-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Capability
             __________________________________________________________

                             INFORMATION BULLETIN

                              The Glacier Backdoor

April 27, 2001 23:00 GMT                                          Number L-077
______________________________________________________________________________
PROBLEM:       The Glacier backdoor program allows an intruder to remotely
               control a Windows computer. The intruder can see the desktop,
               click on files, and type on the keyboard of the remote
               computer.

PLATFORM:      Windows computers: Windows NT and Windows NT Server. Possibly
               also Windows 95, 98, ME, and Windows 2000.

DAMAGE:        An intruder can remotely control a system: access any file,
               run code, type on the keyboard, and generally do whatever he
               wants on the system. The intruder could capture the passwords
               of any system you log into and send mail as you using your
               e-mail program.

SOLUTION:      Some antivirus programs detect this program. Do not run
               attachments to e-mail messages or download and run
               executables from hacker sites. The server program must be
               delivered to and run on the machine being attacked. To remove
               the code, delete the files and reset the registry keys as
               described in this bulletin.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. While the package gives an intruder full
ASSESSMENT:    control of a system, the server must be downloaded and run on
               that system by the system owner, or the system must be broken
               into by some other method and the server installed.
______________________________________________________________________________

CIAC has information that the Glacier Backdoor/Remote Control program is
being used to compromise sites on the Internet. Glacier is a backdoor/remote
control program with capabilities similar to those of Back Orifice.
After a Glacier server is installed on a host, the Glacier client is used on
a remote host to control the server. The screen of the server system can be
seen on the client system. The client can move the mouse pointer on the
server, and typing on the client's keyboard appears on the server as if it
had been typed on the server's keyboard. Other options include changing the
registry, initiating dialog boxes, collecting keystrokes, simulating errors,
and shutting down the server.

The server software can be delivered to a machine as an attachment to an
e-mail message or as a download from a web or ftp site. Running the server
installs it. After installation, the server attempts to phone home to
smtp.sina.com, a Chinese language mail server. The server installs itself in
two places and changes several keys in the registry so that it is restarted
whenever the system is rebooted and whenever an executable program is run.

Operation of Glacier
====================

The Glacier Server
- ------------------

The default name of the Glacier server program is G_server.exe, though an
intruder could change that to any provocative name that might get you to run
it. When the Glacier server program is run on a host, it makes two copies of
itself:

    %SystemRoot%\System32\Update.exe
    %SystemRoot%\System32\SysSet.exe

where %SystemRoot% is the Windows directory (C:\Windows or C:\Winnt on most
systems).

Glacier then makes changes to the registry to ensure that it is restarted
whenever the system is rebooted or an executable file is run. It adds the
value:

    WindowsUpdate = C:\WINNT\System32\UPDATE.EXE

to the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The path in the value points to where Update.exe was saved. These two
changes try twice to run update.exe whenever the system is rebooted. (The
RunServices key is only processed by Windows 95, 98, and ME; Windows NT and
2000 ignore it, so on those systems only the Run value actually fires. Remove
both anyway.)
The server then modifies the following key:

    HKEY_CLASSES_ROOT\exefile\shell\open\command

from

    "%1" %*

to

    "c:\winnt\system32\sysset.exe" "%1" %*

This change causes sysset.exe to be run whenever any .exe file is run; the
path of the program you actually asked for, and its arguments, are handed to
sysset.exe on its command line. Keep this in mind when cleaning up a system,
as running any executable program (notepad.exe, regedit.exe, etc.) runs the
backdoor program again.

The server then modifies the following key:

    HKEY_CLASSES_ROOT\txtfile\shell\open\command

from

    %SystemRoot%\system32\notepad.exe %1

to

    NotePad.exe %1

This change does not do anything useful (for the backdoor) that we can see.
It may be something the backdoor writer was going to implement but didn't.

The server next does a DNS query for smtp.sina.com, a Chinese language mail
server. If it gets an IP address for this site, we believe it sends a mail
message to that site advertising the address of the compromised system to a
mail user on that server.

The server then starts listening on TCP port 7626 for connections from a
Glacier client.

The Glacier Client
- ------------------

The Glacier client has the Chinese language GUI shown below. Note that the
GUI was run on an English language system, so the Chinese characters appear
as raw Unicode values. The disks and documents showing in the window are
files on the server system.

    [Image of the Glacier GUI interface]

The client contains a scanner for searching subnets for systems with the
Glacier server listening on port 7626. It also contains commands for
configuring the Glacier server, including changing the port it listens on
and adding a password for connections.

The small window on the lower left of the image shows the server machine
being controlled. That window can be enlarged to full size; mouse clicks in
that window are then executed on the server machine, as is any typing on the
keyboard. The small window at bottom center controls the special keys on the
keyboard.
Other options in the client include setting the port and password used to
contact the server, commands to change the registry, and various commands to
display dialog boxes, shut down the server, and so forth. Note that the
commands are listed as the Unicode values of the Chinese characters, so
determining what the commands do had to be done by trial and error on a U.S.
localized system.

Detecting Glacier
=================

If you have been infected with the Glacier server program, you will likely
notice a significant system slowdown, especially on systems with older,
slower CPUs. A Pentium 90 system slowed to a crawl when the server was run
on it.

On a Windows NT system, open the Task Manager and look for update.exe,
sysset.exe, or G_server.exe in the process list. Finding update.exe in the
task list is not a sure detection of Glacier, as there is a legitimate
update.exe program that handles Windows Internet Explorer updates.

The second place to look is the \windows\system32 (or \winnt\system32)
directory for sysset.exe and update.exe. Again, update.exe may exist on
normal systems. The backdoor program has a length of 261KB. Right click on
the program and select Properties. In the Properties dialog box for the
file, select the Version tab and click on the Language item in the Other
Version Information list. If the language is "Chinese (PRC)" on an English
language system, this is probably the backdoor program.

You can also check the registry keys mentioned above. From the Start menu,
select Run and run regedit. In the Regedit window, select the path:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

If the value WindowsUpdate exists in this key and points to update.exe, you
can be pretty sure that you have the Glacier server installed on your
system. Since starting Regedit while the exefile key is hijacked runs
sysset.exe again, leave Regedit open and go straight on to the removal steps
below rather than closing and reopening it.

A third indicator is the listening port: a "netstat -an" listing on the
suspect host, or a port scan from another machine, shows the server
LISTENING on TCP port 7626 (bear in mind that opening a command prompt is
itself running an .exe).

Removing Glacier
================

Removing Glacier involves reversing the steps that Glacier took when it
installed itself.
Note that these steps involve editing the registry, and errors in editing
the registry can make a system unbootable, so be very careful when doing so.
Because of the changes Glacier has made to the registry, starting any .exe
program (Regedit included) restarts the server, so you must perform these
steps in the correct order: get Regedit running first, then kill the
processes and delete the files, then repair the registry, without launching
anything else in between.

1. Start Regedit by clicking on the Start button, selecting Run, typing
   regedit.exe, and clicking OK.

2. In a Windows Explorer window, open the \windows\system32 or
   \winnt\system32 directory, depending on what kind of system you have.

3. Open the Task Manager and kill any processes named update.exe,
   sysset.exe, or G_server.exe. (Task Manager is itself an .exe, and
   starting it may run sysset.exe once more, so kill the backdoor processes
   only after Task Manager is up.)

4. In the System32 directory, find and delete update.exe and sysset.exe.
   Once sysset.exe is gone, the hijacked exefile key points at a file that
   no longer exists, so no .exe can be started from the shell until step 6
   is done; that is why Regedit must already be running.

5. In Regedit, open the following two keys and delete the WindowsUpdate
   values:

       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

6. Open the following key:

       HKEY_CLASSES_ROOT\exefile\shell\open\command

   and change the default (unnamed) value to:

       "%1" %*

   Be careful here, as a mistake will make it impossible to run any .exe
   file. Note that there is a single space between the closing double quote
   and the percent sign: the value is "%1", then one space, then %*.

7. Open the following key:

       HKEY_CLASSES_ROOT\txtfile\shell\open\command

   and change the default (unnamed) value to:

       "%SystemRoot%\system32\notepad.exe" %1

8. Don't quit Regedit yet. Try to run any .exe application, such as
   notepad.exe, by double clicking on it in an Explorer window. If it runs,
   great; if not, switch back to the Regedit window and check your changes
   to the registry. Don't quit Regedit until you can start an .exe
   application.

9. When everything works, quit Regedit and reboot the system. After the
   system has finished rebooting, check that the files are still gone from
   the system32 directory and that the registry keys are still how you set
   them.
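The checks under "Detecting Glacier" and the registry repair in steps 5
through 9 above can be done on exported text rather than by hand: a
"regedit /e" export and a "netstat -an" listing are enough to flag the
indicators, and the repair can be written out as a .reg file and re-checked
after the reboot. The following Python is an added example for this
bulletin; it is not CIAC's code and not part of Glacier. SAMPLE_REG and
SAMPLE_NETSTAT are constructed to look like an infected NT host, and the
function names are the example's own. The generated .reg file is meant to be
imported from a Regedit instance that is already open, for the reason given
in the procedure above.

```python
"""Flag Glacier indicators in regedit/netstat text and build the clean-up .reg.

Added example for CIAC bulletin L-077; not CIAC's code, not Glacier's code.
Input is text only (regedit /e export, netstat -an output), so it runs
offline.  SAMPLE_* below are constructed to resemble an infected NT host.
"""
import re

# Indicators named in the bulletin
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
CLEAN_EXEFILE = '"%1" %*'                       # exactly one space
CLEAN_TXTFILE = r'"%SystemRoot%\system32\notepad.exe" %1'
GLACIER_PORT = 7626


def parse_reg_export(text):
    """REGEDIT4 / 5.00 export -> {key (lower-cased): {value name: string}}.
    Only quoted string values are decoded; that covers the keys above.
    The default value of a key is stored under the empty name."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg files escape backslash and double quote with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def find_glacier(reg_text, netstat_text=""):
    """Return [(indicator, detail), ...]; an empty list means nothing found."""
    keys = parse_reg_export(reg_text)
    found = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() == "windowsupdate" and data.lower().endswith("update.exe"):
                found.append(("autostart", f"{key}\\{name} = {data}"))
    exe_cmd = keys.get(EXEFILE_KEY.lower(), {}).get("")
    if exe_cmd is not None and exe_cmd != CLEAN_EXEFILE:
        found.append(("exefile hijack", exe_cmd))
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m and int(m.group(1)) == GLACIER_PORT:
            found.append(("listener", line.strip()))
    return found


def reg_string(s):
    """Quote a string for a .reg file (backslash and quote are escaped)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_cleanup_reg():
    """Text of a .reg file that performs steps 5-7 of the bulletin.
    `"name"=-` deletes a value; `@=` sets the key's default value."""
    lines = ["REGEDIT4", ""]
    for key in RUN_KEYS:
        lines += [f"[{key}]", '"WindowsUpdate"=-', ""]
    lines += [f"[{EXEFILE_KEY}]", "@=" + reg_string(CLEAN_EXEFILE), ""]
    lines += [f"[{TXTFILE_KEY}]", "@=" + reg_string(CLEAN_TXTFILE), ""]
    return "\n".join(lines)


# Constructed sample data (not captured from a real host)
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WindowsUpdate"="C:\\WINNT\\System32\\UPDATE.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WindowsUpdate"="C:\\WINNT\\System32\\UPDATE.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\winnt\\system32\\sysset.exe\" \"%1\" %*"
'''

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7626           0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for indicator, detail in find_glacier(SAMPLE_REG, SAMPLE_NETSTAT):
        print(f"{indicator:15} {detail}")
    print(build_cleanup_reg())
```

After the reboot in step 9, export the registry again and run find_glacier
on it with no netstat text; an empty list means the autostart values and the
exefile hijack are really gone.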
If they have changed back to the backdoor values, you missed something or
did something out of order and reinstalled the backdoor. Keep trying until
the files go away and stay away.

- ----------------------------------------------------------------------------

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
                     (or http://ciac.llnl.gov -- they're the same machine)
    Anonymous FTP:   ftp.ciac.org
                     (or ciac.llnl.gov -- they're the same machine)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor
any of their employees makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-067: Linux worm Adore
L-068: Cisco VPN3000 Concentrator TELNET Vulnerability
L-069: Cisco Content Services Switch User Account Vulnerability
L-070: FTP Filename Expansion Vulnerability
L-071: Various Vendors' Network Time Protocol (NTP) Vulnerability
L-072: Cisco Catalyst 5000 Series 802.1x Vulnerability
L-073: Microsoft ISA Web Proxy Service Denial of Service
L-074: Microsoft WebDAV Runs Scripts As User
L-075: FreeBSD IPFilter May Incorrectly Pass Packets
L-076: Red Hat Ptrace and Exec Race Conditions

-----BEGIN PGP SIGNATURE-----
Version: PGP for Business Security 5.5.2

iQCVAwUBOuoJ8bnzJzdsy3QZAQFwuAP/cjbqtaHjOsxWtHADW9tPMGpTo+ic8nPp
0GW5lAW0tdO2hCQZV5kvRtpOkwE6ojy3dh0Ck96jNbrNPRaxe7S3eHBFde1xS2bE
5fNrQ56DNmZTUOSp5oLnFwimjq7RGyzt8k9MAnca0x8A1wjti75vQOJGRY0zZuVn
QHPNZdvxP+4=
=sHnK
-----END PGP SIGNATURE-----