New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

Microsoft's fault?

[thriver]

Please tell me why isn't it Microsoft's fault? Shouldn't the service be turned off by default and when it is turned on, FORCE the user to set a proper password?

Re:Microsoft's fault?

[Anonvmous+Coward]

"Please tell me why isn't it Microsoft's fault? "

Please tell me how it's MS's fault that people pick easy to guess passwords?

Re:Microsoft's fault?

[Spy+Hunter]

It's MS's fault if people often pick easy to guess passwords and they didn't plan for that when they built Windows. It's a user-interface sort of issue. If you don't anticipate what your users are going to do, you're partly to blame for the resulting problems. Windows should ship with a list of common passwords and a checker that makes sure the password isn't common, in the dictionary, or weak for various other reasons. Most UNIX systems have this built into the password changing mechanism. Also, Windows should NEVER EVER allow a blank admin password.

Re:Microsoft's fault?

[pVoid]

Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default

The shares you talk about, you moron, are administrative shares... If your admin password is 123, you might as well pack your stuff and become a lumberjack or something.

Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

Same as above, go you lumberjack... GO NOW!

Re:Microsoft's fault?

[m_pll]

No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user.

I'd say it was a design goal for XP Home... Try explaining to a typical home user why half of his games don't work if he's not an administrator.

Re:Microsoft's fault?

[JWSmythe]

Aw, it's not always Microsoft's fault.. If it isn't, we can blame the stupid users for using easy passwords. I work with Point Of Sale systems occasionally (when people ask for help), and find stupid stupid stupid passwords there. Store ID's (like as printed on your receipt), the owner's name, or just "password".. Like, they want to make it easy for the stereotypical TV hacker to get in or something.. The best one that usually gets me stuck is just hitting [enter]. I usually start off with the assumption that they used *SOMETHING* as a password. Sometimes they don't.. "It's too hard for the staff to remember."

Hey buddy, it's your security. If I come in when your cashier is on a smoke break and no one is looking, I'll just hit enter, cash out, and leave.. No problems here.

I usually go into a 15 minute speech on how secure passwords are important, and how they must mix upper and lower case letters with numbers and characters, so as to *NOT* make dictionary words. "Password" doesn't count, duh. I've gone back to the same stores months later, and tried the old password, and it worked.. I don't even have to ask for access to their system, I just get in and start fixing for them..

Good thing I'm a good guy.. I could just log in as their admin user, ring up a no-sale on all the registers, and leave.. I could even mark their logs that *THEY* cashed out all the drawers like they closed the day.. {sigh}

We can't blame Microsoft for making their customers stupid. Its just like blaming AOL for making their customers stupid. They didn't. They marketed to stupid people who would buy anything.

I don't even want to hear one word back from an AOL person on WinXP using MSIE.. You're their sucker.. You fell for getting the stupid AOL 9.999 CD and 100000 free hours, you bought Windows, and happily agreed to their licenses, and you probably bought a whole stack of beautifully hologramed Microsoft products right along with your new Microsoft taxed computer, but you'll still bitch that it crashes, and wonder why I just look at you funny because my Linux machines never crash..

I wish we had the time to educate people just a little bit.. But some of them are so dense it isn't even funny.. How do you tell them "Stop using AOL. You're paying $29.95 for a $19.95 service..". it's like saying they're paying $30 at K-Mart for a cheap toy, when they could spend $20 for the a toy that looks the same, but goes faster and is more fun to play with..

Stupid consumers will still spend $30 because the TV Ad told them it's the best..

You're the same people that will pay a couple hundred dollars for the next version of Windows that will still crash, and you'll still cry that it doesn't work.. You won't even consider that you've already bought Win3.1, Win95, Win98, Win2k, WinME, WinXP, and none of those have worked right. Maybe the next one will work properly? I have a beautiful bridge in Brooklyn to sell you too.

Shall I rant?

Simple solution...

[mrjive]

Unbind network sharing from your external tcp/ip settings.

This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.

And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.

huh?

[Dynedain]

I don't remeber there being default passwords on Windows file sharing (have setup multiple filesharing networks, both w/ Win domains/active directory and w/out)....weak passwords I'd expect, but default?

Not Microsofts Fault?

[tarogue]

If the worm is using default passwords to get in, then I would say that it *is* the fault of Microsoft. There should be no default password. When antype of networking is setup, you should be prompted to create a password. If no password is provided, no service is provided.

Risks of default passwords

[ma++i+ude]

Default passwords are of course a problem, especially when many of these systems are operated by people who probably don't even know they are running an SMB server.

Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.

The weakest link

[lavalyn]

There is a reason why intelligent password crackers (dictionary attack) will first try passwords such as "password", "secret", "administrator", "root" or its variants before going through the main database.

It isn't only at the PHB's desk that PEBKAC can occur.

Unfortunately, in an employment environment where complicated passwords are just another encumberance and annoyance for most people, this is not going to change any time soon. /.ers are young (mostly). Most users never needed to know passwords longer than a 4 digit PIN until the last decade.

VB App to help?

[Anonvmous+Coward]

I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.

Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?

Re:VB App to help?

[Dwedit]

Then you just end up with users blindly clicking the same "Yes" button that got Gator on their systems.

Dictionary attack + 1

[ObviousGuy]

I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.

When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.

This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.

Perhaps the best solution would be biometrics?

Re:Clue by four

I wasn't aware that any versions of Windows shipped with Samba.

What the hell are you talking about?

pat/patrick

St. PAtricks day is this month.

For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...

Hypocrisy

[Apreche]

Wow, this is really hilarious. Windows, is a very secure operating system, but not out of the box. It requires an amount of time and effort setting permissions and enabling/disabling services and the like. However, Windows users are generally the people who don't know how to do anything and need everything built in and done for them.

On the other hand we've got linux, the do it yourself operating system. You've got to set up, tweak, fiddle, configure, code and compile everything. Nothing is done for you. But of course, it's secure out of the box.

Now we get a worm that is/isn't Microsoft's fault. It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything. It just takes advantage of the fact that windows isn't secure by default. So who comes out to complain that something isn't automatic and built in? Oh, of course, the linux users who love the operating system where nothing is done for you and you have to write code to make software work.

linux guy: "You're operating system isn't secure by default!"
windows guy: "You're operating system isn't anything by default!"

And dont' get me wrong, I'm a dual boot win2k/mdk9 man, but this typical slashdot hypocrisy cracks me up.

Re:Hypocrisy

[oyenstikker]

linux guy: "You're operating system isn't secure by default!"
windows guy: "You're operating system isn't anything by default!"

I use Linux. My system wasn't anything by default. But by not being anything, it was secure.

Re:Hypocrisy

[theLOUDroom]

On the other hand we've got linux, the do it yourself operating system. You've got to set up, tweak, fiddle, configure, code and compile everything. Nothing is done for you. But of course, it's secure out of the box.

What a bunch of b.s. If you've really used Mandrake, you'd know you don't have to write any code to make anything work. I've been using RH7.3 as my desktop OS exclusively for a year now, and I haven't had to write any code.
I'm not saying Linux is perfect, but saying you need to write code to get Linux to even work is just a damn lie. Everything your average joe wants is usually on your distro's install cds in rpm or whatever format. Put in the disc, click on the RPM and tell it to install. How hard is that? Yes, if you WANT to be on the bleeding edge you can compile things youself. I do sometimes, but it is not a necessity.


windows guy: "You're operating system isn't anything by default!"

Linux does work by default, it just doesn't set up a bunch of network services that leave your ass out in the breeze. After using KDE, gaim, mozilla, etc for so long, using a windows box can be just frustrating. I don't think your agrument makes sense at all, all these thing as installed and work by default.

Windows, is a very secure operating system, but not out of the box.

Care to back this up? OpenBSD is a very secure operating system. I would say an updated RH6.X box is, by now, a very secure OS. Windows? Some GUI toolbox type stuff is actually run in "protection ring 0" or whatever it's called. How is that secure? How are you going to fix that without access to the kernel source?
Yeah you can tweak things to fix other problems like default administrative shares but how is an OS "very secure" if it has a flawed security model and you have to cover it with band-aids?
What proof do you have that windows can be very secure? Over the last two years:

• What's the mean time between root exploits being availible and unpatched for a win2k/IIS combination?
• What's the mean time that these exploits exist and are not fixed?
• What's the average number of days in a year that a win2K/IIS box must be taken down or is availible for a remote root exploit?

Get an idea what those numbers are, then compare them to the other operating systems I mentioned. Maybe you'll change your mind.

Finally, even if you think you can secure windows by doing a bunch of work, how is this better than all that work you claim it takes to get a linux system going?

Re:White-hat worm?

[EverStoned]

"Your average user" is why virus like this spread.

*sigh*

Hypocrites

[Nintendork]

"for once a security problem that isn't really Microsoft's fault"

Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.

I feel sorry for those that let their hatred of a company clout their perception on information security.

-Lucas

Re:Hypocrites

[tres]

...I see a lot more *nix than MS activity.

This is derived from the idea that all security vulnerabilites are quantitatively the same. In fact, the danger posed by the majority of exploits listed for Open Source software is relatively minor compared to the regular influx of root level exploits that show up for the Windows platform.

Sure, you see a lot of exploits for Open Source software, but the difference is when exploits for Open Source software are found, they are:

• a) normally quite limited in their scope. *nix root exploits are relatively rare and are generally harder to take advantage of than their Windows counterparts.

• b) patched almost immediatley after the exploit is announced. We see in the world of Windows that it's not uncommon for vulerabilities to be announced and left unpatched for months. (And since you don't have access to the source, you can't do any patching yourself either.)

Don't get me wrong, when it comes down to it, I'd much rather get the best tool for the job. But when it comes to security, Microsoft Windows is not it.

It is not

MS does not provide default user password under NT/2K/XP. If this worm is going around it is because users setup week passwords. MS is in no way responsible for stupid users.

It's not a worm, it's a DDOS countermeasure

[eagl]

Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...

Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...

Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.

Re:It's not a worm, it's a DDOS countermeasure

[IIRCAFAIKIANAL]

Of course, some of those pc's that are attacking you are probably already compromised and that's why they are being used to attack you.

If I was a spammer or hacker, I would probably have a bunch of PC's between me and my targets, and use those pc's to get more pc's ad infinitum.

(Not that I know anything about this, I program in userland against an ORACLE database behind a firewall :)

Re:What were those commons passwords in Hackers?

[MyHair]

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Shit, I should go change my root password now.

I wondered about that one, too. I'm guessing that's what happens when you hold down X until the buffer is full.

SAMBA protocol

[whereiswaldo]

Just to be the devil's advocate (literally ;), isn't SAMBA just a protocol? Since Linux supports SAMBA, is it not just as vulnerable to this worm?

And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.

Re:Might be MS's fault.

[WiPEOUT]

... in other news, Microsoft SQL Server 2000 is now being included in the RedHat 8.2 distribution's default install, and a security bulletin has been released for MacOSX 10.2 Print Services running on the Commodore 64.

... about blame

[Montreal+Geek]

Why is this not Microsoft's fault?

While, admitedly, the admin who left a default password in place deserves a beating with a big foam cluebat, the very fact that there is a default password in the first place is a major security flaw that traces its origins in Redmond.

A properly constructed security scheme would prompt you for a password upon activating the feature at the very least.

But MS is only following the Marketroid mantra "The users can't be bothered. They don't want to know. They don't want to understand."

That mantra might even be mostly true; but it still begets bad security. Users need education, not bad security.

For that matter, most features that end up having big security implications in Windows are not needed by the vast majority of the users out there, and activation (or better yet installation) of those features should be an explicit act.

-- MG

Re:patrick!!??!!

Oh good, you found a way to blame Microsoft. I was worried we would have to go an entire discussion thread without blaming them for anything.

Not default passwords...

[NetJunkie]

These aren't default passwords. They are just bad passwords. Haven't we learned that wide open systems with bad passwords are not a good idea? I bet 90% of the exploited systems have blank passwords. Complex password requirements can be enabled.

I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.

It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.

This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.

Re:ACK!!!

[oyenstikker]

But the editor is still making an insulting comment not really related to the article and not backed up in any way. It seems there are one of these lines at the end of every article related to . . .well. . .not related to Linux. The comments never add to the article. Please leave them off.

Re:The Most Open Security Hole....

[afidel]

I liked a friend of mines way of dealing with this, he ran a dictionary attack against the password database and a couple other tools, if your password was guessed the account was disabled and a note put in as to why, then when you called to have it re-enabled the helpdesk did an internal charge of $100 to your department, most managers would only let one crack go =)

All hail the ultimate logic

[concatenation]

MS should be punished because some users pick weak passwords.

Re:Hypocrites - Give M$ a break

Ofcourse unix has more bugs than MS , MS makes /begin list
win95,98,win2k,winXp and .net /end of list

unix is sco,irix,aix,redhat,debian,gentoo , solaris,sunOS, net/open/free bsd's , tru64,hp-unix , and probably many more ...

don't say linux flavours are all 1 os, if then i'd say all microsoft os's are 1 os ->
16bit viruses on 32 bit platforms, and currently developing 64 bit viruses on the latest hardware.

i'm not counting the applications on them :)
think Msoffice and IE+outlook express, it will outsum all the bugs.

Microsoft is very good in its own way, they have an excellent gui and very easy to use system, *HOWEVER* does not mean anything if you are compromised and have your financial accounts on the same disk you browse the web with :))

I'd give Microsoft a big break, infact I'd break it into kazillion pieces :))

Re:What were those commons passwords in Hackers?

[JWSmythe]

My own survey of 267,000 passwords, here are the top ones.. If we've found them abused, they've already been changed, which I believe is why "password" is lowered from the #1 position to #2.. :)

505 1234
494 password
319 6969
241 harley
231 123456
201 golf
180 pussy
169 mustang
169 1111
143 shadow
135 1313
134 fish
130 5150
127 7777
121 qwerty
120 baseball
118 2112
116 letmein
114 12345678
114 12345

Other than these, the users name, with the variations of a leading or trailing numeral, or the name spelled backwards also rank very high, but of course, don't show properly in this list..

Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive. :)

If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simplier.

The web site password crackers that I've seen use dictionary files, and for the passwords they try:

word
drow (word backwards)
[0-9]word (read as regex, not literal)
word[0-9]
[0-9]drow
drow[0-9]

Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")

Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someoen wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is suppose to use.

BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..

I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales reciept. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home. :) I figure if it took me 30 seconds with a buzz, it's probably too easy. BTW, there are all kinds of interesting options to set on those machines. :)

It's a nice idea, but ....

[Hanji]

Such a system would just really piss off the average user, who would just OK his way through it anyways and keep his password set to his dog's name, with it posted on a post-it note on his monitor, just in case he forgets.

Re:It's about time...

[nurightshu]

If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.

Just like Melissa, and ILoveYou, and Klez, and Goner have taught the users to be very careful when opening e-mail attachments.

Re:What were those commons passwords in Hackers?

[NeoChichiri]

Actually...that's not entirely true...at least in the case of email or website login passwords...especially if they use either of those for business purposes. I think most of the time people just don't think of the possible problems that could arise from someone getting ahold of their password.

Technical Reasons:

[Tokerat]

Everyone knows it's because your aunt worked as a secretary on her Windows 3.1 machine for years, and those ugly white windows kept the ancient monitor's CRT burning so hot straight at her chest from 9 to 5 everyday. Sheilding didn't used to be so good, you know.

Everything IS Microsoft's fault. Duh. ;-)

Re:What were those commons passwords in Hackers?

[JWSmythe]

That was an interesting post. But I'm replying more to what you said afterwards.

You spent good time giving an informative message, which when you hit submit, it honestly should have taken..

At the risk of sounding off-topic, I agree with you completely about the lameness filter.. Sometimes switching your input type from "Plain Old Text" to "Code" will help, but there's another filter it'll frequently be caught on bitching about too much whitespace or redundant lines. Last time, I was trying to show examples of our our DNS worked.. 18 lines with word "Address: ", and half starting with one /24 or another.. I striped out whitespace, added lines, I almost gave up, but one word finally made it click..

I can't imagine what would happen if I actually posted a significantly long chunk of code for someone, that I *COULDN"T* strip anything out of.. What do I do, write a novel behind it just to fill space to make their percentages match what a normal message should read like?

I do sympathise with them though. We get abusers on our systems all the time too, but in our case, we have an abuse button, where an abuse moderator can dump the message because it was bad.. It would seem to be an easy enough mod for here. If something gets modded down to -2, it never shows to anyone (effectively deleted). I know I should have some outragously high Karma by now (now only known as "Excellent")

They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts.. :(

If this were RISKS-Digest...

[billstewart]

If this were RISKS-Digest, somebody would comment that blaming the users might be fun, but building a system that encourages users to do obviously dumb things (or permits them) is usually a Bad Idea. (Somebody else would comment that that's not always true, because enforcing some kinds of standards without thinking about the side effects, such as Yellow Sticky Notes, is often a Bad Idea too.)

Slashdot Password Stupidity

[mib]

I see we have the expected collection of replies from people who think they're experts on passwords because they've turned on all the security settings on their debian box and ran a cracker over a shadow file. *sigh*

Here's the straight dope: passwords suck. No, seriously, I mean they really really suck. A password is either insecure because it's too "simple", or it's too hard to remember for anyone but us nerds who breezed high school without having to learn anything due to amazing powers of recall. Hard passwords are nearly always written down somewhere (how many of you carry passwords, or obfuscated passwords, in you wallet/purse, eh?). You can enforce really "hard" passwords, but all you'll do is make your users hate you. And watch you don't actually end up reducing the search space!

But hell, it doesn't matter anyway, because a complete brute-force search of the 8-character ascii domain is feasible, and is only going to get easier. (Longer passwords? Great, until you find a system you need to support that truncs at 8 -- suddenly you've got an even less secure password because the randomness in the first 8 chars wasn't an issue. Or you have to let people use phrases, and English's entropy isn't that high. What, you mean you don't manage domains of hosts with common auth? Sit back down then.)

The good news is, this doesn't mean shit. What are you trying to protect? Most people don't need uber-secure passwords. Who'd want to hack into my mother's webmail account? The effort involved wouldn't be worth any payoff.

But:

• If you're letting users grab huge lists of your encrypted passwords, you're fucked.
• If you're letting unknown parties have enough auth attempts to brute force even a non-obvious dictionary word, you're fucked
• If you have something to secure that's worth somebody spending a lot of time and effort to break into and your only security is username and password, you are completely, utterly, and royally, fucked, and I hope I never have anything to do with systems you write.

- mib

p.s. Useradd/passwd is not account management.

Re:What were those commons passwords in Hackers?

[jaavaaguru]

My website only stores encrypted passwords. Anyone on Slashdot who stores plain text passwords should be ashamed.

Isn't that partly Microsoft's fault too?

[roystgnr]

What mechanism is more responsible than click-thru software EULAs for training computer users to believe that they should expect to regularly see large blocks of text emphatically declaring dire warnings and that they should just click "OK" without reading when those blocks of text pop up?