CIAC Notes

Number 95-12: September 25, 1995
ATTENTION: CIAC is available 24-hours a day via its two skypage numbers. To use this service, dial 1-800-759-7243. The PIN numbers are: 8550070 (for the CIAC duty person) and 8550074 (for the CIAC manager). Please keep these numbers handy.
This edition of CIAC NOTES includes:
  1. Public Telnet Services
  2. Securing X Windows
  3. Merlin Beta Released
  4. Microsoft Word Macro Viruses
  5. Allegations of Inappropriate Data Collection in Win95
Please send your comments and feedback to ciac@llnl.gov

Public Telnet Services

by Marvin Christensen

Intruders do not always have to exploit a vulnerability to breach security. It may be possible for the intruder to use available systems services to achieve their objective.

Intruders are using public, non-passworded accounts to hide their tracks. During one investigation, an intruder was back-tracked through five systems before he was lost. Even though the services the intruder used were not used for their indended purpose, prosecution of the intruder would be very difficult.

The Problem

While library information systems are the most common type of system to make use of local telnet clients, other systems use telnet for similar capabilities. Library systems use telnet to allow the internet library patron to connect to other libary services on the net (i.e. "Press 1 to connect to the Big University Over There's library system"). The Internet's library information systems form a large interconnected web of their own. A given library system may have pointers to dozens of other systems. Connections to target library systems are usually implemented using telnet clients.

In attempting to prevent people from connecting to their site only to connect out again to another site, system adminstrators infer that all incoming connections are telnet sessions. Outgoing telnet connections using a local telnet client are directed to a preselected destination host (and optionally, port).

What the designers of these systems have missed is that many modern telnet clients allow the user to change environment variables. By changing the environment intruders can obtain a command prompt at the remote telnet client with user priviledges. Once they have the attention of the remote client they can issue an open to any reachable host and port. Intruders can chain the connection through several systems by changing the environment at each connection.

Assessment

CIAC considers this a serious problem that will become even more serious when it becomes common knowlege that these library information systems can be used to hide the intruders origin. System hiding techniques are often used by persons who conduct unauthorized and/or illegal activity.

Do not use a fully functional telnet client on systems that permit public access. The telnet client should be modified to not allow the user to enter the command prompt or telnet command prompt.

Securing X Windows

CIAC has added the document "Securing X Windows" to its 2300 series document collection.

X Windows enjoys great popularity with users, in a variety of environments. Its client/server model of application management allows for powerful, flexible interaction between users and computers. Unfortunately, this power comes at the cost of security. X Windows, if not managed properly, can create a serious vulnerability. This paper explores many of the security problems and solutions in X Windows.

Merlin Beta Released

CIAC announces the public release of the Merlin beta! Merlin, an exciting new UNIX tool, adds an easy-to-use graphical interface to several popular security tools, including Tiger, Tripwire, COPS, Crack, and SPI. The graphical interface simplifies and extending the capabilities of these security tools.

Here are some of Merlin's features:

Microsoft Word Macro Viruses

by William J. Orvis

Macro viruses, that's right, its plural now. Currently at least two macro viruses in the wild infect Microsoft Word documents; the WinWord.Concept (Word Prank) and WordMacro.Nuclear viruses. Both of these viruses infect document files for Microsoft Word version 6 or later on any platform. The viruses don't overwrite a document, but attach a macro program to the document that is loaded and run when the document is loaded. These first two viruses are not particularly damaging, but could easily have been so.

Microsoft Word version 6 and later have a macro capability known as WordBasic (for more information, choose the Programming with Microsoft Word section in the Word Help Contents). WordBasic is essentially the Basic programming language with extensions to make it easy to access the contents of open documents. WordBasic was intended to be used to perform special editing and formatting tasks that were not part of Word's built-in command set. A publisher I know uses WordBasic to initialize a writer's document, insert standard headers and footers, and set the default formatting. Most Word users don't even know they have it, but it is available in all the current versions. If you are using a version of Word that does not have WordBasic, you are not at risk. To see if you have WordBasic, see if a Macro command exists on the Tools menu. If so, then you have WordBasic.

Like most macro capabilities, WordBasic has the capability of creating auto execute (AutoExe), auto open (AutoOpen), and auto close (AutoClose) macros, which are the mechanisms the viruses use to take control of a computer and install themselves. An auto execute macro is one that automatically runs every time you start Word. The auto open and auto close macros run whenever you open or close the document they are attached to. When you open an infected document, its auto open macro runs and installs an auto execute macro in your global macro file (normal.dot). Once that is done, the virus code is executed every time you startup Word. The virus code then writes copies of itself onto every document you save with Word.

WordBasic is an interpreted language, that is, the programs are written in text form, which are read and executed whenever the program is run. This facility makes the code and the virus independent of the platform they are running on. The virus does not have to be written in machine language, but runs on any machine with a WordBasic interpreter. Thus, the viruses run equally well on a Macintosh, or any machine running Windows or Windows NT.

WinWord.Concept (Word Prank)

This is the first virus discovered of this type. It does nothing but replicate itself. You can detect the virus the first time it executes, because a dialog box appears containing the single digit 1. After the first infection, you can detect an infection by looking for the following line in the WINWORD6.INI file in the WINDOWS directory.

WW6I=1

Microsoft has made a disinfector available to detect and remove this virus from a system and from infected documents. The disinfector is a document named scan831.doc. It is available directly from Microsoft at:

To use scan831.doc, simply open it with Word. As soon as it is opened, it innoculates your system against the virus and cleans any infected documents as you save them. It also contains a procedure called CleanAll, which can be used to check and clean individual files or whole directories of files.

WordMacro.Nuclear

The WordMacro.Nuclear virus is similar in operation to the WinWord.Concept virus in how it infects files, but contains an additional payload. This virus contains a dropper for a DOS virus, as well as the document infector, and if the date is April 5th, it deletes command.com.

You can detect the virus by listing the macros installed in Word, using the Tools Macros command. In the Macro dialog box that appears, make sure that the Macros Available In: box is set to: All Active Templates. If all the macros in the following list are listed in the Macro Name list, you probably have the virus. If only some are there, you probably don't.

AutoExec
AutoOpen
DropSuriv
FileExit
FilePrint
FilePrintDefault
FileSaveAs
InsertPayload
Payload

You can also detect the virus when printing a document during the last 5 seconds of any minute. If you do, the following text appears at the top of the printed page.

"And finally I would like to say:"

"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"

It is not known at this time if scan831.doc will protect or remove this virus. To install some protection by hand, create an AutoExec macro in your normal.dot file. It does not have to do anything, it just has to be there. If the virus finds this macro already in the normal.dot file it does not infect a machine.

To clean documents and normal.dot by hand, you must delete all the macros in the above list from the document's and from normal.dot's macro list. Note again that all of the macros in the above list must be present for the virus to work. If only some are present, they likely came from some other source, for example, scan831.doc installs a Payload and an AutoClose macro in your normal.doc template, which you don't want to delete. To delete a macro from a file, open the file and select the Tools Macro command. On the Macro dialog box, click the Organizer button. On the Organizer dialog box, click the Macros tab and you will see two lists. One is usually set to the normal.dot file and the other is available. Click on a macro name and click Delete to remove it. To open another file to clean it, click Open File to select and open the file, then delete any macros.

Other Concerns

Most popular packages have a macro capability, and thus are at risk to new viruses of this type. Spreadsheets, project managers, database managers and word processors all have a built-in macro capability. If you have these utilities and are not using the macros, it would probably be a good idea to disable the auto-execute capabilities if possible.

For example, in Word for Windows, holding Shift when starting the program or opening a file disables any autoexecute macros that would have been started by that action. To permanently disable auto-execute macros, add /mDisableAutoMacros to the winword startup line. Select the Word icon in the Program Manager, select File Properties, and in the Program Item Properties dialog box, add the flag /mDisableAutoMacros to the right of the text in the Command Line box, so it reads something like the following (Note that the path to winword.exe may be different on your machine.)

C:\MSOFFICE\WINWORD\WINWORD.EXE /MDISABLEAUTOMACROS

The next time you start Word, all auto-execute macros will be disabled, including those in the scan831.doc file. To use auto-execute macros again, you must remove the flag you just added.

Allegations of Inappropriate Data Collection in Win95

by William J. Orvis

Over the last couple of months, allegations have been made in several Internet newsgroups, that Microsoft was collecting information about a users files and directories without the users consent. This collection supposedly occurred when the user registered Win95 or connected to the Microsoft Network (MSN). Note that we have not detected any unauthorized transmission of information. In the May 22, 1995 edition of Information Week (p. 88), an article in the In Short column on software piracy said:

"Microsoft officials confirm that beta versions of Windows 95 include a small viral routine called Registration Wizard. It interrogates every system on a network gathering intelligence on what software is being run on which machine. It then creates a complete listing of both Microsoft's and competitors' products by machine, which it reports to Microsoft when customers sign up for Microsoft's Network Services, due for launch later this year. Customers must actively disable the routine if they don't want it to run."
Later posts to some Internet news groups included a copy of the Information Week article plus the following:

"An update on this. A friend of mine got hold of the beta test CD of Win95, and set up a packet sniffer between his serial port and the modem. When you try out the free demo time on The Microsoft Network, it transmits your entire directory structure in background. ..."
The official response from Microsoft in the WinNews Electronic Newsletter (Vol. 2, #8, June 5, 1995) is as follows:

REDMOND, Washington - May 30, 1995
Microsoft today responds to customer confusion with the on-line registration option of Windows 95. Microsoft reassures customers the on-line registration feature preserves user privacy. The confusion began last week when an industry publication incorrectly reported that the on-line registration option sent information on customers' computer systems to Microsoft without consent. This article, and several subsequent posts on the Internet, alleging the unauthorized query and sending of customer information, are not accurate. In fact, the on-line registration option is simply an electronic version of the paper-based registration card that will ship in the Windows 95 product box. Similar to many paper-based registration cards, on-line registration is completely optional and allows customers to provide their system information for product support and marketing purposes.

The on-line registration option in Windows 95 provides a more convenient and accurate method for registering than the paper-based card that comes in the product box. This is because the information is gathered directly from the local computer rather than requiring the user to guess their system information, and then type it and send via a separate card.

The on-line registration process uses three steps to register customers. Customers are asked to provide information such as Customer Name, Company Name, Address and Phone Number. Customers are then presented the option of providing information about their computer system's configuration. A screen displays a list of the computer system's configuration information - such as the processor type, amount of RAM and hard disk space, and hardware peripherals such as network card, CD-ROM drive, and sound card. This information is gathered by the registration program which queries the system registry of the local computer. Customers must review and explicitly choose to provide the information or it is not sent. Customers are then presented with a list of application programs that reside on the local computer and asked if they would like to provide this information as well. The list of products is gathered by the registration program which looks for a list of programs on the local hard disk. The user must again explicitly choose to provide this information as part of the registration process or it is not sent.

Once the user chooses to send the information, the registration process is completed by sending the registration information to Microsoft. On-line registration uses the transport of the Microsoft Network to send the information. The customer does not have to be a Microsoft Network subscriber to register on-line, and once registered, the customer is not a Microsoft Network subscriber. Registering Windows 95 is a separate process from signing up for the Microsoft Network. Contrary to reports, the on-line registration feature does not query serial numbers or product registration information designed to fight software piracy. It also does not query computers on the local or wide-area network. For a list of the exact information gathered by on-line registration, the user can view the REGINFO.TXT file found in the C:\WINDOWS directory of the local computer.

The on-line registration feature of Windows 95 is an option for customers that makes registering Windows 95 more accurate and convenient. Providing computer- specific configuration information is strictly up to the customer. The registration information helps Microsoft build better products, as well as offer customers better information on their programs and better product support.

To check these allegations, CIAC built a serial packet sniffer to examine the message traffic between Win95 and Microsoft. Using this sniffer and the released version of Win 95, we examined the message traffic during Win95 registration, MSN registration, and MSN use. At no time did we see any unauthorized transmission of information. Everything we saw supported the claims in Microsoft's response.

During the Win95 product registration, the Registration Wizard does collect information about your hardware and software, but it asks you if it can send that information to Microsoft before actually doing so. If you answer No, the information is not sent. The information actually sent to Microsoft during registration of the Win95 product is contained in the file reginfo.txt in the windows directory. Examine this file after completing the registration process to see what information was sent to Microsoft.

During registration and use of the MSN network, nothing suspicious was sent to Microsoft. We did note, that the credit card number you must specify to pay for your connection to MSN is sent in the clear. However, you should realize that this is no more risky than giving your credit card number over the phone to any other company whose products you want to buy.

Many applications register themselves over the network whenever you start them up, so the risk is there that an application running on a networked machine could send inappropriately obtained information to some other site. While this could be done, it is unlikely that a large company would take the risk, because the damage to a company's reputation (not to mention legal action) would be severe.

Who is CIAC?

CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability. Established in 1989, shortly after the Internet Worm, CIAC provides various computer security services free of charge to employees and contractors of the DOE, such as:

CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center. Further information can be found at CIAC. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. See FIRST for more details. CIAC services are available for fee to other Federal civilian agencies. Contact Nancy Adair in the DOE Oakland Operation Office 510-637-1741.

CIAC can be contacted at: 

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov
For emergencies and off-hour assistance, DOE and DOE contractor sites may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, pgp public key, and other information are available from the CIAC Computer Security Archive. 
   World Wide Web:       http://ciac.llnl.gov/
   Anonymous FTP:               ciac.llnl.gov (128.115.19.53)
   Modem access:  (510) 423-4753 (14.4K baud)
                  (510) 423-3331 (14.4K baud)
CIAC has several self-subscribing mailing lists for electronic publications:
  1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information;
  2. CIAC-NOTES for Notes, a collection of computer security articles;
  3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
  4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.
Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName FirstName and PhoneNumber when sending E-mail to ciac-listproc@llnl.gov: 
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes O'Hara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
End of CIAC Notes Number 95-12 95_09_25