Slashdot Mirror
New Windows Worm Inching Around Internet
helixcode123 writes "The Register is reporting a Windows Worm that
takes advantage of weak default passwords. This
looks pretty nasty, as it mucks with the registry
and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
Is the one left open by an Admin who has no business being an Admin....
But (more seriously), doesn't is just scare the hooey out of you that brute force password cracking is now running around as an autonamous virus on the Net???
Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".
New UNIX password: oliver
BAD PASSWORD: it is based on your username
New UNIX password: jp821968i
BAD PASSWORD: it looks like a National Insurance number.
New UNIX password: rg78kn
BAD PASSWORD: is too simple
Yeh, nothing to do with the password system.
Ok, so that's how my linux box is setup (without post install configuration), why isn't windows setup this way?
thank God the internet isn't a human right.
It's about time someone wrote a worm like this.
If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.
I once worked as an SA at a bank. I could guess 90% of peoples passwords in 3 tries. I'd say about 30% were the default "welcome". And the users would bitch (and occasionally get someone fired) if we told them to change them.
If it is clearly communicated that this thing is spread because of weak passwords, maybe people will wake up and start using real passwords.
Or is it just wishful thinking?
Follow the adventures of the new wandering jews
On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.
LiveUpdate:
Virus Definitions released March 9
Norton AntiVirus Corp. Edition Defs Version: 50309h
Norton AntiVirus Corp. Edition Sequence Number: 21592
Total Viruses Detected: 63225
This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.
They know something, definitely.
what about c$? or admin$?
not all shares are manually set.
if the admnistrator password is weak then the system can be comprimised this way with no shares being set (unless things have changed since NT4.0 that I don't know about.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Um, actually there are a lot of "default" shares laying around ripe for the picking. In win98, I believe it's only the system root and all the drives. I think the same are enabled in win2k. You can disable them, but they come back upon reboot. In win2k, by default, you the service which must run isn't enabled, but under win98, it's trivial to hack around and get any of the default shares. These are ones which you don't see, by the way.
-=fshalor
Please tell me how it's MS's fault that people pick easy to guess passwords?
Some systems I haved used in the past have a built in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.
You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.
A modest proposal:
Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue') Does Microsoft accept advice from users, or do they only innovate buy buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)
A feeling of having made the same mistake before: Deja Foobar
"Please tell me how it's MS's fault that people pick easy to guess passwords?"
Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.
The "shiney new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.
True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.
No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.
Surprising that the most popular 'simple' password I have come across: drowssap wasn't on the list... either it must not be very composite, or the programmers of the worm are fairly out-of-touch.
Erutangis ym si siht.
It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.
Slashdot is a waste of time. I enjoy wasting time.
What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):
The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.
Of course, then what would the Linux and BSD zealots have left to bitch about?
File under 'M' for 'Manic ranting'
Try changing your Linux user password from the command line (hint: type passwd)
Pick something easy, like a dictionary word, or something really short.
You'll see:
[nimmerge@costanza nimmerge]$ passwd
Changing password for user george.
Changing password for george
(current) UNIX password:
New password:
BAD PASSWORD: it is too short
New password:
BAD PASSWORD: it is based on a dictionary word
New password:
Now give me a valid reason why Microsoft can't require strong passwords by default?
I'd rather be a conservative nutjob than a liberal with no nuts and no job.
Good for those Linux boxes! You're using a weak password.
First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.
Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!
Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random password rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
Search 2010 Gen Con events
A little OT, but do any *NIXes have Kerberos as your default auth service after a fresh install?
--
est modus in rebus
Theres something that IS microsofts fault that will let this worm wreak havok. When you install WinXP Home, and i believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed eiasly (ive seen too many boxes w/o one to think its just a random thing).
Thats right. Usually all it takes to break in to a winXP box is to hit ctrl+alt+del x 2 and your back to the normal winNT login. Then type in Administrator, no password, and unless this person knows anything about windows, and often thats not enough, your in.
Add to that that all accounts made are Administrator by default, and DONT need passwords.
What REALLY hurts windows here is not being truely multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CANT change it on a per user basis.
Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a winXP box in non-admin node is almost worthless, because SO many programs require admin access rendering it a pain in the ass.
While in the article, the poster mentioned its not microsofts fault, it BLATENTLY is. Windows comes SO dumbed down, i have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesnt have a default to make sure you password is at least somewhat secure. The options DO exist. From a sys admin perspective, windows is a waste of time. They NEED to have a deafult "im not a dumb user" setting you choose at startup that will among other things, make sure your system is tight and passworded.
They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPERATE security policy, with an emphasis on editing it when you first install.
To put thins in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, i guarentee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.
The windows box will have every spyware app on it, stuff deleted, etc, etc.
OH, Xupiter just installed itself again, i have to go...
"Stuff... In my home!? NEVER!" - Zim on Invader Zim
"I want the toilet seat!" - Little Dog on Two Stupid Dogs
Our users hate it when *I* assign their passwords. They're given exactly one chance to pick a strong password (when they sign up). If someone guesses their password and it gets out to a password site or whatever, my script assigns their new password.
:)
:)
.. 8 ) ] );
:)
chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
Zero = uppercase o
One = lowercase L
One = uppercase i
I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files.
I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day..
-----
#!/usr/bin/perl
# Define our character sets here, leaving out difficult (similiar) characters
open (LIST, "/usr/users/security/chars.list");
@chars = <LIST>;
close (LIST);
$password = join("", @chars[ map { rand @chars } (1
$password =~ y/0-9A-Za-z//cd;
print "$password";
-----
Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed.
BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.
Serious? Seriousness is well above my pay grade.
I don't know about you, but an out-of-the-box RedHat 8 is pretty damn secure, assuming you don't install any services with it. Select 'high security' in the installer, and boom! Instant firewall.
:) Took me about 10 minutes worth of clicking on little boxes, nothing beyond the automatic partitioning that even remotely resembled thought. Bless rpms.
Comes with more software than I've currently got loaded on my Windows machine, period. Office suite(s), games, usenet, web, mail, irc, packet sniffer, firewall, cd-burning,... I could go on, but at 4.6 gigs it's kinda scary
Anyway, your point again was?
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
I once told a a room full of college students that the password for one of my accounts (not one that was very important) was secret and it was in German. Not one of them had the brains to look up the German word for secret and try it. Talk about hiding something in plain sight.
I use the diceware system. I generally end up with 25+ character passwords, and when mixed up cases, swap letter for number and word separator special chars are used, it gives very high strength passwords.
Then just use memory path tricks to store them in the old' grey matter, nuff said. I use the same rules every time for character substitution, so I don't have to remember the coded password, just the diceware phrase. Apply the coding, and there's the password.
Tequila - drink of the gods.
I can't say I keep a high security for my computer as I should (and I really should...to much pr0n to lose), but for internet banking, really important stuff online, I have a pretty foolproof system.
What I do is I take the name of someone I know for every month of the year. I associate a date with them, like birthday, day i met them etc. Sounds stupid so far, but here's what I do next
I then associate the date with the current year and decide how to mess about with the numbers. Do i just take the date at face value, or do I use date seperatrs / . and - in some sort of combination and use them as mathematical operators to generate a number? What ever I decide to do I convert the number into hex (because some passwords require numbers) and then attach it to the name of the person concerned in what ever way I choose and voila, password generated. Keeo in mind that if you use the same combination of operators when the year changes, you password is not going to change a hell of a lot for corresponding months between the years
The beauty is I've told you my system and you can't figure out any of my passwords. Better yet, you don't actually need to remember your passwords, more likely you just need to remember the mathematical operators because names and birthdays should come off the otop of your head. I can't remember my slashdot password though, I chose that before my system. Thank goodness for cookies.
"I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51