Slashdot Mirror


New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

12 of 604 comments

  1. The Most Open Security Hole.... by scottm52 · · Score: 5, Interesting

    Is the one left open by an Admin who has no business being an Admin....

    But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???

    Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".

  2. ummm.... by oliverthered · · Score: 3, Interesting

    New UNIX password: oliver
    BAD PASSWORD: it is based on your username

    New UNIX password: jp821968i
    BAD PASSWORD: it looks like a National Insurance number.

    New UNIX password: rg78kn
    BAD PASSWORD: is too simple

    Yeah, nothing to do with the password system.

    Ok, so that's how my Linux box is set up (without post-install configuration), why isn't Windows set up this way?

    --
    thank God the internet isn't a human right.
  3. Symantec's hint by very · · Score: 4, Interesting

    On Sunday, March 9th, 2003, Symantec posted AntiVirus updates on their site as well as to LiveUpdate.

    LiveUpdate:
    Virus Definitions released March 9
    Norton AntiVirus Corp. Edition Defs Version: 50309h
    Norton AntiVirus Corp. Edition Sequence Number: 21592
    Total Viruses Detected: 63225


    This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.

    They know something, definitely.

  4. Re:Microsoft's fault? by AvitarX · · Score: 4, Interesting

    what about c$? or admin$?

    not all shares are manually set.

    if the administrator password is weak then the system can be compromised this way with no shares being set (unless things have changed since NT4.0 that I don't know about).

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  5. Re:Microsoft's fault? by fshalor · · Score: 3, Interesting

    Um, actually there are a lot of "default" shares lying around ripe for the picking. In win98, I believe it's only the system root and all the drives. I think the same are enabled in win2k. You can disable them, but they come back upon reboot. In win2k, by default, the service which must run isn't enabled, but under win98, it's trivial to hack around and get any of the default shares. These are ones which you don't see, by the way.

    --
    -=fshalor ::this post not spellchecked. move along::
  6. Choose your weapons...Uh, I pick Blame! by ackthpt · · Score: 3, Interesting
    "Please tell me why isn't it Microsoft's fault? "

    Please tell me how it's MS's fault that people pick easy to guess passwords?

    Some systems I have used in the past have a built-in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.

    You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.

    A modest proposal:

    Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue'). Does Microsoft accept advice from users, or do they only innovate by buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)

    --

    A feeling of having made the same mistake before: Deja Foobar
  7. Re:Microsoft's fault? by Guppy06 · · Score: 5, Interesting

    "Please tell me how it's MS's fault that people pick easy to guess passwords?"

    Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.

    Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

    Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.

    The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.

    True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.

    No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.

  8. Why do people hire these admins? by Dunkalis · · Score: 4, Interesting

    It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.

    --
    Slashdot is a waste of time. I enjoy wasting time.
  9. How MS can "force" a person to choose a good pw? by mark-t · · Score: 3, Interesting
    I concur with the view that services that leave a system open should not be installed by the OS until it has a moderately secure password set up for access. It is even entirely feasible to do this with Windows:

    What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):

    "Warning, there are users for this system that have administrative privileges but have no password set. Before this service can be installed, please enter a password to use for administration purposes. This step exists to protect your computer from being accessed by unauthorized persons. A password should be at least 8 characters long, ideally should contain numbers as well as letters, and should not be a normal English word."

    The dialog presented here will have a [Cancel] button, which would cause the password setting subsystem to fail, and therefore the service would not be installed (with suitable diagnostic given such as "The service was not installed because no security password was set").

    Then, after entering the password, the password subsystem can do a rudimentary analysis of the password, checking its length, whether or not it contains letters/numbers, etc. If it fails to measure up to what is determined to be a weak password, it pops up another dialog:

    "Warning, the password you have selected is considered weak because (insert detailed explanation here). Are you sure you want to use this password? [Yes] [No]" (The default option being "No"). If they click No, then they go back to the password selection.

    After the user has selected a password:

    "Please memorize or write this password down and keep it in a safe place. It is highly recommended that you do not leave the password anywhere that it could be easily discovered by an unauthorized person. This password is now set for the following users: [list of users on the system with admin privileges and no prior password set]. The user(s) can change their password at any time after logging in from the Control Panel 'Users and Passwords' tool. [OK]"

    The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.

    Of course, then what would the Linux and BSD zealots have left to bitch about?

  10. Solution: Don't use weak passwords. by ChaosDiscord · · Score: 4, Interesting
    Personally, I use a password that's a 'l33t'-ified word (with absolutely no significance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject.

    Good for those Linux boxes! You're using a weak password.

    First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.

    Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!

    Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random passwords rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
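The checks sketched across comment 2 (the pam-style "based on your username" / "looks like a National Insurance number" / "too simple" rejections), comment 9 (mark-t's proposed dialog with a reason for each rejection) and comment 10 (cracker mangling rules: case, trailing digits, l33t-speak) gathered into one checker. This is an added example written by the editor, not code from any commenter, from Linux's passwd filter or from Windows. The word list, the l33t substitution table, the "too simple" threshold and the reason strings are my assumptions; a real deployment would load a full dictionary instead of the embedded list.

```python
import re

# Constructed word list standing in for a real cracker dictionary
# (assumption: a deployment loads a full list such as /usr/share/dict/words).
DICTIONARY = {
    "password", "letmein", "welcome", "monkey", "dragon", "secret",
    "admin", "administrator", "qwerty", "football", "oliver",
}

# Inverse of the common l33t substitutions a cracker's mangling rule applies.
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})

# UK National Insurance number shape: two letters, six digits, one letter.
NI_NUMBER = re.compile(r"^[A-Za-z]{2}\d{6}[A-Za-z]$")


def candidate_base_words(password):
    """Base words a cracker's rules would derive from this password:
    lower-cased, with any trailing digits/punctuation stripped, and the
    de-l33ted form of each of those."""
    p = password.lower()
    forms = {p, re.sub(r"[\d\W_]+$", "", p)}
    forms |= {f.translate(UNLEET) for f in forms}
    return {f for f in forms if f}


def check_password(password, username=""):
    """Return the reasons the password is considered weak (empty = accepted),
    in the spirit of the 'weak because (explanation)' dialog in comment 9."""
    reasons = []
    if len(password) < 8:
        reasons.append("it is shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        reasons.append("it does not contain both letters and digits")
    u, p = username.lower(), password.lower()
    if u and (u in p or u[::-1] in p):
        reasons.append("it is based on your username")
    if NI_NUMBER.match(password):
        reasons.append("it looks like a National Insurance number")
    if any(w in DICTIONARY for w in candidate_base_words(password)):
        reasons.append("it is a dictionary word or a simple variation of one")
    if len(set(p)) <= 2:
        reasons.append("it is too simple")
    return reasons


if __name__ == "__main__":
    # Constructed inputs, including the three passwords from comment 2.
    for pw, user in [("oliver", "oliver"), ("jp821968i", ""), ("rg78kn", ""),
                     ("P@55w0rd1", ""), ("Tr0ub4dor&3", "")]:
        verdict = check_password(pw, user)
        status = "OK" if not verdict else "BAD PASSWORD: " + "; ".join(verdict)
        print(f"{pw:12} -> {status}")
```

The l33t-ified word from comment 10 is the interesting case: "P@55w0rd1" passes the length and letters-plus-digits rules, and only the mangling step (strip the trailing digit, undo the substitutions) exposes "password" underneath, which is exactly the order in which a cracker would find it.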

  11. Weak XP by Brat+Food · · Score: 4, Interesting

    There's something that IS Microsoft's fault that will let this worm wreak havoc. When you install WinXP Home, and I believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed easily (I've seen too many boxes w/o one to think it's just a random thing).

    That's right. Usually all it takes to break in to a WinXP box is to hit ctrl+alt+del x 2 and you're back to the normal WinNT login. Then type in Administrator, no password, and unless this person knows anything about Windows, and often that's not enough, you're in.

    Add to that that all accounts made are Administrator by default, and DONT need passwords.

    What REALLY hurts Windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down, say, a web kiosk, and as you edit the Local Security Policy, you can watch the system lock down around you, since you CAN'T change it on a per-user basis.

    Add to this things like the viral Xupiter, and Windows is chock full of holes. And leaving a WinXP box in non-admin mode is almost worthless, because SO many programs require admin access, rendering it a pain in the ass.

    While in the article, the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sysadmin perspective, Windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will, among other things, make sure your system is tight and passworded.

    They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.

    To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.

    The windows box will have every spyware app on it, stuff deleted, etc, etc.

    OH, Xupiter just installed itself again, i have to go...

    --

    "Stuff... In my home!? NEVER!" - Zim on Invader Zim
    "I want the toilet seat!" - Little Dog on Two Stupid Dogs
  12. Re:who's on first? by JWSmythe · · Score: 4, Interesting

    Our users hate it when *I* assign their passwords. They're given exactly one chance to pick a strong password (when they sign up). If someone guesses their password and it gets out to a password site or whatever, my script assigns their new password.

    chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
    Zero = uppercase o
    One = lowercase L
    One = uppercase i

    I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files. :)

    I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day.. :)

    -----
    #!/usr/bin/perl
    use strict;
    use warnings;

    # Define our character sets here, leaving out difficult (similar) characters.
    # chars.list holds one allowed character per line.

    open (my $list, '<', "/usr/users/security/chars.list")
        or die "Cannot open chars.list: $!";
    chomp(my @chars = <$list>);   # drop the newline after each character
    close ($list);

    # Pick 8 characters at random from the list. int() makes the index explicit;
    # note that Perl's rand() is not a cryptographic generator.
    my $password = join("", @chars[ map { int rand @chars } (1 .. 8 ) ] );
    # Strip anything that is not a plain letter or digit
    $password =~ y/0-9A-Za-z//cd;
    print "$password\n";
    -----

    Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed. :)

    BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.

    --
    Serious? Seriousness is well above my pay grade.
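JWSmythe's generator in comment 12 rewritten in Python as an added example by the editor, not the commenter's code: it draws from the operating system's CSPRNG through the `secrets` module instead of a `rand()`-style generator, drops the same kind of confusable characters, and computes the combination count and entropy the comment quotes. The exact exclusion set (0/O and 1/l/I) is my assumption and gives 57 symbols rather than the commenter's 54; the 54-symbol figures are shown alongside so the comment's 72 trillion can be checked.

```python
import math
import secrets
import string

# Characters easily misread or mistyped (assumption: this set is mine; the
# commenter's chars.list is not reproduced on the page).
AMBIGUOUS = set("0O1lI")
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in AMBIGUOUS)


def generate_password(length=8, alphabet=ALPHABET):
    """Pick `length` characters uniformly at random from `alphabet` using the
    OS CSPRNG. secrets.choice is unbiased and unpredictable, unlike a seeded
    rand() whose output can be replayed if the seed is learned."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def combinations(alphabet_size, length):
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy, in bits, of a uniformly random password: length * log2(N)."""
    return length * math.log2(alphabet_size)


def is_well_formed(password, length=8, alphabet=ALPHABET):
    """True if the password has the expected length and only allowed symbols."""
    return len(password) == length and all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate_password()
    print(f"assigned password: {pw}")
    for n in (len(ALPHABET), 54):
        print(f"{n} symbols, 8 chars: {combinations(n, 8):,} combinations, "
              f"{entropy_bits(n, 8):.1f} bits")
```

The entropy line is the honest way to read "72 trillion combinations": 54^8 is about 46 bits, which is far beyond a top-100 list or a short dictionary but well within reach of an offline attack on a captured hash, so the generator protects against the guessing worm in the story, not against someone who already has the password database.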