Slashdot Mirror
New Windows Worm Inching Around Internet
helixcode123 writes "The Register is reporting a Windows Worm that
takes advantage of weak default passwords. This
looks pretty nasty, as it mucks with the registry
and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
"Please tell me why isn't it Microsoft's fault? "
Please tell me how it's MS's fault that people pick easy to guess passwords?
Unbind network sharing from your external tcp/ip settings.
This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.
And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.
If you can't beat them, arrange to have them beaten. -George Carlin
If the worm is using default passwords to get in, then I would say that it *is* the fault of Microsoft. There should be no default password. When antype of networking is setup, you should be prompted to create a password. If no password is provided, no service is provided.
Life sucks, but death doesn't put out at all. -- Thomas J. Kopp
Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.
You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
There is a reason why intelligent password crackers (dictionary attack) will first try passwords such as "password", "secret", "administrator", "root" or its variants before going through the main database.
/.ers are young (mostly). Most users never needed to know passwords longer than a 4 digit PIN until the last decade.
It isn't only at the PHB's desk that PEBKAC can occur.
Unfortunately, in an employment environment where complicated passwords are just another encumberance and annoyance for most people, this is not going to change any time soon.
Doing the Right Thing should not be preempted by making a buck.
I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.
Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?
I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.
When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.
This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.
Perhaps the best solution would be biometrics?
I have been pwned because my
St. PAtricks day is this month.
For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...
Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.
I feel sorry for those that let their hatred of a company clout their perception on information security.
-Lucas
Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...
Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...
Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Shit, I should go change my root password now.
I wondered about that one, too. I'm guessing that's what happens when you hold down X until the buffer is full.
Just to be the devil's advocate (literally
And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.
These aren't default passwords. They are just bad passwords. Haven't we learned that wide open systems with bad passwords are not a good idea? I bet 90% of the exploited systems have blank passwords. Complex password requirements can be enabled.
I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.
It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.
This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.
I liked a friend of mines way of dealing with this, he ran a dictionary attack against the password database and a couple other tools, if your password was guessed the account was disabled and a note put in as to why, then when you called to have it re-enabled the helpdesk did an internal charge of $100 to your department, most managers would only let one crack go =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
The shares you talk about, you moron, are administrative shares... If your admin password is 123, you might as well pack your stuff and become a lumberjack or something.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Same as above, go you lumberjack... GO NOW!
My own survey of 267,000 passwords, here are the top ones.. If we've found them abused, they've already been changed, which I believe is why "password" is lowered from the #1 position to #2.. :)
:)
:) I figure if it took me 30 seconds with a buzz, it's probably too easy. BTW, there are all kinds of interesting options to set on those machines. :)
505 1234
494 password
319 6969
241 harley
231 123456
201 golf
180 pussy
169 mustang
169 1111
143 shadow
135 1313
134 fish
130 5150
127 7777
121 qwerty
120 baseball
118 2112
116 letmein
114 12345678
114 12345
Other than these, the users name, with the variations of a leading or trailing numeral, or the name spelled backwards also rank very high, but of course, don't show properly in this list..
Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive.
If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simplier.
The web site password crackers that I've seen use dictionary files, and for the passwords they try:
word
drow (word backwards)
[0-9]word (read as regex, not literal)
word[0-9]
[0-9]drow
drow[0-9]
Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")
Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someoen wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is suppose to use.
BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..
I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales reciept. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home.
Serious? Seriousness is well above my pay grade.
What a bunch of b.s. If you've really used Mandrake, you'd know you don't have to write any code to make anything work. I've been using RH7.3 as my desktop OS exclusively for a year now, and I haven't had to write any code.
I'm not saying Linux is perfect, but saying you need to write code to get Linux to even work is just a damn lie. Everything your average joe wants is usually on your distro's install cds in rpm or whatever format. Put in the disc, click on the RPM and tell it to install. How hard is that? Yes, if you WANT to be on the bleeding edge you can compile things youself. I do sometimes, but it is not a necessity.
windows guy: "You're operating system isn't anything by default!"
Linux does work by default, it just doesn't set up a bunch of network services that leave your ass out in the breeze. After using KDE, gaim, mozilla, etc for so long, using a windows box can be just frustrating. I don't think your agrument makes sense at all, all these thing as installed and work by default.
Windows, is a very secure operating system, but not out of the box.
Care to back this up? OpenBSD is a very secure operating system. I would say an updated RH6.X box is, by now, a very secure OS. Windows? Some GUI toolbox type stuff is actually run in "protection ring 0" or whatever it's called. How is that secure? How are you going to fix that without access to the kernel source?
Yeah you can tweak things to fix other problems like default administrative shares but how is an OS "very secure" if it has a flawed security model and you have to cover it with band-aids?
What proof do you have that windows can be very secure? Over the last two years:
Get an idea what those numbers are, then compare them to the other operating systems I mentioned. Maybe you'll change your mind.
Finally, even if you think you can secure windows by doing a bunch of work, how is this better than all that work you claim it takes to get a linux system going?
Life is too short to proofread.
Everyone knows it's because your aunt worked as a secretary on her Windows 3.1 machine for years, and those ugly white windows kept the ancient monitor's CRT burning so hot straight at her chest from 9 to 5 everyday. Sheilding didn't used to be so good, you know.
Everything IS Microsoft's fault. Duh.
CAn'T CompreHend SARcaSm?
That was an interesting post. But I'm replying more to what you said afterwards.
/24 or another.. I striped out whitespace, added lines, I almost gave up, but one word finally made it click..
:(
You spent good time giving an informative message, which when you hit submit, it honestly should have taken..
At the risk of sounding off-topic, I agree with you completely about the lameness filter.. Sometimes switching your input type from "Plain Old Text" to "Code" will help, but there's another filter it'll frequently be caught on bitching about too much whitespace or redundant lines. Last time, I was trying to show examples of our our DNS worked.. 18 lines with word "Address: ", and half starting with one
I can't imagine what would happen if I actually posted a significantly long chunk of code for someone, that I *COULDN"T* strip anything out of.. What do I do, write a novel behind it just to fill space to make their percentages match what a normal message should read like?
I do sympathise with them though. We get abusers on our systems all the time too, but in our case, we have an abuse button, where an abuse moderator can dump the message because it was bad.. It would seem to be an easy enough mod for here. If something gets modded down to -2, it never shows to anyone (effectively deleted). I know I should have some outragously high Karma by now (now only known as "Excellent")
They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts..
Serious? Seriousness is well above my pay grade.
I see we have the expected collection of replies from people who think they're experts on passwords because they've turned on all the security settings on their debian box and ran a cracker over a shadow file. *sigh*
Here's the straight dope: passwords suck. No, seriously, I mean they really really suck. A password is either insecure because it's too "simple", or it's too hard to remember for anyone but us nerds who breezed high school without having to learn anything due to amazing powers of recall. Hard passwords are nearly always written down somewhere (how many of you carry passwords, or obfuscated passwords, in you wallet/purse, eh?). You can enforce really "hard" passwords, but all you'll do is make your users hate you. And watch you don't actually end up reducing the search space!
But hell, it doesn't matter anyway, because a complete brute-force search of the 8-character ascii domain is feasible, and is only going to get easier. (Longer passwords? Great, until you find a system you need to support that truncs at 8 -- suddenly you've got an even less secure password because the randomness in the first 8 chars wasn't an issue. Or you have to let people use phrases, and English's entropy isn't that high. What, you mean you don't manage domains of hosts with common auth? Sit back down then.)
The good news is, this doesn't mean shit. What are you trying to protect? Most people don't need uber-secure passwords. Who'd want to hack into my mother's webmail account? The effort involved wouldn't be worth any payoff.
But:
- mib
p.s. Useradd/passwd is not account management.