Slashdot Mirror
New Windows Worm Inching Around Internet
helixcode123 writes "The Register is reporting a Windows Worm that
takes advantage of weak default passwords. This
looks pretty nasty, as it mucks with the registry
and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.
I bet they just made a program that tried, "Love, sex, and god".
...for once a security problem that isn't really Microsoft's fault...
Taco: Hell just called. They want you turn back on the heat.
Is the one left open by an Admin who has no business being an Admin....
But (more seriously), doesn't is just scare the hooey out of you that brute force password cracking is now running around as an autonamous virus on the Net???
Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".
"Please tell me why isn't it Microsoft's fault? "
Please tell me how it's MS's fault that people pick easy to guess passwords?
Unbind network sharing from your external tcp/ip settings.
This should be done by default (but of course, it isn't), and I'm sure 90% of home users don't even realize their network shares are available on the internet. A lot of them probably don't even realize that they have network shares enabled in the first place.
And let's not forget the default hidden shares under win2k....if your admin password is blank, then blamo - full access to your machine.
If you can't beat them, arrange to have them beaten. -George Carlin
Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.
You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
for once a security problem that isn't really Microsoft's fault.
What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...
Who are you and what have you done with the slashdot editors?!?
--
Dilbert - "If aliens take over your boss's body, is that a bad thing?"
Wally - "It depends on the aliens"
I think I'm going to write myself a little VB app that deletes everything (except itself) in the startup folder once in a while. I'd like to make my own list of things that are permitted in there so I'm not 'surprised' by bs like that.
Note to Microsoft: How about providing the user with a "Are you sure you want this here?" dialog every time something's copied in there?
I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.
When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.
This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.
Perhaps the best solution would be biometrics?
I have been pwned because my
On Sunday, March 09th 2003, Symantec posted AntiVirus updates on their site as well as the LiveUpdate.
LiveUpdate:
Virus Definitions released March 9
Norton AntiVirus Corp. Edition Defs Version: 50309h
Norton AntiVirus Corp. Edition Sequence Number: 21592
Total Viruses Detected: 63225
This is peculiar since Symantec does not post any regular updates to their AntiVirus software on the weekends.
They know something, definitely.
Let me guess, UDP port 137 is producing lots and lots of logged events?
Thats normal. There are two solutions;
1. Design, build and spread a virus or trojan which will irrevocably destroy all Windows boxes which are connected to the internet without a firewall.
Or
2. Stop logging UDP port 137.
In the free world the media isn't government run; the government is media run.
Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault.
St. PAtricks day is this month.
For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...
what about c$? or admin$?
not all shares are manually set.
if the admnistrator password is weak then the system can be comprimised this way with no shares being set (unless things have changed since NT4.0 that I don't know about.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Multidropper/dropper is nasty, I am coming off of an entire weekend chasing this hunk of code.
1. Once on the system it disables personal security/firewall/virus scanning
2. Copies itself to the start up group
3. With virus scanning disabled it drops several nasty bugs.
4. Network traffic/processor utilization goes thru the roof.
5. It then tries to replicate on the next machine...
next DAT release on the 12th will include that def.
Good Luck
McAfee has an extra.dat that fights it, the
Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.
I feel sorry for those that let their hatred of a company clout their perception on information security.
-Lucas
Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...
Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...
Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.
You can configure Windows to do the same. At my workplace the policy is rather strict, so it actually takes some effort to come up with a good password.
When men used to be men
NO CARRIER
"Please tell me how it's MS's fault that people pick easy to guess passwords?"
Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.
Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).
Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.
The "shiney new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.
True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.
No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.
For example, make it really clear to users enabling file sharing that people can and will try to break in if they connect to the Internet, so strong passwords or other security means are really necessary.
It's a good thought, but consider this:
You should be warned that ena*click*
Are you sure that you want*click*
Sweet. My files are shared.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Hey! My son Temp123 would take offense at that!
-T
From Technet article 318751 (HOWTO: Remove Administrative Shares in Windows 2000):
And... From 314984 (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)
These get rid of those pesky administrative shares.It boggles the mind how the admins who choose passwords like "password" or "1234" can keep a job. These people are supposed to secure systems and make sure they work in harmony. These usually go hand in hand, too. If you have insecure systems and they are breached, obviously things won't be all harmonious and blissful. If you have problems with the network, security won't matter since problems can usually lead to backdoors. If a system is compromised by this worm, I hope the companies that hired the admins give their security and networking department hell. They deserve it. No system should be cracked by a worm that searches for the sort of passwords you'd expect an idiot (or President Scroob) to have on their luggage.
Slashdot is a waste of time. I enjoy wasting time.
Just so we're clear, SAMBA is not a protocol. The protocol you are thinking of is SMB (Server Message Block). Samba allows unix users to use SMB. Here's some info.
Life is offtopic.
Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.
Good for those Linux boxes! You're using a weak password.
First, the word you selected happened to be on your desk. Most likely it's a not-uncommon term in either English, your native language (if not English), or a technical term. Any good password cracker dictionary will include all three.
Second, any good password cracker is going to try variations on the words in its dictionary. Minor misspellings, appending numbers, or translation into l33t-speak. Trying every possible minor misspelling and l33t-speak variant is relatively cheap compared to searching the entire key space. Expect them to do it!
Any test the passwd filter is doing is likely based on an attack already in use by a password cracker. It would be nice if the program gave you a reason the password was rejected (I've had apparently random password rejected), but ultimately it doesn't matter. If the passwd filter doesn't like it, a cracking program probably will like it.
Search 2010 Gen Con events
It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.
I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.
In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm.
Is that case sensitive?
Keep Austin Weird!
"Son, it's time we had that special man-to-man talk about where babies come from. See, your mom and I tried to, uhhh, 'swap location', and everybody knows that to swap two variables, you need a temporary variable*. Well, you're that temporary variable. You just better hope you don't go out of scope soon..."
(*: True in the general case, since the XOR trick only works in certain circumstances.)
The fact that your aunt has breast cancer is Microsoft's fault.
THAT is what I have been telling everyone! Of course they don't believe me, and that is Microsoft's fault too!
DAMN YOU MICROSOFT
"What's your password?" "It's random." "Great, glad you use a smart strategy, now tell me what it is, please." "I told you, it's 'random'" "How can it be random...you have to decide it when you rotate, and of course it's picked at random...so, anyhow, tell me what it is right now... " " it's random....I just told you!!!"
Theres something that IS microsofts fault that will let this worm wreak havok. When you install WinXP Home, and i believe Pro, it does NOT set a password for the Administrator account, or it can be bypassed eiasly (ive seen too many boxes w/o one to think its just a random thing).
Thats right. Usually all it takes to break in to a winXP box is to hit ctrl+alt+del x 2 and your back to the normal winNT login. Then type in Administrator, no password, and unless this person knows anything about windows, and often thats not enough, your in.
Add to that that all accounts made are Administrator by default, and DONT need passwords.
What REALLY hurts windows here is not being truely multiuser on a local machine. This can be felt when you try to lock down say a web kiosk, and as you edit the Local security policy, you can watch the system lock down around you, since you CANT change it on a per user basis.
Add to this things like the viral Xupiter, and windows is chock full of holes. And leaving a winXP box in non-admin node is almost worthless, because SO many programs require admin access rendering it a pain in the ass.
While in the article, the poster mentioned its not microsofts fault, it BLATENTLY is. Windows comes SO dumbed down, i have to spend hours locking it down, turning off all the annoying services and popups, etc. Not only that, it doesnt have a default to make sure you password is at least somewhat secure. The options DO exist. From a sys admin perspective, windows is a waste of time. They NEED to have a deafult "im not a dumb user" setting you choose at startup that will among other things, make sure your system is tight and passworded.
They also need to go truly multiuser, clean up permissions w/o making them useless, and make EACH local user have a SEPERATE security policy, with an emphasis on editing it when you first install.
To put thins in perspective, in a public user setting, you leave an XP box out for use for a week, and an OSX box, i guarentee you, even the most basic setup, the OSX box will be exactly how you installed it, with a bunch of crap on the desktop.
The windows box will have every spyware app on it, stuff deleted, etc, etc.
OH, Xupiter just installed itself again, i have to go...
"Stuff... In my home!? NEVER!" - Zim on Invader Zim
"I want the toilet seat!" - Little Dog on Two Stupid Dogs
This is the seventh posting on the front page in a row by Taco. And none of them are dupes!
/. editors have been replaced with the cyborgs that live among us. I for one, welcome our new android overlords. As a trusted /. personality, I can be helpful in rounding up others to toil in thier underground sugar caves.
Along with that, this post observes that Taco posted a story about a worm that did not contain a snide comment about Microsoft.
It's very clear to me now, obviously the
Enigma
Funny this, but "God" specifically doesn't show up in this set of 260k users.. But there are 143 words containing "god".. Here are the top ones. :)
:)
22 godzilla
5 godfathe
4 goddess
3 godsmack
3 gods
3 godiva
2 sungod
2 netgod
2 iamgod
2 goodgod
There were 294 words with "sex" in them, the top ones are:
84 sexy
25 sexx
17 sexsex
8 sexual
7 sexo
6 sexe
5 sussex
5 sextoy
5 sex4me
5 ilovesex
And 278 with "love" in it..
86 love
33 lover
21 lovers
14 loveme
13 iloveyou
10 loveit
Oddly enough, root came in very low.. The highest one is "rootbeer" with 7.. That'd make it ranking around 3540.. I feel unloved.. If one person had "iloveroot", that would have made my day.
Serious? Seriousness is well above my pay grade.
since the worm doesn't try the most common password: ******