Slashdot Mirror


New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

12 of 604 comments

  1. Re:Microsoft's fault? by Anonymous Coward · · Score: 5, Insightful

    "Please tell me why isn't it Microsoft's fault? "

    Please tell me how it's MS's fault that people pick easy to guess passwords?

  2. Simple solution... by mrjive · · Score: 4, Insightful

    Unbind network sharing from your external tcp/ip settings.

    This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.

    And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.

    --
    If you can't beat them, arrange to have them beaten. -George Carlin
  3. Risks of default passwords by ma++i+ude · · Score: 5, Insightful

    Default passwords are of course a problem, especially when many of these systems are operated by people who probably don't even know they are running an SMB server.

    Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
  4. VB App to help? by Anonymous Coward · · Score: 4, Insightful

    I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.

    Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?

  5. Dictionary attack + 1 by ObviousGuy · · Score: 5, Insightful

    I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.

    When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.

    This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.

    Perhaps the best solution would be biometrics?

    --
    I have been pwned because my /. password was too easy to guess.
  6. pat/patrick by Anonymous Coward · · Score: 5, Insightful

    St. Patrick's Day is this month.

    For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...

  7. Hypocrites by Nintendork · · Score: 5, Insightful

    "for once a security problem that isn't really Microsoft's fault"

    Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.

    I feel sorry for those that let their hatred of a company cloud their perception on information security.

    -Lucas

  8. It's not a worm, it's a DDOS countermeasure by eagl · · Score: 5, Insightful

    Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...

    Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...

    Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.

  9. Re:What were those commons passwords in Hackers? by MyHair · · Score: 4, Insightful

    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    Shit, I should go change my root password now.


    I wondered about that one, too. I'm guessing that's what happens when you hold down X until the buffer is full.

  10. Re:The Most Open Security Hole.... by afidel · · Score: 5, Insightful

    I liked a friend of mine's way of dealing with this: he ran a dictionary attack against the password database and a couple of other tools. If your password was guessed, the account was disabled and a note put in as to why; then, when you called to have it re-enabled, the helpdesk did an internal charge of $100 to your department. Most managers would only let one crack go =)

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  11. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 5, Insightful

    From my own survey of 267,000 passwords, here are the top ones.. If we've found them abused, they've already been changed, which I believe is why "password" is lowered from the #1 position to #2.. :)

    505 1234
    494 password
    319 6969
    241 harley
    231 123456
    201 golf
    180 pussy
    169 mustang
    169 1111
    143 shadow
    135 1313
    134 fish
    130 5150
    127 7777
    121 qwerty
    120 baseball
    118 2112
    116 letmein
    114 12345678
    114 12345

    Other than these, the user's name, with the variations of a leading or trailing numeral, or the name spelled backwards also rank very high, but of course, don't show properly in this list..

    Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive. :)

    If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simpler.

    The web site password crackers that I've seen use dictionary files, and for the passwords they try:

    word
    drow (word backwards)
    [0-9]word (read as regex, not literal)
    word[0-9]
    [0-9]drow
    drow[0-9]

    Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")

    Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someone wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is supposed to use.

    BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..

    I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales receipt. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home. :) I figure if it took me 30 seconds with a buzz, it's probably too easy. BTW, there are all kinds of interesting options to set on those machines. :)

    --
    Serious? Seriousness is well above my pay grade.
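The mutation rules JWSmythe lists above (word, reversed word, a leading or trailing digit, case variants, digit-for-letter swaps), together with ObviousGuy's "Capitalized + '1'" pattern from comment 5, are exactly what a password-policy filter should reject before a cracker ever gets to try them. The check below is an added example, not code from the thread or from any product; the wordlist is a constructed stand-in for a real dictionary file, and the digit substitutions are an assumed subset.

```python
"""Password-policy denylist built from a wordlist plus the cheap mutations
a dictionary cracker tries, so such passwords are rejected at set-time."""

# Constructed sample wordlist (a real deployment would load a dictionary file).
WORDLIST = ["password", "harley", "mustang", "letmein", "golf", "shadow"]

# Assumed digit-for-letter swaps ("zero for oh, three for ee", and two more).
LEET = {"o": "0", "e": "3", "i": "1", "a": "4"}


def case_variants(word):
    """lower, UPPER, Capitalized, and alternating capitalization."""
    alt = "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(word))
    return {word.lower(), word.upper(), word.capitalize(), alt}


def leet_variant(word):
    """Swap every substitutable letter at once (the common cracker shortcut)."""
    return "".join(LEET.get(c, c) for c in word)


def mutations(word):
    """Every form of one wordlist entry the post's rules would generate."""
    base = {word, word[::-1]}            # word, drow
    forms = set(base)
    for w in base:
        for d in "0123456789":
            forms.add(d + w)             # [0-9]word, [0-9]drow
            forms.add(w + d)             # word[0-9], drow[0-9]
    out = set()
    for f in forms:
        for cv in case_variants(f):      # all caps, alternating caps, Capitalized
            out.add(cv)
            out.add(leet_variant(cv))    # number-for-letter swaps
    return out


def build_denylist(wordlist=WORDLIST):
    """Precompute the full denylist once; lookups are then O(1)."""
    deny = set()
    for w in wordlist:
        deny |= mutations(w)
    return deny


DENYLIST = build_denylist()


def is_weak(candidate, denylist=DENYLIST):
    """True if the candidate is a wordlist entry or one of its cheap mutations."""
    return candidate in denylist
```

Note that only a single leading or trailing digit is covered, as in the post's regexes; "harley12" passes this filter, which is why a length and entropy rule still belongs alongside the denylist.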
  12. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 4, Insightful

    That was an interesting post. But I'm replying more to what you said afterwards.

    You spent good time giving an informative message, which when you hit submit, it honestly should have taken..

    At the risk of sounding off-topic, I agree with you completely about the lameness filter.. Sometimes switching your input type from "Plain Old Text" to "Code" will help, but there's another filter it'll frequently be caught on bitching about too much whitespace or redundant lines. Last time, I was trying to show examples of how our DNS worked.. 18 lines with the word "Address: ", and half starting with one /24 or another.. I stripped out whitespace, added lines, I almost gave up, but one word finally made it click..

    I can't imagine what would happen if I actually posted a significantly long chunk of code for someone, that I *COULDN'T* strip anything out of.. What do I do, write a novel behind it just to fill space to make their percentages match what a normal message should read like?

    I do sympathise with them though. We get abusers on our systems all the time too, but in our case, we have an abuse button, where an abuse moderator can dump the message because it was bad.. It would seem to be an easy enough mod for here. If something gets modded down to -2, it never shows to anyone (effectively deleted). I know I should have some outrageously high Karma by now (now only known as "Excellent")

    They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts.. :(

    --
    Serious? Seriousness is well above my pay grade.