New Windows Worm Inching Around Internet

helixcode123 writes "The Register is reporting a Windows Worm that takes advantage of weak default passwords. This looks pretty nasty, as it mucks with the registry and disables network sharing." Basically if it finds SMB shares with weak passwords, it drops an executable in the startup folder... for once a security problem that isn't really Microsoft's fault.

What were those commons passwords in Hackers?

[Eese]

I bet they just made a program that tried, "Love, sex, and god".

Re:What were those commons passwords in Hackers?

[mumkin]

According to F-secure, these are the passwords it tries :

[empty], xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, admin, Admin, password, Password, 1, 12, 123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 654321, 54321, 111, 000000, 00000000, 11111111, 88888888, pass, passwd, database, abcd, abc123, oracle, sybase, 123qwe, server, computer, Internet, super, 123asd, ihavenopass, godblessyou, enable, xp, 2002, 2003, 2600, 0, 110, 111111, 121212, 123123, 1234qwer, 123abc, 007, alpha, patrick, pat, administrator, root, sex, god, foobar, a, aaa, abc, test, test123, temp, temp123, win, pc, asdf, secret, qwer, yxcv, zxcv, home, xxx, owner, login, Login, pwd, pass, love, mypc, mypc123, admin123, pw123, mypass, mypass123, pw

the pat / patrick is rather weird, eh? only name in the list.

Re:What were those commons passwords in Hackers?

[ackthpt]

Thank goodness it didn't include 'cowboyneal4ever', since I use that for everything and it has never let me down for security purposes.

Re:What were those commons passwords in Hackers?

[galaxy300]

I'm surprised that ****** isn't in the list. That's my password for just about everything. As a matter of fact, I've noticed that it's just about everyone's password!!!

Re:What were those commons passwords in Hackers?

[LBArrettAnderson]

if the hackers need any help, here are the most common passwords for my website:

password, mypassword, asdf, fdsa, [the user's username], [the user's username backwards], guitar, qwerty, starwars, [the user's first name], [the user's last name], [the user's initials], internet, love, 12345 (spaceballs...), mercedes, batman, superman, ilove[insert name of opposite sex], [username]420, computer.

9.1% of passwords are "password", 2.6% of passwords are the username, 1.7% of passwords are the user's first name.

hope that helps!

Re:What were those commons passwords in Hackers?

[JWSmythe]

My own survey of 267,000 passwords, here are the top ones.. If we've found them abused, they've already been changed, which I believe is why "password" is lowered from the #1 position to #2.. :)

505 1234
494 password
319 6969
241 harley
231 123456
201 golf
180 pussy
169 mustang
169 1111
143 shadow
135 1313
134 fish
130 5150
127 7777
121 qwerty
120 baseball
118 2112
116 letmein
114 12345678
114 12345

Other than these, the users name, with the variations of a leading or trailing numeral, or the name spelled backwards also rank very high, but of course, don't show properly in this list..

Sadly enough, people very frequently try to pick the same userid and password, which we no longer allow. We have some people who are *VERY* into their cars, and one who was upset because he couldn't have the name of his favorite car (Honda).. I pulled a quick report of the car manufacturers I could think of.. There are lots of variations on Chevy and Ford and their models. On one site, someone even has the userid of "Yugo".. I guess you have to have pride in what you drive. :)

If I had coded the worm, I would have gzip'd in a good dictionary file just to make things simplier.

The web site password crackers that I've seen use dictionary files, and for the passwords they try:

word
drow (word backwards)
[0-9]word (read as regex, not literal)
word[0-9]
[0-9]drow
drow[0-9]

Then they try the above with all caps, alternating capitalization, and swapping numbers for letters. (like zero for "oh", or three for "ee")

Anyone who reads this and now realizes that I hit your userid:passwd, *CHANGE YOUR PASSWORD*. You're using a stupid password, and if it's anything someoen wants to get into, they will. Even if it seems simple like a password to a web site, your web Email, or your Windows file share that no one is suppose to use.

BTW, in-store machines, like cash registers and those self-serve photo stations use words that are just as simple..

I had a few drinks before I went shopping the other day. My friend was waiting for them to find his cigarettes, so I was standing by one of the Kodak scanning stations. I tried the basic ones (1234 - 4321 - 12345), so I looked at the sales reciept. I found the store number, and voila, I was in.. I didn't bother to do anything else, I was hungry, so I went home. :) I figure if it took me 30 seconds with a buzz, it's probably too easy. BTW, there are all kinds of interesting options to set on those machines. :)

Re:What were those commons passwords in Hackers?

[LoztInSpace]

[the user's username backwards]. Heh heh. Reminds me of a friend telling someone to use this. Bad advice aside, imagine him saying this as he simultaneously realises that the user's name is Lana.

Re:What were those commons passwords in Hackers?

[Enigma2175]

I don't store plaintext passwords, so I just guessed the top 2, which are:

53: 123456
21: password

keep in mind we require a >= 6 char password. We only have about 4,000 users.

After reading your post, I thought I would try a few myself. Sure it's a small sample, although probably not statistically valid it certainly adds to the anecdotal evidence

mysql> select count(*) from auth;

count(*)
873
Total Users

mysql> select count(*) from auth where password = md5(username);

count(*)
90
username same as password

mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.fname);

count(a.username)

44
password is first name

mysql> select count(a.username) from auth as a, contact as b where a.password = md5(b.lname);

count(a.username)
24
Password is last name

mysql> select count(*) from auth where password = md5('password');

count(*)
10
hmmm, only 10 users with a password of password

Some more ....
mysql> select count(*) from auth where password = md5('12345');

count(*)
10

I've got to put some text here to break up the queries, hopefully it will help out a little bit. Does anyone who has read through the slashcode know what criteria is used for the lameness filter? Is is the ratio of junk characters to nonjunk characters or is there something else to it?

It seems like it causes problems.

mysql> select count(*) from auth where password = md5('1234');

count(*)
2

Now I suppose I must do a very lengthy conclusion because the lame /. lameness filter. It seems as if many of my users use passwords that are inherently insecure. There are a few I could check for, but it would involve coding time and these days management doesn't look to kindly upon code that doesn't make money. I doubt I have enough to get through the filter, but I'll give it a shot. OK, now I have had to strip several of the server responses of dashes, hopefully this time 8crosses fingers8

Jesus, what a fucking pain in the ass. Is it really that painful to the community to have a few ASCII porn pics posted? Damn I hate to have to go through this huge fucking ordeal just to post a simple fucking comment. How about a goddamn lameness filter exemption for people with excellent karma? How many ASCII goatse.cx picxtures have you seen posted with a plus 1 bonus?

It still will not post. I have stripped just about every nonletter from my post and it still will not fucking go up. what next do i need to strip the punctuation and caps so that i can get more non motherfucking bullshit junk characters in my post i guess it just goes back to the saying often quoted on slashdot i will paraphrase those who give up essential posting liberties for a little temporary safety from goatsex deserve goatsex twentyfour seven i wonder if it has ever occured to the nitwits that run this site that people might actually want to post something that is meaningful to the conversation that is not plain old text sometimes it makes things much more readable if you have some formatting and punctuation in there to break things up a bit gee its news for nerds cant these guys forsee that some geeks are going to want to post code and other things that may have more punctuation and special characters than your standard text

motherfuckers

A cold day in...

[asparagus]

...for once a security problem that isn't really Microsoft's fault...

Taco: Hell just called. They want you turn back on the heat.

The Most Open Security Hole....

[scottm52]

Is the one left open by an Admin who has no business being an Admin....

But (more seriously), doesn't is just scare the hooey out of you that brute force password cracking is now running around as an autonamous virus on the Net???

Yeesh, I get the willies thinking of every user that I've told "you can't use password as the password".

Re:The Most Open Security Hole....

[afidel]

I liked a friend of mines way of dealing with this, he ran a dictionary attack against the password database and a couple other tools, if your password was guessed the account was disabled and a note put in as to why, then when you called to have it re-enabled the helpdesk did an internal charge of $100 to your department, most managers would only let one crack go =)

Re:Microsoft's fault?

[Anonvmous+Coward]

"Please tell me why isn't it Microsoft's fault? "

Please tell me how it's MS's fault that people pick easy to guess passwords?

Risks of default passwords

[ma++i+ude]

Default passwords are of course a problem, especially when many of these systems are operated by people who probably don't even know they are running an SMB server.

Also, even those who know better often seem to leave passwords to default if the system shouldn't be accessible from the outside. A typical example of such a system is an ADSL router / firewall. I know several of these whose password is left as standard. Granted, attacking them will be more difficult (and probably cannot be automated like in this case) but once one of the hosts inside is rooted, it's easy to connect to the router from within the LAN and gain access to the rest of the services.

ACK!!!

[revery]

for once a security problem that isn't really Microsoft's fault.

What!! On Slashdot!! a story that absolves Microsoft of guilt when blind-eyed finger pointing would have been so easy...

Who are you and what have you done with the slashdot editors?!?

--

Dilbert - "If aliens take over your boss's body, is that a bad thing?"
Wally - "It depends on the aliens"

Dictionary attack + 1

[ObviousGuy]

I'd hate to see a worm built with a password guessing algorithm that just used a dictionary attack with a capitalized first letter and '1' appended at the end.

When the admin requires a password that must be at least 6 characters long, mixed case, and contain both numbers and letters, this is the most standard type of password that is generated by users. Easy to remember.

This isn't a problem with Windows, per se. It's a problem with braindead network administration that requires either nothing in the way of password requirements or such outrageously difficult "strong" passwords that users have to write them on Post-Its stuck on the monitor.

Perhaps the best solution would be biometrics?

Re:Microsoft's fault?

Because this is slashdot. The fact that your aunt has breast cancer is Microsoft's fault.

pat/patrick

St. PAtricks day is this month.

For employees that are forced to change the password monthly picking a holiday from the month is easy to remember...

Hypocrites

[Nintendork]

"for once a security problem that isn't really Microsoft's fault"

Give Microsoft a break. Open source software has its own fair share of exploits and worms that take advantage of unpatched boxes. I subscribe to all of the securityfocus mailing lists and I can tell you that I see a lot more *nix than MS activity.

I feel sorry for those that let their hatred of a company clout their perception on information security.

-Lucas

It's not a worm, it's a DDOS countermeasure

[eagl]

Browsing through my firewall logs, a simple "file://attackeripaddy" in a browser window results in around 80% success using either no username/password, or a simple "guest" username with no password. On occasion, I'll have to throw a "C$" on the end (file://attackeripaddy/c$) but that's only necessary with fools running winNT or winXP instead of win9x. Sometimes it's even obvious that the people with compromised and unsecured computers are spammers...

Banging on my firewall then leaving their own computer open is arguably an invitation to come on in and look around. Leaving a guest account open is a clear invitation to come on in and look around just like having anonymous ftp available is an invitation to enter and at the very least look around. They're both file servers, both well known and documented...

Lock that 80% out of the internet, or even slap them upside the head temporarily, and 80% of the computers whacking away at my firewall will stop. That doesn't sound like a bad thing to me. Stupid/ignorant people who let their computer get used as a DDOS or other worm/trojan client through a basic lack of care don't get any pity from me.

WRONG!

[dotgod]

Sorry, but "administrator" can't be one of the passwords the worm tries because I use that for the password on my box and everyt

NO CARRIER

Re:Microsoft's fault?

[Guppy06]

"Please tell me how it's MS's fault that people pick easy to guess passwords?"

Please tell me how it's not Microsoft's fault for making both partitions and the system directory shares by default. How the hell else would the worm get access to the StartUp folder? The people most vulnerable don't even know where that particular directory is, let alone how to share it.

Please tell me how it's not Microsoft's fault to make XP users members of the Administrators group by default (the only ones who can access those default shares).

Please tell me how it's not Microsoft's fault that XP doesn't even bother asking for a password for a new (admin!) user account unless the account is made the old-fashioned Win2k way.

The "shiney new" way XP handles user accounts by default is almost as bad as 95/98/Me. By default, all system users are listed at the log-in screen for you to pick. One of them has a password? Move on down to the next in the list. Odds are at least one of them doesn't have a password and yet has admin privileges.

True, no self-respecting XP user would have anything to do with the accounts script in the Control Panel, but the better method of dealing with user accounts is both counter-intuitive ("Performance and Maintenance?" But "User Accounts" is right there!) and practically hidden (Performance & Maintenance -> Administrative Tools -> Computer Management (Local) -> Local Users and Groups), at least as far as former 95/98/Me users are concerned.

No, this is a design flaw in XP, part of Microsoft's attempts to dumb down the NT kernel for the home user. Perhaps MSFT wouldn't have to spend so much money on patching these security holes if they instead spent a little capital on trying to educate users a little about (extremely) basic user accounts security. This current "security hole" has been around since NT 3.1 and hasn't been that much of a problem until Microsoft decided to give everybody admin rights by default.

Re:Microsoft's fault?

[ahaning]

For example, make it really clear to users enabling file sharing that people can and will try to break in if they connect to the Internet, so strong passwords or other security means are really necessary.

It's a good thought, but consider this:

You should be warned that ena*click*

Are you sure that you want*click*

Sweet. My files are shared.

Re:love of the Irish.

[Theaetetus]

The pat / patrick is rather weird, eh? only name in the list

Hey! My son Temp123 would take offense at that!

-T

Re:Microsoft's fault?

[roolmarty]

From Technet article 318751 (HOWTO: Remove Administrative Shares in Windows 2000):

To remove automatic creation of the administrative shares by using Registry Editor:

• Start Registry Editor (Regedt32.exe).
• Locate and then click the following key in the registry:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\LanmanServer\Parameters\AutoShareServer

• Change the value of the AutoShareServer key to zero (0).
  NOTE: A setting of zero (0) prevents the administrative shares, such as C$, D$, and Admin$ from being created automatically.
• Quit Registry Editor.

NOTE: If the AutoShareServer key does not exist, create the AutoShareServer key by using the following steps:

• Locate and then click the following key in the registry:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\LanmanServer\Parameters
• On the Edit menu, click Add Value.
• Type AutoShareServer, click REG_DWORD, and then click OK.
• Type 0, and then click OK.
• Quit Registry Editor, and then restart the computer.

And... From 314984 (HOWTO: Create and Delete Hidden or Administrative Shares on Client Computers) (This is for Windows XP, W2K Pro, WinNT4 Workstation)

To delete the hidden administrative shares for all root partitions and volumes (such as C$) and the system root folder (ADMIN$) and prevent Windows from re-creating them, add an AutoShareWks DWORD value to the following registry key and set its value data to 0:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\LanmanServer\Parameters

These get rid of those pesky administrative shares.

Re:SAMBA protocol

[sn0wman3030]

Just so we're clear, SAMBA is not a protocol. The protocol you are thinking of is SMB (Server Message Block). Samba allows unix users to use SMB. Here's some info.

Re:Microsoft's fault?

[IDIIAMOTS]

Any local account without a password in Windows XP is prohibited from remotely connecting to that machine.

Yeah, but...

[jrwillis]

Is that case sensitive?

Re:Yeah, but...

[_xeno_]

Yeah, I just checked. 88888888 won't work.

Re:love of the Irish.

[Jerf]

"Son, it's time we had that special man-to-man talk about where babies come from. See, your mom and I tried to, uhhh, 'swap location', and everybody knows that to swap two variables, you need a temporary variable*. Well, you're that temporary variable. You just better hope you don't go out of scope soon..."

(*: True in the general case, since the XOR trick only works in certain circumstances.)

who's on first?

[djupedal]

"What's your password?" "It's random." "Great, glad you use a smart strategy, now tell me what it is, please." "I told you, it's 'random'" "How can it be random...you have to decide it when you rotate, and of course it's picked at random...so, anyhow, tell me what it is right now... " " it's random....I just told you!!!"

Re:who's on first?

[Scumbag+Tracker]

To avoid being hacked, I set my password to "pi". Only problem is, now it takes me forever to log on in the morning. :-/

Luckily the world is safe...

[ardu]

since the worm doesn't try the most common password: ******