New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

What were those commons passwords in Hackers?

[Eese]

I bet they just made a program that tried, "Love, sex, and god".

Re:What were those commons passwords in Hackers?

[MadocGwyn]

There was another one, but I can't tell you waht it is, its a secret.

Re:What were those commons passwords in Hackers?

[ackthpt]

Thank goodness it didn't include 'cowboyneal4ever', since I use that for everything and it has never let me down for security purposes.

Re:What were those commons passwords in Hackers?

[bmorris]

crap, now I have to change the password on my suitcase.

Re:What were those commons passwords in Hackers?

[carpe_noctem]

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Shit, I should go change my root password now.

Re:What were those commons passwords in Hackers?

[galaxy300]

I'm surprised that ****** isn't in the list. That's my password for just about everything. As a matter of fact, I've noticed that it's just about everyone's password!!!

Re:What were those commons passwords in Hackers?

[JDWTopGuy]

Just logged in to your account. Boy, your karma is in the toilet!

Re:What were those commons passwords in Hackers?

[ackthpt]

Just logged in to your account. Boy, your karma is in the toilet!

It's all those redundant or offtopic spelling and grammar corrections of CmdrTaco. It's a tough job, but someone's got to do it.

Re:What were those commons passwords in Hackers?

[3ryon]

these are the passwords it tries : [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin...

Whew! For a second there I thought it was trying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Re:What were those commons passwords in Hackers?

[_xeno_]

Who'd be foolish enough to use ****** as a password? I use ********!

Re:What were those commons passwords in Hackers?

[LoztInSpace]

[the user's username backwards]. Heh heh. Reminds me of a friend telling someone to use this. Bad advice aside, imagine him saying this as he simultaneously realises that the user's name is Lana.

Re:What were those commons passwords in Hackers?

[jtdubs]

Or worse: Bob.

Re:What were those commons passwords in Hackers?

[Enigma2175]

I don't store plaintext passwords, so I just guessed the top 2, which are:

53: 123456
21: password

keep in mind we require a >= 6 char password. We only have about 4,000 users.

After reading your post, I thought I would try a few myself. Sure it's a small sample, although probably not statistically valid it certainly adds to the anecdotal evidence

mysql> select count(*) from auth;

count(*)
873
Total Users

mysql> select count(*) from auth where password = md5(username);

count(*)
90
username same as password

mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.fname);

count(a.username)

44
password is first name

mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.lname);

count(a.username)
24
Password is last name

mysql> select count(*) from auth where password = md5('password');

count(*)
10
hmmm, only 10 users with a password of password

Some more ....
mysql> select count(*) from auth where password = md5('12345');

count(*)
10

I've got to put some text here to break up the queries, hopefully it will help out a little bit. Does anyone who has read through the slashcode know what criteria is used for the lameness filter? Is is the ratio of junk characters to nonjunk characters or is there something else to it?

It seems like it causes problems.

mysql> select count(*) from auth where password = md5('1234');

count(*)
2

Now I suppose I must do a very lengthy conclusion because the lame /. lameness filter. It seems as if many of my users use passwords that are inherently insecure. There are a few I could check for, but it would involve coding time and these days management doesn't look to kindly upon code that doesn't make money. I doubt I have enough to get through the filter, but I'll give it a shot. OK, now I have had to strip several of the server responses of dashes, hopefully this time 8crosses fingers8

Jesus, what a fucking pain in the ass. Is it really that painful to the community to have a few ASCII porn pics posted? Damn I hate to have to go through this huge fucking ordeal just to post a simple fucking comment. How about a goddamn lameness filter exemption for people with excellent karma? How many ASCII goatse.cx picxtures have you seen posted with a plus 1 bonus?

It still will not post. I have stripped just about every nonletter from my post and it still will not fucking go up. what next do i need to strip the punctuation and caps so that i can get more non motherfucking bullshit junk characters in my post i guess it just goes back to the saying often quoted on slashdot i will paraphrase those who give up essential posting liberties for a little temporary safety from goatsex deserve goatsex twentyfour seven i wonder if it has ever occured to the nitwits that run this site that people might actually want to post something that is meaningful to the conversation that is not plain old text sometimes it makes things much more readable if you have some formatting and punctuation in there to break things up a bit gee its news for nerds cant these guys forsee that some geeks are going to want to post code and other things that may have more punctuation and special characters than your standard text

motherfuckers

Re:What were those commons passwords in Hackers?

120 baseball
118 2112
116 letmein
Lol. I love to see that the RUSH geeks represent. -geddy (no, really)

Re:What were those commons passwords in Hackers?

[boots@work]

Nice post, though I can't understand what you think you're doing with hard data on Slashdot. :-)

I was standing by one of the Kodak scanning stations... BTW, there are all kinds of interesting options to set on those machines. :)

What, like force_image=goatse.jpg ?

Re:What were those commons passwords in Hackers?

[JWSmythe]

Hehehee... It didn't have internet access, or I would have.. But the Internet Kiosks at CompUSA have a mysterious habit of getting their home pages changed. :)

I wish I could do something with those refrigerators with the touch screen WinCE/XP thing to do anything.. Every time I touch one it crashes, so I don't even know if they have connectivity.

Ahhhh, the perfect diet.. Every time you go to the fridge, you see ... well, I'll not be descriptive.. I don't think I'd ever be able to eat again. :)

Re:What were those commons passwords in Hackers?

[fucksl4shd0t]

the list does include love, sex, god, and secret.

That, of course, is because they are all frequently confused with one another, and none of them truly exist.

Re:What were those commons passwords in Hackers?

[MegaFur]

It reminds me of INTERCAL. In that joke programming language, approximately 33% of the lines have to say 'PLEASE'. If not enough lines say 'PLEASE', the compiler will say that you are rude and will refuse to compile your program. If too many lines say 'PLEASE', the compiler will accuse you of being overly polite. (It won't compile then either.)

Re:What were those commons passwords in Hackers?

[Placido]

>> They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts.. :(

Yeah. Those bugs that only occur sporadically are the hardest to debug.

Re:What were those commons passwords in Hackers?

[buswolley]

did yo just give a away the password to one of your 312 uers? That wasn't very nice of you

A cold day in...

[asparagus]

...for once a security problem that isn't really Microsoft's fault...

Taco: Hell just called. They want you turn back on the heat.

ACK!!!

[revery]

for once a security problem that isn't really Microsoft's fault.

What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...

Who are you and what have you done with the slashdot editors?!?

--

Dilbert - "If aliens take over your boss's body, is that a bad thing?"
Wally - "It depends on the aliens"

Phew! I'm safe!

[callipygian-showsyst]

I didn't see my password:

xyzzy

on the list of passwords it tries. Guess I don't have to worry about this one.

Ack! It's the Rapture!

[Guppy06]

This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

Dammit, I knew I should have built that bomb shelter...

Re:I wonder if that is why my router is not happy

[myowntrueself]

Let me guess, UDP port 137 is producing lots and lots of logged events?

Thats normal. There are two solutions;

1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.

Or

2. Stop logging UDP port 137.

Re:Microsoft's fault?

Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault.

Re:Dictionary attack + 1

[myowntrueself]

"Perhaps the best solution would be biometrics?"

Maybe. If implemented by a security guard with a pair of calipers that he measures your skull with every time you want to log on, then he logs on for you and if your skull doesn't match the numbers on his clipboard he shoots you.

WRONG!

[dotgod]

Sorry, but "administrator" can't be one of the passwords the worm tries because I use that for the password on my box and everyt

NO CARRIER

Re:WRONG!

[IIRCAFAIKIANAL]

Those no carrier jokes always remind me of Monty Python and the Holy Grail...

<dream sequence>
ARTHUR:
What does it say?
MAYNARD:
It reads, 'Here may be found the last words of Joseph of Arimathea. He who is valiant and pure of spirit may find the Holy Grail in the Castle of aaarrrrggh'.
ARTHUR:
What?
MAYNARD:
'...The Castle of aaarrrrggh'.
BEDEVERE:
What is that?
MAYNARD:
He must have died while carving it.
LAUNCELOT:
Oh, come on!
MAYNARD:
Well, that's what it says.
ARTHUR:
Look, if he was dying, he wouldn't bother to carve 'aarrggh'. He'd just say it!
MAYNARD:
Well, that's what's carved in the rock!
GALAHAD:
Perhaps he was dictating.
ARTHUR:
Oh, shut up. Well, does it say anything else?
MAYNARD:
No. Just 'aaarrrrggh'.
LAUNCELOT:
Aaaauugggh.
ARTHUR:
A arrrggh.
</dream sequence>

No, that's just stupid. Too bad I hit submit already...

love of the Irish.

[Erris]

The pat / patrick is rather weird, eh? only name in the list

Happy Saint Patrick's day!

Re:love of the Irish.

[Theaetetus]

The pat / patrick is rather weird, eh? only name in the list

Hey! My son Temp123 would take offense at that!

-T

Re:love of the Irish.

[Jerf]

"Son, it's time we had that special man-to-man talk about where babies come from. See, your mom and I tried to, uhhh, 'swap location', and everybody knows that to swap two variables, you need a temporary variable*. Well, you're that temporary variable. You just better hope you don't go out of scope soon..."

(*: True in the general case, since the XOR trick only works in certain circumstances.)

Re:love of the Irish.

the XOR trick only works in certain circumstances

What, like when your data isn't a string of bits? When was the last time that happened?

In any case, that sounds like a pretty nasty threesome.

I can see the headlines now:

[masteroveride]

A worm that isn't Microsoft's problem!?!? Next thing you know you'll hear about airliners falling out of the sky due to flying pigs...

Re:Microsoft's fault?

[ahaning]

For example, make it really clear to users enabling file sharing that people can and will try to break in if they connect to the Internet, so strong passwords or other security means are really necessary.

It's a good thought, but consider this:

You should be warned that ena*click*

Are you sure that you want*click*

Sweet. My files are shared.

well...maybe...but

[BurKaZoiD]

Is the one left open by an Admin who has no business being an Admin....

For 99.997% (Manhattan Project, anyone?) of the cases, I'd agree wholeheartedly. The rest of them, like our Network Admin where I work, are under the thumb of some stupid BEEYOTCH of an IT Director who wants to continue to use the same passwords used by the old Network Administrator (who was shitcanned by her), and refuses to allow the new guy to set newer, more secure passwords. And believe me, it's not a matter of people just not getting along. For Pete's sake, she's even yelled at me for encrypting DSN strings and sticking them in the registry of the server, instead of plopping them in a text file like everyone else, open to the world. And she totally f*cking flipped (when she read the documentation I wrote about the procedure) upon hitting the section that described how every time the DSN was accessed, read, edited, or yelled at sternly the code modified and scrambled it with a new, different algorithm. She described it as "unsafe, and taking things to an extreme that was unnecessary". She also said made some asinine comment about how we would never be able to recover the passwords if the code were ever lost, to which I recall thinking "Well first, that's job security for me, second, don't forget your goddamn passwords, and third, that's what sa access is for, you dumb bitch."

Yep, this type of commentary coming from someone who not only has no business being an IT Director, but swears on a stack of bibles she can reverse engineer MD5 in her head (we have another application that uses MD5 to hash passwords, she simply recognizes the default password hash).

I swear to God I'm not making this shit up. I wish the nasty bitch would stick to pushing pencils and leave the real work to those of us who know.

Re:SAMBA protocol

[Unregistered]

Yea, but copy C:\Windows\Tempor~1\Work.exe C:\Windows\StartMenu\Programs\Startup dosn't work too well on linux.

disables network sharing.

[Deathlizard]

"disables network sharing."

Thank you god. Now all it has to do is infect our network and all those open Sharedocs shares that WinXP automaticially creates that are full of Nimda are history. Although the PC would most likely be history too.

Either way nimda would be off the network :)

Yeah, but...

[jrwillis]

Is that case sensitive?

Re:Yeah, but...

[_xeno_]

Yeah, I just checked. 88888888 won't work.

Re:not in there?

[tuba_dude]

interesting system. I take a bag of marbles and throw it at my keyboard until I get 8-12 characters and go from there.

Re:Microsoft's fault?

[Herkum01]

The fact that your aunt has breast cancer is Microsoft's fault.

THAT is what I have been telling everyone! Of course they don't believe me, and that is Microsoft's fault too!

DAMN YOU MICROSOFT

Problem with my own machine. Mozilla into my HD!

[BlackListedCard]

Shit... Tried in Mozilla the "file://IPofanattacker/ Guess what... My own hard drive directory structure is sitting in front of me. I'm running linux and everything is fuck'n rock solid tight. All IP ports turned off. Can anyone else duplicate this. Just enter any IP address into file://(right here). Mozilla defaults to the hard drive of the actual machine it's running on????!!!! Something which I do not like....

who's on first?

[djupedal]

"What's your password?" "It's random." "Great, glad you use a smart strategy, now tell me what it is, please." "I told you, it's 'random'" "How can it be random...you have to decide it when you rotate, and of course it's picked at random...so, anyhow, tell me what it is right now... " " it's random....I just told you!!!"

Re:who's on first?

[JWSmythe]

BOFH: Hold on one second sir.. [click][click][click]. What was your username again?

lUSER: BOB! MY USERNAME IS BOB! WHAT'S MY PASSWORD.

BOFH: "no", Bob.. But I'm looking further into this, and it seems you may have a problem.

lUSER: Ya? What kind of problem? Everything was fine til you changed my password.

BOFH: Did you have any files in your directory?

lUSER: I just finished the annual fiscal reports!.

BOFH: [click][click][click].. Hmmmm, I don't see anything here.

lUSER: WHAT!!!!!!!!

BOFH: Hold on, lets look at the backups...

lUSER: Thank god..

BOFH: PFY, you made backups right?

PFY: there's right here in the tape degausser.

BOFH: Bob, I'm sorry, it seems there was a terrible accident with the backups..

[degausser mysteriously turns on]

lUSER: What about my Email, is it safe?

[lightbulb appears over BOFH's head]

BOFH: Lets have a look, shall we? [click][click][click] So, you've been writing to the bosses wife an awful lot.. Hmmm

lUSER: Ya, we're old friends.

BOFH: Are these nudes of her? Close friends, aren't you?

lUSER: BUT! No! Don't look at those!

PFY (whispers to BOFH): what if......

[click][click][click][click] No problem, I've removed all those nasty pictures from your box.

BOFH hangs up the phone, un plugs it from the wall, and gracefully sets it on top of the bookshelf where it won't be in the way.

"Where did you send the pics?", PFY asks...

"From: Mr. Luser
To: Bosses Wife
Bcc: to the boss, the boss's mother-in-law, luser's wife, and of course a copy in our files.", BOFH cites.

"Have we arranged for our monthly raises yet? I think it's about time. Lets check accountings database, and see how much Mr. Luser was earning us."

----

I'd love to be a BOFH writer.. But until then, I live the part in real life. :) Sometimes they're just too quick. A simple electrocution? or Halon accident just aren't as much fun as they *COULD* be having.

Just imagine the fun a BOFH could have with say an ex-girlfriend's new boyfriend, an ounce of cocaine (mixed in with 5 pounds of filler), superglue, epoxy, and a few "anonymous" phone calls to his boss, neighbors, and the police, all while being the nicest guy in the world to him too..

I've just never had a good outlet for my stories.. :) Nothing feels better than a well orchestrated revenge.

Re:who's on first?

[JWSmythe]

I tell them I use the same one for everything. My suitcase, my ATM pin, and my private vault at home. It's easy. 1234 . Just don't give it out to anyone. :)

Now, if they were smart, they'd know I have a cheap suitcase, 'cause they don't pay me enough to have good luggage to go anywhere with. I've been using the same olive drab duffle bag for the past 12 years, and it doesn't have a lock. As for the vault at home, all I have to hide in it is my clean socks, and right now I only have one pair of those. :)

Re:who's on first?

[Scumbag+Tracker]

To avoid being hacked, I set my password to "pi". Only problem is, now it takes me forever to log on in the morning. :-/

Re:who's on first?

[KshGoddess]

Reminds me of one user I had (actually an entire group), at a place where users created their own root password for their desktop.

Me: What's your root password?
User: what.
Me: The password for the root user, the superuser.
User: what.
Me: Look, I can't get into your desktop to fix [problem] without the root password.
User: No, no, it's w-h-a-t.

My favorite was the applications person, who after being lectured for having a crackable password (daisy1) showed up the next time around with... daisy2. *grr* This was someone who had full control to a rather important application's internals. Sigh.

Re:Ack! It's the Rapture!

[Enigma2175]

This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

Along with that, this post observes that Taco posted a story about a worm that did not contain a snide comment about Microsoft.

It's very clear to me now, obviously the /. editors have been replaced with the cyborgs that live among us. I for one, welcome our new android overlords. As a trusted /. personality, I can be helpful in rounding up others to toil in thier underground sugar caves.

Luckily the world is safe...

[ardu]

since the worm doesn't try the most common password: ******

Re:not in there?

[Surak]

xyzzy

Nothing happens.