[infowar.de] Newsbyte 15.3.2002: Army and Navy are conducting a high-priority of Microsoft Windows Systems
By Brian McWilliams, Newsbytes
ATLANTA, GEORGIA, U.S.A.,
15 Mar 2002, 11:22 AM CST
The United States Army and Navy are conducting a high-priority
security review of their Microsoft [NASDAQ:MSFT] Windows systems for
the presence of an unauthorized remote-control program, sources
familiar with the investigation have confirmed.
An unclassified memo, sent Mar. 6 by the Navy's Computer Incident
Response Team (NAVCIRT), warned Navy computer administrators to scan
their Windows systems for evidence of a popular commercial software
program called RemotelyAnywhere.
"NAVCIRT received several computer incident reports involving the
installation of RemotelyAnywhere on compromised computer systems which
in turn enables scanning, probing, and compromising of additional DOD
systems," said the memo, a copy of which was received by Rob
Rosenberger, an independent virus expert who consults to the military
on information security matters.
Officials from NAVCIRT, which is part of the Navy's Fleet Information
Warfare Center in Virginia, were not immediately available for
A similar message was sent Mar. 13 by the Army Forces Command to
computer systems staff at all of its installations.
The Army memo, which was distributed by e-mail and designated High
Importance, warned information assurance managers (IAMs) that the
remote access tool "may be sitting on our systems, waiting to be
A copy of the Army e-mail obtained by Newsbytes instructed Army system
administrators to search all Windows computers for the presence of
files that "are evidence of system compromise."
Jack Coffey, an Army Forces Command spokesman in Atlanta, confirmed
the authenticity of the memo and said it was based on the advisory
from NAVCIRT as well as one from the Department of Defense Computer
Emergency Response Team. Coffey said he was unable to immediately
provide more information.
Pentagon officials did not respond to requests for interviews.
It was not immediately clear whether other branches of the U.S.
military or Defense Dept. headquarters were performing a similar
A representative of Wisconsin-based Binary Research International,
which distributes RemotelyAnywhere, said military investigators
contacted the company last week for assistance after an undisclosed
number of copies of the program were discovered on Department of
Defense computer systems.
"We are cooperating fully and doing what we can to help track these
people down," said Binary spokesman Jim Szopinski.
The attackers are believed to have obtained illegally licensed or
"cracked" copies of RemotelyAnywhere, which costs $99 for a
single-user license, according to Szopinski.
According to product documentation, RemotelyAnywhere is developed by
Hungary-based 3am Labs. The software acts as an HTTP server and allows
remote users to access files and manage a computer remotely through a
Web browser. The program includes a configurable "listener" function
that waits for connections on TCP ports 2000 and 2001 by default.
To install RemotelyAnywhere on Windows NT, 2000, or XP systems, users
must have system administrator privileges, Szopinski said.
Rosenberger said attackers may have used RemotelyAnywhere, rather than
an underground remote-control tool such as NetBus, because the
commercial program would not be detected by anti-virus software.
According to NAVCIRT, the presence of the following four files is
"evidence of system compromise: RAMIRR.DLL, RAHOOK.DLL, RA_SSH1.DLL,
The Army memo requests that computer systems personnel complete their
review of multi-user server systems today, after which they are to
perform a sweep of desktop computers, workstations, and laptops.
"This has become terribly important," said the memo, which described
the security review as "a must-accomplish action."
The state of information security at many government agencies,
including the Department of Defense, was criticized in a report to
Congress last April by the General Accounting Office. According to the
GAO, "weaknesses at the Department of Defense increase the
vulnerability of various military operations."
According to Binary Research, companies using RemotelyAnywhere include
AT&T, Office Depot, and MCI Worldcom.
The Navy Fleet Information Warfare Center is at
The Army Forces Command is at http://www.forscom.army.mil
The RemotelyAnywhere site is at http://www.remotelyanywhere.com
Binary Research is on the Web at http://www.binaryresearch.net
Dipl. Pol., research associate
HSFK Hessische Stiftung für Friedens- und Konfliktforschung
PRIF Peace Research Institute Frankfurt
Leimenrode 29 60322 Frankfurt a/M Germany
Tel +49 (0)69 9591 0422 Fax +49 (0)69 5584 81
Mobile 0172 3196 006
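
A sweep for the indicators the article names, as an added example that is not from the memos, Newsbytes or the list post: it matches the three file names that survive in the truncated list above and looks for local listeners on TCP ports 2000 and 2001 in `netstat -ano` output. The function names, the sample directory tree and the sample netstat text are constructed for illustration.

```python
import os
import re
import tempfile

# File names quoted from the NAVCIRT memo; the page's list is cut off after the third.
INDICATOR_FILES = {"ramirr.dll", "rahook.dll", "ra_ssh1.dll"}
# Default RemotelyAnywhere listener ports named in the article (the listener is configurable).
DEFAULT_PORTS = {2000, 2001}

# Constructed sample of Windows `netstat -ano` output, not taken from any real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:2000           0.0.0.0:0              LISTENING       1480
  TCP    10.0.0.5:49712         10.0.0.9:2000          ESTABLISHED     3320
  TCP    [::]:2001              [::]:0                 LISTENING       1480
"""

def find_indicator_files(root):
    """Return sorted paths under root whose file name matches an indicator, ignoring case."""
    hits = []
    # onerror skips unreadable directories so one access failure does not end the sweep.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        hits += [os.path.join(dirpath, f) for f in files if f.lower() in INDICATOR_FILES]
    return sorted(hits)

# One TCP row: local address, local port, foreign address, LISTENING state, owning PID.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def find_listeners(netstat_text, ports=frozenset(DEFAULT_PORTS)):
    """Return (local_address, port, pid) for sockets LISTENING locally on the given ports."""
    rows = (_ROW.match(line) for line in netstat_text.splitlines())
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in rows if m and int(m.group(2)) in ports]

def build_sample_tree(root):
    """Create a constructed directory tree: one indicator file in mixed case, one benign DLL."""
    sysdir = os.path.join(root, "WINNT", "system32")
    os.makedirs(sysdir)
    for name in ("RaHook.dll", "kernel32.dll"):
        open(os.path.join(sysdir, name), "wb").close()
    return sysdir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("indicator files:", find_indicator_files(tmp))
    print("default-port listeners:", find_listeners(SAMPLE_NETSTAT))
```

Because the listener port is configurable, a clean port check does not clear a host; the file sweep still has to run. The ESTABLISHED row in the sample is an outbound connection to a remote port 2000 and is correctly ignored.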