DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY


ADVISORY NOTICE No. 2
October 22, 1996

MALICIOUS ATTACKS AIMED AT HEWLETT PACKARD SYSTEMS (BUGS)



BACKGROUND

Recently, a number of messages originating from a computer underground source have attempted to extort money from Hewlett Packard (HP) by widely distributing the details of malicious code targeted at HP systems. The source, posting from the Internet address "sod@command.com.inter.net", releases new information weekly that specifically targets vulnerabilities in HP systems running HP-UX 9.xx. Because of the intent, broad scope, and potential seriousness of this information, the ISRC undertook a preliminary effort to determine the credibility of the attacks. The information quoted below was extracted from the body of one of the messages transmitting the attack information.


EXTRACTED INFORMATION

"Well hello there, folks, and I hope the day is treating you well. My name is Colonel Panic and it has been delegated unto me to bring you news of a little project we like to call the HP Bug of the Week.

Last week, as some of you may have caught on, we put up for display a vicious little bug in HP's Remote Watch. This week, since the Glance performance monitor has been mentioned in a few places, we've decided to go with that one. HP has had a 'patched' version of Glance out for quite a while now, and if you're running it, then go stamp 'root' on your forehead 'cuz your UID has just been XORed with itself. Also, for those of you still running an older copy of glance, we've included some bugs to break those earlier revisions (but hey, get with the times!) So the price is right, come on down, grab that copy of lynx and head on over where one bug a week is the promise that we keep, lest our souls burn in hell.

G'day.

SPECIAL INVITATION TO OUR FRIENDS AT HP: Hi there. How are you? Fine, I hope. Why not just sit on down, relax, pop a peppermint Valium and think flowing blue-green water, then start up that World Wide Web browser and point it toward that address up there. Just feel nice and relaxed and browse through the short page that we've got, and then think to yourself "Wow, I bet our company could really use some guys like this. I think we should hire them and pay them a fortune 'cause they'll be so valuable." Think to yourself "they seem like really nice guys", and then think "I like ice cream, I bet these guys like ice cream, too." Then think about that chick who works across from you who you'd do just about anything for, and how much more she'd like you if you gave us a dump truck full of money. When she sees how generous you are, man, there'll be no stopping her. So why wait? We're available to take that money off your hands and show that really sweet, tasty, and delicious momma just what kind of a man you really are."


VALIDATION EFFORTS

As part of the validation process, assistance was solicited from an HP computer scientist at PNNL to determine the credibility of the identified HP weaknesses. The code contained in the messages was downloaded and compiled to generate the "bug". Using one of the laboratory's stand-alone HP systems, running HP-UX 9.01, an attempt was made to "infect" the system. The system was isolated from the network for the test.

The following results were observed. The malicious code advertised by the underground source proved to be valid, exploiting weaknesses in the HP-UX operating system. The HP "bug" program was shown to have the potential for serious deleterious impact on HP systems running HP-UX 9.xx. Once compiled and run, it allowed an ordinary unprivileged user, including a guest account, to gain root access. Once root access was established, that user could open or redirect a network port, allowing access through the firewall.

Two other malicious programs required that the system be running Glance, an HP-written on-line performance and diagnostic application that logs system performance data. Another malicious program required that the system be running Perl, an interpreted scripting language. We are still in the process of determining the validity of these malicious programs on systems running Glance and Perl; the HP system used during this validation was running neither. It is our understanding, however, that a substantial number of systems throughout the DOE complex may be running Glance and/or Perl.


POSSIBLE IMPACT

HP systems are in wide use in the commercial world, e.g., General Motors, Ford, Boeing. These systems are also prevalent in the university environment, which is of particular interest because of the close interaction between universities and DOE national laboratories. HP systems are normally chosen because they are considered to be well suited for running UNIX and are very reliable. They are also well suited for processing scientific data and for developing code.


RECOMMENDED ACTION

That this information be coordinated with CIAC (the DOE Computer Incident Advisory Capability), and that this validation effort be continued to determine whether these malicious programs are a potential or actual threat to the DOE Information Assurance Infrastructure.




Last Updated October 2001