Clock Forwarding HAC
*. Why is mi2g software talking about Clock forwarding "HAC"?
There have been two serious incidents and we would like to warn the world
community about not being prepared for such an eventuality. Both Y2k compliant
and non-compliant systems exhibit varying degrees of vulnerability.
*. Just what is meant by "Hacker Activated Code" and how does
Hacker Activated Code (HAC) means native / machine code that
is compiled for a specific architecture and is activated remotely through
a signal extraneous to the network.
*. Have you found and isolated this code?
Yes, mi2g software has found two customised end-of-cycle components
that were configured for specific IP addresses on the victim's networks. They
appear to have run once only and they no longer execute the entire sequence
contained in the confidential log files of the infected servers within the
two major victims in October.
*. How far has this thing spread now?
mi2g software has had only two instances.
*. Are you dealing with more than one version?
Yes, the mi2g SIPS engineers are dealing with two distinct end-of-cycle
versions. They are still searching for start-of-cycle codes.
*. Have you taken any other action other than contacting CERT?
Yes, the regulatory authorities in the appropriate jurisdictions have been
informed with the consent and co-operation of the clients involved, whilst
respecting confidentiality and sensitivity to adverse share price movement
in the event of naming specifics.
*. Do you have other information available on this tojan/malicous code?
It appears to be a one-time execution, IP address specific, native code that
forwards the clock of the 80x86 system on which it runs, whilst disabling
any synchronisation protocol with a Central Time Server. It has brought down
all Y2k non-compliant computers/applications on the network.
*. What is the origin of this HAC? Where did the HAC come from?
The two main geographic areas that the victim departments trade with are
Eastern Europe and Scandinavia.
*. How much of the problem came from the HAC?
mi2g software is still trying to identify how much of a threat the
start-of-cycle code is. How much has the code achieved on its own and what
was achieved by unauthorised network accessors in parallel.
*. The use of this term "one-time Hacker Activated Code" means
It executes its payload once and then does not execute.