Apparently you were on to something. Check out the CERT bulletin below:
Jason
-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares
Original release date: March 11, 2003
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Microsoft Windows 2000
* Microsoft Windows XP
Overview
In recent weeks, the CERT/CC has observed an increase in the number
of
reports of systems running Windows 2000 and XP compromised due
to
poorly protected file shares.
I. Description
Over the past few weeks, the CERT/CC has received an increasing
number
of reports of intruder activity involving the exploitation of
Null
(i.e., non-existent) or weak Administrator passwords on Server
Message
Block (SMB) file shares used on systems running Windows 2000
or
Windows XP. This activity has resulted in the successful compromise
of
thousands of systems, with home broadband users' systems being a
prime
target. Recent examples of such activity are the attack tools known
as
W32/Deloder, GT-bot, sdbot, and W32/Slackor, which are described
in
more detail below.
Background
Microsoft Windows uses the SMB protocol to share files and
printer
resources with other computers. In older versions of Windows
(e.g.,
95, 98, Me, and NT), SMB shares ran on NetBIOS over TCP/IP (NBT)
on
ports 137/tcp and udp, 138/udp, and 139/tcp. However, in
later
versions of Windows (e.g., 2000 and XP), it is possible to run
SMB
directly over TCP/IP on port 445/tcp.
Windows file shares with poorly chosen or Null passwords have been
a
recurring security risk for both corporate networks and home users
for
some time:
* IN-2002-06: W32/Lioten Malicious Code
* CA-2001-20: Continuing Threats to Home Users
* IN-2000-02: Exploitation of Unprotected Windows Networking Shares
* IN-2000-03: 911 Worm
It has often been the case that these poorly configured shares
were
exposed to the Internet. Intruders have been able to leverage
poorly
protected Windows shares by exploiting weak or Null passwords
to
access user-created and default administrative shares. This problem
is
exacerbated by another relevant trend: intruders
specifically
targeting Internet address ranges known to contain a high density
of
weakly protected systems. As described in CA-2001-20, the
intruders'
efforts commonly focus on addresses known to be used by home
broadband
connections.
Recent developments
The CERT/CC has recently received a number of reports of
exploitation
of Null or weak Administrator passwords on systems running
Windows
2000 or Windows XP. Thousands of systems have been compromised in
this
manner.
Although the tools involved in these reports vary, they exhibit
a
number of common traits, including
* scanning for systems listening on 445/tcp (frequently within
the
same /16 network as the infected host)
* exploiting Null or weak passwords to gain access to
the
Administrator account
* opening backdoors for remote access
* connecting back to Internet Relay Chat (IRC) servers to
await
additional commands from attackers
* installing or supporting tools for use in
distributed
denial-of-service (DDoS) attacks
Some of the tools reported have self-propagating (i.e.,
worm)
capabilities, while others are propagated via social
engineering
techniques similar to those described in IN-2002-03:
Social
Engineering Attacks via IRC and Instant Messaging.
The network scanning associated with this activity is widespread
but
appears to be especially concentrated in address ranges
commonly
associated with home broadband users. Using these techniques,
many
attackers have built sizable networks of DDoS agents, each
comprised
of thousands of compromised systems.
W32/Deloder
The self-propagating W32/Deloder malicious code is an example of
the
intruder activity described above. It begins by scanning the
/16
(i.e., addresses with the same first two high-order octets) of
the
infected host for systems listening on 445/tcp. When a connection
is
established, W32/Deloder attempts to compromise the
Administrator
account by using a list of pre-loaded passwords. Variants may
include
different or additional passwords, but reports to the CERT/CC
indicate
that the following have appeared thus far:
[NULL] 0 000000 00000000 007 1 110 111 111111 11111111
12
121212 123 123123 1234 12345 123456 1234567 12345678
123456789
1234qwer 123abc 123asd 123qwe 2002 2003 2600 54321
654321
88888888 Admin Internet Login Password a aaa abc abc123
abcd
admin admin123 administrator alpha asdf computer
database
enable foobar god godblessyou home ihavenopass login
love
mypass mypass123 mypc mypc123 oracle owner pass passwd
password
pat patrick pc pw pw123 pwd qwer root secret server sex
super
sybase temp temp123 test test123 win xp
xxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yxcv zxcv
On successful compromise of the Administrator account,
W32/Deloder
copies itself to the victim, placing multiple copies in
various
locations on the system. Additionally, it adds a registry key
that
will cause the automatic execution of dvldr32.exe (one of
the
aforementioned copies). The victim will begin scanning for
other
systems to infect after it is restarted.
W32/Deloder opens up backdoors on the victim system to allow
attackers
further access. It does this in two ways:
1. attempting to connect to one of a number of pre-configured
IRC
servers
2. installing a copy of VNC (Virtual Network Computing),
an
open-source remote display tool from AT&T, listening on
5800/tcp
or 5900/tcp
Note: VNC in and of itself is not a malicious tool, and has many
other
legitimate uses.
During the course of infection by W32/Deloder, a number of files
may
be created on the system. Reports indicate that files matching
the
following descriptions have been found on compromised systems:
Filename
File Size (bytes)
Description
dvldr32.exe
745,984
The self-propagating malicious code
inst.exe
684,562
This file installs the backdoor applications onto the victim host
psexec.exe
36,352
A copy of the Remote Process Launch application (not inherently
malicious, but it is what allows the worm to replicate)
explorer.exe
212,992
A renamed copy of the VNC application
omnithread_rt.dll
57,344
VNC dependency file
VNCHooks.dll
32,768
VNC dependency file
rundll32.exe
29,336
The IRC-Pitchfork bot application
cygwin1.dll
944,968
IRC-Pitschfork dependency file
GT-bot and sdbot
Intruders frequently use IRC "bots" (automated software that
accepts
commands via IRC channels) to remotely control compromised
systems.
GT-bot and sdbot are two examples of intruder-developed IRC bots.
Both
support automated scanning and exploitation of inadequately
protected
Windows shares. These tools also offer intruders a variety of
DDoS
capabilities, including the ability to generate ICMP, UDP, or
TCP
traffic.
Tools like these are undergoing constant development in the
intruder
community and are frequently included as part of other tools. As
a
result, the names, sizes, and other characteristics of the files
that
might contain these tools vary widely. Furthermore, once
installed,
the tools are designed to hide themselves fairly well, so
detection
may be difficult.
The CERT/CC has received reports of sdbot networks as large as
7,000
systems, and GT-bot networks in excess of 140,000 systems.
W32/Slackor
The W32/Slackor worm is another example of a tool that targets
file
shares. On a compromised machine, the worm begins by scanning the
/16
of the infected host for other systems listening on 445/tcp. When
a
system is discovered, W32/Slackor connects to the $IPC share using
a
set of pre-programmed usernames and passwords, copies itself to
the
C:\sp directory, and runs its payload. The payload consists of
the
following files:
Filename
Description
slacke-worm.exe
The self-propagating malicious code
abc.bat
List of usernames/passwords
psexec.exe
A copy of the Remote Process Launch application (from
sysinternals.com,
used for replicating the worm)
main.exe
The bot application
W32/Slackor also contains an IRC bot. When this bot joins its
IRC
network, a remote intruder controlling the IRC channel can
issue
arbitrary commands on the compromised computer, including
launching
denial-of-service attacks.
Network footprint
Widespread scanning for 445/tcp indicates activity of this
type.
Compromised hosts may also have unauthorized connections to
IRC
servers (typically on 6667/tcp, although ports may
vary).
Additionally, the VNC package installed by W32/Deloder will
typically
listen on 5800/tcp or 5900/tcp. If a compromised system is used in
a
DDoS attack on another site, large volumes of IP traffic (ICMP,
UDP,
or TCP) may be detected emanating from the compromised system.
II. Impact
The presence of any of these tools on a system indicates that
the
Administrator password has likely been compromised, and the
entire
system is therefore suspect. With this level of access, intruders may
* exercise remote control
* expose confidential data
* install other malicious software
* change files
* delete files
* launch attacks against other sites
The scanning activities of these tools may generate high volumes
of
445/tcp traffic. As a result, some Internet-connected hosts
or
networks with compromised hosts may experience performance
issues
(including denial-of-service conditions).
Sites targeted by the DDoS agents installed by this activity
may
experience unusually heavy traffic volumes or high packet
rates,
resulting in degradation of services or loss of
connectivity
altogether.
III. Solution
In addition to following the steps outlined in this section,
the
CERT/CC encourages home users to review the "Home Network
Security"
and "Home Computer Security" documents.
Disable or secure file shares
Best practice dictates a policy of least privilege; if a
given
computer is not intended to be a server (i.e., share files
with
others), "File and Printer Sharing for Microsoft Networks" should
be
disabled.
For computers that export shares, ensure that user authentication
is
required and that each account has a well-chosen
password.
Furthermore, consider using a firewall to control which computer
can
access these shares.
By default, Windows NT, 2000, and XP create certain hidden
and
administrative shares. See the HOW TO: Create and Delete Hidden
or
Administrative Shares on Client Computers for further guidelines
on
managing these shares.
Use strong passwords
The various tools described above exploit the use of weak or
Null
passwords in order to propagate, so using strong passwords can
help
keep them from infecting your systems.
Microsoft has posted a "Create Strong Passwords" checklist.
Run and maintain an anti-virus product
The malicious code being distributed in these attacks is
under
continuous development by intruders, but most anti-virus
software
vendors release frequently updated information, tools, or
virus
databases to help detect and recover from the malicious code
involved
in this activity. Therefore, it is important that users keep
their
anti-virus software up to date. The CERT/CC maintains a partial
list
of anti-virus vendors.
Many anti-virus packages support automatic updates of
virus
definitions. The CERT/CC recommends using these automatic updates
when
available.
Do not run programs of unknown origin
Never download, install, or run a program unless you know it to
be
authored by a person or company that you trust. Users of IRC,
Instant
Messaging (IM), and file-sharing services should be particularly
wary
of following links or running software sent to them by other users,
as
this is a commonly used method among intruders attempting to
build
networks of DDoS agents.
Deploy a firewall
The CERT/CC also recommends using a firewall product, such as
a
network appliance or a personal firewall software package. In
some
situations, these products may be able to alert users to the fact
that
their machine has been compromised. Furthermore, they have the
ability
to block intruders from accessing backdoors over the network.
However,
no firewall can detect or stop all attacks, so it is important
to
continue to follow safe computing practices.
Ingress/egress filtering
Ingress filtering manages the flow of traffic as it enters a
network
under your administrative control. In the network usage policy of
many
sites, external hosts are only permitted to initiate inbound
traffic
to machines that provide public services on specific ports.
Thus,
ingress filtering should be performed at the border to
prohibit
externally initiated inbound traffic to non-authorized services.
Egress filtering manages the flow of traffic as it leaves a
network
under your administrative control. There is typically limited need
for
internal systems to access SMB shares across the Internet.
In the case of the intruder activity described above,
blocking
connections to port 445/tcp from entering or leaving your
network
reduces the risk of external infected systems attacking hosts
inside
your network or vice-versa.
Recovering from a system compromise
If you believe a system under your administrative control has
been
compromised, please follow the steps outlined in
Steps for Recovering from a UNIX or NT System Compromise
IV. References
1. Trends in Denial of Service Attack
Technology:
http://www.cert.org/archive/pdf/DoS_trends.pdf
2. Managing the Threat of Denial-of-Service
Attacks:
http://www.cert.org/archive/pdf/Managing_DoS.pdf
3. IN-2002-06: W32/Lioten Malicious Code:
http://www.cert.org/incident_notes/IN-2002-06.html
4. CA-2001-20: Continuing Threats to Home
Users:
http://www.cert.org/advisories/CA-2001-20.html
5. IN-2000-02: Exploitation of Unprotected Windows Networking
Shares:
http://www.cert.org/incident_notes/IN-2000-02.html
6. IN-2000-03: 911 Worm:
http://www.cert.org/incident_notes/IN-2000-03.html
7. IN-2002-03: Social Engineering Attacks via IRC and
Instant
Messaging: http://www.cert.org/incident_notes/IN-2002-03.html
8. VNC (Virtual Network Computing):
http://www.uk.research.att.com/vnc/
9. Home Network Security:
http://www.cert.org/tech_tips/home_networks.html
10. Home Computer Security:
http://www.cert.org/homeusers/HomeComputerSecurity/
11. HOW TO: Create and Delete Hidden or Administrative Shares
on
Client Computers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd
=tech
12. Checklist: Create Strong Passwords:
http://www.microsoft.com/security/articles/password.asp
13. Anti-virus vendors:
http://www.cert.org/other_sources/viruses.html#VI
14. Steps for Recovering from a UNIX or NT System
Compromise:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Reporting
The CERT/CC is interested in receiving reports of this activity.
If
machines under your administrative control are compromised,
please
send mail to [EMAIL PROTECTED] with the following text included in
the
subject line: "[CERT#36888]".
_________________________________________________________________
Feedback can be directed to the authors: Allen Householder and
Roman
Danyliw
______________________________________________________________________
This document is available from:
http://www.cert.org/advisories/CA-2003-08.html
______________________________________________________________________
CERT/CC Contact Information
Email: [EMAIL PROTECTED]
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5)
/
EDT(GMT-4) Monday through Friday; they are on call for
emergencies
during other hours, on U.S. holidays, and on weekends.
Using encryption
We strongly urge you to encrypt sensitive information sent by
email.
Our public PGP key is available from
http://www.cert.org/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline for
more
information.
Getting security information
CERT publications and other security information are available
from
our web site
http://www.cert.org/
To subscribe to the CERT mailing list for advisories and
bulletins,
send email to [EMAIL PROTECTED] Please include in the body of
your
message
subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the
U.S.
Patent and Trademark Office.
______________________________________________________________________
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software
Engineering Institute is furnished on an "as is" basis.
Carnegie
Mellon University makes no warranties of any kind, either expressed
or
implied as to any matter including, but not limited to, warranty
of
fitness for a particular purpose or merchantability, exclusivity
or
results obtained from use of the material. Carnegie Mellon
University
does not make any warranty of any kind with respect to freedom
from
patent, trademark, or copyright infringement.
_________________________________________________________________
Conditions for use, disclaimers, and sponsorship information
Copyright 2003 Carnegie Mellon University.
Revision History
March 11, 2003: Initial release
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBPm5bd2jtSoHZUTs5AQGJkQQAskLQbGaPphIDbOdtvazUNJTuXroPQNyo
5Fw2RNeKkr3ECvmtuRRqDaDUyx1mziCDz8i655twWsY5k1Jexl+WICLlFvvf5jpA
bgJYskeEagBNAGlkvAZuI48tOtC/O3M01dTLzVmN083Tqn22ZXl/w5nHMVu4y81t
XqROPqun25M=
=hbFj
-----END PGP SIGNATURE-----
------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
