New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

The Most Open Security Hole....

[scottm52]

Is the one left open by an Admin who has no business being an Admin....

But (more seriously), doesn't is just scare the hooey out of you that brute force password cracking is now running around as an autonamous virus on the Net???

Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".

Symantec's hint

[very]

On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.

LiveUpdate:
Virus Definitions released March 9
Norton AntiVirus Corp. Edition Defs Version: 50309h
Norton AntiVirus Corp. Edition Sequence Number: 21592
Total Viruses Detected: 63225

This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.

They know something, definitely.

Re:Microsoft's fault?

[AvitarX]

what about c$? or admin$?

not all shares are manually set.

if the admnistrator password is weak then the system can be comprimised this way with no shares being set (unless things have changed since NT4.0 that I don't know about.

Re:Microsoft's fault?

[Guppy06]

"Please tell me how it's MS's fault that people pick easy to guess passwords?"

Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.

Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.

The "shiney new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.

True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.

No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.

Why do people hire these admins?

[Dunkalis]

It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.

Solution: Don't use weak passwords.

[ChaosDiscord]

Personally, I use a password that's a 'l33t'-ified word (with absolutely no signifance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject.

Good for those Linux boxes! You're using a weak password.

First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.

Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!

Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random password rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.

Weak XP

[Brat+Food]

Theres something that IS microsofts fault that will let this worm wreak havok. When you install WinXP Home, and i believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed eiasly (ive seen too many boxes w/o one to think its just a random thing).

Thats right. Usually all it takes to break in to a winXP box is to hit ctrl+alt+del x 2 and your back to the normal winNT login. Then type in Administrator, no password, and unless this person knows anything about windows, and often thats not enough, your in.

Add to that that all accounts made are Administrator by default, and DONT need passwords.

What REALLY hurts windows here is not being truely multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CANT change it on a per user basis.

Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a winXP box in non-admin node is almost worthless, because SO many programs require admin access rendering it a pain in the ass.

While in the article, the poster mentioned its not microsofts fault, it BLATENTLY is. Windows comes SO dumbed down, i have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesnt have a default to make sure you password is at least somewhat secure. The options DO exist. From a sys admin perspective, windows is a waste of time. They NEED to have a deafult "im not a dumb user" setting you choose at startup that will among other things, make sure your system is tight and passworded.

They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPERATE security policy, with an emphasis on editing it when you first install.

To put thins in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, i guarentee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.

The windows box will have every spyware app on it, stuff deleted, etc, etc.

OH, Xupiter just installed itself again, i have to go...

Re:who's on first?

[JWSmythe]

Our users hate it when *I* assign their passwords. They're given exactly one chance to pick a strong password (when they sign up). If someone guesses their password and it gets out to a password site or whatever, my script assigns their new password.

chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
Zero = uppercase o
One = lowercase L
One = uppercase i

I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files. :)

I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day.. :)

-----
#!/usr/bin/perl

# Define our character sets here, leaving out difficult (similiar) characters

open (LIST, "/usr/users/security/chars.list");
@chars = <LIST>;
close (LIST);
$password = join("", @chars[ map { rand @chars } (1 .. 8 ) ] );
$password =~ y/0-9A-Za-z//cd;
print "$password";
-----

Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed. :)

BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.