code to the virus to cause every computer that got it to send a large ping packet to both the all.net site and another computer I sometimes use to visit the Internet.

The intended effect was to get millions of packets through the infrastructure aimed at my sites - and as a result - to bring them down. To anyone who has studied the issue, this is not likely to succeed against my sites - and it didn't - but the packets emitted from the 129.137.216.198 IP address did cause somewhat of a problem for the @home network. For one reason or another, they decided to send millions of these packets over the Internet toward my site. While my computer hardly noticed the activity (we block these packets at the firewall), their efforts did, apparently, manage to take down a large part of the @home network in two major cities for about 2 hours. Then - after a few hours of getting the network back up - the packets started coming in from the 207.136.52.136 IP address.

Now, after 2 hours of outage the first time, I managed to get through to the @home folks. Actually, I was on hold for 45 minutes once and then got disconnected - and then was on hold for another 45 minutes and got through. Their messages indicated that Detroit and the Bay area were down, and that people should only stay on the line if they were not from these areas - but I knew that this was related to my site and that telling them the details would help them remedy the situation. When I did get to explain the situation the first time, it was to a fairly low-level technician - who could not get me in touch with a higher level technician because they were all too busy trying to figure out what was happening. I indicated that they should have a high-level person call me back - but they were confident...

At the peak of the packet storm, I was on the Internet over a redundant connection maintained for just such a situation, and the main all.net Web site was operating safe and sound - thanks to the special configuration we have long arranged with Netcom for that site. The FBI and other law enforcement officials were notified and logs of the events were provided while it was under way.

The second time @home went out, my call got through in only about 15 minutes - late in the evening they get fewer calls you know. I still couldn't get a high-level technician, but I did manage to convince the lower level person that I knew how to fix their network, but she just couldn't understand most of what I was saying. She walked over and got a higher level technician who understood a bit more, at least enough to write it down. I again told him to have the higher level people get in touch with me so that I could explain how to fix the set of problems they would be having over the next... forever - unless they took the time to listen to what I had to say. And so it was with some minor concern (for their network - remember - I was online via my alternative channel) that I hung up and figured that this time they might bother to call back. Wishful thinking...

My plan was to tell them that they should filter all ICMP packets bound for games.all.net at their routers. After all - I don't use ICMP - and this way their whole network would be spared the packet floods - not only for now - but for the indefinite future. I also wanted them to track the perpetrators down because by now, they were likely to be thrown in jail because they had surely exceeded the threshold of bothering to arrest and prosecute - hadn't they? I had a pretty good idea of who did it - look at the listings below for more details. I also noticed that there were attempts at Web service just before each of the packet storms - from 131.107.3.76 - a Microsoft address. They would try 2 Web accesses - and then the floods would start just a bit later.

The second time I got through to @home, the packet floods stopped in about 10 minutes. They were getting better at blocking - I guess practice makes perfect - and I had filtered the 131.107.3.76 address so that they would never detect the node as back up. Now - the question was - would this be the end of it...

No way - in San Jose. Actually, they are not in San Jose, but it sounded good. The @home network has its central offices in Silicon Valley near San Jose, and I suppose they get a lot of calls from people that think they know how to solve their infrastructure outages. So it's not surprising that you can never ever talk to their top level technical people. Throughout the night - while I was sleeping - they were working, and when I called in the morning to try to explain it to them again, they still didn't seem to get it - and the packets just kept on coming. The list of IP address sources was now expanding - leading me to believe that the earlier version of this virus (which did not work) had been replaced by one that did work.

To their credit, the @home network has enough bandwidth that the service operated in the morning even with the significant bandwidth being consumed by the PING packets. My system working the whole time, so we only really used the redundant (dial-out) connection for 15 minutes through the whole thing.

By the morning of the 30th, the FBI had gotten back to me. Now normally, I don't call the FBI about such things. After all, there is nothing of any significance that attackers can do to my site. It's just an Internet access point for me - the real service is hosted elsewhere. Add to this a redundant connection when I need it and it's basically optional across the board. But when I see a crime that affects a lot of people, I do try to report it. In the case of the previous PGP key theft virus, I reported it because of the potential for high volume information theft. The FBI tracked down the source, but they didn't seem to be much of a real threat to the world, so the FBI let them go with a phone call warning. But this time, they were impacting Internet traffic on a larger scale. Since we had some good suspects for this thing and the attack was bringing down significant portions of the infrastructure, I figured it was worth an arrest. Of course proving the responsibility for the crime is another matter. And I don't claim to know for certain that any of the codebreakers were responsible - only that they published threats - and the threats were realized soon thereafter.

By 7:30 AM on the 30th, the folks at @home figured out what I was trying to tell them and configured their routers to eliminate the packets from getting to my host - and I assume the rest of their network was also re-rigged to handle the situation. The packet storms keep coming, but @home is now responding more rapidly, and service is not significantly slowed to anyone in the @home network.


To sum up - when you see all.net as part of an attack, you can bet your bottom dollar that it means we have helped to catch some more of the bad guys. They don't like getting caught.

Fred Cohen
Fred Cohen & Associates


Related Stories


New Virus Launches Mini Infowar
March 30, 1999
By Brian McWilliams
InternetNews.com Correspondent
Business News Archives

A new macro virus based on the infamous Melissa has been released into the wild, and it may be the latest phase in an infowar between hackers and a security consultant.

According to virus experts, the so-called Papa virus is transmitted in the same manner as Melissa, sending copies of itself to addresses in a victim's Microsoft Outlook address book.

But while Melissa seemed designed to snarl up computer networks everywhere, Papa targets a specific person, Fred Cohen, a security consultant in Livermore, Calif.

The virus, which is transmitted by e-mail in a Microsoft Excel file named path.xls, attempts to launch a ping flood on Cohen's web site at all.net, as well as on the IP address of Cohen's connection to the @Home Network cable Internet access service.

Cohen was among the first in the security community to publicize information about Caligula, a macro virus capable of stealing a victim's PGP private keyring. PGP is a popular encryption software package.

In a posting to a security mailing list last month, Cohen called on the Internet community to attack the web site of the Codebreakers, a virus writer's group to which Caligula's author belongs.

Cohen Tuesday confirmed the Papa virus is some sort of retaliation for his actions. But Cohen said there's been collateral damage to innocent Internet users, including severe performance degradation to the @Home Network.

"It's not an eye for an eye. They're causing damage to the infrastructure and inconvenience to people who get the virus. If they pester me, I don't care and nobody else cares. But if they take down the infrastructure, they'll go to jail."

@Home Network representatives were not available to confirm whether the attack on Cohen's IP address has impacted performance of the network.

Many antivirus software vendors have already released updates to detect and clean Papa. Keith Peer, president of Central Command, distributor of AntiViral ToolKit Pro said Papa is already spreading fast. His firm is receiving dozens of reports every hour.


Related Stories


Copycat virus follows quickly on Melissa's heels

By Michael Lattig and Dan Briody
InfoWorld Electric

Posted at 11:30 AM PT, Mar 29, 1999

Network Associates has discovered an e-mail virus similar to the Melissa virus that company officials said they believe is even more dangerous than its predecessor.

Dubbed Papa, the new virus is an Excel virus that sends itself in the same manner as Melissa, but sends itself to the first 60 people in a user's address book compared to 50 with Melissa. In addition, Papa sends an e-mail out every time the virus is activated. Melissa only sends the message the first time it is opened.

This time the subject line claims the message is from "all.net and Fred Cohen." The body of the e-mail, which contains an attached document titled "path.xls," then instructs the user not to disable the macros, which is how the virus is activated.

According to Sal Viveros, group marketing manager for total virus defense at Network Associates, the most disruptive aspect of Papa is the fact that it "pings" an as-yet-undetermined external site to make sure there is an available Internet connection. The practice of pinging is not unusual, but Papa pings so many times that it brings the network down.

The biggest concern from a corporate security standpoint is that any document infected with the virus and then e-mailed to another party is distributed in the same way the Melissa virus is, leaving companies vulnerable to having confidential documents distributed unknowingly.

Viveros believes Papa was written by a different person than the author of Melissa, but that it uses the original virus as a road map. This practice of using similar mechanisms to deliver more destructive payloads is not unusual, noted Viveros, which could mean a string of such similar viruses could be on the way. Variants, however, should be less disruptive because virus-detection vendors know what they are looking for. Network Associates expects to post software for detection and cleaning of the Papa virus by Monday afternoon.

The Melissa virus first sprang up in countless e-mail inboxes around the world on Friday, replicating itself to end-user address books and sending an exhaustive list of pornographic Web sites to everyone therein.

According to Viveros, Melissa is the widest spreading virus he has ever seen, hitting approximately 80 percent of Network Associates' major customers, which amounts to almost 100 companies. A significant number of those were forced to take their e-mail systems down.

The Melissa virus hampered -- and in some cases entirely shut down -- e-mail systems for companies the world over. Microsoft, for example, put a halt to all outgoing e-mails throughout the company on Friday to guard against spreading the virus.

"Viruses are a serious issue. We and our partners had to respond pretty quickly last week and now have clear guidelines on how to use the [Exchange and Outlook] software to block the message and stop it from getting around. That message [of a fix] is getting out, and the virus has been addressed," said Bill Gates, CEO of Microsoft, in Redmond, Wash., on Monday.

"These things are very rare. The incidence is going down, but there's work for us," Gates said.

At risk are Microsoft Exchange Servers running Microsoft Outlook. With an ever-changing subject heading of "Important Message From [end-user name]," the attachment to the e-mail is a document entitled "list.doc" with a body of text stating, "Here is that document you asked for ... don't show anyone else ;-)."

Upon opening the attachment, Microsoft Word 97 will ask if you want to disable the macros, to which you should reply yes, or the e-mail will automatically be sent to the first fifty names on each company mailing list.

"If you don't disable the macros, the virus resends itself to everyone in [your] address list," said John Berard, a spokesman for Fleishman Hillard, which was infected by the virus and inadvertently spread it around.

In addition, the virus automatically changes the security settings of an infected system to the lowest possible setting, a slick move that has IT managers wondering if they will have to manually reset every infected PC in their enterprise.

Dan Schrader, director of product marketing at anti-virus software maker Trend Micro, said the virus is easy to detect and not destructive in nature. But it can cause serious bandwidth constraints and contains several quirky characteristics.

One of those is a hidden message from the popular TV series "The Simpsons" that is inserted into any open documents whenever the date and the time - 2:29 on the 29th for instance - match.

A fix for the Melissa virus is now available from most major anti-virus software vendors.

Michael Lattigis an InfoWorld reporter. Dan Briody is InfoWorld's Client/Server editor.


Related Stories


Melissa' virus swamps corporate e-mail

Virus spreads like wildfire, victimizing Microsoft, Intel, many others.
By Mary Jo Foley, Sm@rt Reseller, and Lisa M. Bowman,
ZDNN
March 26, 1999 6:07 PM PT

The virus, which was identified by Network Associates Inc. as 'Melissa,' originated in Western Europe and was first discovered on the alt.sex newsgroup. Computer security experts said the virus wreaked havoc with corporate e-mail as it sped across the Internet on Friday.

"The proliferation of this virus is something we've never seen before," said Srivats Sampath, general manager of Network Associates' McAfee unit.

"Because there's so much e-mail passing through a server, it's basically taking down the servers," Sampath said. He added that twenty large companies had been infected by late afternoon, including one that saw 60,000 users affected.

Microsoft e-mail suspended
At Microsoft, the company suspended all incoming and outgoing Internet mail Friday.

"We're a victim, like any other company on the outside," of this virus, said a Microsoft spokesman.

The spokesman said Microsoft's product support division has been in contact all day via e-mail and phone with Microsoft's customers and partners, alerting them about the virus.

"We made an IT (information technology) decision in the early afternoon and agreed it was pro-customer and pro-partner to shut down our Internet mail portion. As soon as we feel tight on this, probably in the next few hours, we will turn this back on and process all the mail in the queue."

At least one division of Intel Corp. also reported problems resulting from the macro virus. A public relations spokesperson acknowledged that some of the company's e-mail servers had gone down as a result.

A representative at Waggener Edstrom, Microsoft's public relations agency, which also was hit by the virus, according to several sources, acknowledged problems caused by a 'malicious macro virus.'

Melissa's sophisticated bite
The Melissa virus propagates via e-mail. Attached to the e-mail is a Word file that, if opened, launches a macro that replicates a message to the first 50 names in the recipient's Outlook address book. The subject line reads: "important message from," followed by a user name. The body consists of a text message that says, "Here is that document you asked for... don't show anyone else;-)." The infected documents reportedly contain information on porn Web sites.

The virus specifically affects Outlook and does not trigger the multiple e-mails on other messaging platforms, such as Lotus Notes. However, people using e-mail software other than Outlook may be able to spread affected files by sending them to Outlook users, experts said.

McAfee added the virus to its virus database Friday. More information on the virus is can be found on McAfee's site.

It sounds pretty sophisticated," said Peter Deegan of Woody's Office Watch. who'd been notified of the virus but hadn't seen it.

He said the virus sounded unusual because of its effect on mail servers. Usually, such viruses attack individual machines, but this one apparently can overload mail services by sending out repeated messages.

People cannot get the virus by merely opening up a message, only by opening the attached document. "Always be careful of anything that arrives by e-mail," he said.

The virus also appears to turn off Office's macro protection, which could leave users more vulnerable to future viruses. After cleansing their machines of the virus, those affected might need to reactivate the macro protection.

In another twist, the virus causes a specific phrase to pop up when the time of day, matches the date (for example, at 3:26 on March 26). The phrase reads: "Twenty-two points plus triple word score, plus 50 points for using all my letters. Game's over. I'm out of here."

Right now, that feature is benign, but security experts say it could be used to delete files if a malicious hacker creates another version of the virus.

Word 97, Word 2000 vulnerability
Antivirus software vendor TrendMicro noted on its site that the so-called W97M_Melissa virus can attack via both Word 97 and Word 2000 documents. If the virus attacks via Word 2000, says TrendMicro, "it will lower the security setting to the lowest level by modifying the registry and will disable the Word menu commands (MacroSecurity) which allows the user to reinstate security settings."

"This is spreading faster than any virus we've seen before, because we've only seen a few e-mail-activated viruses in the wild before this," noted Dan Schrader, director of product marketing at TrendMicro.

Schrader said the best way for companies to stamp out Melissa is to run virus protection software at the server, not the desktop, level. TrendMicro says it already updated all of its products to detect this virus as of today. The company also is offering a free service on its Web site, allowing administrators and customers to scan their machines for any virus, including Melissa.

Additional reporting by ZDNN's Charles Cooper and Sm@rt Reseller's Deborah Gage.


Related Stories


fc Fri Jan 29 23:11:40 1999
Subject: New attack on PGP keys with a Word Macro
To: risks@csl.sri.com
Date: Fri, 29 Jan 1999 23:11:40 -0800 (PST)
From: Fred Cohen 
Reply-To: fred at all.net
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1963      

I just got a look at a Word file (CALIG.DOC) that contains user IDs and
passwords to pornographic sites.  In addition to these pointers, it has
a Trojan Horse that finds the user's private PGP key ring and ftp's it
to:

        209.201.88.110 (codebreakers.org)
        user anonymous
        password itsme@
        directory incoming
        binary mode
        stored name: NewSecRingFile[0-9][0-9][0-9][0-9]

This Trojan does its job in visual basic and - except for the initial notice
(if enabled) that macros are present - gives no indication of this function
that it performs. I figure the best defense against this is to:

        1) Have thousands of users ftp phoney files to that IP address
        and filename on a regular basis, thus making it impossible to
        get any real PGP keys - preferably send valid-looking PGP keys
        so they have to waste a lot of time cracking them.

        2) Cut off all service for ftp with 209.201.88.110 (codebreakers.org)
        - either at the ISP, at your gateway, or at the borders to your country.

        3) Prosecute for possession of access devices - with international
        cooperation between authorities.

        4) Tell your people that this has been done so they will stop looking at
        pornography listing files fat chance this will work).

At any rate, I hope that you will take prudent precautions within your
organization against this potential attack on the security of your
private keys.


Related Stories




fc Thu Feb  4 19:43:31 1999
Subject: More on the Caligula virus
To: risks@csl.sri.com
Date: Thu, 4 Feb 1999 19:43:31 -0800 (PST)
From: Fred Cohen 
Reply-To: fred at all.net
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 1889      

It now looks like it is definitive that the author of this virus goes by
the handle 'opic' (he has admitted it) and the 209.201.88.110 web site
(codebreakers.org) is actively supporting the attack by altering its ftp
server so that the name space does not get exhausted regardless of names
used by incoming files.  It is now also established that this virus is
spreading 'in the wild'.  The author claims that it was accidentally
released (and that he therefore is not responsible for it).

This change by the codebreakers.org web site means that the defense
involving sending that site files with the names:

        NewSecRingFile[0-9][0-9][0-9][0-9]

no longer works.  The only viable option is to block ftp service with
209.201.88.110 at your firewall.  If you log this, it will also tell you
which of your systems has this virus, enabling you to clean it up more
rapidly.

Naturally, the owners of the codebreakers web site and others friendly
to them have made threats about getting even - here are example quotes:

SPo0Ky :
        'what will you say if you encounter a virus which will make every
        infected user send you hate email.  ask Nick Fitzgerald how he liked it. 

Lord Natas :
        'Don't worry, we are aware and currently dealing with Mr. Cohen'

k-man:
        'Good. I trust that he will be rendered "harmless" quite soon.'


Related Stories


fc Sat Mar 13 21:14:10 1999
Subject: They threatened, and apparently they have caried out part of their threat...
To: risks@csl.sri.com
Date: Sat, 13 Mar 1999 21:14:10 -0800 (PST)
From: Fred Cohen 
Reply-To: fred at all.net
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 3094      
Status: RO

I just go this happy note from a sender who will remain anonymous for
obvious reasons.  Before continuing on, the reader should be aware of
the previous threats made by several virus writers associated with
codebreakers.org (published in a recent Risks) who were offended by the
fact that their ISP decided to shut their site down.  They believe that
I caused this to happen and have decided to get even by associating my
name and Web site with the virus.

I did not write the virus and it has never been to my Web site or on any
of my systems (I don't run Excel or Word).

FC

> Here's a message (see below) I have just posted to the following three
> newsgroups:
> 
> alt.binaries.erotica.gaymen
> alt.binaries.pictures.cocks
> alt.personals.gay
> 
> concerning two word documents which I downloaded containing a virus.
> The file information for both documents listed the author as Fred Cohen and the
> corresponding website as www.all.net
> 
> Just thought you might be interested to be informed.  Perhaps if Mr Cohen wasn't
> the perpetrator of the virus himself, then perhaps he should be aware that his
> system has picked it up from somewhere and passed it on!
> 
> N
> 
> =====================================================================
> 
> 
> I recently (& stupidly?) downloaded two Word documents from, I think, one of
> these
> newsgroups, which supposedly gave details of adult site passwords.
> (Contents
> of files repeated below - both were the same.)
> 
> Although I subsequently deleted these files, my copy of Norton AntiVirus
> (armed with the latest set of virus definitions dated 8 March 1999) later
> detected that these files were infected with a virus. (It detected them
> because, although deleted, they were still present temporarily in the Norton
> protected recycle bin.)
> 
> The virus is called 097M.Jerk and is a Polymorphic macro virus which infects
> Excel97 and Word97 files.  There are apparently two variants, both of which
> causing a message to be displayed in May/June I think.
> 
> Just to warn anyone who might have downloaded these documents also!  Beware!
> 
> N
> 
> ===================================
> 
> The contents of the doc file were:
> 
> 
> Contents:
> 
> AVS,     Login,     Password
> Adult Check Gold, 9478ultrahouse
> Adult Check, 8552valjeanl -
> Adult Check, 3688freebees -
> Adult Check, 3929zeke0001 -
> Sex Key, eric, eric
> Adult Pass, pp, pp
> I Shield, alpha, alpha
> Porno Pass, queethoth, -
> Age Pass, hollywood, hollywood
> Adult Access, aston, villa
> Adult Rated, robin, -
> Privat-Eyes, dick, -


About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fred at all.net or visiting /