New Windows Worm Inching Around Internet
helixcode123 writes "The Register is reporting a Windows Worm that
takes advantage of weak default passwords. This
looks pretty nasty, as it mucks with the registry
and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
Might be MS's fault. (Score:1, Informative)
Re:Simple solution... (Score:2, Informative)
Unless you disable the "server" service (this is NOT IIS). Then those shares are disabled. Home users and many business users don't need the Server service running.
Google for Win2k Services Tweak guide and follow the many happy descriptions.
Re:What were those commons passwords in Hackers? (Score:5, Informative)
[empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw
the pat / patrick is rather weird, eh? only name in the list.
Re:This is a problem? (Score:3, Informative)
Re:White-hat worm? (Score:3, Informative)
Re:Doh! (Score:3, Informative)
Re:Microsoft's fault? (Score:3, Informative)
Even if it requires local admin accounts to access this share, just that it is available, and HIDDEN, is a grave security fault!
not in there? (Score:3, Informative)
What's the maximum or minimum limit for a password? I generally go with 6-8 characters with a combination of letters and numbers, often deferring to foreign languages rather than English.
I was surprised that it didn't include:
Months (i.e. january, february, ...) since I catch people using those a lot
system (i.e. another favorite)
xyzzy
plugh
Though I do note 'foobar' is in there, but I generally use that on Internet sites where I couldn't care less if someone assumes my identity.
Real Info on this Worm (Score:4, Informative)
1. Once on the system it disables personal security/firewall/virus scanning
2. Copies itself to the start up group
3. With virus scanning disabled it drops several nasty bugs.
4. Network traffic/processor utilization goes through the roof.
5. It then tries to replicate on the next machine...
McAfee has an extra.dat that fights it; the next DAT release on the 12th will include that def.
Good Luck
Re:What were those commons passwords in Hackers? (Score:2, Informative)
oops, after looking up the line [moviequotes.com], it should be something more like...
That's the kind of password some idiot would have on his windows machine!!
Re:ummm.... (Score:5, Informative)
Re:Microsoft's fault? (Score:3, Informative)
Re:huh? (Score:3, Informative)
He he, you don't remember because it did not tell you. Filesharing gets set up as part of other software installs without telling you. Nice eh?
Re:Microsoft's fault? (Score:3, Informative)
XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names.
Re:Simple solution... (Score:2, Informative)
However, I don't think this is particularly amazing advice... only applicable to a box which happens to be acting as both a fileserver and a gateway.
If I had mod points, I'd Overrated the grandparent for exactly this reason.
Re:Choose your weapons...Uh, I pick Blame! (Score:4, Informative)
Re:SAMBA protocol (Score:3, Informative)
Other thing: time for all the LOTR lusers to change g@nbA1ph to g011um!
Re:Microsoft's fault? (Score:3, Informative)
That's because you have it in a domain, using domain accounts. If you're not in a domain, the default local log-in method is that "family stuff" you're talking about.
However, you are right; I was wrong about the default behavior. Instead of a user log-in, a default XP Home install will automatically log you in to the default account "Owner," an admin account with no password(!!!!!).
Re:Simple solution... (Score:1, Informative)
2K/XP:
Right-click on Local Area Network
Select: Properties
Select: Internet Protocol TCP/IP
Click on Properties
Click on Advanced
Select the WINS tab
Select Disable NetBIOS over TCP/IP
Click OK
Lower:
Right-click on My Network Places
Select: Properties
Select: Internet Protocol TCP/IP
Click on Properties
Select the NetBIOS tab
Uncheck: Enable NetBIOS over TCP/IP
Click OK
Removing the binding from TCP/IP is the same, up to 'Click on Properties':
Select the Bindings tab
Check: Client for Microsoft Networks
Check: File and Printer Sharing
Click OK
Warning about using NetBEUI: it slows down large networks by only using multicast (i.e. turns your switch into a regular hub). Read about it here [uga.edu]. (By the way, that link has screenshots of the directions above.)
Re:What were those commons passwords in Hackers? (Score:5, Informative)
password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.
9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.
hope that helps!
Re:patrick!!??!! (Score:2, Informative)
Re:Microsoft's fault? (Score:5, Informative)
From Technet article 318751 [microsoft.com] (HOWTO: Remove Administrative Shares in Windows 2000):
And... From 314984 [microsoft.com] (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)
These get rid of those pesky administrative shares.
Re:SAMBA protocol (Score:2, Informative)
Being picky, Samba is the open software suite that handles the SMB protocol. Yes, Samba would be as vulnerable except that by default Samba doesn't share anything - you have to tell it what you want to share via its config file. So, you probably (...but NOT definitively!..) assigned a share password at the same time you created the config file entry. Not quite the same as a share created by default with a weak password.
> And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.
Probably because the majority of their market are home users who Don't Want to have to worry about passwords 'n stuff - just arrest those stupid, inconveniencing 'hackers' and let the home users get on with their work. MS doesn't want to deal with the grief that reasonable security would cause their largest installed base.
Re:SAMBA protocol (Score:5, Informative)
Re:Microsoft's fault? (Score:3, Informative)
That's one thing. It's quite another when the program doesn't even bother to ask for a password for your new account. And that assumes that you set up individual user accounts to begin with. XP Home's default behavior, IIRC, is to log everybody in as "Owner," a built-in admin-level account with no password.
Re:Microsoft's fault? (Score:3, Informative)
----CUT HERE----
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
----CUT HERE----
Note the italicized line. Slashcode inserts a space there to prevent me from "page widening". Remove that space. If the lines wrapped, then the line in italics should be one line and not two.
Once the file is saved, right click and choose "Merge". (Or just double click/single click/whatever to cause the default action to take place.) Merge the values into the registry, and this will set the keys mentioned above without the need to play with the registry. Reboot, and you should be all set to delete the C$..Z$ and ADMIN$ shares. Damn those things annoyed me - thanks for the post!
Re:Microsoft's fault? (Score:4, Informative)
So set up a share for your mp3s, set only to that directory, marked remote read only. Just as easy when it's done and much more secure.
Re:Microsoft's fault? (Score:5, Informative)
Re:Microsoft's fault? (Score:3, Informative)
Users pick bad passwords, sigh (Score:4, Informative)
I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.
In either case, to see how our Internet is currently faring check out the Internet Storm Center [incidents.org]. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm [nai.com].
Programmers Telling Users What to Do? (Score:5, Informative)
Spoken as a programmer: Password policy is not the job of the programmer, that's the job of management and/or sys admins. Your employer should outline a security policy and your admins should back it up in implementation and your managers should back it up with disciplinary policy (PAF's I think they are called, they smack you and you go 'PAF!', or something like that.) Programmers should not be in the practice of roaming around telling users how they should be doing things, stepping on the toes of management, sys admins or even analysts, etc. Programmers typically do not interact with users (unless they happen to be a programmer/analysts, in which case they probably are allowed out into the user community more often) in order to perform the important job of upholding the social misfit, geek, nerd, and so on, stereotypes.
Oh, and if you are an admin and the programmers have begun to rise up and tell you how, when and what to set your server passwords to dictate policy, just change the subject to Star Trek, The Matrix or Dr. Who and the problem will just go away.
That said...
Here's a pretty picture of my firewall log [dragonswest.com], please note the cluster of port 445 hits.
Blank user passwords (Score:2, Informative)
It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything.
It does take advantage of the fact that Windows allows a blank user password as a valid means of authentication. In fact, it does take advantage of "an unchecked buffer" of sorts, as the "set password" phase of the new account wizard apparently fails to check whether or not there's anything in the buffer holding the new user's password!
Re:What were those commons passwords in Hackers? (Score:2, Informative)
53: 123456
21: password
keep in mind we require a >= 6 char password. We only have about 4,000 users.
dammit (Score:2, Informative)
With Windows 2000 the administrator password is actually left blank by default if you select the auto login (all users use same login) option on the Windows 2000 install. That's what makes this exploit so widespread. It's nothing new; Rit.edu [rit.edu] had the exact attack almost a year ago.
Re:Choose your weapons...Uh, I pick Blame! (Score:3, Informative)
I'm of the opinion that it is almost criminal these days for a system to not run a quick test against passwords as the user chooses it. This is the case on most, if not all linux systems I use, and many others as well.
The problem is that many users have a large number of systems they must access, and can't be bothered to choose decent ones for each system, and can't be bothered to change them at any regular interval once they've been set. Password aging is a pretty basic security concept that is rarely implemented.
I always recommend the use of passwords that are not words, but are pronounceable by the user. Many years ago, when I went to work for MCI, we were assigned MCIMail accounts. When you would initially log in, it would prompt you to change your password. Rather than just let you type in any old thing, it would give you 3 choices like this.
You had the option of choosing one of the three listed, or could roll the dice for another three more to your liking. I kinda liked it.
These days, there are a number of programs that will do this for you quickly and easily. I'm sure most of you are aware of 'gpw', which will generate passwords similar to those listed above. I've seen many variations of the program, and in fact currently use a perl-based one on my Solaris boxes when it's time to change passwords.
I mentioned earlier that people have many different passwords to remember. This, as well as the problem of multiple usernames, is a major problem for many users. Fortunately, there are software solutions for this as well. For Linux users, I like 'gpasman [linux.org]', which is a small program that will keep track of usernames/passwords for you and is itself protected with a password/passphrase (use a darn good one!). Windows users may find 'password safe [counterpane.com]' to be a good choice.
Both of the above programs have enabled me to have excellent passwords everywhere. Password Safe will even generate extremely strong passwords for you.
I guess my point, if there really is one, is that some of the pain of passwords can be alleviated to some degree by good technology. I wish more people took more care in their choice of passwords. Given the results reported elsewhere on this page, they don't seem to.
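As an added example (not code from any poster in this thread), here is the kind of "quick test as the user chooses it" this post calls for, built around the patterns the earlier password-list post describes: username, reversed username, first or last name, initials, username+420, ilove<name>, plus a common-password list and the six-character minimum another poster's site enforces. The common list is a small constructed sample, and the sample users are made up.

```python
import re

# Constructed sample of the common passwords posted in the thread; a real
# policy would load the full list from a file.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "qwerty", "asdf", "fdsa", "admin",
    "internet", "love", "computer", "starwars", "batman", "superman",
    "guitar", "mercedes", "secret", "test", "root",
}

MIN_LENGTH = 6  # the minimum one poster says their site requires


def derived_from_user(password, username, first_name="", last_name=""):
    """True if the password is built from the user's own identity, using
    the patterns listed in the thread: username, username reversed,
    first/last name, initials, <username>420 and ilove<name>."""
    p = password.lower()
    initials = "".join(x[0] for x in (first_name, last_name) if x)
    candidates = {username, username[::-1], username + "420",
                  first_name, last_name, initials}
    candidates = {c.lower() for c in candidates if c}
    stem = re.sub(r"\d+$", "", p)  # "patrick99" still matches "patrick"
    if p in candidates or (stem and stem in candidates):
        return True
    return p.startswith("ilove") and len(p) > len("ilove")


def check_password(password, username, first_name="", last_name=""):
    """Return the list of policy violations; an empty list means accept."""
    problems = []
    p = password.lower()
    stem = re.sub(r"\d+$", "", p)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if p in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if derived_from_user(password, username, first_name, last_name):
        problems.append("derived from username or real name")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and digits")
    return problems


if __name__ == "__main__":
    for pw in ["", "password1", "kcirtap", "patrick420", "Tr4vel-k3ttle"]:
        print(repr(pw), check_password(pw, "patrick", "Patrick", "Smith"))
```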
Re:who's on first? (Score:3, Informative)
I just tell them that my password is the same as my ATM number (it's not of course), so I can't give it to them.
Works pretty well.
Re:Simple solution... (Score:2, Informative)
Control Panel -> Services , Set "Messenger" service startup type to "disabled".
Or just do:
C:\>net stop messenger
The Messenger service is stopping.
The Messenger service was stopped successfully.
C:\>
Re:He was right! (Score:5, Informative)
22 godzilla
5 godfathe
4 goddess
3 godsmack
3 gods
3 godiva
2 sungod
2 netgod
2 iamgod
2 goodgod
There were 294 words with "sex" in them, the top ones are:
84 sexy
25 sexx
17 sexsex
8 sexual
7 sexo
6 sexe
5 sussex
5 sextoy
5 sex4me
5 ilovesex
And 278 with "love" in it..
86 love
33 lover
21 lovers
14 loveme
13 iloveyou
10 loveit
Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day.
Re:This is a problem? (Score:4, Informative)
Re:What were those commons passwords in Hackers? (Score:5, Informative)
But if I did want to count the "_"'s, I could:
1) I copy the "_"'s to the clipboard.
2) I open notepad and paste the "_"'s.
3) I count them. (= 10)
(Note: this is also a handy way to distinguish all of 'l10O' which can be hard to tell in some fonts.)
But that was a general windoze solution. If Unix utilities are available, I could run `wc' (WordCount) with no input, then paste the "_"'s in, then type [ENTER], CTRL+D and word count would tell me how many chars are there.
Yes, I know I'm being geeky and petty, but this is Slashdot and I feel I should be allowed.
Re:Hypocrites (Score:3, Informative)
On Windows we don't attribute errors in Exchange, WordPerfect etc to the OS.
Now if we only count Unix errors as those in the kernel and libc, and even Dan Bernstein's software, we get quite a bit fewer.
People can't see the difference between software from the huge company "Open Source", and the company's operating system, while it is easier for them to tell there is a difference between Windows, and an add-on product that costs hundreds of dollars.
A bit more detail (Score:4, Informative)
Some details about the worm itself (Score:2, Informative)
The worm comes in using port 445 (this is the samba over TCP port) and tries some simple passwords (the most effective being the empty password). After the infection the worm drops the file dvldr32.exe in the startup folder so that next time the machine is restarted the worm/virus will be installed onto the machine.
What the worm does is:
- Starts scanning and infecting other random IPs; it does this at a very high speed (i.e. hundreds of IPs per minute)
- Installs WinVNC (a vnc server for windows) that allows remote control, see the vnc webpage. [att.com]
- Connects to some private IRC servers and joins a channel with some high ASCII chars in the name (Chinese?) and a password. The IRC server is modified so that it does not give back any information to the client, but anyone on IRC can request the IPs of all the infected machines. When I tested this there were about 8000 infected machines on IRC (8000 was the IRC client limit so there are probably a lot more infected machines out there).
Note that this is quite a big threat as even passive attackers can get IPs of infected machines by watching their logs for connections to port 445. Most of the machines making such connections to you are either machines in your local network or infected machines (unless you do a lot of samba over TCP/IP over the Internet).
One can easily access the hard disks of these machines using the Admin$ share (which you know has no or only a simple password) either to get files from the user's computer or get a copy of the worm itself (it's located in the \winnt\system32 folder and named dvldr32.exe). Once you have a copy of the worm you can obtain the VNC password using some good old reverse engineering tricks (which I will not give out here because that would help out scriptkiddies just a little bit too much). I tried out the password I obtained using this analysis on one of the hosts that scanned me and guess what the guy was doing on his PC: yep, he was downloading porn using KaZAA.
From the looks of it this worm has already infected a lot of machines. I get about one connection attempt to port 445 every 2 hours.
For some more info about the worm check out the antiy website [antiy.net]
Let's see how long it takes before all ISPs block their VNC (5900) and their microsoft-ds (445) ports to stop the worm, or Microsoft issues a security update that forces strong passwords upon users or asks for permission every time something new is put into the startup folder.
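An added example, not part of the post above, of the passive detection the poster describes: it parses firewall log lines, ignores sources inside your own network (the poster notes those are the other legitimate source of port 445 traffic), and reports outside hosts that touched port 445 or 5900 on more than one target, which is the scanning behaviour this worm shows. The "src:port -> dst:port" line format and the addresses are constructed for this example and do not match any particular firewall.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log: "timestamp action proto src:port -> dst:port".
SAMPLE_LOG = """\
2003-03-08 14:02:11 DROP TCP 198.51.100.7:3456 -> 192.0.2.10:445
2003-03-08 14:02:12 DROP TCP 198.51.100.7:3457 -> 192.0.2.11:445
2003-03-08 14:02:12 DROP TCP 198.51.100.7:3458 -> 192.0.2.12:445
2003-03-08 14:02:14 DROP TCP 198.51.100.7:3459 -> 192.0.2.13:445
2003-03-08 14:05:40 ACCEPT TCP 192.0.2.20:1025 -> 192.0.2.10:445
2003-03-08 14:07:03 DROP TCP 203.0.113.9:2222 -> 192.0.2.10:5900
2003-03-08 14:09:55 DROP TCP 203.0.113.9:4100 -> 192.0.2.10:445
2003-03-08 14:10:01 DROP TCP 203.0.113.44:5500 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
WATCHED_PORTS = {445, 5900}          # microsoft-ds and VNC, as in the post
LOCAL_NETS = [ip_network("192.0.2.0/24")]  # constructed local range


def parse_line(line):
    """Split one log line into its fields; None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": src,
            "dst": dst, "dport": int(dport)}


def is_local(ip):
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def suspicious_sources(log_text, min_targets=2):
    """Map each outside source that touched a watched port to the sorted list
    of (dst, dport) pairs it hit; only sources with at least min_targets
    distinct targets are returned, since one hit may be a stray probe."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dport"] not in WATCHED_PORTS or is_local(rec["src"]):
            continue
        targets[rec["src"]].add((rec["dst"], rec["dport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, hits in suspicious_sources(SAMPLE_LOG).items():
        print(src, "->", len(hits), "targets on watched ports:", hits)
```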