Microsoft

New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
  • Might be MS's fault. (Score:1, Informative)

    by gmplague ( 412185 ) on Monday March 10, 2003 @09:16PM (#5481548) Homepage
    Actually, this might just be MS's fault. Windows 95/98 prior to 98SE and NT4 prior to service pack 4 (I think) all shipped with samba enabled by default, without a password. That means probably at least some of the hosts affected by this worm were affected because of MS's bungling.
  • by MondoMor ( 262881 ) on Monday March 10, 2003 @09:17PM (#5481549) Homepage Journal
    And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.


    Unless you disable the "server" service (this is NOT ISS). Then those shares are disabled. Home users and many business users don't need the Server service running.

    Google for Win2k Services Tweak guide and follow the many happy descriptions.
  • by mumkin ( 28230 ) on Monday March 10, 2003 @09:20PM (#5481579) Journal
    According to F-secure [f-secure.com], these are the passwords it tries :

    [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

    the pat / patrick is rather weird, eh? only name in the list.
  • by tedrlord ( 95173 ) on Monday March 10, 2003 @09:20PM (#5481581)
    The worm installs a backdoor into the system. Apparently the disabled file sharing is just a side effect.
  • Re:White-hat worm? (Score:3, Informative)

    by tedrlord ( 95173 ) on Monday March 10, 2003 @09:24PM (#5481609)
    Read the article. In addition to turning off file sharing, it installs a backdoor into the system.
  • Re:Doh! (Score:3, Informative)

    by jhunsake ( 81920 ) on Monday March 10, 2003 @09:26PM (#5481625) Journal
    Hey, dumbass, Samba is an open-source project, it is not part of Windows!
  • by lavalyn ( 649886 ) on Monday March 10, 2003 @09:33PM (#5481665) Homepage Journal
    Go look at your computer's C$ share. This is the default share on a fresh 2K install.

    Even if it requires local admin accounts to access this share, just that it is available, and HIDDEN, is a grave security fault!
  • not in there? (Score:3, Informative)

    by ackthpt ( 218170 ) on Monday March 10, 2003 @09:34PM (#5481668) Homepage Journal
    And how many people really have 42 x's as their password?

    What's the maximum or minimum limit for password? I generally go with 6-8 with a combination of letters and numbers, often deferring to foreign languages, rather than English.

    I was surprised that it didn't include:

    Months (i.e. january, february, ...) since I catch people using those a lot

    system (i.e. another favorite)

    xyzzy

    plugh

    Though I do note 'foobar' is in there, but I generally use that on internet sites where I could care less if someone assumes my identity.

  • by Anonymous Coward on Monday March 10, 2003 @09:37PM (#5481686)
    Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.

    1. Once on the system it disables personal security/firewall/virus scanning
    2. Copies itself to the start up group
    3. With virus scanning disabled it drops several nasty bugs.
    4. Network traffic/processor utilization goes thru the roof.
    5. It then tries to replicate on the next machine...
    McAfee has an extra.dat that fights it, the next DAT release on the 12th will include that def.

    Good Luck
  • by Fishstick ( 150821 ) on Monday March 10, 2003 @09:43PM (#5481724) Journal
    >Hey, that's the same password as my server!

    oops, after looking up the line [moviequotes.com], it should be something more like...

    That's the kind of password some idiot would have on his windows machine!!
  • Re:ummm.... (Score:5, Informative)

    by targo ( 409974 ) <targo_tNO@SPAMhotmail.com> on Monday March 10, 2003 @09:44PM (#5481729) Homepage
    You can configure Windows to do the same. At my workplace the policy is rather strict, so it actually takes some effort to come up with a good password.
  • by shamilton ( 619422 ) on Monday March 10, 2003 @09:50PM (#5481757)
    It's not hidden in nt/2k/xp. Though when you try to delete it, you get told it's there and necessary for administrative purposes.
  • Re:huh? (Score:3, Informative)

    by Erris ( 531066 ) on Monday March 10, 2003 @09:56PM (#5481786) Homepage Journal
    I don't remember there being default passwords on Windows file sharing (have setup multiple filesharing networks,

    He he, you don't remember because it did not tell you. Filesharing gets set up as part of other software installs without telling you. Nice eh?

  • by NetJunkie ( 56134 ) <jason.nash@CHICAGOgmail.com minus city> on Monday March 10, 2003 @10:00PM (#5481808)
    If I have the Administrator password I can do anything I want...whether the default shares are there or not. I can easily connect to the system and share the drives out myself. The worm could just as easily do that.

    XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names.

  • by shamilton ( 619422 ) on Monday March 10, 2003 @10:02PM (#5481822)
    Easy, in the properties for your external network interface, simply uncheck "File and Printer Sharing for Microsoft Networks."

    However, I don't think this is particularly amazing advice... only applicable to a box which happens to be acting as both a fileserver and a gateway.

    If I had mod points, I'd Overrated the grandparent for exactly this reason.

    sh
  • Complex password checkings is an included feature. It's easily enabled.
  • Re:SAMBA protocol (Score:3, Informative)

    by The Ape With No Name ( 213531 ) on Monday March 10, 2003 @10:10PM (#5481856) Homepage
    Notice it says: Startup Folder. Unless the worm can add a script to /etc/rc.d/ or cat itself into rc.local then SAMBA isn't vulnerable other than stuff on the share being available.

    Other thing: time for all the LOTR lusers to change g@nbA1ph to g011um!
  • by Guppy06 ( 410832 ) on Monday March 10, 2003 @10:12PM (#5481861)
    "XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names."

    That's because you have it in a domain, using domain accounts. If you're not in a domain, the default local log-in method is that "family stuff" you're talking about.

    However, you are right; I was wrong about the default behavior. Instead of a user log-in, a default XP Home install will automatically log you in to the default account "Owner," an admin account with no password(!!!!!).
  • by Anonymous Coward on Monday March 10, 2003 @10:15PM (#5481875)
    Here is a start for NetBIOS from here [uci.edu]:
    2K/XP:
    Right-click on Local Area Network
    Select: Properties
    Select: Internet Protocol TCP/IP
    Click on Properties
    Click on Advanced
    Select the WINS tab
    Select Disable NetBIOS over TCP/IP
    Click OK

    Lower:
    Right-click on My Network Places
    Select: Properties
    Select: Internet Protocol TCP/IP
    Click on Properties
    Select the NetBIOS tab
    Uncheck: Enable NetBIOS over TCP/IP
    Click OK

    Removing the binding from TCP/IP is the same, up to 'Click on Properties':
    Select the Bindings tab
    Check: Client for Microsoft Networks
    Check: File and Printer Sharing
    Click OK

    Warning about using NetBEUI: it slows down large networks by only using multicast (i.e. turns your switch into a regular hub). Read about it here [uga.edu]. (By the way, that link has screenshots of the directions above.)
  • by LBArrettAnderson ( 655246 ) on Monday March 10, 2003 @10:19PM (#5481886)
    if the hackers need any help, here are the most common passwords for my website:

    password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.

    9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.

    hope that helps!
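    The two password lists above (the dictionary the worm tries, and the username-derived habits from this post) are what a local password policy should catch before a worm does. The following audit script is an added example, not code from the thread or from any of the products mentioned; the policy thresholds, the variant suffixes and the sample accounts are constructed for illustration.

```python
"""Weak-password audit against the dictionary the worm tries (the F-Secure
list quoted in the thread) plus the username-derived patterns reported in
the later post. Added example; the policy values and sample accounts are
constructed, not taken from any real system."""

import re

# The worm's dictionary as quoted in the thread (case folded here).
# The 42-x entry is covered by the repeated-character rule instead.
WORM_DICTIONARY = frozenset("""
admin password 1 12 123 1234 12345 123456 1234567 12345678 123456789
654321 54321 111 000000 00000000 11111111 88888888 pass passwd database
abcd abc123 oracle sybase 123qwe server computer internet super 123asd
ihavenopass godblessyou enable xp 2002 2003 2600 0 110 111111 121212
123123 1234qwer 123abc 007 alpha patrick pat administrator root sex god
foobar a aaa abc test test123 temp temp123 win pc asdf secret qwer yxcv
zxcv home xxx owner login pwd love mypc mypc123 admin123 pw123 mypass
mypass123 pw
""".split())

MIN_LENGTH = 8  # assumed policy value for this example


def username_variants(username: str) -> set[str]:
    """Patterns the later post reports as common: the username itself,
    the username reversed, and the username with a digit suffix (e.g. 420).
    The suffix list is an assumption for this example."""
    u = username.lower()
    variants = {u, u[::-1]}
    for suffix in ("1", "123", "420", "2003"):
        variants.add(u + suffix)
    return variants


def weaknesses(password: str, username: str = "") -> list[str]:
    """Return the list of policy findings for a candidate password.
    An empty list means the password passed every check in this example."""
    if password == "":
        return ["blank password (the worm's first guess)"]
    low = password.lower()
    findings = []
    if low in WORM_DICTIONARY:
        findings.append("appears verbatim in the worm's dictionary")
    if len(set(low)) == 1:
        findings.append("single repeated character")
    if re.fullmatch(r"\d+", password):
        findings.append("digits only")
    if username and low in username_variants(username):
        findings.append("derived from the username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    return findings


def audit(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Audit a username -> password mapping; returns only the accounts
    that have at least one finding."""
    return {user: f for user, pw in accounts.items() if (f := weaknesses(pw, user))}


if __name__ == "__main__":
    sample = {  # constructed accounts, not real ones
        "Administrator": "",
        "owner": "owner",
        "pat": "patrick",
        "jdoe": "eodj",
        "alice": "x" * 42,
        "bob": "correct horse battery staple",
    }
    for user, problems in audit(sample).items():
        print(f"{user}: {'; '.join(problems)}")
```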
  • Re:patrick!!??!! (Score:2, Informative)

    by Kpt Kill ( 649374 ) on Monday March 10, 2003 @10:24PM (#5481910) Homepage
    uhh... yeah it does, try looking for it. I'll give you a hint... Local Security settings
  • by roolmarty ( 622921 ) on Monday March 10, 2003 @10:27PM (#5481927)

    From Technet article 318751 [microsoft.com] (HOWTO: Remove Administrative Shares in Windows 2000):

    To remove automatic creation of the administrative shares by using Registry Editor:

    • Start Registry Editor (Regedt32.exe).
    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

    • Change the value of the AutoShareServer key to zero (0).
      NOTE: A setting of zero (0) prevents the administrative shares, such as C$, D$, and Admin$ from being created automatically.
    • Quit Registry Editor.

    NOTE: If the AutoShareServer key does not exist, create the AutoShareServer key by using the following steps:

    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    • On the Edit menu, click Add Value.
    • Type AutoShareServer, click REG_DWORD, and then click OK.
    • Type 0, and then click OK.
    • Quit Registry Editor, and then restart the computer.

    And... From 314984 [microsoft.com] (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)

    To delete the hidden administrative shares for all root partitions and volumes (such as C$) and the system root folder (ADMIN$) and prevent Windows from re-creating them, add an AutoShareWks DWORD value to the following registry key and set its value data to 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    These get rid of those pesky administrative shares.

  • Re:SAMBA protocol (Score:2, Informative)

    by Anonymous Coward on Monday March 10, 2003 @10:36PM (#5481979)
    > Just to be the devil's advocate (literally ;), isn't SAMBA just a protocol? Since Linux supports SAMBA, is it not just as vulnerable to this worm?

    Being picky, Samba is the open software suite that handles the SMB protocol. Yes, Samba would be as vulnerable except that by default Samba doesn't share anything - you have to tell it what you want to share via its config file. So, you probably (...but NOT definitively!..) assigned a share password at the same time you created the config file entry. Not quite the same as a share created by default with a weak password.

    > And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.

    Probably because the majority of their market are home users who Don't Want to have to worry about passwords 'n stuff - just arrest those stupid, inconveniencing 'hackers' and let the home users get on with their work. MS doesn't want to deal with the grief that reasonable security would cause their largest installed base.
  • Re:SAMBA protocol (Score:5, Informative)

    by sn0wman3030 ( 618319 ) on Monday March 10, 2003 @10:39PM (#5481989) Homepage Journal
    Just so we're clear, SAMBA is not a protocol. The protocol you are thinking of is SMB (Server Message Block). Samba allows unix users to use SMB. Here's some info [anu.edu.au].
  • by Guppy06 ( 410832 ) on Monday March 10, 2003 @10:45PM (#5482009)
    "If I want to set a stupid password, who is the programmer to tell me I shouldn't do that?"

    That's one thing. It's quite another when the program doesn't even bother to ask for a password for your new account. And that assumes that you set up individual user accounts to begin with. XP Home's default behavior, IIRC, is to log everybody in as "Owner," a built-in admin-level account with no password.
  • by _xeno_ ( 155264 ) on Monday March 10, 2003 @10:51PM (#5482028) Homepage Journal
    Or, for the terminally lazy, cut the following and save it as a .REG file. (For example, "Disable Admin Shares.reg".)

    ----CUT HERE----
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    "AutoShareServer"=dword:00000000
    "AutoShareWks"=dword:00000000
    ----CUT HERE----

    Note the italicized line. Slashcode inserts a space there to prevent me from "page widening". Remove that space. If the lines wrapped, then the line in italics should be one line and not two.

    Once the file is saved, right click and choose "Merge". (Or just double click/single click/whatever to cause the default action to take place.) Merge the values into the registry, and this will set the keys mentioned above without the need to play with the registry. Reboot, and you should be all set to delete the C$..Z$ and ADMIN$ shares. Damn those things annoyed me - thanks for the post!

  • by SomeGuyFromCA ( 197979 ) on Monday March 10, 2003 @10:53PM (#5482036) Journal
    Nice, but I actually find the shares convenient at times. For instance, suppose I've taken my computer to my friend's house. I've got some mp3s he wants to play, but alas I have brought only my headphones. I could get up and go all the way over to my computer, but instead I can just open \\mycomputer\D$ and enter the password when it asks. No need to point out security implications.


    So set up a share for your mp3s, set only to that directory, marked remote read only. Just as easy when it's done and much more secure.
  • by IDIIAMOTS ( 553790 ) on Monday March 10, 2003 @10:57PM (#5482058)
    Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.
  • by Spy Hunter ( 317220 ) on Monday March 10, 2003 @11:01PM (#5482076) Journal
    1. It is not any harder to send a strong password to a large group of people than it is to send a weak password.
    2. Setting a weak password on a heavily-restricted user account is not such a big deal. What is a big deal is allowing the admin password to be blank (!) or "pass" (duh!). There is NEVER EVER any good justification for that.
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Monday March 10, 2003 @11:04PM (#5482088)
    It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.

    I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.

    In either case, to see how our Internet is currently faring check out the Internet Storm Center [incidents.org]. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm [nai.com].
  • by ackthpt ( 218170 ) on Monday March 10, 2003 @11:27PM (#5482183) Homepage Journal
    If I want to set a stupid password, who is the programmer to tell me I shouldn't do that?

    Spoken as a programmer: Password policy is not the job of the programmer, that's the job of management and/or sys admins. Your employer should outline a security policy and your admins should back it up in implementation and your managers should back it up with disciplinary policy (PAF's I think they are called, they smack you and you go 'PAF!', or something like that.) Programmers should not be in the practice of roaming around telling users how they should be doing things, stepping on the toes of management, sys admins or even analysts, etc. Programmers typically do not interact with users (unless they happen to be a programmer/analysts, in which case they probably are allowed out into the user community more often) in order to perform the important job of upholding the social misfit, geek, nerd, and so on, stereotypes.

    Oh, and if you are an admin and the programmers have begun to rise up and tell you how, when and what to set your server passwords to dictate policy, just change the subject to Star Trek, The Matrix or Dr. Who and the problem will just go away.

    That said...

    Here's a pretty picture of my firewall log [dragonswest.com], please note the cluster of port 445 hits.

  • Blank user passwords (Score:2, Informative)

    by yerricde ( 125198 ) on Monday March 10, 2003 @11:40PM (#5482248) Homepage Journal

    It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything.

    It does take advantage of the fact that Windows allows a blank user password as a valid means of authentication. In fact, it does take advantage of "an unchecked buffer" of sorts, as the "set password" phase of the new account wizard apparently fails to check whether or not there's anything in the buffer holding the new user's password!

  • by Anonymous Coward on Tuesday March 11, 2003 @12:14AM (#5482421)
    I don't store plaintext passwords, so I just guessed the top 2, which are:

    53: 123456
    21: password

    keep in mind we require a >= 6 char password. We only have about 4,000 users.

  • dammit (Score:2, Informative)

    by Smev ( 226940 ) on Tuesday March 11, 2003 @12:50AM (#5482558)
    I guess after the 2 years I've been using the same exploit I'll have to learn something new :(

    With windows 2000 the administrator password is actually left blank by default if you select the auto login (all users use same login) option on the windows 2000 install. That's what makes this exploit so widespread. It's nothing new, Rit.edu [rit.edu] had the exact attack almost a year ago.
  • by zeugma-amp ( 139862 ) on Tuesday March 11, 2003 @03:18AM (#5482965) Homepage

    I'm of the opinion that it is almost criminal these days for a system to not run a quick test against passwords as the user chooses it. This is the case on most, if not all linux systems I use, and many others as well.

    The problem is, that many users have a large number of systems they must access, and can't be bothered to choose decent ones for each system, and can't be bothered to change them at any regular interval once they've been set. Password aging is a pretty basic security concept that is rarely implemented.

    I always recommend the use of passwords that are not words, but are pronounceable by the user. Many years ago, when I went to work for MCI, we were assigned MCIMail accounts. When you would initially log in, it would prompt you to change your password. Rather than just let you type in any old thing, it would give you 3 choices like this.

    puwacane
    solahota
    yamatotu

    You had the option of choosing one of the three listed, or could roll the dice for another three more to your liking. I kinda liked it.

    These days, there are a number of programs that will do this for you quickly and easily. I'm sure most of you are aware of 'gpw', which will generate passwords similar to those listed above. I've seen many variations of the program, and in fact currently use a perl-based one on my Solaris boxes when it's time to change passwords.

    I mentioned earlier that people have many different passwords to remember. This, as well as the problem of multiple usernames are a major problem for many users. Fortunately, there are software solutions for this as well. For Linux users, I like 'gpasman [linux.org]', which is a small program that will keep track of usernames/passwords for you that is itself protected with a password/passphrase (use a darn good one!). Windows users may find ' password safe [counterpane.com]' to be a good choice.

    Both of the above programs have enabled me to have excellent passwords everywhere. Password Safe will even generate extremely strong passwords for you.

    I guess my point, if there really is one, is that some of the pain of passwords can be alleviated to some degree by good technology. I wish more people took more care in their choice of passwords. Given the results reported elsewhere on this page, they don't seem to.

  • Re:who's on first? (Score:3, Informative)

    by Nogami_Saeko ( 466595 ) on Tuesday March 11, 2003 @03:57AM (#5483036)
    Every once in a while I get someone (boss-type people) who wants to know what my password is so they can get onto one of the machines I administer (presumably to screw it up for me).

    I just tell them that my password is the same as my ATM number (it's not of course), so I can't give it to them.

    Works pretty well.
  • by Orig ( 114483 ) on Tuesday March 11, 2003 @04:31AM (#5483097)
    "It's a shame there's no easy way to get rid of Messenger service (ie. "net send") spam the same way."

    Control Panel -> Services , Set "Messenger" service startup type to "disabled".

    Or just do:

    C:\>net stop messenger
    The Messenger service is stopping.
    The Messenger service was stopped successfully.


    C:\>
  • Re:He was right! (Score:5, Informative)

    by JWSmythe ( 446288 ) <jwsmytheNO@SPAMjwsmythe.com> on Tuesday March 11, 2003 @04:38AM (#5483107) Homepage Journal
    Funny this, but "God" specifically doesn't show up in this set of 260k users.. But there are 143 words containing "god".. Here are the top ones. :)

    22 godzilla
    5 godfathe
    4 goddess
    3 godsmack
    3 gods
    3 godiva
    2 sungod
    2 netgod
    2 iamgod
    2 goodgod

    There were 294 words with "sex" in them, the top ones are:

    84 sexy
    25 sexx
    17 sexsex
    8 sexual
    7 sexo
    6 sexe
    5 sussex
    5 sextoy
    5 sex4me
    5 ilovesex

    And 278 with "love" in it..

    86 love
    33 lover
    21 lovers
    14 loveme
    13 iloveyou
    10 loveit

    Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day. :)

  • by sheriff_p ( 138609 ) on Tuesday March 11, 2003 @05:22AM (#5483190)
    Ah, the old ethical virus thread. Read this link [virusbtn.com], written probably about 9 years ago, and still very relevant today, about why 'Good' viruses are still a bad idea.
  • I don't get it. Most times, windoze lets you look through workgroups and choose the one you want to browse them *graphically* (double-click). So there's no need to count the "_"'s. I suspect that your plan worked mostly 'cause you changed the workgroup to something other than "WORKGROUP" and a lot of people didn't think to look for workgroups with anything other than the default name.

    But if I did want to count the "_"'s, I could:
    1) I copy the "_"'s to the clipboard.
    2) I open notepad and paste the "_"'s.
    3) I count them. (= 10)

    (Note: this is also a handy way to distinguish all of 'l10O' which can be hard to tell in some fonts.)

    But that was a general windoze solution. If Unix utilities are available, I could run `wc' (WordCount) with no input, then paste the "_"'s in, then type [ENTER], CTRL+D and word count would tell me how many chars are there.

    Yes, I know I'm being geeky and petty, but this is slashdot and I feel I should be allowed.
  • Re:Hypocrites (Score:3, Informative)

    by terminal.dk ( 102718 ) on Tuesday March 11, 2003 @06:38AM (#5483302) Homepage
    Problem is, that most of the bugs contributed to Unix are not a problem in unix, but a problem with some user installed software, like Sendmail etc.

    On Windows we don't attribute errors in Exchange, WordPerfect etc to the OS.

    Now if we only count unix errors as those in the kernel and libc, and even Dan Bernstein's software, we get quite a bit fewer.

    People can't see the difference between software from the huge company "Open Source", and the company's operating system, while it is easier for them to tell there is a difference between Windows, and an add-on product that costs hundreds of dollars.
  • A bit more detail (Score:4, Informative)

    Central Command [centralcommand.com] (also known as the Vexira Anti-Virus people) have a good bit more detail -- including a password list. If historical data is any indication, I'd expect about a 10-20% hit ratio just with the password 'password' (and simple variants thereof).
  • by sepulcrum ( 161180 ) on Tuesday March 11, 2003 @03:40PM (#5486670)
    Apart from everyone complaining and joking about the strength of the average user's password I read nothing about the actual worm this is about.

    The worm comes in using port 445 (this is the samba over TCP port) and tries some simple passwords (the most effective being the empty password). After the infection the worm drops the file dvldr32.exe in the startupfolder so that next time the machine is restarted the worm/virus will be installed onto the machine.

    What the worm does is:
    - Start scanning and infecting other random ips, it does this at a very high speed (i.e. hundreds of ips per minute)
    - Installs WinVNC (a vnc server for windows) that allows remote control, see the vnc webpage. [att.com]
    - Connects to some private IRC servers and joins a channel with some high ascii chars in the name (chinese?) and a password. The IRC server is modified so that it does not give back any information to the client, but anyone on IRC can request the ips of all the infected machines. When I tested this there were about 8000 infected machines on IRC (8000 was the IRC client limit so there are probably a lot more infected machines out there).

    Note that this is quite a big threat as even passive attackers can get ips of infected machines by watching their logs for connections to port 445. Most of the machines making such connections to you are either machines in your local network or infected machines (unless you do a lot of samba over tcp/ip over the internet).

    One can easily access the harddisks of these machines using the Admin$ share (which you know has no or only a simple password) either to get files from the users or computer or get a copy of the worm itself (it's located in \winnt\system32 folder and named dvldr32.exe). Once you have a copy of the worm you can obtain the vnc password using some good old reverse engineering tricks (which I will not give out here because that would help out scriptkiddies just a little bit too much). I tried out the password I obtained using this analysis on one of the hosts that scanned me and guess what the guy was doing on his pc, yep he was downloading porn using KaZAA.

    From the looks of it this worm has already infected a lot of machines. I get about one connection attempt to port 445 every 2 hours.

    For some more info about the worm check out the antiy website [antiy.net]

    Let's see how long it takes before all ISPs block their vnc (5900) and their microsoft-ds (445) ports to stop the worm or microsoft issues a security update that forces strong passwords upon users or asks for permission every time something new is put into the startup folder.
