New Windows Worm Inching Around Internet
helixcode123 writes "The Register is reporting a Windows Worm that
takes advantage of weak default passwords. This
looks pretty nasty, as it mucks with the registry
and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
I bet they just made a program that tried, "Love, sex, and god".
...for once a security problem that isn't really Microsoft's fault...
Taco: Hell just called. They want you to turn back on the heat.
Is the one left open by an Admin who has no business being an Admin....
But (more seriously), doesn't it just scare the hooey out of you that brute force password cracking is now running around as an autonomous virus on the Net???
Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".
"Please tell me why isn't it Microsoft's fault?"
Please tell me how it's MS's fault that people pick easy to guess passwords?
Unbind network sharing from your external tcp/ip settings.
This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.
And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.
If you can't beat them, arrange to have them beaten. -George Carlin
If the worm is using default passwords to get in, then I would say that it *is* the fault of Microsoft. There should be no default password. When any type of networking is set up, you should be prompted to create a password. If no password is provided, no service is provided.
Life sucks, but death doesn't put out at all. -- Thomas J. Kopp
Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.
You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
There is a reason why intelligent password crackers (dictionary attack) will first try passwords such as "password", "secret", "administrator", "root" or its variants before going through the main database.
/.ers are young (mostly). Most users never needed to know passwords longer than a 4 digit PIN until the last decade.
It isn't only at the PHB's desk that PEBKAC can occur.
Unfortunately, in an employment environment where complicated passwords are just another encumbrance and annoyance for most people, this is not going to change any time soon.
Doing the Right Thing should not be preempted by making a buck.
New UNIX password: oliver
BAD PASSWORD: it is based on your username
New UNIX password: jp821968i
BAD PASSWORD: it looks like a National Insurance number.
New UNIX password: rg78kn
BAD PASSWORD: is too simple
Yeh, nothing to do with the password system.
Ok, so that's how my linux box is set up (without post install configuration), why isn't windows set up this way?
thank God the internet isn't a human right.
for once a security problem that isn't really Microsoft's fault.
What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...
Who are you and what have you done with the slashdot editors?!?
--
Dilbert - "If aliens take over your boss's body, is that a bad thing?"
Wally - "It depends on the aliens"
I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.
Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?
I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.
When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.
This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.
Perhaps the best solution would be biometrics?
I have been pwned because my
xyzzy
on the list of passwords it tries. Guess I don't have to worry about this one.
This is the seventh posting on the front page in a row by Taco. And none of them are dupes!
Dammit, I knew I should have built that bomb shelter...
On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.
LiveUpdate:
Virus Definitions released March 9
Norton AntiVirus Corp. Edition Defs Version: 50309h
Norton AntiVirus Corp. Edition Sequence Number: 21592
Total Viruses Detected: 63225
This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.
They know something, definitely.
Read the article. In addition to turning off file sharing, it installs a backdoor into the system.
[insert witty quote here]
Let me guess, UDP port 137 is producing lots and lots of logged events?
That's normal. There are two solutions:
1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.
Or
2. Stop logging UDP port 137.
In the free world the media isn't government run; the government is media run.
Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault.
St. Patrick's Day is this month.
For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...
what about c$? or admin$?
not all shares are manually set.
if the administrator password is weak then the system can be compromised this way with no shares being set (unless things have changed since NT4.0 that I don't know about).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Um, actually there are a lot of "default" shares lying around ripe for the picking. In win98, I believe it's only the system root and all the drives. I think the same are enabled in win2k. You can disable them, but they come back upon reboot. In win2k, by default, the service which must run isn't enabled, but under win98, it's trivial to hack around and get any of the default shares. These are ones which you don't see, by the way.
-=fshalor
Go look at your computer's C$ share. This is the default share on a fresh 2K install.
Even if it requires local admin accounts to access this share, just that it is available, and HIDDEN, is a grave security fault!
Doing the Right Thing should not be preempted by making a buck.
What's the maximum or minimum limit for password? I generally go with 6-8 with a combination of letters and numbers, often deferring to foreign languages, rather than english.
I was surprised that it didn't include:
Months (i.e. january, february, ...) since I catch people using those a lot
system (i.e. another favorite)
xyzzy
plugh
Tho I do not know if 'foobar' is in there, but I generally use that on internet sites where I could care less if someone assumes my identity.
A feeling of having made the same mistake before: Deja Foobar
Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.
1. Once on the system it disables personal security/firewall/virus scanning
2. Copies itself to the start up group
3. With virus scanning disabled it drops several nasty bugs.
4. Network traffic/processor utilization goes thru the roof.
5. It then tries to replicate on the next machine...
McAfee has an extra.dat that fights it, the next DAT release on the 12th will include that def.
Good Luck
Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.
I feel sorry for those that let their hatred of a company cloud their perception on information security.
-Lucas
Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...
Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...
Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.
Just to be the devil's advocate (literally
And second, I wonder why Microsoft hasn't jumped on the bandwagon of enforcing secure passwords (e.g. password too easy, try again)? Personally, I think SUSE's restrictions are too much, but there must be a middle ground where at least very weak passwords are prohibited.
NO CARRIER
Please tell me how it's MS's fault that people pick easy to guess passwords?
Some systems I have used in the past have a built in list and/or password analyzer, for the purpose of forbidding use of easily predictable passwords. While users tend to hate what these methods limit them to, break-ins tend to be limited to those people they know.
You can't fault Microsoft for not including such a feature. Chances are, if Microsoft did build in such a feature, someone would be taking issue with it on slashdot.
A modest proposal:
Suggest Microsoft include the ability for the administrator to select a tool (yeah, I know they typically want you to use only Microsoft Brand stuff, hence the aforementioned 'issue'). Does Microsoft accept advice from users, or do they only innovate by buying up a company that already makes such a product, integrating it, then driving all competitors out of the market? (oops, I did it myself...)
A feeling of having made the same mistake before: Deja Foobar
It's not hidden in nt/2k/xp. Though when you try to delete it, you get told it's there and necessary for administrative purposes.
"[A] high IQ is like a Jeep; you will still get stuck, just farther from help!" --Just d' FAQs, c.g.a
"Please tell me how it's MS's fault that people pick easy to guess passwords?"
Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.
The "shiny new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.
True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.
No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.
For example, make it really clear to users enabling file sharing that people can and will try to break in if they connect to the Internet, so strong passwords or other security means are really necessary.
It's a good thought, but consider this:
You should be warned that ena*click*
Are you sure that you want*click*
Sweet. My files are shared.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Hey! My son Temp123 would take offense at that!
-T
From Technet article 318751 (HOWTO: Remove Administrative Shares in Windows 2000):
And... From 314984 (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)
These get rid of those pesky administrative shares.
These aren't default passwords. They are just bad passwords. Haven't we learned that wide open systems with bad passwords are not a good idea? I bet 90% of the exploited systems have blank passwords. Complex password requirements can be enabled.
I see a lot of people talking about the default shares (C$, D$, etc). To use these you need full admin rights. If I have full admin rights I don't need those shares. I could set those shares up myself. They don't get me anything.
It's about time people figured out that blank passwords and the Internet don't go together. Cheap NAT routers are $30 now. Go buy one. Get one for your mom. Get one for your users that work from home.
This, again, isn't a MS problem. Users need to be responsible. I also think ISPs should be blamed as well. NAT routers are cheap enough they should be built in to cable/dsl modems now. They aren't a "real" firewall but they do the job just fine.
Is the one left open by an Admin who has no business being an Admin....
For 99.997% (Manhattan Project, anyone?) of the cases, I'd agree wholeheartedly. The rest of them, like our Network Admin where I work, are under the thumb of some stupid BEEYOTCH of an IT Director who wants to continue to use the same passwords used by the old Network Administrator (who was shitcanned by her), and refuses to allow the new guy to set newer, more secure passwords. And believe me, it's not a matter of people just not getting along. For Pete's sake, she's even yelled at me for encrypting DSN strings and sticking them in the registry of the server, instead of plopping them in a text file like everyone else, open to the world. And she totally f*cking flipped (when she read the documentation I wrote about the procedure) upon hitting the section that described how every time the DSN was accessed, read, edited, or yelled at sternly the code modified and scrambled it with a new, different algorithm. She described it as "unsafe, and taking things to an extreme that was unnecessary". She also made some asinine comment about how we would never be able to recover the passwords if the code were ever lost, to which I recall thinking "Well first, that's job security for me, second, don't forget your goddamn passwords, and third, that's what sa access is for, you dumb bitch."
Yep, this type of commentary coming from someone who not only has no business being an IT Director, but swears on a stack of bibles she can reverse engineer MD5 in her head (we have another application that uses MD5 to hash passwords, she simply recognizes the default password hash).
I swear to God I'm not making this shit up. I wish the nasty bitch would stick to pushing pencils and leave the real work to those of us who know.
Spread the RC luvin'
It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.
Slashdot is a waste of time. I enjoy wasting time.
What it should do when it is about to install a service that could, theoretically, compromise the system is this (assuming the admin password has not yet been set):
The final thing would be for the OS to perform the same checks on a password when anyone wants to use the control panel tool to change it. Now the premise here is that the OS won't *FORCE* you to pick a good password, but if it made a user jump through hoops like this, you can bet your ass that there'd be WAAAAAAAY less problems with people who used MS products.
Of course, then what would the Linux and BSD zealots have left to bitch about?
File under 'M' for 'Manic ranting'
So set up a share for your mp3s, set only to that directory, marked remote read only. Just as easy when it's done and much more secure.
if the answer isn't violence, neither is your silence / freedom of expression doesn't make it alright
Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.
"disables network sharing."
:)
Thank you god. Now all it has to do is infect our network and all those open Sharedocs shares that WinXP automatically creates that are full of Nimda are history. Although the PC would most likely be history too.
Either way nimda would be off the network
In Soviet Russia, Trojan exploits YOU!
Good for those Linux boxes! You're using a weak password.
First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.
Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!
Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random passwords rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
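A password filter of the kind the passwd session above shows and that this post, the "Capitalized first letter plus '1'" comment and the "password too easy, try again" suggestion all describe, added here as an editor's example rather than code from the thread or from any vendor. The wordlist, the thresholds and the National Insurance pattern are constructed stand-ins; it rejects username-derived, ID-number-shaped, dictionary, appended-digit and l33t-decoded candidates before looking at length and character mix.

```python
"""Password-quality filter modelled on the pam_cracklib rejections quoted in the
thread.  Editor's example, not code from the thread or from any vendor; the
wordlists below are small constructed samples standing in for a full dictionary."""
import re
from typing import Optional, Set

# Constructed sample of words a cracker tries first (the thread's own list:
# password, secret, root, admin, god/sex/love variants, xyzzy, plugh, months).
COMMON_WORDS = {
    "password", "secret", "administrator", "admin", "root", "guest", "system",
    "god", "sex", "love", "xyzzy", "plugh", "foobar", "godzilla", "sexy",
    "iloveyou", "rootbeer", "welcome", "letmein", "qwerty",
}
MONTHS = {
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}
DICTIONARY = COMMON_WORDS | MONTHS

MIN_LENGTH = 6          # the thread's "at least 6 characters" policy (assumed)
MIN_CLASSES = 3         # lower, upper, digit, other: need three of the four
MIN_DISTINCT = 5        # "aaaa11"-style repeats count as simple

# Undo the common l33t substitutions a cracker would also try.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# Constructed layout check: two letters, six digits, one letter (jp821968i).
NI_NUMBER = re.compile(r"^[a-z]{2}\d{6}[a-z]$")


def candidate_forms(pw: str) -> Set[str]:
    """Every cheap variant a dictionary attack would try from this password:
    lowercase, l33t decoded, leading/trailing digits or punctuation stripped
    (so 'Secret1' and 'P@ssw0rd!' both reach 'secret'/'password'), reversed."""
    forms = {pw.lower()}
    for _ in range(2):                 # two passes: strip, decode, strip again
        for f in list(forms):
            forms.add(f.translate(LEET))
            forms.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", f))
    forms.discard("")
    forms |= {f[::-1] for f in forms}
    return forms


def char_classes(pw: str) -> int:
    """Number of character classes present: lowercase, uppercase, digit, other."""
    return sum(bool(re.search(p, pw))
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))


def check_password(pw: str, username: str) -> Optional[str]:
    """Return None if the password passes, otherwise the reason it was rejected.
    Checks run in the order a cracker's effort is cheapest: username, ID-number
    layout, dictionary word (with variants), length, character mix."""
    forms = candidate_forms(pw)
    uname = username.lower()
    # Username inside the password, or a decoded chunk of the password inside
    # the username ('admin!' for user 'administrator').
    if uname and any(uname in f or (len(f) >= 3 and f in uname) for f in forms):
        return "it is based on your username"
    if NI_NUMBER.match(pw.lower()):
        return "it looks like a National Insurance number"
    if any(f in DICTIONARY for f in forms):
        return "it is based on a dictionary word"
    if len(pw) < MIN_LENGTH:
        return "it is too short"
    if char_classes(pw) < MIN_CLASSES or len(set(pw)) < MIN_DISTINCT:
        return "is too simple"
    return None


if __name__ == "__main__":
    # Constructed trial inputs, including the three rejections quoted in the thread.
    for pw, user in [("oliver", "oliver"), ("jp821968i", "oliver"), ("rg78kn", "oliver"),
                     ("Password1", "bob"), ("P@ssw0rd!", "bob"), ("March2003", "bob"),
                     ("Jx9#mW2q!", "bob")]:
        verdict = check_password(pw, user)
        print(f"{pw:12} -> {'OK' if verdict is None else 'BAD PASSWORD: ' + verdict}")
```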
It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.
I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.
In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm.
Is that case sensitive?
Keep Austin Weird!
The shares you talk about, you moron, are administrative shares... If your admin password is 123, you might as well pack your stuff and become a lumberjack or something.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Same as above, go you lumberjack... GO NOW!
"Son, it's time we had that special man-to-man talk about where babies come from. See, your mom and I tried to, uhhh, 'swap location', and everybody knows that to swap two variables, you need a temporary variable*. Well, you're that temporary variable. You just better hope you don't go out of scope soon..."
(*: True in the general case, since the XOR trick only works in certain circumstances.)
What a bunch of b.s. If you've really used Mandrake, you'd know you don't have to write any code to make anything work. I've been using RH7.3 as my desktop OS exclusively for a year now, and I haven't had to write any code.
I'm not saying Linux is perfect, but saying you need to write code to get Linux to even work is just a damn lie. Everything your average joe wants is usually on your distro's install cds in rpm or whatever format. Put in the disc, click on the RPM and tell it to install. How hard is that? Yes, if you WANT to be on the bleeding edge you can compile things youself. I do sometimes, but it is not a necessity.
windows guy: "Your operating system isn't anything by default!"
Linux does work by default, it just doesn't set up a bunch of network services that leave your ass out in the breeze. After using KDE, gaim, mozilla, etc for so long, using a windows box can be just frustrating. I don't think your argument makes sense at all, all these things are installed and work by default.
Windows, is a very secure operating system, but not out of the box.
Care to back this up? OpenBSD is a very secure operating system. I would say an updated RH6.X box is, by now, a very secure OS. Windows? Some GUI toolbox type stuff is actually run in "protection ring 0" or whatever it's called. How is that secure? How are you going to fix that without access to the kernel source?
Yeah you can tweak things to fix other problems like default administrative shares but how is an OS "very secure" if it has a flawed security model and you have to cover it with band-aids?
What proof do you have that windows can be very secure? Over the last two years:
Get an idea what those numbers are, then compare them to the other operating systems I mentioned. Maybe you'll change your mind.
Finally, even if you think you can secure windows by doing a bunch of work, how is this better than all that work you claim it takes to get a linux system going?
Life is too short to proofread.
The fact that your aunt has breast cancer is Microsoft's fault.
THAT is what I have been telling everyone! Of course they don't believe me, and that is Microsoft's fault too!
DAMN YOU MICROSOFT
"What's your password?" "It's random." "Great, glad you use a smart strategy, now tell me what it is, please." "I told you, it's 'random'" "How can it be random...you have to decide it when you rotate, and of course it's picked at random...so, anyhow, tell me what it is right now... " " it's random....I just told you!!!"
Everyone knows it's because your aunt worked as a secretary on her Windows 3.1 machine for years, and those ugly white windows kept the ancient monitor's CRT burning so hot straight at her chest from 9 to 5 everyday. Shielding didn't used to be so good, you know.
Everything IS Microsoft's fault. Duh.
CAn'T CompreHend SARcaSm?
There's something that IS Microsoft's fault that will let this worm wreak havoc. When you install WinXP Home, and I believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed easily (I've seen too many boxes w/o one to think it's just a random thing).
That's right. Usually all it takes to break in to a winXP box is to hit ctrl+alt+del x 2 and you're back to the normal winNT login. Then type in Administrator, no password, and unless this person knows anything about windows, and often that's not enough, you're in.
Add to that that all accounts made are Administrator by default, and DON'T need passwords.
What REALLY hurts windows here is not being truly multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CAN'T change it on a per user basis.
Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a winXP box in non-admin mode is almost worthless, because SO many programs require admin access rendering it a pain in the ass.
While in the article, the poster mentioned it's not Microsoft's fault, it BLATANTLY is. Windows comes SO dumbed down, I have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesn't have a default to make sure your password is at least somewhat secure. The options DO exist. From a sys admin perspective, windows is a waste of time. They NEED to have a default "I'm not a dumb user" setting you choose at startup that will among other things, make sure your system is tight and passworded.
They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPARATE security policy, with an emphasis on editing it when you first install.
To put things in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, I guarantee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.
The windows box will have every spyware app on it, stuff deleted, etc, etc.
OH, Xupiter just installed itself again, I have to go...
"Stuff... In my home!? NEVER!" - Zim on Invader Zim
"I want the toilet seat!" - Little Dog on Two Stupid Dogs
This is the seventh posting on the front page in a row by Taco. And none of them are dupes!
/. editors have been replaced with the cyborgs that live among us. I for one, welcome our new android overlords. As a trusted /. personality, I can be helpful in rounding up others to toil in their underground sugar caves.
Along with that, this post observes that Taco posted a story about a worm that did not contain a snide comment about Microsoft.
It's very clear to me now, obviously the
Enigma
I see we have the expected collection of replies from people who think they're experts on passwords because they've turned on all the security settings on their debian box and ran a cracker over a shadow file. *sigh*
Here's the straight dope: passwords suck. No, seriously, I mean they really really suck. A password is either insecure because it's too "simple", or it's too hard to remember for anyone but us nerds who breezed high school without having to learn anything due to amazing powers of recall. Hard passwords are nearly always written down somewhere (how many of you carry passwords, or obfuscated passwords, in you wallet/purse, eh?). You can enforce really "hard" passwords, but all you'll do is make your users hate you. And watch you don't actually end up reducing the search space!
But hell, it doesn't matter anyway, because a complete brute-force search of the 8-character ascii domain is feasible, and is only going to get easier. (Longer passwords? Great, until you find a system you need to support that truncs at 8 -- suddenly you've got an even less secure password because the randomness in the first 8 chars wasn't an issue. Or you have to let people use phrases, and English's entropy isn't that high. What, you mean you don't manage domains of hosts with common auth? Sit back down then.)
The good news is, this doesn't mean shit. What are you trying to protect? Most people don't need uber-secure passwords. Who'd want to hack into my mother's webmail account? The effort involved wouldn't be worth any payoff.
But:
- mib
p.s. Useradd/passwd is not account management.
Funny this, but "God" specifically doesn't show up in this set of 260k users.. But there are 143 words containing "god".. Here are the top ones. :)
:)
22 godzilla
5 godfathe
4 goddess
3 godsmack
3 gods
3 godiva
2 sungod
2 netgod
2 iamgod
2 goodgod
There were 294 words with "sex" in them, the top ones are:
84 sexy
25 sexx
17 sexsex
8 sexual
7 sexo
6 sexe
5 sussex
5 sextoy
5 sex4me
5 ilovesex
And 278 with "love" in it..
86 love
33 lover
21 lovers
14 loveme
13 iloveyou
10 loveit
Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day.
Serious? Seriousness is well above my pay grade.
since the worm doesn't try the most common password: ******
Central Command (also known as the Vexira Anti-Virus people) have a good bit more detail -- including a password list. If historical data is any indication, I'd expect about a 10-20% hit ratio just with the password 'password' (and simple variants thereof).
OS Software is like love: The best way to make it grow is to give it away.