New Windows Worm Inching Around Internet 706

Posted by CmdrTaco
from the dance-the-samba dept.
helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
  • by Eese (647951) on Monday March 10, 2003 @09:09PM (#5481463)
    I bet they just made a program that tried, "Love, sex, and god".
    • by mumkin (28230) on Monday March 10, 2003 @09:20PM (#5481579) Journal
      According to F-secure [f-secure.com], these are the passwords it tries :

      [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

      the pat / patrick is rather weird, eh? only name in the list.
  • by Paranoid Cheese Sand (655174) <thethirdtwin.hotmail@com> on Monday March 10, 2003 @09:10PM (#5481476)
    If we had a report on EVERY worm that showed up, we'd be flooded. Redundant; FP.
  • Thank you (Score:3, Insightful)

    by MattCohn.com (555899) on Monday March 10, 2003 @09:10PM (#5481486)
    Thank you Taco for your accurate and professional attitude. I just hope this thread isn't littered with "Yah it is!!!" posts. I've actually been yelled at by my Network Admin when a computer I used had a share on the whole drive w/ no pass. Well it wasn't me that set it, and while browsing the network I realised the network share folder was accessible with the default password for our school... student/student. Including confidential internal memos and reports...
  • This is a problem? (Score:5, Interesting)

    by Quasar1999 (520073) on Monday March 10, 2003 @09:10PM (#5481488) Journal
    I think it's great... think about it... you have a crappy password, this worm hits you and it disables file sharing? What could be better? No damage, it forces the admin/user to notice the problem, and possibly set up a proper password, or better still a firewall... This causes minimal damage, minimal downtime, and it helps prevent others from exploiting the same weakness this worm exploits.

    Anyone want to tell me why this is a problem? It forces the person to act, unlike a security posting about good passwords in an employee handbook.
  • by Jacer (574383) on Monday March 10, 2003 @09:12PM (#5481508) Homepage
    "for once a security problem that isn't really Microsoft's fault" Was that really necessary? I mean come on, news isn't supposed to be slanted, it's supposed to be factual. Who cares how witty Taco thinks he is?
  • by asparagus (29121) <koonce@g m a i l . com> on Monday March 10, 2003 @09:13PM (#5481514) Homepage Journal
    ...for once a security problem that isn't really Microsoft's fault...

    Taco: Hell just called. They want you turn back on the heat.
  • by scottm52 (544690) <winmaclinblog@NoSPAM.gmail.com> on Monday March 10, 2003 @09:13PM (#5481515) Homepage
    Is the one left open by an Admin who has no business being an Admin....

    But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???

    Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".

    • by afidel (530433) on Monday March 10, 2003 @10:38PM (#5481984)
      I liked a friend of mine's way of dealing with this, he ran a dictionary attack against the password database and a couple other tools, if your password was guessed the account was disabled and a note put in as to why, then when you called to have it re-enabled the helpdesk did an internal charge of $100 to your department, most managers would only let one crack go =)
  • Simple solution... (Score:5, Insightful)

    by mrjive (169376) on Monday March 10, 2003 @09:13PM (#5481521) Homepage Journal
    Unbind network sharing from your external tcp/ip settings.

    This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.

    And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.
  • huh? (Score:3, Insightful)

    by Dynedain (141758) <slashdot2 @ a n t h o n y m clin.com> on Monday March 10, 2003 @09:14PM (#5481525) Homepage
    I don't remember there being default passwords on Windows file sharing (have setup multiple filesharing networks, both w/ Win domains/active directory and w/out)....weak passwords I'd expect, but default?
  • by tarogue (84626) on Monday March 10, 2003 @09:15PM (#5481534)
    If the worm is using default passwords to get in, then I would say that it *is* the fault of Microsoft. There should be no default password. When any type of networking is setup, you should be prompted to create a password. If no password is provided, no service is provided.
  • by ma++i+ude (580592) on Monday March 10, 2003 @09:16PM (#5481543) Homepage
    Default passwords [phenoelit.de] are of course a problem, especially when many of these systems are operated by people who probably don't even know they are running an SMB server.

    Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.

  • The weakest link (Score:3, Insightful)

    by lavalyn (649886) on Monday March 10, 2003 @09:17PM (#5481555) Homepage Journal
    There is a reason why intelligent password crackers (dictionary attack) will first try passwords such as "password", "secret", "administrator", "root" or its variants before going through the main database.

    It isn't only at the PHB's desk that PEBKAC can occur.

    Unfortunately, in an employment environment where complicated passwords are just another encumbrance and annoyance for most people, this is not going to change any time soon. /.ers are young (mostly). Most users never needed to know passwords longer than a 4 digit PIN until the last decade.
  • ummm.... (Score:4, Interesting)

    by oliverthered (187439) <oliverthered@hotm a i l . c om> on Monday March 10, 2003 @09:18PM (#5481556) Journal
    New UNIX password: oliver
    BAD PASSWORD: it is based on your username

    New UNIX password: jp821968i
    BAD PASSWORD: it looks like a National Insurance number.

    New UNIX password: rg78kn
    BAD PASSWORD: is too simple

    Yeh, nothing to do with the password system.

    Ok, so that's how my linux box is setup (without post install configuration), why isn't windows setup this way?

    • Re:ummm.... (Score:3, Interesting)

      by seanadams.com (463190)
      Yeah, but it'll take passwords like 123!@#qwe!@#
      Hint: look at your keyboard.
    • Re:ummm.... (Score:5, Informative)

      by targo (409974) <targo_t@[ ]mail.com ['hot' in gap]> on Monday March 10, 2003 @09:44PM (#5481729) Homepage
      You can configure Windows to do the same. At my workplace the policy is rather strict, so it actually takes some effort to come up with a good password.
  • ACK!!! (Score:5, Funny)

    by revery (456516) <charles@nOsPAM.cac2.net> on Monday March 10, 2003 @09:18PM (#5481559) Homepage
    for once a security problem that isn't really Microsoft's fault.

    What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...

    Who are you and what have you done with the slashdot editors?!?

    --

    Dilbert - "If aliens take over your boss's body, is that a bad thing?"
    Wally - "It depends on the aliens"

  • VB App to help? (Score:5, Insightful)

    by Anonvmous Coward (589068) on Monday March 10, 2003 @09:18PM (#5481560)
    I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.

    Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?
  • by ObviousGuy (578567) <ObviousGuy@hotmail.com> on Monday March 10, 2003 @09:19PM (#5481567) Homepage Journal
    I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.

    When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.

    This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.

    Perhaps the best solution would be biometrics?
    • "Perhaps the best solution would be biometrics?"

      Maybe. If implemented by a security guard with a pair of calipers that he measures your skull with every time you want to log on, then he logs on for you and if your skull doesn't match the numbers on his clipboard he shoots you.

  • by callipygian-showsyst (631222) on Monday March 10, 2003 @09:20PM (#5481587) Homepage
    I didn't see my password:

    xyzzy

    on the list of passwords it tries. Guess I don't have to worry about this one.

  • by Guppy06 (410832) on Monday March 10, 2003 @09:21PM (#5481590)
    This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

    Dammit, I knew I should have built that bomb shelter...
    • by Enigma2175 (179646) on Tuesday March 11, 2003 @02:25AM (#5482834) Homepage Journal
      This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

      Along with that, this post [slashdot.org] observes that Taco posted a story about a worm that did not contain a snide comment about Microsoft.

      It's very clear to me now, obviously the /. editors have been replaced with the cyborgs that live among us. I for one, welcome our new android overlords. As a trusted /. personality, I can be helpful in rounding up others to toil in their underground sugar caves.
  • Symantec's hint (Score:5, Interesting)

    by very (241808) on Monday March 10, 2003 @09:21PM (#5481592) Homepage Journal
    On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.

    LiveUpdate:
    Virus Definitions released March 9
    Norton AntiVirus Corp. Edition Defs Version: 50309h
    Norton AntiVirus Corp. Edition Sequence Number: 21592
    Total Viruses Detected: 63225


    This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.

    They know something, definitely.
  • by Anonymous Coward on Monday March 10, 2003 @09:37PM (#5481686)
    Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.

    1. Once on the system it disables personal security/firewall/virus scanning
    2. Copies itself to the start up group
    3. With virus scanning disabled it drops several nasty bugs.
    4. Network traffic/processor utilization goes thru the roof.
    5. It then tries to replicate on the next machine...

    McAfee has an extra.dat that fights it, the next DAT release on the 12th will include that def.

    Good Luck
  • Hypocrites (Score:5, Insightful)

    by Nintendork (411169) on Monday March 10, 2003 @09:39PM (#5481697) Homepage
    "for once a security problem that isn't really Microsoft's fault"

    Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists [securityfocus.com] and I can tell you that I see a lot more *nix than MS activity.

    I feel sorry for those that let their hatred of a company cloud their perception on information security.

    -Lucas

    • Re:Hypocrites (Score:4, Insightful)

      by tres (151637) on Tuesday March 11, 2003 @03:03AM (#5482921) Homepage
      ...I see a lot more *nix than MS activity.
      This is derived from the idea that all security vulnerabilities are quantitatively the same. In fact, the danger posed by the majority of exploits listed for Open Source software is relatively minor compared to the regular influx of root level exploits that show up for the Windows platform.

      Sure, you see a lot of exploits for Open Source software, but the difference is when exploits for Open Source software are found, they are:

      • a) normally quite limited in their scope. *nix root exploits are relatively rare and are generally harder to take advantage of than their Windows counterparts.
      • b) patched almost immediately after the exploit is announced. We see in the world of Windows that it's not uncommon for vulnerabilities to be announced and left unpatched for months. (And since you don't have access to the source, you can't do any patching yourself either.)

      Don't get me wrong, when it comes down to it, I'd much rather get the best tool for the job. But when it comes to security, Microsoft Windows is not it.

  • by eagl (86459) on Monday March 10, 2003 @09:40PM (#5481707) Journal
    Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...

    Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...

    Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.
  • SAMBA protocol (Score:4, Insightful)

    by whereiswaldo (459052) on Monday March 10, 2003 @09:47PM (#5481742) Journal

    Just to be the devil's advocate (literally ;), isn't SAMBA just a protocol? Since Linux supports SAMBA, is it not just as vulnerable to this worm?

    And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.
  • by NetJunkie (56134) <jason@nash.gmail@com> on Monday March 10, 2003 @10:27PM (#5481929)
    These aren't default passwords. They are just bad passwords. Haven't we learned that wide open systems with bad passwords are not a good idea? I bet 90% of the exploited systems have blank passwords. Complex password requirements can be enabled.

    I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.

    It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.

    This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.
  • by Dunkalis (566394) <crichards@nospAM.gmx.net> on Monday March 10, 2003 @10:33PM (#5481964)
    It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.
  • by mark-t (151149) <markt@@@lynx...bc...ca> on Monday March 10, 2003 @10:38PM (#5481983) Journal
    I concur with the view that services that leave a system open should not be installed by the OS until it has a moderately secure password set up for access. It is even entirely feasible to do this with Windows:

    What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):

    "Warning, there are users for this system that have administrative privileges but have no password set. Before this service can be installed, please enter a password to use for administration purposes. This step exists to protect your computer from being accessed by unauthorized persons. A password should be at least 8 characters long, ideally should contain numbers as well as letters, and should not be a normal English word."

    The dialog presented here will have a [Cancel] button, which would cause the password setting subsystem to fail, and therefore the service would not be installed (with suitable diagnostic given such as "The service was not installed because no security password was set").

    Then, after entering the password, the password subsystem can do a rudimentary analysis of the password, checking its length, whether or not it contains letters/numbers, etc. If it fails to measure up to what is determined to be a weak password, it pops up another dialog:

    "Warning, the password you have selected is considered weak because (insert detailed explanation here). Are you sure you want to use this password? [Yes] [No]" (The default option being "No"). If they click No, then they go back to the password selection.

    After the user has selected a password:

    "Please memorize or write this password down and keep it in a safe place. It is highly recommended that you do not leave the password anywhere that it could be easily discovered by an unauthorized person. This password is now set for the following users: [list of users on the system with admin privileges and no prior password set]. The user(s) can change their password at any time after logging in from the Control Panel 'Users and Passwords' tool. [OK]"

    The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.

    Of course, then what would the Linux and BSD zealots have left to bitch about?
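
A password-policy check that combines the rules proposed in this thread (mark-t's 8-character/letters-and-digits/not-a-dictionary-word rules, the "based on your username" test from oliverthered's Linux output, ObviousGuy's "capitalised word plus 1" pattern, and a reject list drawn from the F-Secure passwords mumkin quotes), written for this page as an added example and not code from the story or any poster. The two word sets are constructed subsets so it runs stand-alone, and `audit_accounts` is a hypothetical helper:

```python
"""Password-policy check in the spirit of the thread.

Added example, not code from the story or from any poster. It combines the
checks commenters describe: reject passwords on the worm's list (the
F-Secure list mumkin quotes), the "based on your username" test from
oliverthered's Linux output, the "capitalised word plus 1" pattern
ObviousGuy warns about, and mark-t's proposed rules (8+ characters,
letters and numbers, not a normal English word). The two word sets below
are constructed subsets so the script runs stand-alone.
"""
import re

# Constructed subset of the password list quoted from F-Secure above.
WORM_PASSWORDS = {
    "", "admin", "Admin", "password", "Password", "1", "12", "123", "1234",
    "12345", "123456", "1234567", "12345678", "123456789", "pass", "passwd",
    "root", "god", "sex", "love", "secret", "test", "test123", "temp",
    "administrator", "pat", "patrick", "xp", "2002", "2003", "qwer", "asdf",
}

# Constructed stand-in for a dictionary of "normal English words".
ENGLISH_WORDS = {
    "password", "secret", "love", "home", "computer", "server", "internet",
    "owner", "login", "welcome", "summer", "dragon", "monkey", "student",
}

# One alphabetic word with optional digits/symbols around it, e.g.
# "Password1" or "!secret23": the decoration is stripped before the
# dictionary test so the usual trick of appending a "1" does not help.
_ONE_WORD = re.compile(r"^[^a-zA-Z]*([a-zA-Z]+)[^a-zA-Z]*$")


def base_word(password):
    """Return the alphabetic core of a decorated word ("Password1" ->
    "password"), or None if the password is not a single word."""
    match = _ONE_WORD.match(password)
    return match.group(1).lower() if match else None


def check_password(password, username=None):
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if password in WORM_PASSWORDS:
        reasons.append("appears in the worm's password list")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        reasons.append("contains no letters")
    if not any(c.isdigit() for c in password):
        reasons.append("contains no digits")
    if base_word(password) in ENGLISH_WORDS:
        reasons.append("is a normal English word, possibly capitalised "
                       "or with digits or symbols tacked on")
    if username and username.lower() in password.lower():
        reasons.append("is based on the username")
    return reasons


def audit_accounts(accounts):
    """Map {username: password} to {username: reasons} for weak accounts.
    The input is a constructed lab sample; an administrator could feed the
    result to an account-disable step, as afidel describes."""
    weak = {}
    for user, password in accounts.items():
        reasons = check_password(password, user)
        if reasons:
            weak[user] = reasons
    return weak


if __name__ == "__main__":
    # Constructed sample accounts (the school "student/student" case from
    # MattCohn.com's comment, and a blank Administrator password).
    sample = {"student": "student", "Administrator": "",
              "oliver": "Oliver1", "pat": "Tr0ub4dor&3"}
    for user, reasons in audit_accounts(sample).items():
        print(f"{user}: " + "; ".join(reasons))
```

Run against a real account list, the reasons column is what you would put in afidel's "note as to why" when disabling an account.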

  • by Deathlizard (115856) on Monday March 10, 2003 @10:58PM (#5482060) Homepage Journal
    "disables network sharing."

    Thank you god. Now all it has to do is infect our network and all those open Sharedocs shares that WinXP automatically creates that are full of Nimda are history. Although the PC would most likely be history too.

    Either way nimda would be off the network :)
  • by bigberk (547360) <bigberk@users.pc9.org> on Monday March 10, 2003 @11:04PM (#5482088)
    It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.

    I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.

    In either case, to see how our Internet is currently faring check out the Internet Storm Center [incidents.org]. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm [nai.com].
  • Weak XP (Score:5, Interesting)

    by Brat Food (9397) on Tuesday March 11, 2003 @02:11AM (#5482786) Homepage
    There's something that IS Microsoft's fault that will let this worm wreak havoc. When you install WinXP Home, and I believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed easily (I've seen too many boxes w/o one to think it's just a random thing).

    That's right. Usually all it takes to break in to a winXP box is to hit ctrl+alt+del x 2 and you're back to the normal winNT login. Then type in Administrator, no password, and unless this person knows anything about windows, and often that's not enough, you're in.

    Add to that that all accounts made are Administrator by default, and DON'T need passwords.

    What REALLY hurts windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CAN'T change it on a per user basis.

    Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a winXP box in non-admin mode is almost worthless, because SO many programs require admin access rendering it a pain in the ass.

    While in the article, the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sys admin perspective, windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will among other things, make sure your system is tight and passworded.

    They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.

    To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.

    The windows box will have every spyware app on it, stuff deleted, etc, etc.

    OH, Xupiter just installed itself again, i have to go...

  • by ardu (27147) on Tuesday March 11, 2003 @04:46AM (#5483120) Homepage
    since the worm doesn't try the most common password: ******
  • A bit more detail (Score:4, Informative)

    by Black Copter Control (464012) <samuel-local@nOSpAm.bcgreen.com> on Tuesday March 11, 2003 @10:05AM (#5483867) Homepage Journal
    Central Command [centralcommand.com] (also known as the Vexira Anti-Virus people) have a good bit more detail -- including a password list. If historical data is any indication, I'd expect about a 10-20% hit ratio just with the password 'password' (and simple variants thereof).
