Here's the SARC description of Gaobot, at least what's pertinent to locked out accounts:
Probes administrative shares using the following username
and password combinations, as well as usernames found by using the
NetUserEnum() API.
Seems okay at first glance because it sounds like it uses a known uid/pwd
combination, which it does... however, the NetUserEnum call against a DC
will return all user objects (behavior we were seeing by the virus).
RestrictAnonymous=1 is supposed to stop the use of those calls... which it
appears to. This is great for anything that attempts to use that call.
This article on SecurityFocus talks at some length about it:
http://www.securityfocus.com/infocus/1352.
This Monday ought to be fun. Can't wait to see what broke... :-/
_____________________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, November 02, 2003 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RestrictAnonymous Settings
I haven't seen anything that locked out normal user accounts; I have seen
MUMU, which locked out local admin IDs. I would expect this new one you
describe is probably doing the same as well.
Our solution was to start smacking people using local admin IDs, because
they weren't supposed to be anyway; they were all supposed to use domain
accounts, and the only IDs that would be local IDs and admin on the machines
holding the IDs are the domain admins, which is my group and only affects
three people instead of thousands.
Note that disabling the anonymous enumeration on domain controllers can have
some interesting effects that you should watch for. For instance, if you want
to populate an ACL or group on a machine and you aren't logged into the
machine with a domain ID, it won't be able to directly enumerate users and
groups for the domain, and you can either be presented with an authentication
box to authenticate as a domain user or it may just fail outright.
joe
_____________________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Marcus Oh
Sent: Sunday, November 02, 2003 12:21 PM
To: [EMAIL PROTECTED]
This has been a long week. We finally made the RestrictAnonymous=1 setting
this weekend to combat what looked like "Gaobot" infections locking out
thousands of accounts. Gave the PDCe a good run for the money with all the
lock/unlock activity going on.
The odd thing is, shortly after we put the settings in place and bounced all
the domain controllers, it still happened. The bottom line being a twofold
situation. One, an infection of sdbot causing lockouts... the other we
discovered on a sniff of one of the DCs, showing a ridiculously high number of
packets originating from one machine. Finally in the clear for now...
Problem is, any script written to enumerate objects with a normal or logged-on
user account and attempt a dictionary list of passwords is going to cause
this same problem. Do any of you guys have lockout policies in place... and if
so... what steps have you taken to mitigate these lockout storms?
Thanks!
Marcus
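Marcus asks how people find and mitigate lockout storms, and the thread's own answer was a packet sniff of the DC. A quicker first cut is to triage the DC's lockout audit events by the machine that caused them. The script below is an added example, not code from this thread or from any tool it names. It assumes the "user account locked out" audit events (ID 644 on Windows 2000/2003, 4740 on later versions) have been exported to text as timestamp, event ID, locked-out account and caller computer name, the two fields that event carries; the sample records, machine names, account names and thresholds are constructed for illustration.

```python
"""Triage an account-lockout storm from exported lockout audit records.

Added example: the record layout, hostnames and thresholds are assumptions.
A caller that locks out many distinct accounts in a short window is a
password-guessing source (worm, or a careless dictionary script); a caller
that locks out the same account over and over is more likely a stale stored
credential (service, mapped drive) and needs a different fix.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp, event id, locked-out account, caller computer.
SAMPLE_EVENTS = """\
2003-11-01T22:14:03 644 CORP\\jsmith WS-0417
2003-11-01T22:14:03 644 CORP\\mjones WS-0417
2003-11-01T22:14:04 644 CORP\\rlee WS-0417
2003-11-01T22:14:04 644 CORP\\administrator WS-0417
2003-11-01T22:14:05 644 CORP\\pkumar WS-0417
2003-11-01T22:14:05 644 CORP\\tnguyen WS-0417
2003-11-01T22:31:17 644 CORP\\bchen FS-PRINT02
2003-11-01T22:45:50 644 CORP\\bchen FS-PRINT02
2003-11-01T23:02:11 644 CORP\\mjones LT-0093
"""


def parse_events(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, caller = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "caller": caller,
        })
    return events


def lockouts_by_caller(events):
    """Map caller computer -> set of distinct accounts it locked out."""
    by_caller = defaultdict(set)
    for e in events:
        by_caller[e["caller"]].add(e["account"])
    return dict(by_caller)


def find_storm_sources(events, min_distinct_accounts=5, window_seconds=60):
    """Callers that lock out >= N distinct accounts inside any sliding window.

    Returns {caller: max distinct accounts seen in one window}. The spread
    across many accounts is what separates enumeration-plus-guessing from a
    single stale credential.
    """
    per_caller = defaultdict(list)
    for e in events:
        per_caller[e["caller"]].append((e["time"], e["account"]))
    sources = {}
    for caller, recs in per_caller.items():
        recs.sort()
        best, start = 0, 0
        for end in range(len(recs)):
            while (recs[end][0] - recs[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({acct for _, acct in recs[start:end + 1]}))
        if best >= min_distinct_accounts:
            sources[caller] = best
    return sources


def stale_credential_suspects(events, min_repeats=2):
    """(caller, account) pairs where one caller keeps locking out one account."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["caller"], e["account"])] += 1
    by_caller = lockouts_by_caller(events)
    return {pair: n for pair, n in counts.items()
            if n >= min_repeats and len(by_caller[pair[0]]) == 1}


def privileged_targets(events, names=("administrator",)):
    """Callers that locked out an account whose name looks privileged (assumed list)."""
    hits = defaultdict(set)
    for e in events:
        short = e["account"].split("\\")[-1].lower()
        if short in names:
            hits[e["caller"]].add(e["account"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("storm sources:", find_storm_sources(evs))
    print("stale credential suspects:", stale_credential_suspects(evs))
    print("privileged accounts hit:", privileged_targets(evs))
```

On the constructed data WS-0417 is the storm source (six distinct accounts in two seconds, including an admin account), FS-PRINT02 is a stale-credential suspect, and LT-0093 is a single lockout that needs no action. The point of splitting the two cases is that isolating WS-0417 stops the storm, whereas FS-PRINT02 needs its stored password corrected; raising the lockout threshold would mask both.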
