Slashdot Mirror


New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.


  1. What were those commons passwords in Hackers? by Eese · · Score: 5, Funny

    I bet they just made a program that tried, "Love, sex, and god".

    1. Re:What were those commons passwords in Hackers? by MadocGwyn · · Score: 2, Funny

      There was another one, but I can't tell you what it is, it's a secret.

      --
      Jesus saves, everyone else takes full damage from the fireball.
    2. Re:What were those commons passwords in Hackers? by mumkin · · Score: 5, Informative

      According to F-secure, these are the passwords it tries :

      [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

      the pat / patrick is rather weird, eh? only name in the list.

    3. Re:What were those commons passwords in Hackers? by ackthpt · · Score: 5, Funny

      Thank goodness it didn't include 'cowboyneal4ever', since I use that for everything and it has never let me down for security purposes.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:What were those commons passwords in Hackers? by bmorris · · Score: 2, Funny

      crap, now I have to change the password on my suitcase.

    5. Re:What were those commons passwords in Hackers? by carpe_noctem · · Score: 4, Funny

      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

      Shit, I should go change my root password now.

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    6. Re:What were those commons passwords in Hackers? by Fishstick · · Score: 2, Informative

      >Hey, that's the same password as my server!

      oops, after looking up the line, it should be something more like...

      That's the kind of password some idiot would have on his windows machine!!

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    7. Re:What were those commons passwords in Hackers? by MyHair · · Score: 4, Insightful

      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

      Shit, I should go change my root password now.


      I wondered about that one, too. I'm guessing that's what happens when you hold down X until the buffer is full.

    8. Re:What were those commons passwords in Hackers? by galaxy300 · · Score: 5, Funny

      I'm surprised that ****** isn't in the list. That's my password for just about everything. As a matter of fact, I've noticed that it's just about everyone's password!!!

    9. Re:What were those commons passwords in Hackers? by LBArrettAnderson · · Score: 5, Informative

      if the hackers need any help, here are the most common passwords for my website:

      password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.

      9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.

      hope that helps!

    10. Re:What were those commons passwords in Hackers? by JDWTopGuy · · Score: 2, Funny

      Just logged in to your account. Boy, your karma is in the toilet!

      --
      Ron Paul 2012
    11. Re:What were those commons passwords in Hackers? by ackthpt · · Score: 2, Funny
      Just logged in to your account. Boy, your karma is in the toilet!

      It's all those redundant or offtopic spelling and grammar corrections of CmdrTaco. It's a tough job, but someone's got to do it.

      --

      A feeling of having made the same mistake before: Deja Foobar
    12. Re:What were those commons passwords in Hackers? by 3ryon · · Score: 4, Funny

      these are the passwords it tries : [empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin...

      Whew! For a second there I thought it was trying xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    13. Re:What were those commons passwords in Hackers? by _xeno_ · · Score: 2, Funny

      Who'd be foolish enough to use ****** as a password? I use ********!

      --
      You are in a maze of twisty little relative jumps, all alike.
    14. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 5, Insightful

      My own survey of 267,000 passwords, here are the top ones.. If we've found them abused, they've already been changed, which I believe is why "password" is lowered from the #1 position to #2.. :)

      505 1234
      494 password
      319 6969
      241 harley
      231 123456
      201 golf
      180 pussy
      169 mustang
      169 1111
      143 shadow
      135 1313
      134 fish
      130 5150
      127 7777
      121 qwerty
      120 baseball
      118 2112
      116 letmein
      114 12345678
      114 12345

      Other than these, the users name, with the variations of a leading or trailing numeral, or the name spelled backwards also rank very high, but of course, don't show properly in this list..

      Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive. :)

      If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simpler.

      The web site password crackers that I've seen use dictionary files, and for the passwords they try:

      word
      drow (word backwards)
      [0-9]word (read as regex, not literal)
      word[0-9]
      [0-9]drow
      drow[0-9]

      Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")

      Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someone wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is supposed to use.

      BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..

      I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales receipt. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home. :) I figure if it took me 30 seconds with a buzz, it's probably too easy. BTW, there are all kinds of interesting options to set on those machines. :)

      --
      Serious? Seriousness is well above my pay grade.
    15. Re:What were those commons passwords in Hackers? by LoztInSpace · · Score: 5, Funny

      [the user's username backwards]. Heh heh. Reminds me of a friend telling someone to use this. Bad advice aside, imagine him saying this as he simultaneously realises that the user's name is Lana.

    16. Re:What were those commons passwords in Hackers? by NeoChichiri · · Score: 2, Insightful

      Actually...that's not entirely true...at least in the case of email or website login passwords...especially if they use either of those for business purposes. I think most of the time people just don't think of the possible problems that could arise from someone getting ahold of their password.

      --
      NeoChichiri
      http://www.neochichiri.net
    17. Re:What were those commons passwords in Hackers? by Anonymous Coward · · Score: 2, Informative

      I don't store plaintext passwords, so I just guessed the top 2, which are:

      53: 123456
      21: password

      keep in mind we require a >= 6 char password. We only have about 4,000 users.

    18. Re:What were those commons passwords in Hackers? by jtdubs · · Score: 3, Funny

      Or worse: Bob.

    19. Re:What were those commons passwords in Hackers? by Enigma2175 · · Score: 5, Funny

      I don't store plaintext passwords, so I just guessed the top 2, which are:

      53: 123456
      21: password

      keep in mind we require a >= 6 char password. We only have about 4,000 users.


      After reading your post, I thought I would try a few myself. Sure it's a small sample, although probably not statistically valid it certainly adds to the anecdotal evidence

      mysql> select count(*) from auth;

      count(*)
      873
      Total Users

      mysql> select count(*) from auth where password = md5(username);

      count(*)
      90
      username same as password

      mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.fname);

      count(a.username)

      44
      password is first name

      mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.lname);

      count(a.username)
      24
      Password is last name

      mysql> select count(*) from auth where password = md5('password');

      count(*)
      10
      hmmm, only 10 users with a password of password

      Some more ....
      mysql> select count(*) from auth where password = md5('12345');

      count(*)
      10

      I've got to put some text here to break up the queries, hopefully it will help out a little bit. Does anyone who has read through the slashcode know what criteria is used for the lameness filter? Is it the ratio of junk characters to nonjunk characters or is there something else to it?

      It seems like it causes problems.

      mysql> select count(*) from auth where password = md5('1234');

      count(*)
      2

      Now I suppose I must do a very lengthy conclusion because of the lame /. lameness filter. It seems as if many of my users use passwords that are inherently insecure. There are a few I could check for, but it would involve coding time and these days management doesn't look too kindly upon code that doesn't make money. I doubt I have enough to get through the filter, but I'll give it a shot. OK, now I have had to strip several of the server responses of dashes, hopefully this time 8crosses fingers8

      Jesus, what a fucking pain in the ass. Is it really that painful to the community to have a few ASCII porn pics posted? Damn I hate to have to go through this huge fucking ordeal just to post a simple fucking comment. How about a goddamn lameness filter exemption for people with excellent karma? How many ASCII goatse.cx pictures have you seen posted with a plus 1 bonus?

      It still will not post. I have stripped just about every nonletter from my post and it still will not fucking go up. what next do i need to strip the punctuation and caps so that i can get more non motherfucking bullshit junk characters in my post i guess it just goes back to the saying often quoted on slashdot i will paraphrase those who give up essential posting liberties for a little temporary safety from goatsex deserve goatsex twentyfour seven i wonder if it has ever occured to the nitwits that run this site that people might actually want to post something that is meaningful to the conversation that is not plain old text sometimes it makes things much more readable if you have some formatting and punctuation in there to break things up a bit gee its news for nerds cant these guys forsee that some geeks are going to want to post code and other things that may have more punctuation and special characters than your standard text

      motherfuckers

      --

      Enigma
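The three technical threads above (the F-Secure list of passwords the worm tries, JWSmythe's description of the word/drow/[0-9]word mutation patterns, and Enigma2175's MySQL audit of stored md5 hashes against usernames and names) combined into one password-audit check. This is an added example, not the worm's code or any poster's code; the sample rows, the user names in them, and the two leet substitutions are constructed here, and the 42-character run of x's follows the count given later in the thread.

```python
"""Weak-password audit assembled from this thread: the quoted worm password
list, the dictionary-mutation patterns, and the md5(username)-style checks.
Added example; none of this is the worm's code or any poster's code."""
import hashlib

# Passwords the worm tries, as quoted from F-Secure in the thread
# ("[empty]" is the empty string; the run of x's is 42 long as counted in the thread).
WORM_PASSWORD_LIST = [
    "", "x" * 42, "admin", "Admin", "password", "Password", "1", "12", "123",
    "1234", "12345", "123456", "1234567", "12345678", "123456789", "654321",
    "54321", "111", "000000", "00000000", "11111111", "88888888", "pass",
    "passwd", "database", "abcd", "abc123", "oracle", "sybase", "123qwe",
    "server", "computer", "Internet", "super", "123asd", "ihavenopass",
    "godblessyou", "enable", "xp", "2002", "2003", "2600", "0", "110",
    "111111", "121212", "123123", "1234qwer", "123abc", "007", "alpha",
    "patrick", "pat", "administrator", "root", "sex", "god", "foobar", "a",
    "aaa", "abc", "test", "test123", "temp", "temp123", "win", "pc", "asdf",
    "secret", "qwer", "yxcv", "zxcv", "home", "xxx", "owner", "login", "Login",
    "pwd", "love", "mypc", "mypc123", "admin123", "pw123", "mypass",
    "mypass123", "pw",
]
WORM_SET = set(WORM_PASSWORD_LIST)

# Letter-for-digit swaps the thread names (zero for "oh", three for "ee").
LEET_TABLE = str.maketrans("oOeE", "0033")


def case_variants(word):
    """The word as-is, all caps, capitalised, and both alternating-caps forms."""
    alt_upper = "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(word))
    alt_lower = "".join(c.lower() if i % 2 == 0 else c.upper() for i, c in enumerate(word))
    return {word, word.upper(), word.capitalize(), alt_upper, alt_lower}


def derived_guesses(word):
    """Every candidate the thread says web-site crackers derive from one
    dictionary word or user name: word, drow, [0-9]word, word[0-9], [0-9]drow,
    drow[0-9], then each of those in the case variants and with leet swaps."""
    word = word.lower()
    drow = word[::-1]
    patterns = {word, drow}
    for base in (word, drow):
        for digit in "0123456789":
            patterns.add(digit + base)
            patterns.add(base + digit)
    guesses = set()
    for p in patterns:
        for variant in case_variants(p):
            guesses.add(variant)
            guesses.add(variant.translate(LEET_TABLE))
    return guesses


def weak_password_reasons(password, username="", first_name="", last_name=""):
    """Reasons a plaintext password would fall to the worm's list or to the
    mutation patterns above; an empty list means none of them apply."""
    reasons = []
    if password in WORM_SET:
        reasons.append("worm list")
    for label, seed in (("username", username), ("first name", first_name),
                        ("last name", last_name)):
        if seed and password in derived_guesses(seed):
            reasons.append(label)
    return reasons


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


WORM_MD5 = {md5_hex(p): p for p in WORM_PASSWORD_LIST}


def audit_md5_row(username, first_name, last_name, digest):
    """Same audit against a stored unsalted md5(password), the way the thread's
    queries compare the password column with md5(username), md5(fname),
    md5(lname) and md5('password'); no plaintext is needed."""
    digest = digest.lower()
    reasons = []
    if digest in WORM_MD5:
        reasons.append("worm list")
    for label, seed in (("username", username), ("first name", first_name),
                        ("last name", last_name)):
        if seed and any(md5_hex(g) == digest for g in derived_guesses(seed)):
            reasons.append(label)
    return reasons


def audit_table(rows):
    """Count hits per reason over (username, fname, lname, md5hex) rows,
    like the thread's count(*) queries."""
    counts = {}
    for username, fname, lname, digest in rows:
        for reason in audit_md5_row(username, fname, lname, digest):
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample rows (not real users); hashes are unsalted md5 as in the thread.
SAMPLE_ROWS = [
    ("jsmith", "John", "Smith", md5_hex("jsmith")),    # username as password
    ("asparagus", "Alice", "Lee", md5_hex("Alice1")),  # first name + digit
    ("bmorris", "Bill", "Morris", md5_hex("SIRROM")),  # last name reversed, caps
    ("enigma", "Eve", "Adams", md5_hex("password")),   # worm list
    ("carpe", "Carl", "Noctem", md5_hex("xyzzy")),     # none of the above
]

if __name__ == "__main__":
    print(audit_table(SAMPLE_ROWS))
```

Because the mutation set is a few hundred strings per seed, the hash audit is cheap enough to run over a whole user table as a one-off check before forcing resets.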

    20. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 4, Insightful

      That was an interesting post. But I'm replying more to what you said afterwards.

      You spent good time giving an informative message, which when you hit submit, it honestly should have taken..

      At the risk of sounding off-topic, I agree with you completely about the lameness filter.. Sometimes switching your input type from "Plain Old Text" to "Code" will help, but there's another filter it'll frequently be caught on bitching about too much whitespace or redundant lines. Last time, I was trying to show examples of how our DNS worked.. 18 lines with word "Address: ", and half starting with one /24 or another.. I stripped out whitespace, added lines, I almost gave up, but one word finally made it click..

      I can't imagine what would happen if I actually posted a significantly long chunk of code for someone, that I *COULDN'T* strip anything out of.. What do I do, write a novel behind it just to fill space to make their percentages match what a normal message should read like?

      I do sympathise with them though. We get abusers on our systems all the time too, but in our case, we have an abuse button, where an abuse moderator can dump the message because it was bad.. It would seem to be an easy enough mod for here. If something gets modded down to -2, it never shows to anyone (effectively deleted). I know I should have some outrageously high Karma by now (now only known as "Excellent")

      They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts.. :(

      --
      Serious? Seriousness is well above my pay grade.
    21. Re:What were those commons passwords in Hackers? by boots@work · · Score: 4, Funny
      Nice post, though I can't understand what you think you're doing with hard data on Slashdot. :-)
      I was standing by one of the Kodak scanning stations... BTW, there are all kinds of interesting options to set on those machines. :)
      What, like force_image=goatse.jpg ?
    22. Re:What were those commons passwords in Hackers? by JWSmythe · · Score: 2, Funny

      Hehehee... It didn't have internet access, or I would have.. But the Internet Kiosks at CompUSA have a mysterious habit of getting their home pages changed. :)

      I wish I could do something with those refrigerators with the touch screen WinCE/XP thing to do anything.. Every time I touch one it crashes, so I don't even know if they have connectivity.

      Ahhhh, the perfect diet.. Every time you go to the fridge, you see ... well, I'll not be descriptive.. I don't think I'd ever be able to eat again. :)

      --
      Serious? Seriousness is well above my pay grade.
    23. Re:What were those commons passwords in Hackers? by fucksl4shd0t · · Score: 2, Funny

      the list does include love, sex, god, and secret.

      That, of course, is because they are all frequently confused with one another, and none of them truly exist.

      --
      Like what I said? You might like my music
    24. Re:What were those commons passwords in Hackers? by jaavaaguru · · Score: 2, Insightful

      My website only stores encrypted passwords. Anyone on Slashdot who stores plain text passwords should be ashamed.

    25. Re:What were those commons passwords in Hackers? by MegaFur · · Score: 4, Informative

      I don't get it. Most times, windoze lets you look through workgroups and choose the one you want to browse them *graphically* (double-click). So there's no need to count the "_"'s. I suspect that your plan worked mostly 'cause you changed the workgroup to something other than "WORKGROUP" and a lot of people didn't think to look for workgroups with anything other than the default name.

      But if I did want to count the "_"'s, I could:
      1) I copy the "_"'s to the clipboard.
      2) I open notepad and paste the "_"'s.
      3) I count them. (= 10)

      (Note: this is also a handy way to distinguish all of 'l10O' which can be hard to tell in some fonts.)

      But that was a general windoze solution. If Unix utilities are available, I could run `wc' (WordCount) with no input, then paste the "_"'s in, then type [ENTER], CTRL+D and word count would tell me how many chars are there.

      Yes, I know I'm being geeky and petty, but this is slashdot and I feel I should be allowed.

      --
      Furry cows moo and decompress.
    26. Re:What were those commons passwords in Hackers? by MegaFur · · Score: 2, Funny

      It reminds me of INTERCAL. In that joke programming language, approximately 33% of the lines have to say 'PLEASE'. If not enough lines say 'PLEASE', the compiler will say that you are rude and will refuse to compile your program. If too many lines say 'PLEASE', the compiler will accuse you of being overly polite. (It won't compile then either.)

      --
      Furry cows moo and decompress.
    27. Re:What were those commons passwords in Hackers? by Placido · · Score: 2, Funny

      >> They still need to do some work on here.. Too bad the bugs show up when we try doing in depth posts.. :(

      Yeah. Those bugs that only occur sporadically are the hardest to debug.

      --

      Pinky: "What are we going to do tomorrow night Brain?"
      Brain: "I would tell you Pinky but this 120 char limi
    28. Re:What were those commons passwords in Hackers? by buswolley · · Score: 2, Funny

      did you just give away the password to one of your 312 users? That wasn't very nice of you

      --

      A Good Troll is better than a Bad Human.

  2. A cold day in... by asparagus · · Score: 5, Funny

    ...for once a security problem that isn't really Microsoft's fault...

    Taco: Hell just called. They want you turn back on the heat.

  3. The Most Open Security Hole.... by scottm52 · · Score: 5, Interesting

    Is the one left open by an Admin who has no business being an Admin....

    But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???

    Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".

    1. Re:The Most Open Security Hole.... by afidel · · Score: 5, Insightful

      I liked a friend of mine's way of dealing with this: he ran a dictionary attack against the password database and a couple other tools, if your password was guessed the account was disabled and a note put in as to why, then when you called to have it re-enabled the helpdesk did an internal charge of $100 to your department, most managers would only let one crack go =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. Re:Microsoft's fault? by Anonvmous+Coward · · Score: 5, Insightful

    "Please tell me why isn't it Microsoft's fault? "

    Please tell me how it's MS's fault that people pick easy to guess passwords?

  5. Simple solution... by mrjive · · Score: 4, Insightful

    Unbind network sharing from your external tcp/ip settings.

    This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.

    And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.

    --
    If you can't beat them, arrange to have them beaten. -George Carlin
    1. Re:Simple solution... by MondoMor · · Score: 2, Informative

      And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.


      Unless you disable the "server" service (this is NOT ISS). Then those shares are disabled. Home users and many business users don't need the Server service running.

      Google for Win2k Services Tweak guide and follow the many happy descriptions.

    2. Re:Simple solution... by shamilton · · Score: 2, Informative

      Easy, in the properties for your external network interface, simply uncheck "File and Printer Sharing for Microsoft Networks."

      However, I don't think this is particularly amazing advice... only applicable to a box which happens to be acting as both a fileserver and a gateway.

      If I had mod points, I'd Overrated the grandparent for exactly this reason.

      sh

      --
      "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
    3. Re:Simple solution... by Orig · · Score: 2, Informative

      "It's a shame there's no easy way to get rid of Messenger service (ie. "net send") spam the same way."

      Control Panel -> Services , Set "Messenger" service startup type to "disabled".

      Or just do:

      C:\>net stop messenger
      The Messenger service is stopping.
      The Messenger service was stopped successfully.


      C:\>

  6. huh? by Dynedain · · Score: 2, Insightful

    I don't remember there being default passwords on Windows file sharing (have setup multiple filesharing networks, both w/ Win domains/active directory and w/out)....weak passwords I'd expect, but default?

    --
    I'm out of my mind right now, but feel free to leave a message.....
  7. Not Microsofts Fault? by tarogue · · Score: 3, Insightful

    If the worm is using default passwords to get in, then I would say that it *is* the fault of Microsoft. There should be no default password. When any type of networking is setup, you should be prompted to create a password. If no password is provided, no service is provided.

    --
    Life sucks, but death doesn't put out at all. -- Thomas J. Kopp
  8. Risks of default passwords by ma++i+ude · · Score: 5, Insightful
    Default passwords are of course a problem, especially when many of these systems are operated by people who probably don't even know they are running an SMB server.

    Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.

    --
    You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
  9. The weakest link by lavalyn · · Score: 3, Insightful

    There is a reason why intelligent password crackers (dictionary attack) will first try passwords such as "password", "secret", "administrator", "root" or its variants before going through the main database.

    It isn't only at the PHB's desk that PEBKAC can occur.

    Unfortunately, in an employment environment where complicated passwords are just another encumbrance and annoyance for most people, this is not going to change any time soon. /.ers are young (mostly). Most users never needed to know passwords longer than a 4 digit PIN until the last decade.

    --
    Doing the Right Thing should not be preempted by making a buck.
  10. ummm.... by oliverthered · · Score: 3, Interesting

    New UNIX password: oliver
    BAD PASSWORD: it is based on your username

    New UNIX password: jp821968i
    BAD PASSWORD: it looks like a National Insurance number.

    New UNIX password: rg78kn
    BAD PASSWORD: is too simple

    Yeh, nothing to do with the password system.

    Ok, so that's how my linux box is setup (without post install configuration), why isn't windows setup this way?

    --
    thank God the internet isn't a human right.
    1. Re:ummm.... by seanadams.com · · Score: 2, Interesting

      Yeah, but it'll take passwords like 123!@#qwe!@#
      Hint: look at your keyboard.

    2. Re:ummm.... by suwain_2 · · Score: 2, Interesting

      Not that I exactly advocate weak passwords, but you really can't compare the 'home user' Windows model with the 'Internet server' Linux model. I think a lot of people (primarily the less computer-literate) would be completely bewildered when it rejected the password they wanted to use. Personally, I use a password that's a 'l33t'-ified word (with absolutely no significance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject. On the systems set up to be this picky, I su to root and change my password, allowing me to bypass the password integrity test. Not the most secure thing in the world, I suppose, but if 'hardcore Linux geeks' get flustered when their password is rejected (and find ways to *make* the system take it), imagine how relatively 'clueless' home users would feel?

      Anyway, maybe it could have a very elementary test: things like "password" and its variants would be rejected, as would common derivations of the username. What might be a better idea was if when the user was asked to create / change a password, it had a section on choosing a *good* password. (And if your password was a 'common' bad one, it could explain why it's bad.)

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    3. Re:ummm.... by targo · · Score: 4, Informative

      You can configure Windows to do the same. At my workplace the policy is rather strict, so it actually takes some effort to come up with a good password.

  11. ACK!!! by revery · · Score: 5, Funny

    for once a security problem that isn't really Microsoft's fault.

    What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...

    Who are you and what have you done with the slashdot editors?!?

    --

    Dilbert - "If aliens take over your boss's body, is that a bad thing?"
    Wally - "It depends on the aliens"

    1. Re:ACK!!! by oyenstikker · · Score: 2, Insightful

      But the editor is still making an insulting comment not really related to the article and not backed up in any way. It seems there are one of these lines at the end of every article related to . . .well. . .not related to Linux. The comments never add to the article. Please leave them off.

      --
      The masses are the crack whores of religion.
  12. VB App to help? by Anonvmous+Coward · · Score: 4, Insightful

    I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.

    Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?

    1. Re:VB App to help? by Dwedit · · Score: 2, Insightful

      Then you just end up with users blindly clicking the same "Yes" button that got Gator on their systems.

  13. Dictionary attack + 1 by ObviousGuy · · Score: 5, Insightful

    I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.

    When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.

    This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.

    Perhaps the best solution would be biometrics?

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Dictionary attack + 1 by myowntrueself · · Score: 3, Funny

      "Perhaps the best solution would be biometrics?"

      Maybe. If implemented by a security guard with a pair of calipers that he measures your skull with every time you want to log on, then he logs on for you and if your skull doesn't match the numbers on his clipboard he shoots you.

      --
      In the free world the media isn't government run; the government is media run.
  14. Phew! I'm safe! by callipygian-showsyst · · Score: 3, Funny
    I didn't see my password:

    xyzzy

    on the list of passwords it tries. Guess I don't have to worry about this one.

  15. It's about time... by evronm · · Score: 2, Interesting

    It's about time someone wrote a worm like this.

    If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.

    I once worked as an SA at a bank. I could guess 90% of people's passwords in 3 tries. I'd say about 30% were the default "welcome". And the users would bitch (and occasionally get someone fired) if we told them to change them.

    If it is clearly communicated that this thing is spread because of weak passwords, maybe people will wake up and start using real passwords.

    Or is it just wishful thinking?

    1. Re:It's about time... by nurightshu · · Score: 2, Insightful

      If it does enough damage, maybe people will learn, through aversive conditioning, not to use stupid passwords.

      Just like Melissa, and ILoveYou, and Klez, and Goner have taught the users to be very careful when opening e-mail attachments.

      --
      They that would sacrifice their .sig space for that cliched Franklin quote deserve neither.
  16. Ack! It's the Rapture! by Guppy06 · · Score: 3, Funny

    This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

    Dammit, I knew I should have built that bomb shelter...

  17. Symantec's hint by very · · Score: 4, Interesting

    On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.

    LiveUpdate:
    Virus Definitions released March 9
    Norton AntiVirus Corp. Edition Defs Version: 50309h
    Norton AntiVirus Corp. Edition Sequence Number: 21592
    Total Viruses Detected: 63225


    This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.

    They know something, definitely.

  18. Re:White-hat worm? by tedrlord · · Score: 3, Informative

    Read the article. In addition to turning off file sharing, it installs a backdoor into the system.

    --
    [insert witty quote here]
  19. Re:I wonder if that is why my router is not happy by myowntrueself · · Score: 4, Funny

    Let me guess, UDP port 137 is producing lots and lots of logged events?

    Thats normal. There are two solutions;

    1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.

    Or

    2. Stop logging UDP port 137.

    --
    In the free world the media isn't government run; the government is media run.
  20. Re:Microsoft's fault? by Anonymous Coward · · Score: 5, Funny


    Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault.

  21. pat/patrick by Anonymous Coward · · Score: 5, Insightful

    St. Patrick's day is this month.

    For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...

  22. Re:Microsoft's fault? by AvitarX · · Score: 4, Interesting

    what about c$? or admin$?

    not all shares are manually set.

    if the administrator password is weak then the system can be compromised this way with no shares being set (unless things have changed since NT4.0 that I don't know about).

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  23. Re:Microsoft's fault? by fshalor · · Score: 3, Interesting

    Um, actually there are a lot of "default" shares laying around ripe for the picking. In win98, I believe it's only the system root and all the drives. I think the same are enabled in win2k. You can disable them, but they come back upon reboot. In win2k, by default, the service which must run isn't enabled, but under win98, it's trivial to hack around and get any of the default shares. These are ones which you don't see, by the way.

    --
    -=fshalor ::this post not spellchecked. move along::
  24. Re:Microsoft's fault? by lavalyn · · Score: 3, Informative

    Go look at your computer's C$ share. This is the default share on a fresh 2K install.

    Even if it requires local admin accounts to access this share, just that it is available, and HIDDEN, is a grave security fault!

    --
    Doing the Right Thing should not be preempted by making a buck.
  25. not in there? by ackthpt · · Score: 3, Informative
    And how many people really have 42 x's as their password?

    What's the maximum or minimum limit for password? I generally go with 6-8 with a combination of letters and numbers, often deferring to foreign languages, rather than English.

    I was surprised that it didn't include:

    Months (i.e. january, february, ...) since I catch people using those a lot

    system (i.e. another favorite)

    xyzzy

    plugh

    Tho I do note 'foobar' is in there, but I generally use that on internet sites where I could care less if someone assumes my identity.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:not in there? by tuba_dude · · Score: 3, Funny

      interesting system. I take a bag of marbles and throw it at my keyboard until I get 8-12 characters and go from there.

      --
      "The government of the United States is not, in any sense, founded on the Christian religion."
    2. Re:not in there? by Surak · · Score: 2, Funny

      xyzzy

      Nothing happens.

  26. Real Info on this Worm by Anonymous Coward · · Score: 4, Informative

    Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.

    1. Once on the system it disables personal security/firewall/virus scanning
    2. Copies itself to the start up group
    3. With virus scanning disabled it drops several nasty bugs.
    4. Network traffic/processor utilization goes thru the roof.
    5. It then tries to replicate on the next machine...
    McAfee has an extra.dat that fights it, the next DAT release on the 12th will include that def.

    Good Luck

  27. Hypocrisy by Apreche · · Score: 2, Insightful

    Wow, this is really hilarious. Windows is a very secure operating system, but not out of the box. It requires an amount of time and effort setting permissions and enabling/disabling services and the like. However, Windows users are generally the people who don't know how to do anything and need everything built in and done for them.

    On the other hand we've got linux, the do it yourself operating system. You've got to set up, tweak, fiddle, configure, code and compile everything. Nothing is done for you. But of course, it's secure out of the box.

    Now we get a worm that is/isn't Microsoft's fault. It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything. It just takes advantage of the fact that windows isn't secure by default. So who comes out to complain that something isn't automatic and built in? Oh, of course, the linux users who love the operating system where nothing is done for you and you have to write code to make software work.

    linux guy: "Your operating system isn't secure by default!"
    windows guy: "Your operating system isn't anything by default!"

    And don't get me wrong, I'm a dual boot win2k/mdk9 man, but this typical slashdot hypocrisy cracks me up.

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:Hypocrisy by oyenstikker · · Score: 2, Insightful

      linux guy: "Your operating system isn't secure by default!"
      windows guy: "Your operating system isn't anything by default!"


      I use Linux. My system wasn't anything by default. But by not being anything, it was secure.

      --
      The masses are the crack whores of religion.
    2. Re:Hypocrisy by theLOUDroom · · Score: 3, Insightful
      On the other hand we've got linux, the do it yourself operating system. You've got to set up, tweak, fiddle, configure, code and compile everything. Nothing is done for you. But of course, it's secure out of the box.

      What a bunch of b.s. If you've really used Mandrake, you'd know you don't have to write any code to make anything work. I've been using RH7.3 as my desktop OS exclusively for a year now, and I haven't had to write any code.
      I'm not saying Linux is perfect, but saying you need to write code to get Linux to even work is just a damn lie. Everything your average joe wants is usually on your distro's install cds in rpm or whatever format. Put in the disc, click on the RPM and tell it to install. How hard is that? Yes, if you WANT to be on the bleeding edge you can compile things yourself. I do sometimes, but it is not a necessity.


      windows guy: "Your operating system isn't anything by default!"

      Linux does work by default, it just doesn't set up a bunch of network services that leave your ass out in the breeze. After using KDE, gaim, mozilla, etc for so long, using a windows box can be just frustrating. I don't think your argument makes sense at all, all these things are installed and work by default.

      Windows, is a very secure operating system, but not out of the box.

      Care to back this up? OpenBSD is a very secure operating system. I would say an updated RH6.X box is, by now, a very secure OS. Windows? Some GUI toolbox type stuff is actually run in "protection ring 0" or whatever it's called. How is that secure? How are you going to fix that without access to the kernel source?
      Yeah you can tweak things to fix other problems like default administrative shares but how is an OS "very secure" if it has a flawed security model and you have to cover it with band-aids?
      What proof do you have that windows can be very secure? Over the last two years:
      • What's the mean time between root exploits being available and unpatched for a win2k/IIS combination?
      • What's the mean time that these exploits exist and are not fixed?
      • What's the average number of days in a year that a win2K/IIS box must be taken down or is available for a remote root exploit?

      Get an idea what those numbers are, then compare them to the other operating systems I mentioned. Maybe you'll change your mind.

      Finally, even if you think you can secure windows by doing a bunch of work, how is this better than all that work you claim it takes to get a linux system going?
      --
      Life is too short to proofread.
  28. Re:White-hat worm? by EverStoned · · Score: 2, Insightful

    "Your average user" is why viruses like this spread.

    *sigh*

  29. Hypocrites by Nintendork · · Score: 5, Insightful
    "for once a security problem that isn't really Microsoft's fault"

    Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.

    I feel sorry for those that let their hatred of a company cloud their perception on information security.

    -Lucas

    1. Re:Hypocrites by tres · · Score: 3, Insightful
      ...I see a lot more *nix than MS activity.
      This is derived from the idea that all security vulnerabilities are quantitatively the same. In fact, the danger posed by the majority of exploits listed for Open Source software is relatively minor compared to the regular influx of root level exploits that show up for the Windows platform.

      Sure, you see a lot of exploits for Open Source software, but the difference is when exploits for Open Source software are found, they are:

      • a) normally quite limited in their scope. *nix root exploits are relatively rare and are generally harder to take advantage of than their Windows counterparts.
      • b) patched almost immediately after the exploit is announced. We see in the world of Windows that it's not uncommon for vulnerabilities to be announced and left unpatched for months. (And since you don't have access to the source, you can't do any patching yourself either.)

      Don't get me wrong, when it comes down to it, I'd much rather get the best tool for the job. But when it comes to security, Microsoft Windows is not it.

      --
      Notes From Under *nix: blas.phemo.us
    2. Re:Hypocrites by terminal.dk · · Score: 2, Informative

      Problem is, that most of the bugs attributed to Unix are not a problem in unix, but a problem with some user installed software, like Sendmail etc.

      On Windows we don't attribute errors in Exchange, WordPerfect etc to the OS.

      Now if we only count unix errors as those in the kernel and libc, and even Dan Bernstein's software, we get quite a bit fewer.

      People can't see the difference between software from the huge company "Open Source", and the company's operating system, while it is easier for them to tell there is a difference between Windows, and an add-on product that costs hundreds of dollars.

  30. It is not by Anonymous Coward · · Score: 2, Insightful

    MS does not provide default user password under NT/2K/XP. If this worm is going around it is because users set up weak passwords. MS is in no way responsible for stupid users.

  31. It's not a worm, it's a DDOS countermeasure by eagl · · Score: 5, Insightful

    Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...

    Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...

    Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.

    1. Re:It's not a worm, it's a DDOS countermeasure by IIRCAFAIKIANAL · · Score: 3, Insightful

      Of course, some of those pc's that are attacking you are probably already compromised and that's why they are being used to attack you.

      If I was a spammer or hacker, I would probably have a bunch of PC's between me and my targets, and use those pc's to get more pc's ad infinitum.

      (Not that I know anything about this, I program in userland against an ORACLE database behind a firewall :)

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
  32. SAMBA protocol by whereiswaldo · · Score: 3, Insightful


    Just to be the devil's advocate (literally ;), isn't SAMBA just a protocol? Since Linux supports SAMBA, is it not just as vulnerable to this worm?

    And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.

    1. Re:SAMBA protocol by The+Ape+With+No+Name · · Score: 2, Informative

      Notice it says: Startup Folder. Unless the worm can add a script to /etc/rc.d/ or cat itself into rc.local then SAMBA isn't vulnerable other than stuff on the share being available.

      Other thing: time for all the LOTR lusers to change g@nbA1ph to g011um!

      --
      Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
    2. Re:SAMBA protocol by Unregistered · · Score: 3, Funny

      Yea, but copy C:\Windows\Tempor~1\Work.exe C:\Windows\StartMenu\Programs\Startup doesn't work too well on linux.

    3. Re:SAMBA protocol by Anonymous Coward · · Score: 2, Informative

      > Just to be the devil's advocate (literally ;), isn't SAMBA just a protocol? Since Linux supports SAMBA, is it not just as vulnerable to this worm?

      Being picky, Samba is the open software suite that handles the SMB protocol. Yes, Samba would be as vulnerable except that by default Samba doesn't share anything - you have to tell it what you want to share via its config file. So, you probably (...but NOT definitively!..) assigned a share password at the same time you created the config file entry. Not quite the same as a share created by default with a weak password.

      > And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (eg. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.

      Probably because the majority of their market are home users who Don't Want to have to worry about passwords 'n stuff - just arrest those stupid, inconveniencing 'hackers' and let the home users get on with their work. MS doesn't want to deal with the grief that reasonable security would cause their largest installed base.

    4. Re:SAMBA protocol by sn0wman3030 · · Score: 5, Informative

      Just so we're clear, SAMBA is not a protocol. The protocol you are thinking of is SMB (Server Message Block). Samba allows unix users to use SMB. Here's some info.

      --
      Life is offtopic.
  33. WRONG! by dotgod · · Score: 5, Funny
    Sorry, but "administrator" can't be one of the passwords the worm tries because I use that for the password on my box and everyt

    NO CARRIER

    1. Re:WRONG! by IIRCAFAIKIANAL · · Score: 4, Funny

      Those no carrier jokes always remind me of Monty Python and the Holy Grail...

      <dream sequence>
      ARTHUR:
      What does it say?
      MAYNARD:
      It reads, 'Here may be found the last words of Joseph of Arimathea. He who is valiant and pure of spirit may find the Holy Grail in the Castle of aaarrrrggh'.
      ARTHUR:
      What?
      MAYNARD:
      '...The Castle of aaarrrrggh'.
      BEDEVERE:
      What is that?
      MAYNARD:
      He must have died while carving it.
      LAUNCELOT:
      Oh, come on!
      MAYNARD:
      Well, that's what it says.
      ARTHUR:
      Look, if he was dying, he wouldn't bother to carve 'aarrggh'. He'd just say it!
      MAYNARD:
      Well, that's what's carved in the rock!
      GALAHAD:
      Perhaps he was dictating.
      ARTHUR:
      Oh, shut up. Well, does it say anything else?
      MAYNARD:
      No. Just 'aaarrrrggh'.
      LAUNCELOT:
      Aaaauugggh.
      ARTHUR:
      A arrrggh.
      </dream sequence>

      No, that's just stupid. Too bad I hit submit already...

      --
      Robots are everywhere, and they eat old people's medicine for fuel.
  34. Choose your weapons...Uh, I pick Blame! by ackthpt · · Score: 3, Interesting
    "Please tell me why isn't it Microsoft's fault? "

    Please tell me how it's MS's fault that people pick easy to guess passwords?

    Some systems I have used in the past have a built in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.

    You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.

    A modest proposal:

    Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue'). Does Microsoft accept advice from users, or do they only innovate by buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Choose your weapons...Uh, I pick Blame! by NetJunkie · · Score: 3, Informative

      Complex password checking is an included feature. It's easily enabled.

    2. Re:Choose your weapons...Uh, I pick Blame! by zeugma-amp · · Score: 2, Informative

      I'm of the opinion that it is almost criminal these days for a system to not run a quick test against passwords as the user chooses it. This is the case on most, if not all linux systems I use, and many others as well.

      The problem is that many users have a large number of systems they must access, and can't be bothered to choose decent ones for each system, and can't be bothered to change them at any regular interval once they've been set. Password aging is a pretty basic security concept that is rarely implemented.

      I always recommend the use of passwords that are not words, but are pronounceable by the user. Many years ago, when I went to work for MCI, we were assigned MCIMail accounts. When you would initially log in, it would prompt you to change your password. Rather than just let you type in any old thing, it would give you 3 choices like this.

      puwacane
      solahota
      yamatotu

      You had the option of choosing one of the three listed, or could roll the dice for another three more to your liking. I kinda liked it.

      These days, there are a number of programs that will do this for you quickly and easily. I'm sure most of you are aware of 'gpw', which will generate passwords similar to those listed above. I've seen many variations of the program, and in fact currently use a perl-based one on my Solaris boxes when it's time to change passwords.

      I mentioned earlier that people have many different passwords to remember. This, as well as the problem of multiple usernames, is a major problem for many users. Fortunately, there are software solutions for this as well. For Linux users, I like 'gpasman', which is a small program that will keep track of usernames/passwords for you that is itself protected with a password/passphrase (use a darn good one!). Windows users may find 'password safe' to be a good choice.

      Both of the above programs have enabled me to have excellent passwords everywhere. Password Safe will even generate extremely strong passwords for you.

      I guess my point, if there really is one, is that some of the pain of passwords can be alleviated to some degree by good technology. I wish more people took more care in their choice of passwords. Given the results reported elsewhere on this page, they don't seem to.

      --
      This is an ex-parrot!
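An added example (not gpw itself, which draws on English trigram statistics) of the pronounceable-password scheme described in the post above, using a plain consonant/vowel alternation so the search space is easy to reason about; the entropy figures show why such passwords are memorable but far weaker than random alphanumerics of the same length.

```python
"""Pronounceable password generator in the spirit of the MCIMail/gpw prompt
described above, plus an entropy estimate for the scheme.
Added example, not code from the page or from gpw; the alphabet and the
consonant/vowel pattern are this example's own simplification."""
import math
import secrets
from typing import List

CONSONANTS = "bcdfghjklmnprstvwyz"   # 19 letters, 'y' included as in "yamatotu"
VOWELS = "aeiou"                     # 5 letters


def pronounceable(length: int = 8) -> str:
    """Alternate consonant and vowel (CVCVCVCV for length 8), drawing each
    letter from the OS CSPRNG via `secrets` rather than random()."""
    out = []
    for i in range(length):
        alphabet = CONSONANTS if i % 2 == 0 else VOWELS
        out.append(secrets.choice(alphabet))
    return "".join(out)


def choices(n: int = 3, length: int = 8) -> List[str]:
    """Offer n candidates, as the MCIMail prompt in the post did."""
    return [pronounceable(length) for _ in range(n)]


def is_pronounceable(pw: str) -> bool:
    """True if pw follows the generator's consonant/vowel pattern."""
    return all((c in CONSONANTS) if i % 2 == 0 else (c in VOWELS)
               for i, c in enumerate(pw))


def entropy_bits(length: int = 8) -> float:
    """log2 of the number of distinct strings the scheme can produce:
    19 choices per consonant slot, 5 per vowel slot (about 26 bits for 8)."""
    n_cons = (length + 1) // 2
    n_vow = length // 2
    return n_cons * math.log2(len(CONSONANTS)) + n_vow * math.log2(len(VOWELS))


def alphanumeric_bits(length: int = 8) -> float:
    """Entropy of a uniformly random [A-Za-z0-9] string of the same length
    (about 47.6 bits for 8), for comparison."""
    return length * math.log2(62)


if __name__ == "__main__":
    for candidate in choices():
        print(candidate)
    print(f"scheme entropy: {entropy_bits():.1f} bits; "
          f"random alphanumeric of same length: {alphanumeric_bits():.1f} bits")
```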
  35. Re:Microsoft's fault? by shamilton · · Score: 3, Informative

    It's not hidden in nt/2k/xp. Though when you try to delete it, you get told it's there and necessary for administrative purposes.

    --
    "[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
  36. love of the Irish. by Erris · · Score: 2, Funny
    The pat / patrick is rather weird, eh? only name in the list

    Happy Saint Patrick's day!

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:love of the Irish. by Theaetetus · · Score: 5, Funny
      The pat / patrick is rather weird, eh? only name in the list

      Hey! My son Temp123 would take offense at that!

      -T

    2. Re:love of the Irish. by Jerf · · Score: 5, Funny

      "Son, it's time we had that special man-to-man talk about where babies come from. See, your mom and I tried to, uhhh, 'swap location', and everybody knows that to swap two variables, you need a temporary variable*. Well, you're that temporary variable. You just better hope you don't go out of scope soon..."

      (*: True in the general case, since the XOR trick only works in certain circumstances.)

  37. Re:Might be MS's fault. by WiPEOUT · · Score: 2, Insightful

    ... in other news, Microsoft SQL Server 2000 is now being included in the RedHat 8.2 distribution's default install, and a security bulletin has been released for MacOSX 10.2 Print Services running on the Commodore 64.

  38. Re:Microsoft's fault? by Guppy06 · · Score: 5, Interesting

    "Please tell me how it's MS's fault that people pick easy to guess passwords?"

    Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.

    Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

    Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.

    The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.

    True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.

    No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.

  39. I can see the headlines now: by masteroveride · · Score: 2, Funny

    A worm that isn't Microsoft's problem!?!? Next thing you know you'll hear about airliners falling out of the sky due to flying pigs...

    --
    eh, food for thought...
  40. Re:huh? by Erris · · Score: 2, Informative
    I don't remember there being default passwords on Windows file sharing (have setup multiple filesharing networks,

    He he, you don't remember because it did not tell you. Filesharing gets set up as part of other software installs without telling you. Nice eh?

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  41. Re:Microsoft's fault? by NetJunkie · · Score: 2, Informative

    If I have the Administrator password I can do anything I want...whether the default shares are there or not. I can easily connect to the system and share the drives out myself. The worm could just as easily do that.

    XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names.

  42. Re:Microsoft's fault? by ubernostrum · · Score: 2
    Please tell me how it's MS's fault that people pick easy to guess passwords?

    Well, it's not necessarily their fault, but I'm used to my Linux box where I'm not allowed, for example, to select a word in the dictionary as a password. On MS OSes, having some sort of feature to disallow exceedingly weak passwords wouldn't be too hard to implement and could do a lot for the security of the system . . . heck, just a simple routine that disallows "admin" and "password" would probably take care of half the machines that have been infected by this thing.
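The checks several posters in this thread call for, as an added example that is not part of any post here: a denylist of the weak defaults the worm tries, a dictionary and reversed-dictionary check (this catches "drowssap"), a minimum length with both letters and digits, and a user-name check. The word list is a constructed stand-in for a real dictionary file such as /usr/share/dict/words.

```python
"""Password policy check of the kind the thread asks Windows for.
Added example, not from the page or from any vendor product."""
import re
from typing import List

# Constructed stand-in for a dictionary; load /usr/share/dict/words or a
# cracking wordlist in a real deployment.
DICTIONARY_WORDS = {
    "password", "welcome", "secret", "computer", "internet", "server",
    "database", "system", "login", "owner", "home", "love", "test",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Weak defaults mentioned in this thread; rejected even if they happen to
# pass the length and character-class rules.
DENYLIST = {
    "admin", "administrator", "root", "guest", "admin123", "password1",
    "welcome1", "12345678", "123456789", "godblessyou", "ihavenopass",
    "xyzzy", "plugh", "drowssap",
}

MIN_LENGTH = 8


def _letters_only(s: str) -> str:
    """Lower-case and strip everything but a-z, so 'Password123' -> 'password'."""
    return re.sub(r"[^a-z]", "", s.lower())


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"\d", candidate):
        problems.append("must contain both letters and digits")
    if candidate.lower() in DENYLIST:
        problems.append("on the weak-default denylist")
    core = _letters_only(candidate)
    if core and core in DICTIONARY_WORDS:
        problems.append("dictionary word (digits/punctuation stripped)")
    elif core and core[::-1] in DICTIONARY_WORDS:
        problems.append("reversed dictionary word")
    user_core = _letters_only(username)
    if user_core and user_core in core:
        problems.append("contains the user name")
    if candidate and len(set(candidate)) == 1:
        problems.append("single repeated character")
    return problems


def is_acceptable(candidate: str, username: str = "") -> bool:
    return not check_password(candidate, username)


if __name__ == "__main__":
    for pw in ("welcome", "puwacane", "drowssap1", "password123", "k7Vm-qz9Lp"):
        verdict = check_password(pw)
        print(f"{pw:12s} -> {'OK' if not verdict else '; '.join(verdict)}")
```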

  43. Re:Microsoft's fault? by ahaning · · Score: 5, Funny

    For example, make it really clear to users enabling file sharing that people can and will try to break in if they connect to the Internet, so strong passwords or other security means are really necessary.

    It's a good thought, but consider this:

    You should be warned that ena*click*

    Are you sure that you want*click*

    Sweet. My files are shared.

    --
    Withdrawal before climax is very ineffective and those who try this are usually called "parents."
  44. Surprising by chewedtoothpick · · Score: 2, Interesting

    Surprising that the most popular 'simple' password I have come across: drowssap wasn't on the list... either it must not be very composite, or the programmers of the worm are fairly out-of-touch.

    --
    Erutangis ym si siht.
  45. Re:Microsoft's fault? by Guppy06 · · Score: 2, Informative

    "XP does not show the user accounts unless you set it up for the family stuff. My XP machines in my domains don't show any user names."

    That's because you have it in a domain, using domain accounts. If you're not in a domain, the default local log-in method is that "family stuff" you're talking about.

    However, you are right; I was wrong about the default behavior. Instead of a user log-in, a default XP Home install will automatically log you in to the default account "Owner," an admin account with no password(!!!!!).

  46. Re:patrick!!??!! by Kpt+Kill · · Score: 2, Informative

    uhh... yeah it does, try looking for it. I'll give you a hint... Local Security settings

  47. Re:I wonder if that is why my router is not happy by ackthpt · · Score: 2
    Let me guess, UDP port 137 is producing lots and lots of logged events?

    UDP 137 has been logging lots of hits since day 1 for this system. Fortunately I have a firewall and have been very excited to see how many worms are out there trying to find a new host. A few weeks back I examined the log for the few hours I was connected over a dial-up (no DSL or ISDN, just 56K) and found 335 attempts, most of which are aimed at 137. A quick search of this with Google yielded info that this was indeed likely caused by a worm on many computers, scanning IP addresses and testing port 137.

    My first log of a probe on 445 was 3/7/2003 at 21:12 (9:12 PM in California); it seems they come in pairs or threes. The number of probes has been increasing.

    Given what I've seen of my firewall logs, there's no way I'll ever put another computer within spitting distance of an internet connection without a firewall. Like, cripes 'n stuff!

    --

    A feeling of having made the same mistake before: Deja Foobar
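The tally the poster above did by hand on UDP 137 and TCP 445 hits, as an added example (not the poster's code or firewall): parse drop lines, count probes per SMB-related port and per source, and flag sources that swept more than one SMB port, which looks like a scanning worm rather than a stray NetBIOS broadcast. The log format and the addresses (RFC 5737 documentation ranges) are constructed; adapt LINE_RE to your firewall's format.

```python
"""Count NetBIOS/SMB probes in firewall drop logs.
Added example; the log format and addresses are constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Ports an SMB-spreading worm touches: NetBIOS name service (UDP 137),
# NetBIOS session (TCP 139) and direct-hosted SMB (TCP 445).
SMB_PORTS = {137, 139, 445}

# Constructed sample in the form "<date> <time> DROP <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2003-03-07 21:12:03 DROP UDP 203.0.113.9:1025 -> 192.0.2.7:137
2003-03-07 21:12:04 DROP TCP 203.0.113.9:1026 -> 192.0.2.7:445
2003-03-07 21:12:05 DROP TCP 203.0.113.9:1027 -> 192.0.2.7:139
2003-03-07 21:12:06 DROP UDP 198.51.100.4:137 -> 192.0.2.7:137
2003-03-07 21:12:07 DROP UDP 198.51.100.4:137 -> 192.0.2.7:137
2003-03-07 21:12:08 DROP TCP 198.51.100.200:4102 -> 192.0.2.7:80
2003-03-07 21:12:09 DROP TCP 203.0.113.9:1028 -> 192.0.2.7:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DROP (?P<proto>UDP|TCP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse drop lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def smb_probe_summary(events: List[dict]) -> dict:
    """Hits per SMB port, hits per source, and sources that hit more than one
    SMB port (a sweep signature rather than background NetBIOS noise)."""
    per_port: Counter = Counter()
    per_source: Counter = Counter()
    ports_by_source: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ev["dport"] not in SMB_PORTS:
            continue
        per_port[ev["dport"]] += 1
        per_source[ev["src"]] += 1
        ports_by_source[ev["src"]].add(ev["dport"])
    sweepers = sorted(src for src, ports in ports_by_source.items() if len(ports) > 1)
    return {
        "smb_probes": sum(per_port.values()),
        "per_port": dict(per_port),
        "per_source": dict(per_source),
        "multi_port_sources": sweepers,
    }


if __name__ == "__main__":
    for key, value in smb_probe_summary(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```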
  48. Re:Microsoft's fault? by roolmarty · · Score: 5, Informative

    From Technet article 318751 (HOWTO: Remove Administrative Shares in Windows 2000):

    To remove automatic creation of the administrative shares by using Registry Editor:

    • Start Registry Editor (Regedt32.exe).
    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

    • Change the value of the AutoShareServer key to zero (0).
      NOTE: A setting of zero (0) prevents the administrative shares, such as C$, D$, and Admin$ from being created automatically.
    • Quit Registry Editor.

    NOTE: If the AutoShareServer key does not exist, create the AutoShareServer key by using the following steps:

    • Locate and then click the following key in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
    • On the Edit menu, click Add Value.
    • Type AutoShareServer, click REG_DWORD, and then click OK.
    • Type 0, and then click OK.
    • Quit Registry Editor, and then restart the computer.

    And... From 314984 (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)

    To delete the hidden administrative shares for all root partitions and volumes (such as C$) and the system root folder (ADMIN$) and prevent Windows from re-creating them, add an AutoShareWks DWORD value to the following registry key and set its value data to 0:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    These get rid of those pesky administrative shares.
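An added example (not Microsoft's tooling, nor code from the articles quoted above) that audits the two values from those articles and verifies the result: it picks AutoShareWks or AutoShareServer by reading the ProductType value under ProductOptions (that lookup is this example's assumption, not something the articles mention), reports whether suppression is in place, and parses `net share` output to confirm the hidden shares are gone after the reboot. The registry and `net share` access only run on Windows; the decision and parsing functions run anywhere, and the `net share` sample is constructed.

```python
"""Audit, and on request disable, automatic administrative shares via the
AutoShareServer / AutoShareWks values. Added example, not vendor code."""
import subprocess
import sys
from typing import Dict, List, Tuple

PARAMETERS_KEY = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
# Assumption of this example: ProductType is "WinNT" on workstation SKUs and
# "ServerNT" / "LanmanNT" on server SKUs and domain controllers.
PRODUCT_KEY = r"SYSTEM\CurrentControlSet\Control\ProductOptions"


def value_name_for(product_type: str) -> str:
    """Workstations honour AutoShareWks, servers AutoShareServer (per the articles)."""
    return "AutoShareWks" if product_type.upper() == "WINNT" else "AutoShareServer"


def plan(product_type: str, params: Dict[str, int]) -> dict:
    """Decide whether the suppression value is already set to 0."""
    name = value_name_for(product_type)
    current = params.get(name)          # None when the value does not exist
    return {"value_name": name, "current": current,
            "suppressed": current == 0, "needs_change": current != 0}


def parse_net_share(text: str) -> List[str]:
    """Share names from `net share` output: first token of each table row."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        names.append(line.split()[0])
    return names


def admin_shares(share_names: List[str]) -> List[str]:
    """Automatic hidden shares: drive roots (C$, D$) and ADMIN$. IPC$ is
    excluded because it is not controlled by these registry values."""
    return [s for s in share_names if s.endswith("$") and s.upper() != "IPC$"]


# Constructed sample of `net share` on a default workstation install.
SAMPLE_NET_SHARE = """\

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
The command completed successfully.
"""


def read_registry() -> Tuple[str, Dict[str, int]]:
    """Windows only: ProductType plus whichever AutoShare* values exist."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PRODUCT_KEY) as k:
        product_type, _ = winreg.QueryValueEx(k, "ProductType")
    params: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PARAMETERS_KEY) as k:
        for name in ("AutoShareServer", "AutoShareWks"):
            try:
                params[name], _ = winreg.QueryValueEx(k, name)
            except FileNotFoundError:
                pass
    return product_type, params


def apply_fix(value_name: str) -> None:
    """Windows only, needs admin rights: create/set the REG_DWORD to 0.
    A reboot (or restarting the Server service) is still required."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PARAMETERS_KEY, 0,
                        winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, value_name, 0, winreg.REG_DWORD, 0)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry audit runs on Windows only")
    product_type, params = read_registry()
    result = plan(product_type, params)
    shares = admin_shares(parse_net_share(
        subprocess.run(["net", "share"], capture_output=True, text=True).stdout))
    print(f"{result['value_name']} = {result['current']}; live admin shares: {shares}")
    if result["needs_change"] and "--fix" in sys.argv:
        apply_fix(result["value_name"])
        print("value set to 0; reboot to remove the shares")
```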

  49. Not default passwords... by NetJunkie · · Score: 3, Insightful

    These aren't default passwords. They are just bad passwords. Haven't we learned that wide open systems with bad passwords are not a good idea? I bet 90% of the exploited systems have blank passwords. Complex password requirements can be enabled.

    I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.

    It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.

    This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.

    1. Re:Not default passwords... by larien · · Score: 2, Interesting
      Get one for your mom
      When I helped my mother get on the internet (she uses it mainly for registering cattle movements on the web), I took a CD with Zone Alarm on it with me and installed that with the settings locked down. My home connection (linux box on ADSL) is slightly more open, with ports 22, 80 & 443 open. Only two users have access to port 22, though (unless ssh breaks again...). Everything else at home is NAT'd through the linux box.
  50. well...maybe...but by BurKaZoiD · · Score: 3, Funny

    Is the one left open by an Admin who has no business being an Admin....

    For 99.997% (Manhattan Project, anyone?) of the cases, I'd agree wholeheartedly. The rest of them, like our Network Admin where I work, are under the thumb of some stupid BEEYOTCH of an IT Director who wants to continue to use the same passwords used by the old Network Administrator (who was shitcanned by her), and refuses to allow the new guy to set newer, more secure passwords. And believe me, it's not a matter of people just not getting along. For Pete's sake, she's even yelled at me for encrypting DSN strings and sticking them in the registry of the server, instead of plopping them in a text file like everyone else, open to the world. And she totally f*cking flipped (when she read the documentation I wrote about the procedure) upon hitting the section that described how every time the DSN was accessed, read, edited, or yelled at sternly the code modified and scrambled it with a new, different algorithm. She described it as "unsafe, and taking things to an extreme that was unnecessary". She also said made some asinine comment about how we would never be able to recover the passwords if the code were ever lost, to which I recall thinking "Well first, that's job security for me, second, don't forget your goddamn passwords, and third, that's what sa access is for, you dumb bitch."

    Yep, this type of commentary coming from someone who not only has no business being an IT Director, but swears on a stack of bibles she can reverse engineer MD5 in her head (we have another application that uses MD5 to hash passwords, she simply recognizes the default password hash).

    I swear to God I'm not making this shit up. I wish the nasty bitch would stick to pushing pencils and leave the real work to those of us who know.

  51. Why do people hire these admins? by Dunkalis · · Score: 4, Interesting

    It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.

    --
    Slashdot is a waste of time. I enjoy wasting time.
  52. How MS can "force" a person to choose a good pw? by mark-t · · Score: 3, Interesting
    I concur with the view that services that leave a system open should not be installed by the OS until it has a moderately secure password set up for access. It is even entirely feasible to do this with Windows:

    What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):

    "Warning, there are users for this system that have administrative privileges but have no password set. Before this service can be installed, please enter a password to use for administration purposes. This step exists to protect your computer from being accessed by unauthorized persons. A password should be at least 8 characters long, ideally should contain numbers as well as letters, and should not be a normal English word."

    The dialog presented here will have a [Cancel] button, which would cause the password setting subsystem to fail, and therefore the service would not be installed (with suitable diagnostic given such as "The service was not installed because no security password was set").

    Then, after entering the password, the password subsystem can do a rudimentary analysis of the password, checking its length, whether or not it contains letters/numbers, etc. If it fails to measure up to what is determined to be a weak password, it pops up another dialog:

    "Warning, the password you have selected is considered weak because (insert detailed explanation here). Are you sure you want to use this password? [Yes] [No]" (The default option being "No"). If they click No, then they go back to the password selection.

    After the user has selected a password:

    "Please memorize or write this password down and keep it in a safe place. It is highly recommended that you do not leave the password anywhere that it could be easily discovered by an unauthorized person. This password is now set for the following users: [list of users on the system with admin privileges and no prior password set]. The user(s) can change their password at any time after logging in from the Control Panel 'Users and Passwords' tool. [OK]"

    The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.

    Of course, then what would the Linux and BSD zealots have left to bitch about?

  53. Re:Microsoft's fault? by _xeno_ · · Score: 2, Informative
    Or, for the terminally lazy, cut the following and save it as a .REG file. (For example, "Disable Admin Shares.reg".)

    ----CUT HERE----
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    "AutoShareServer"=dword:00000000
    "AutoShareWks"=dword:00000000
    ----CUT HERE----

    Note the italicized line. Slashcode inserts a space there to prevent me from "page widening". Remove that space. If the lines wrapped, then the line in italics should be one line and not two.

    Once the file is saved, right click and choose "Merge". (Or just double click/single click/whatever to cause the default action to take place.) Merge the values into the registry, and this will set the keys mentioned above without the need to play with the registry. Reboot, and you should be all set to delete the C$..Z$ and ADMIN$ shares. Damn those things annoyed me - thanks for the post!

    --
    You are in a maze of twisty little relative jumps, all alike.
  54. Re:Microsoft's fault? by SomeGuyFromCA · · Score: 3, Informative
    Nice, but I actually find the shares convenient at times. For instance, suppose I've taken my computer to my friend's house. I've got some mp3s he wants to play, but alas I have brought only my headphones. I could get up and go all the way over to my computer, but instead I can just open \\mycomputer\D$ and enter the password when it asks. No need to point out security implications.


    So set up a share for your mp3s, set only to that directory, marked remote read only. Just as easy when it's done and much more secure.
    --
    if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
  55. Re:Microsoft's fault? by IDIIAMOTS · · Score: 5, Informative

    Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.

  56. disables network sharing. by Deathlizard · · Score: 3, Funny

    "disables network sharing."

    Thank you god. Now all it has to do is infect our network and all those open Sharedocs shares that WinXP automatically creates that are full of Nimda are history. Although the PC would most likely be history too.

    Either way nimda would be off the network :)

  57. Solution: Don't use weak passwords. by ChaosDiscord · · Score: 4, Interesting
    Personally, I use a password that's a 'l33t'-ified word (with absolutely no significance to me... it was a random word I saw as I glanced down at my desk while trying to think of a new password), which some Linux boxes seem to reject.

    Good for those Linux boxes! You're using a weak password.

    First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.

    Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!

    Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random passwords rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
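
As an added example (not code from any of the posts in this thread), here is a small Python checker that implements the policy mark-t proposes in comment 52 (minimum length, letters and digits, not a normal English word) and, following ChaosDiscord's point above, undoes simple l33t-speak and appended-digit variations before the dictionary lookup, returning a reason for every rejection. The wordlist and the substitution table are constructed for illustration and are far smaller than a real cracker's.

```python
import re

MIN_LENGTH = 8

# Constructed sample wordlist for the "normal English word" check; a real
# deployment would load a full dictionary file (none is assumed available here).
DICTIONARY = {
    "password", "secret", "admin", "computer", "internet", "love", "god",
    "daisy", "dragon", "monkey", "welcome", "letmein", "qwerty",
}

# l33t-speak substitutions undone before the lookup. This is a deliberately
# small, assumed table; cracker mangling rule sets are far larger.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Reason codes and the explanation a warning dialog would show the user.
REASONS = {
    "empty": "no password was entered",
    "too_short": f"shorter than {MIN_LENGTH} characters",
    "no_letters": "contains no letters",
    "no_digits": "contains no digits",
    "repeated": "a single character repeated",
    "dictionary": "a dictionary word, possibly with digits appended or l33t-speak applied",
}


def _strip_ends(s: str) -> str:
    """Drop leading/trailing digits and punctuation, e.g. 'daisy2' -> 'daisy'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidates(pw: str) -> set[str]:
    """Base words a cracker's mangling rules would reach from pw.

    Both orders are tried because they differ: for 'daisy1' the trailing 1 must
    be stripped before un-l33ting (1 -> l), while for '4dmin' the leading 4 must
    be un-l33ted (4 -> a) before stripping."""
    low = pw.lower()
    return {
        _strip_ends(low),
        _strip_ends(low).translate(LEET_MAP),
        _strip_ends(low.translate(LEET_MAP)),
    }


def check_password(pw: str, dictionary: set[str] = DICTIONARY) -> list[str]:
    """Return the reason codes that make pw weak; an empty list means it passes."""
    if not pw:
        return ["empty"]
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if not any(c.isalpha() for c in pw):
        reasons.append("no_letters")
    if not any(c.isdigit() for c in pw):
        reasons.append("no_digits")
    if len(set(pw)) == 1:
        reasons.append("repeated")
    if any(word in dictionary for word in candidates(pw)):
        reasons.append("dictionary")
    return reasons


def explain(pw: str) -> str:
    """Human-readable verdict, i.e. the text the warning dialog would show."""
    reasons = check_password(pw)
    if not reasons:
        return "password accepted"
    return "weak password: " + "; ".join(REASONS[code] for code in reasons)


if __name__ == "__main__":
    # Constructed samples, including ones from the worm's style of guessing.
    for sample in ["", "88888888", "password", "P@ssw0rd1", "daisy2",
                   "4dmin", "correct-horse-7battery"]:
        print(f"{sample!r:26} -> {explain(sample)}")
```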

  58. Users pick bad passwords, sigh by bigberk · · Score: 4, Informative

    It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.

    I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.

    In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm.

  59. Yeah, but... by jrwillis · · Score: 5, Funny

    Is that case sensitive?

    --
    Keep Austin Weird!
    1. Re:Yeah, but... by _xeno_ · · Score: 5, Funny

      Yeah, I just checked. 88888888 won't work.

      --
      You are in a maze of twisty little relative jumps, all alike.
  60. Re:Microsoft's fault? by pVoid · · Score: 3, Insightful
    Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default

    The shares you talk about, you moron, are administrative shares... If your admin password is 123, you might as well pack your stuff and become a lumberjack or something.

    Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

    Same as above, go you lumberjack... GO NOW!

  61. It's a nice idea, but .... by Hanji · · Score: 2, Insightful

    Such a system would just really piss off the average user, who would just OK his way through it anyways and keep his password set to his dog's name, with it posted on a post-it note on his monitor, just in case he forgets.

    --
    A Minesweeper clone that doesn't suck
  62. Blank user passwords by yerricde · · Score: 2, Informative

    It doesn't take advantage of a hole in the windows software, like an unchecked buffer or anything.

    It does take advantage of the fact that Windows allows a blank user password as a valid means of authentication. In fact, it does take advantage of "an unchecked buffer" of sorts, as the "set password" phase of the new account wizard apparently fails to check whether or not there's anything in the buffer holding the new user's password!

    --
    Will I retire or break 10K?
  63. Re:Microsoft's fault? by Herkum01 · · Score: 4, Funny

    The fact that your aunt has breast cancer is Microsoft's fault.

    THAT is what I have been telling everyone! Of course they don't believe me, and that is Microsoft's fault too!

    DAMN YOU MICROSOFT

  64. I'm curious. by La+Temperanza · · Score: 2, Interesting

    A little OT, but do any *NIXes have Kerberos as their default auth service after a fresh install?

    --
    est modus in rebus
  65. dammit by Smev · · Score: 2, Informative

    I guess after the 2 years I've been using the same exploit I'll have to learn something new :(

    With Windows 2000 the administrator password is actually left blank by default if you select the auto login (all users use same login) option on the Windows 2000 install. That's what makes this exploit so widespread. It's nothing new, Rit.edu had the exact attack almost a year ago.

    --
    Smev
  66. Re:Microsoft's fault? by m_pll · · Score: 2, Insightful
    No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user.

    I'd say it was a design goal for XP Home... Try explaining to a typical home user why half of his games don't work if he's not an administrator.

  67. Problem with my own machine. Mozilla into my HD! by BlackListedCard · · Score: 2, Funny

    Shit... Tried in Mozilla the "file://IPofanattacker/". Guess what... My own hard drive directory structure is sitting in front of me. I'm running linux and everything is fuck'n rock solid tight. All IP ports turned off. Can anyone else duplicate this? Just enter any IP address into file://(right here). Mozilla defaults to the hard drive of the actual machine it's running on????!!!! Something which I do not like....

  68. who's on first? by djupedal · · Score: 5, Funny

    "What's your password?" "It's random." "Great, glad you use a smart strategy, now tell me what it is, please." "I told you, it's 'random'" "How can it be random...you have to decide it when you rotate, and of course it's picked at random...so, anyhow, tell me what it is right now... " " it's random....I just told you!!!"

    1. Re:who's on first? by JWSmythe · · Score: 4, Interesting

      Our users hate it when *I* assign their passwords. They're given exactly one chance to pick a strong password (when they sign up). If someone guesses their password and it gets out to a password site or whatever, my script assigns their new password.

      chars.txt is a plain text file of any characters I'd like for them to use. This gives 54^8 (72,301,961,339,136) combinations. I leave out common typing mistakes like
      Zero = uppercase o
      One = lowercase L
      One = uppercase i

      I think 72 trillion combinations is slightly safer than top 100 common passwords, or words that show up in the short version of the common dictionary files. :)

      I use this for our own internal passwords too, but at least I let people keep running it til they see something that pleases them. "Oh ya, that's one I'll remember." Just feel sorry for people just starting on our staff on password-change day.. :)

      -----
      #!/usr/bin/perl
      use strict;
      use warnings;

      # Define our character sets here, leaving out difficult (similar) characters.
      # chars.list holds one permitted character per line; the newlines are stripped below.

      open (my $list, '<', "/usr/users/security/chars.list") or die "cannot open chars.list: $!";
      my @chars = <$list>;
      close ($list);
      chomp @chars;
      # Pick 8 entries at random. Note: Perl's rand() is not a cryptographic RNG.
      my $password = join("", @chars[ map { rand @chars } (1 .. 8 ) ] );
      $password =~ y/0-9A-Za-z//cd;   # keep only letters and digits
      print "$password";
      -----

      Of course, for less secure applications, I've just used "no".. So, when someone asks "What's your password?", I just answer "no". They get pissed off, I take the keyboard, tap no[enter] real quick, and they wonder what I really typed. :)

      BTW, for you copyright happy people out there, that join line was stolen from one of the O'Reilly books.. So, sue me.

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:who's on first? by JWSmythe · · Score: 4, Funny

      BOFH: Hold on one second sir.. [click][click][click]. What was your username again?

      lUSER: BOB! MY USERNAME IS BOB! WHAT'S MY PASSWORD.

      BOFH: "no", Bob.. But I'm looking further into this, and it seems you may have a problem.

      lUSER: Ya? What kind of problem? Everything was fine til you changed my password.

      BOFH: Did you have any files in your directory?

      lUSER: I just finished the annual fiscal reports!.

      BOFH: [click][click][click].. Hmmmm, I don't see anything here.

      lUSER: WHAT!!!!!!!!

      BOFH: Hold on, let's look at the backups...

      lUSER: Thank god..

      BOFH: PFY, you made backups right?

      PFY: they're right here in the tape degausser.

      BOFH: Bob, I'm sorry, it seems there was a terrible accident with the backups..

      [degausser mysteriously turns on]

      lUSER: What about my Email, is it safe?

      [lightbulb appears over BOFH's head]

      BOFH: Let's have a look, shall we? [click][click][click] So, you've been writing to the boss's wife an awful lot.. Hmmm

      lUSER: Ya, we're old friends.

      BOFH: Are these nudes of her? Close friends, aren't you?

      lUSER: BUT! No! Don't look at those!

      PFY (whispers to BOFH): what if......

      [click][click][click][click] No problem, I've removed all those nasty pictures from your box.

      BOFH hangs up the phone, unplugs it from the wall, and gracefully sets it on top of the bookshelf where it won't be in the way.

      "Where did you send the pics?", PFY asks...

      "From: Mr. Luser
      To: Boss's Wife
      Bcc: to the boss, the boss's mother-in-law, luser's wife, and of course a copy in our files.", BOFH cites.

      "Have we arranged for our monthly raises yet? I think it's about time. Let's check accounting's database, and see how much Mr. Luser was earning us."

      ----

      I'd love to be a BOFH writer.. But until then, I live the part in real life. :) Sometimes they're just too quick. A simple electrocution? or Halon accident just aren't as much fun as they *COULD* be having.

      Just imagine the fun a BOFH could have with say an ex-girlfriend's new boyfriend, an ounce of cocaine (mixed in with 5 pounds of filler), superglue, epoxy, and a few "anonymous" phone calls to his boss, neighbors, and the police, all while being the nicest guy in the world to him too..

      I've just never had a good outlet for my stories.. :) Nothing feels better than a well orchestrated revenge.

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:who's on first? by Nogami_Saeko · · Score: 2, Informative

      Every once in a while I get someone (boss-type people) who wants to know what my password is so they can get onto one of the machines I administer (presumably to screw it up for me).

      I just tell them that my password is the same as my ATM number (it's not of course), so I can't give it to them.

      Works pretty well.

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    4. Re:who's on first? by JWSmythe · · Score: 2, Funny

      I tell them I use the same one for everything. My suitcase, my ATM pin, and my private vault at home. It's easy. 1234 . Just don't give it out to anyone. :)

      Now, if they were smart, they'd know I have a cheap suitcase, 'cause they don't pay me enough to have good luggage to go anywhere with. I've been using the same olive drab duffle bag for the past 12 years, and it doesn't have a lock. As for the vault at home, all I have to hide in it is my clean socks, and right now I only have one pair of those. :)

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:who's on first? by Scumbag+Tracker · · Score: 5, Funny

      To avoid being hacked, I set my password to "pi". Only problem is, now it takes me forever to log on in the morning. :-/

      --
      I track known Slashdot scumbags on my foes list!
    6. Re:who's on first? by KshGoddess · · Score: 2, Funny

      Reminds me of one user I had (actually an entire group), at a place where users created their own root password for their desktop.

      Me: What's your root password?
      User: what.
      Me: The password for the root user, the superuser.
      User: what.
      Me: Look, I can't get into your desktop to fix [problem] without the root password.
      User: No, no, it's w-h-a-t.

      My favorite was the applications person, who after being lectured for having a crackable password (daisy1) showed up the next time around with... daisy2. *grr* This was someone who had full control to a rather important application's internals. Sigh.

      --
      It's a little wrong to say a tomato is a vegetable. It's a lot wrong to say it's a suspension bridge.
  69. Technical Reasons: by Tokerat · · Score: 3, Insightful


    Everyone knows it's because your aunt worked as a secretary on her Windows 3.1 machine for years, and those ugly white windows kept the ancient monitor's CRT burning so hot straight at her chest from 9 to 5 every day. Shielding didn't used to be so good, you know.

    Everything IS Microsoft's fault. Duh. ;-)

    --
    CAn'T CompreHend SARcaSm?
  70. Weak XP by Brat+Food · · Score: 4, Interesting

    There's something that IS Microsoft's fault that will let this worm wreak havoc. When you install WinXP Home, and I believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed easily (I've seen too many boxes w/o one to think it's just a random thing).

    That's right. Usually all it takes to break in to a WinXP box is to hit ctrl+alt+del x 2 and you're back to the normal WinNT login. Then type in Administrator, no password, and unless this person knows anything about Windows, and often that's not enough, you're in.

    Add to that that all accounts made are Administrator by default, and DON'T need passwords.

    What REALLY hurts Windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CAN'T change it on a per user basis.

    Add to this things like the viral Xupiter, and Windows is chock full of holes. And leaving a WinXP box in non-admin mode is almost worthless, because SO many programs require admin access, rendering it a pain in the ass.

    While in the article, the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sys admin perspective, Windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will, among other things, make sure your system is tight and passworded.

    They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.

    To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.

    The Windows box will have every spyware app on it, stuff deleted, etc, etc.

    OH, Xupiter just installed itself again, I have to go...

    --

    "Stuff... In my home!? NEVER!" - Zim on Invader Zim
    "I want the toilet seat!" - Little Dog on Two Stupid Dogs
    1. Re:Weak XP by gamorck · · Score: 2, Interesting

      Really? I guess you weren't aware of the fact that XP will by default not allow the machine to be accessed through netbios remotely using an account which sports a blank password.

      But then again your entire argument is constructed on pure and utter ignorance of the basic facts so I guess I shouldn't have expected anything otherwise... though a retraction on your part would be nice.

      J

      P.S. If a sys admin can't lock down his box without being provided an "I'm not a dumb user" checkbox - doesn't it seem like the problem may not in fact have anything to do with Microsoft at all?

      --
      I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  71. Try a recent distro? by freeweed · · Score: 2, Interesting

    I don't know about you, but an out-of-the-box RedHat 8 is pretty damn secure, assuming you don't install any services with it. Select 'high security' in the installer, and boom! Instant firewall.

    Comes with more software than I've currently got loaded on my Windows machine, period. Office suite(s), games, usenet, web, mail, irc, packet sniffer, firewall, cd-burning,... I could go on, but at 4.6 gigs it's kinda scary :) Took me about 10 minutes worth of clicking on little boxes, nothing beyond the automatic partitioning that even remotely resembled thought. Bless rpms.

    Anyway, your point again was?

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  72. Re:Ack! It's the Rapture! by Enigma2175 · · Score: 4, Funny

    This is the seventh posting on the front page in a row by Taco. And none of them are dupes!

    Along with that, this post observes that Taco posted a story about a worm that did not contain a snide comment about Microsoft.

    It's very clear to me now, obviously the /. editors have been replaced with the cyborgs that live among us. I for one, welcome our new android overlords. As a trusted /. personality, I can be helpful in rounding up others to toil in their underground sugar caves.

    --

    Enigma

  73. If this were RISKS-Digest... by billstewart · · Score: 2, Insightful

    If this were RISKS-Digest, somebody would comment that blaming the users might be fun, but building a system that encourages users to do obviously dumb things (or permits them) is usually a Bad Idea. (Somebody else would comment that that's not always true, because enforcing some kinds of standards without thinking about the side effects, such as Yellow Sticky Notes, is often a Bad Idea too.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  74. Slashdot Password Stupidity by mib · · Score: 3, Insightful

    I see we have the expected collection of replies from people who think they're experts on passwords because they've turned on all the security settings on their debian box and ran a cracker over a shadow file. *sigh*

    Here's the straight dope: passwords suck. No, seriously, I mean they really really suck. A password is either insecure because it's too "simple", or it's too hard to remember for anyone but us nerds who breezed high school without having to learn anything due to amazing powers of recall. Hard passwords are nearly always written down somewhere (how many of you carry passwords, or obfuscated passwords, in your wallet/purse, eh?). You can enforce really "hard" passwords, but all you'll do is make your users hate you. And watch you don't actually end up reducing the search space!

    But hell, it doesn't matter anyway, because a complete brute-force search of the 8-character ascii domain is feasible, and is only going to get easier. (Longer passwords? Great, until you find a system you need to support that truncs at 8 -- suddenly you've got an even less secure password because the randomness in the first 8 chars wasn't an issue. Or you have to let people use phrases, and English's entropy isn't that high. What, you mean you don't manage domains of hosts with common auth? Sit back down then.)

    The good news is, this doesn't mean shit. What are you trying to protect? Most people don't need uber-secure passwords. Who'd want to hack into my mother's webmail account? The effort involved wouldn't be worth any payoff.

    But:

    • If you're letting users grab huge lists of your encrypted passwords, you're fucked.
    • If you're letting unknown parties have enough auth attempts to brute force even a non-obvious dictionary word, you're fucked
    • If you have something to secure that's worth somebody spending a lot of time and effort to break into and your only security is username and password, you are completely, utterly, and royally, fucked, and I hope I never have anything to do with systems you write.

    - mib

    p.s. Useradd/passwd is not account management.

  75. Re:He was right! by JWSmythe · · Score: 4, Informative

    Funny this, but "God" specifically doesn't show up in this set of 260k users.. But there are 143 words containing "god".. Here are the top ones. :)

    22 godzilla
    5 godfathe
    4 goddess
    3 godsmack
    3 gods
    3 godiva
    2 sungod
    2 netgod
    2 iamgod
    2 goodgod

    There were 294 words with "sex" in them, the top ones are:

    84 sexy
    25 sexx
    17 sexsex
    8 sexual
    7 sexo
    6 sexe
    5 sussex
    5 sextoy
    5 sex4me
    5 ilovesex

    And 278 with "love" in it..

    86 love
    33 lover
    21 lovers
    14 loveme
    13 iloveyou
    10 loveit

    Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day. :)

    --
    Serious? Seriousness is well above my pay grade.
  76. Luckily the world is safe... by ardu · · Score: 5, Funny

    since the worm doesn't try the most common password: ******

  77. Re:Microsoft's fault? by JWSmythe · · Score: 2, Insightful

    Aw, it's not always Microsoft's fault.. If it isn't, we can blame the stupid users for using easy passwords. I work with Point Of Sale systems occasionally (when people ask for help), and find stupid stupid stupid passwords there. Store ID's (like as printed on your receipt), the owner's name, or just "password".. Like, they want to make it easy for the stereotypical TV hacker to get in or something.. The best one that usually gets me stuck is just hitting [enter]. I usually start off with the assumption that they used *SOMETHING* as a password. Sometimes they don't.. "It's too hard for the staff to remember."

    Hey buddy, it's your security. If I come in when your cashier is on a smoke break and no one is looking, I'll just hit enter, cash out, and leave.. No problems here.

    I usually go into a 15 minute speech on how secure passwords are important, and how they must mix upper and lower case letters with numbers and characters, so as to *NOT* make dictionary words. "Password" doesn't count, duh. I've gone back to the same stores months later, and tried the old password, and it worked.. I don't even have to ask for access to their system, I just get in and start fixing for them..

    Good thing I'm a good guy.. I could just log in as their admin user, ring up a no-sale on all the registers, and leave.. I could even mark their logs that *THEY* cashed out all the drawers like they closed the day.. {sigh}

    We can't blame Microsoft for making their customers stupid. It's just like blaming AOL for making their customers stupid. They didn't. They marketed to stupid people who would buy anything.

    I don't even want to hear one word back from an AOL person on WinXP using MSIE.. You're their sucker.. You fell for getting the stupid AOL 9.999 CD and 100000 free hours, you bought Windows, and happily agreed to their licenses, and you probably bought a whole stack of beautifully hologramed Microsoft products right along with your new Microsoft taxed computer, but you'll still bitch that it crashes, and wonder why I just look at you funny because my Linux machines never crash..

    I wish we had the time to educate people just a little bit.. But some of them are so dense it isn't even funny.. How do you tell them "Stop using AOL. You're paying $29.95 for a $19.95 service.."? It's like saying they're paying $30 at K-Mart for a cheap toy, when they could spend $20 for a toy that looks the same, but goes faster and is more fun to play with..

    Stupid consumers will still spend $30 because the TV Ad told them it's the best..

    You're the same people that will pay a couple hundred dollars for the next version of Windows that will still crash, and you'll still cry that it doesn't work.. You won't even consider that you've already bought Win3.1, Win95, Win98, Win2k, WinME, WinXP, and none of those have worked right. Maybe the next one will work properly? I have a beautiful bridge in Brooklyn to sell you too.

    Shall I rant?

    --
    Serious? Seriousness is well above my pay grade.
  78. Great site for good passwords by TequilaMonster · · Score: 2, Interesting

    I use the diceware system. I generally end up with 25+ character passwords, and when mixed up cases, swap letter for number and word separator special chars are used, it gives very high strength passwords.

    Then just use memory path tricks to store them in the ol' grey matter, nuff said. I use the same rules every time for character substitution, so I don't have to remember the coded password, just the diceware phrase. Apply the coding, and there's the password.

    --
    Tequila - drink of the gods.
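The scheme in the comment above (dice-selected words, then a fixed "coding" rule applied on top) can be shown in a few lines. This is an added example written for this page, not the poster's own tool or the Diceware project's code. The six-entry wordlist is a constructed stand-in so the block runs offline; a real Diceware list has 7776 entries indexed by five dice rolls, and the entropy figure is computed against that size. The particular substitution rule (capitalise each word, swap a/e/i/o/s for digits, join with "-") is an assumed example of such a rule, not the poster's.

```python
import math
import secrets

# Constructed stand-in for a Diceware wordlist. The real list has 7776 entries
# keyed by five dice rolls ("11111" .. "66666"); this sample is not that list.
SAMPLE_WORDLIST = {
    "11111": "abacus", "11112": "abbey", "11113": "abbot",
    "11114": "abide", "11115": "abner", "11116": "abort",
}
FULL_LIST_SIZE = 6 ** 5  # 7776, the size of a real Diceware list

# Assumed fixed "coding" rule: these letters become digits in the final password.
SUBSTITUTIONS = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def roll_key() -> str:
    """Five rolls of a fair die from the OS CSPRNG, e.g. '31452'.

    With a full list this string is the lookup key for one word."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def pick_words(num_words: int, wordlist: dict) -> list:
    """Choose num_words entries uniformly from the wordlist values."""
    choices = sorted(wordlist.values())
    return [secrets.choice(choices) for _ in range(num_words)]


def entropy_bits(num_words: int, list_size: int = FULL_LIST_SIZE) -> float:
    """Entropy of a passphrase of num_words words each drawn uniformly from list_size.

    A full Diceware word is log2(7776) ~ 12.9 bits; six words ~ 77.5 bits."""
    return num_words * math.log2(list_size)


def encode_phrase(words: list, separator: str = "-") -> str:
    """Apply the fixed coding rule: capitalise each word, substitute digits, join.

    The rule is deterministic, so only the phrase needs remembering. It adds no
    entropy: an attacker who knows the rule is back to guessing the phrase."""
    return separator.join(w.capitalize().translate(SUBSTITUTIONS) for w in words)


if __name__ == "__main__":
    phrase = pick_words(3, SAMPLE_WORDLIST)
    print("memorised phrase :", " ".join(phrase))
    print("coded password   :", encode_phrase(phrase))
    print("full-list entropy for 6 words: %.1f bits" % entropy_bits(6))
```

The strength comes from the dice, not the coding: `entropy_bits` only counts the word choices, and the same substitution applied to every passphrase is exactly the kind of rule a cracking wordlist mangler tries first.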
  79. My system by Zugok · · Score: 2, Interesting

    I can't say I keep a high security for my computer as I should (and I really should...too much pr0n to lose), but for internet banking, really important stuff online, I have a pretty foolproof system.

    What I do is I take the name of someone I know for every month of the year. I associate a date with them, like birthday, day I met them etc. Sounds stupid so far, but here's what I do next.

    I then associate the date with the current year and decide how to mess about with the numbers. Do I just take the date at face value, or do I use date separators / . and - in some sort of combination and use them as mathematical operators to generate a number? Whatever I decide to do I convert the number into hex (because some passwords require numbers) and then attach it to the name of the person concerned in whatever way I choose and voila, password generated. Keep in mind that if you use the same combination of operators when the year changes, your password is not going to change a hell of a lot for corresponding months between the years.

    The beauty is I've told you my system and you can't figure out any of my passwords. Better yet, you don't actually need to remember your passwords, more likely you just need to remember the mathematical operators because names and birthdays should come off the top of your head. I can't remember my slashdot password though, I chose that before my system. Thank goodness for cookies.

    --
    "I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51
  80. A bit more detail by Black+Copter+Control · · Score: 3, Informative

    Central Command (also known as the Vexira Anti-Virus people) have a good bit more detail -- including a password list. If historical data is any indication, I'd expect about a 10-20% hit ratio just with the password 'password' (and simple variants thereof).

    --
    OS Software is like love: The best way to make it grow is to give it away.
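The "simple variants thereof" point above is the part a password policy has to get right: a deny-list that only matches `password` exactly still lets `Password1!` and `P@$$w0rd` through. The following is an added example, not code from the poster or from any vendor: it normalises a candidate (case, common digit/symbol substitutions, leading/trailing digits and punctuation) before comparing it with a weak-word list, and reports why a password was rejected. The weak-word set and the sample passwords are constructed for the demo; the minimum length of 8 is an assumed policy value.

```python
import re

# Constructed deny-list for the demo. A real one would carry the full list the
# worm tries (quoted elsewhere in this thread) plus a large leaked-password set.
WEAK_BASES = {"password", "admin", "root", "secret", "login", "test", "temp"}
MIN_LENGTH = 8  # assumed policy minimum

# Undo the common letter-for-digit/symbol substitutions before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def normalise(candidate: str) -> str:
    """Reduce a candidate to the base word it is a 'simple variant' of.

    'Password123' -> 'password', 'P@$$w0rd!' -> 'password', '12345678' -> ''."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # drop leading/trailing digits & punctuation
    return s.translate(LEET)


def weakness_reason(candidate: str):
    """Return a short reason if the candidate should be rejected, else None."""
    if candidate == "":
        return "empty password"          # the worm's most effective guess
    if candidate.lower() in WEAK_BASES:
        return "exact weak word"
    core = normalise(candidate)
    if core == "":
        return "digits/punctuation only"
    if core in WEAK_BASES:
        return "simple variant of weak word"
    if len(candidate) < MIN_LENGTH:
        return "shorter than %d characters" % MIN_LENGTH
    return None


def hit_ratio(passwords: list) -> float:
    """Fraction of a password sample that the policy would have rejected."""
    weak = sum(1 for p in passwords if weakness_reason(p) is not None)
    return weak / len(passwords)


# Constructed sample of passwords, not real data.
SAMPLE_PASSWORDS = [
    "", "password", "Password123", "P@$$w0rd!", "12345678", "admin", "abc",
    "correct horse battery staple", "Tr0ub4dor&3", "s3cr3t",
]

if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print("%-30r %s" % (p, weakness_reason(p) or "ok"))
    print("rejected: %.0f%%" % (100 * hit_ratio(SAMPLE_PASSWORDS)))
```

The normalisation is deliberately one-directional: it only ever maps a candidate toward a base word, so a stronger password is never rejected for resembling a weak one after transformation unless its core really is on the list.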
  81. Isn't that partly Microsoft's fault too? by roystgnr · · Score: 2, Insightful

    What mechanism is more responsible than click-thru software EULAs for training computer users to believe that they should expect to regularly see large blocks of text emphatically declaring dire warnings and that they should just click "OK" without reading when those blocks of text pop up?

  82. Some details about the worm itself by sepulcrum · · Score: 2, Informative

    Apart from everyone complaining and joking about the strength of the average user's password I read nothing about the actual worm this is about.

    The worm comes in using port 445 (this is the samba over TCP port) and tries some simple passwords (the most effective being the empty password). After the infection the worm drops the file dvldr32.exe in the startup folder so that next time the machine is restarted the worm/virus will be installed onto the machine.

    What the worm does is:
    - Start scanning and infecting other random IPs, it does this at a very high speed (i.e. hundreds of IPs per minute)
    - Installs WinVNC (a VNC server for Windows) that allows remote control, see the VNC web page.
    - Connects to some private IRC servers and joins a channel with some high ASCII chars in the name (Chinese?) and a password. The IRC server is modified so that it does not give back any information to the client, but anyone on IRC can request the IPs of all the infected machines. When I tested this there were about 8000 infected machines on IRC (8000 was the IRC client limit so there are probably a lot more infected machines out there).

    Note that this is quite a big threat as even passive attackers can get IPs of infected machines by watching their logs for connections to port 445. Most of the machines making such connections to you are either machines in your local network or infected machines (unless you do a lot of samba over tcp/ip over the internet).

    One can easily access the hard disks of these machines using the Admin$ share (which you know has no or only a simple password) either to get files from the user or computer or get a copy of the worm itself (it's located in \winnt\system32 folder and named dvldr32.exe). Once you have a copy of the worm you can obtain the VNC password using some good old reverse engineering tricks (which I will not give out here because that would help out scriptkiddies just a little bit too much). I tried out the password I obtained using this analysis on one of the hosts that scanned me and guess what the guy was doing on his PC, yep he was downloading porn using KaZAA.

    From the looks of it this worm has already infected a lot of machines. I get about one connection attempt to port 445 every 2 hours.

    For some more info about the worm check out the antiy website.

    Let's see how long it takes before all ISPs block their VNC (5900) and their microsoft-ds (445) ports to stop the worm or Microsoft issues a security update that forces strong passwords upon users or asks for permission every time something new is put into the startup folder.
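The observation in the post above that firewall logs already reveal the worm (inbound 445 attempts from outside are almost always infected hosts, and an internal host spraying 445 at random outside addresses is itself infected) turns into a small log check. This is an added example for this page, not code from the poster, from any vendor, or from the worm itself. It assumes iptables-style kernel log lines with `SRC=`, `DST=`, `PROTO=` and `DPT=` fields; the log lines, the local network `192.168.1.0/24` and the three-target threshold are all constructed for the demo.

```python
import ipaddress
import re
from collections import Counter, defaultdict

SMB_PORT = 445
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local network

# Matches the fields this check needs in an iptables-style log line.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample log: three inbound 445 attempts from one outside host,
# one from another, one legitimate local SMB connection, an internal host
# probing five outside addresses on 445, an unrelated port-80 hit and a
# line the regex must ignore.
SAMPLE_LOG = """\
Mar  2 03:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=3121 DPT=445 SYN
Mar  2 03:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=3122 DPT=445 SYN
Mar  2 03:14:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=3123 DPT=445 SYN
Mar  2 03:20:41 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.10 PROTO=TCP SPT=1044 DPT=445 SYN
Mar  2 03:21:00 gw kernel: IN=eth1 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=1051 DPT=445 SYN
Mar  2 03:22:15 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.44 PROTO=TCP SPT=4001 DPT=445 SYN
Mar  2 03:22:15 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.45 PROTO=TCP SPT=4002 DPT=445 SYN
Mar  2 03:22:16 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.9 PROTO=TCP SPT=4003 DPT=445 SYN
Mar  2 03:22:16 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=198.51.100.10 PROTO=TCP SPT=4004 DPT=445 SYN
Mar  2 03:22:17 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.99 PROTO=TCP SPT=4005 DPT=445 SYN
Mar  2 03:30:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=3200 DPT=80 SYN
Mar  2 03:31:00 gw kernel: martian source 10.0.0.1 from 192.168.1.5, on dev eth1
"""


def parse_events(log_text: str) -> list:
    """Extract (src, dst, proto, dport) tuples; lines without the fields are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                           m["proto"], int(m["dpt"])))
    return events


def external_smb_sources(log_text: str, local_net=LOCAL_NET) -> dict:
    """Outside addresses attempting TCP/445 into the local network, with attempt counts.

    Per the post, these are almost always infected machines scanning for shares."""
    hits = Counter()
    for src, dst, proto, dpt in parse_events(log_text):
        if proto == "TCP" and dpt == SMB_PORT and src not in local_net and dst in local_net:
            hits[str(src)] += 1
    return dict(hits)


def internal_smb_scanners(log_text: str, local_net=LOCAL_NET, min_targets: int = 3) -> dict:
    """Local hosts reaching many distinct outside addresses on TCP/445.

    Legitimate SMB to one or two remote sites is possible; a fan-out to many
    random addresses matches the worm's scanning and the host should be checked."""
    targets = defaultdict(set)
    for src, dst, proto, dpt in parse_events(log_text):
        if proto == "TCP" and dpt == SMB_PORT and src in local_net and dst not in local_net:
            targets[str(src)].add(dst)
    return {host: len(t) for host, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print("inbound 445 from outside :", external_smb_sources(SAMPLE_LOG))
    print("local hosts scanning 445 :", internal_smb_scanners(SAMPLE_LOG))
```

The inbound list is what to block at the border and, for a network that has no reason to expose 445, what justifies dropping the port entirely; the outbound fan-out is the host to pull off the network and check for dvldr32.exe in the startup folder.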