New Windows Worm Inching Around Internet 706
helixcode123 writes "The Register is reporting a Windows Worm that
takes advantage of weak default passwords. This
looks pretty nasty, as it mucks with the registry
and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
Microsoft's fault? (Score:1, Insightful)
Thank you (Score:3, Insightful)
Celeb Commentary, not just on DVDs! (Score:4, Insightful)
Re:Microsoft's fault? (Score:5, Insightful)
Please tell me how it's MS's fault that people pick easy to guess passwords?
Simple solution... (Score:5, Insightful)
This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.
And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.
huh? (Score:3, Insightful)
Not Microsofts Fault? (Score:3, Insightful)
Risks of default passwords (Score:5, Insightful)
Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.
The weakest link (Score:3, Insightful)
It isn't only at the PHB's desk that PEBKAC can occur.
Unfortunately, in an employment environment where complicated passwords are just another encumberance and annoyance for most people, this is not going to change any time soon.
VB App to help? (Score:5, Insightful)
Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?
Dictionary attack + 1 (Score:5, Insightful)
When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.
This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.
Perhaps the best solution would be biometrics?
Re:Microsoft's fault? (Score:5, Insightful)
There are some environments and situations where maliciousness simply isn't a concern, and security is used for other purposes.
Re:Clue by four (Score:1, Insightful)
What the hell are you talking about?
pat/patrick (Score:5, Insightful)
For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...
Re:VB App to help? (Score:2, Insightful)
Hypocrisy (Score:2, Insightful)
On the other hand we've got linux, the do it yourself operating system. You've got to set up, tweak, fiddle, configure, code and compile everything. Nothing is done for you. But of course, it's secure out of the box.
Now we get a worm that is/isn't Microsoft's fault. It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything. It just takes advantage of the fact that windows isn't secure by default. So who comes out to complain that something isn't automatic and built in? Oh, of course, the linux users who love the operating system where nothing is done for you and you have to write code to make software work.
linux guy: "You're operating system isn't secure by default!"
windows guy: "You're operating system isn't anything by default!"
And dont' get me wrong, I'm a dual boot win2k/mdk9 man, but this typical slashdot hypocrisy cracks me up.
Re:White-hat worm? (Score:3, Insightful)
*sigh*
Hypocrites (Score:5, Insightful)
Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists [securityfocus.com] and I can tell you that I see a lot more *nix than MS activity.
I feel sorry for those that let their hatred of a company clout their perception on information security.
-Lucas
It is not (Score:2, Insightful)
It's not a worm, it's a DDOS countermeasure (Score:5, Insightful)
Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...
Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.
Re:What were those commons passwords in Hackers? (Score:5, Insightful)
Shit, I should go change my root password now.
I wondered about that one, too. I'm guessing that's what happens when you hold down X until the buffer is full.
SAMBA protocol (Score:4, Insightful)
Just to be the devil's advocate (literally
And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.
Re:Might be MS's fault. (Score:3, Insightful)
... about blame (Score:2, Insightful)
While, admitedly, the admin who left a default password in place deserves a beating with a big foam cluebat, the very fact that there is a default password in the first place is a major security flaw that traces its origins in Redmond.
A properly constructed security scheme would prompt you for a password upon activating the feature at the very least.
But MS is only following the Marketroid mantra "The users can't be bothered. They don't want to know. They don't want to understand."
That mantra might even be mostly true; but it still begets bad security. Users need education, not bad security.
For that matter, most features that end up having big security implications in Windows are not needed by the vast majority of the users out there, and activation (or better yet installation) of those features should be an explicit act.
-- MG
Re:patrick!!??!! (Score:0, Insightful)
Re:This is a problem? (Score:4, Insightful)
That would be pretty useful in my office...
Cheers,
Jim
Not default passwords... (Score:4, Insightful)
I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.
It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.
This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.
Re:ACK!!! (Score:3, Insightful)
Re:Hypocrisy (Score:3, Insightful)
windows guy: "You're operating system isn't anything by default!"
I use Linux. My system wasn't anything by default. But by not being anything, it was secure.
Re:The Most Open Security Hole.... (Score:5, Insightful)
All hail the ultimate logic (Score:0, Insightful)
Re:Microsoft's fault? (Score:2, Insightful)
Re:Hypocrites - Give M$ a break (Score:1, Insightful)
win95,98,win2k,winXp and
unix is sco,irix,aix,redhat,debian,gentoo , solaris,sunOS, net/open/free bsd's , tru64,hp-unix , and probably many more
don't say linux flavours are all 1 os, if then i'd say all microsoft os's are 1 os ->
16bit viruses on 32 bit platforms, and currently developing 64 bit viruses on the latest hardware.
i'm not counting the applications on them
think Msoffice and IE+outlook express, it will outsum all the bugs.
Microsoft is very good in its own way, they have an excellent gui and very easy to use system, *HOWEVER* does not mean anything if you are compromised and have your financial accounts on the same disk you browse the web with
I'd give Microsoft a big break, infact I'd break it into kazillion pieces
Re:Microsoft's fault? (Score:4, Insightful)
The shares you talk about, you moron, are administrative shares... If your admin password is 123, you might as well pack your stuff and become a lumberjack or something.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Same as above, go you lumberjack... GO NOW!
Re:It's not a worm, it's a DDOS countermeasure (Score:4, Insightful)
If I was a spammer or hacker, I would probably have a bunch of PC's between me and my targets, and use those pc's to get more pc's ad infinitum.
(Not that I know anything about this, I program in userland against an ORACLE database behind a firewall
Re:What were those commons passwords in Hackers? (Score:5, Insightful)
505 1234
494 password
319 6969
241 harley
231 123456
201 golf
180 pussy
169 mustang
169 1111
143 shadow
135 1313
134 fish
130 5150
127 7777
121 qwerty
120 baseball
118 2112
116 letmein
114 12345678
114 12345
Other than these, the users name, with the variations of a leading or trailing numeral, or the name spelled backwards also rank very high, but of course, don't show properly in this list..
Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive.
If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simplier.
The web site password crackers that I've seen use dictionary files, and for the passwords they try:
word
drow (word backwards)
[0-9]word (read as regex, not literal)
word[0-9]
[0-9]drow
drow[0-9]
Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")
Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someoen wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is suppose to use.
BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..
I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales reciept. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home.
It's a nice idea, but .... (Score:3, Insightful)
Re:It's about time... (Score:2, Insightful)
If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.
Just like Melissa, and ILoveYou, and Klez, and Goner have taught the users to be very careful when opening e-mail attachments.
Re:What were those commons passwords in Hackers? (Score:2, Insightful)
Re:Hypocrisy (Score:4, Insightful)
What a bunch of b.s. If you've really used Mandrake, you'd know you don't have to write any code to make anything work. I've been using RH7.3 as my desktop OS exclusively for a year now, and I haven't had to write any code.
I'm not saying Linux is perfect, but saying you need to write code to get Linux to even work is just a damn lie. Everything your average joe wants is usually on your distro's install cds in rpm or whatever format. Put in the disc, click on the RPM and tell it to install. How hard is that? Yes, if you WANT to be on the bleeding edge you can compile things youself. I do sometimes, but it is not a necessity.
windows guy: "You're operating system isn't anything by default!"
Linux does work by default, it just doesn't set up a bunch of network services that leave your ass out in the breeze. After using KDE, gaim, mozilla, etc for so long, using a windows box can be just frustrating. I don't think your agrument makes sense at all, all these thing as installed and work by default.
Windows, is a very secure operating system, but not out of the box.
Care to back this up? OpenBSD is a very secure operating system. I would say an updated RH6.X box is, by now, a very secure OS. Windows? Some GUI toolbox type stuff is actually run in "protection ring 0" or whatever it's called. How is that secure? How are you going to fix that without access to the kernel source?
Yeah you can tweak things to fix other problems like default administrative shares but how is an OS "very secure" if it has a flawed security model and you have to cover it with band-aids?
What proof do you have that windows can be very secure? Over the last two years:
Get an idea what those numbers are, then compare them to the other operating systems I mentioned. Maybe you'll change your mind.
Finally, even if you think you can secure windows by doing a bunch of work, how is this better than all that work you claim it takes to get a linux system going?
Re:Microsoft's fault? (Score:2, Insightful)
I'd say it was a design goal for XP Home... Try explaining to a typical home user why half of his games don't work if he's not an administrator.
Technical Reasons: (Score:4, Insightful)
Everyone knows it's because your aunt worked as a secretary on her Windows 3.1 machine for years, and those ugly white windows kept the ancient monitor's CRT burning so hot straight at her chest from 9 to 5 everyday. Sheilding didn't used to be so good, you know.
Everything IS Microsoft's fault. Duh.
Re:What were those commons passwords in Hackers? (Score:5, Insightful)
You spent good time giving an informative message, which when you hit submit, it honestly should have taken..
At the risk of sounding off-topic, I agree with you completely about the lameness filter.. Sometimes switching your input type from "Plain Old Text" to "Code" will help, but there's another filter it'll frequently be caught on bitching about too much whitespace or redundant lines. Last time, I was trying to show examples of our our DNS worked.. 18 lines with word "Address: ", and half starting with one
I can't imagine what would happen if I actually posted a significantly long chunk of code for someone, that I *COULDN"T* strip anything out of.. What do I do, write a novel behind it just to fill space to make their percentages match what a normal message should read like?
I do sympathise with them though. We get abusers on our systems all the time too, but in our case, we have an abuse button, where an abuse moderator can dump the message because it was bad.. It would seem to be an easy enough mod for here. If something gets modded down to -2, it never shows to anyone (effectively deleted). I know I should have some outragously high Karma by now (now only known as "Excellent")
They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts..
Re:Hypocrites (Score:4, Insightful)
Sure, you see a lot of exploits for Open Source software, but the difference is when exploits for Open Source software are found, they are:
b) patched almost immediatley after the exploit is announced. We see in the world of Windows that it's not uncommon for vulerabilities to be announced and left unpatched for months. (And since you don't have access to the source, you can't do any patching yourself either.)
If this were RISKS-Digest... (Score:3, Insightful)
Slashdot Password Stupidity (Score:3, Insightful)
I see we have the expected collection of replies from people who think they're experts on passwords because they've turned on all the security settings on their debian box and ran a cracker over a shadow file. *sigh*
Here's the straight dope: passwords suck. No, seriously, I mean they really really suck. A password is either insecure because it's too "simple", or it's too hard to remember for anyone but us nerds who breezed high school without having to learn anything due to amazing powers of recall. Hard passwords are nearly always written down somewhere (how many of you carry passwords, or obfuscated passwords, in you wallet/purse, eh?). You can enforce really "hard" passwords, but all you'll do is make your users hate you. And watch you don't actually end up reducing the search space!
But hell, it doesn't matter anyway, because a complete brute-force search of the 8-character ascii domain is feasible, and is only going to get easier. (Longer passwords? Great, until you find a system you need to support that truncs at 8 -- suddenly you've got an even less secure password because the randomness in the first 8 chars wasn't an issue. Or you have to let people use phrases, and English's entropy isn't that high. What, you mean you don't manage domains of hosts with common auth? Sit back down then.)
The good news is, this doesn't mean shit. What are you trying to protect? Most people don't need uber-secure passwords. Who'd want to hack into my mother's webmail account? The effort involved wouldn't be worth any payoff.
But:
- mib
p.s. Useradd/passwd is not account management.
Re:What were those commons passwords in Hackers? (Score:3, Insightful)
Re:Microsoft's fault? (Score:3, Insightful)
Hey buddy, it's your security. If I come in when your cashier is on a smoke break and no one is looking, I'll just hit enter, cash out, and leave.. No problems here.
I usually go into a 15 minute speech on how secure passwords are important, and how they must mix upper and lower case letters with numbers and characters, so as to *NOT* make dictionary words. "Password" doesn't count, duh. I've gone back to the same stores months later, and tried the old password, and it worked.. I don't even have to ask for access to their system, I just get in and start fixing for them..
Good thing I'm a good guy.. I could just log in as their admin user, ring up a no-sale on all the registers, and leave.. I could even mark their logs that *THEY* cashed out all the drawers like they closed the day.. {sigh}
We can't blame Microsoft for making their customers stupid. Its just like blaming AOL for making their customers stupid. They didn't. They marketed to stupid people who would buy anything.
I don't even want to hear one word back from an AOL person on WinXP using MSIE.. You're their sucker.. You fell for getting the stupid AOL 9.999 CD and 100000 free hours, you bought Windows, and happily agreed to their licenses, and you probably bought a whole stack of beautifully hologramed Microsoft products right along with your new Microsoft taxed computer, but you'll still bitch that it crashes, and wonder why I just look at you funny because my Linux machines never crash..
I wish we had the time to educate people just a little bit.. But some of them are so dense it isn't even funny.. How do you tell them "Stop using AOL. You're paying $29.95 for a $19.95 service..". it's like saying they're paying $30 at K-Mart for a cheap toy, when they could spend $20 for the a toy that looks the same, but goes faster and is more fun to play with..
Stupid consumers will still spend $30 because the TV Ad told them it's the best..
You're the same people that will pay a couple hundred dollars for the next version of Windows that will still crash, and you'll still cry that it doesn't work.. You won't even consider that you've already bought Win3.1, Win95, Win98, Win2k, WinME, WinXP, and none of those have worked right. Maybe the next one will work properly? I have a beautiful bridge in Brooklyn to sell you too.
Shall I rant?
Isn't that partly Microsoft's fault too? (Score:3, Insightful)