AUSCERT External Security Bulletin Redistribution

                 ESB-2003.0162 -- CERT Advisory CA-2003-08
                Increased Activity Targeting Windows Shares
                               12 March 2003


        AusCERT Security Bulletin Summary

Product:                Windows 2000 and XP File Shares
Operating System:       Windows
Impact:                 Administrator Compromise
Access Required:        Remote

Ref:                    AU-2003.005

Comment: AusCERT recommends using a defence-in-depth approach to
         combatting these attacks. Implementing only one of the defences
         in Section "III. Solution" may not suffice. For example, AusCERT
         have received reports of automated root-kits (see AA-2002.03 and
         AU-2002.010) that have a similar impact to these worms but are
         *not* always detected by anti-virus utilities alone. Similarly,
         border firewalls alone will not prevent the spread of a worm
         internally after initial infection.

--------------------------BEGIN INCLUDED TEXT--------------------


CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares

   Original release date: March 11, 2003
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Microsoft Windows 2000
     * Microsoft Windows XP


   In recent weeks, the CERT/CC has observed an increase in the number of
   reports  of  systems  running  Windows  2000 and XP compromised due to
   poorly protected file shares.

I. Description

   Over the past few weeks, the CERT/CC has received an increasing number
   of  reports  of  intruder  activity involving the exploitation of Null
   (i.e., non-existent) or weak Administrator passwords on Server Message
   Block  (SMB)  file  shares  used  on  systems  running Windows 2000 or
   Windows XP. This activity has resulted in the successful compromise of
   thousands of systems, with home broadband users' systems being a prime
   target. Recent examples of such activity are the attack tools known as
   W32/Deloder,  GT-bot,  sdbot,  and W32/Slackor, which are described in
   more detail below.


   Microsoft  Windows  uses  the  SMB protocol to share files and printer
   resources  with  other  computers. In older versions of Windows (e.g.,
   95,  98,  Me,  and NT), SMB shares ran on NetBIOS over TCP/IP (NBT) on
   ports  137/tcp  and  udp,  138/udp,  and  139/tcp.  However,  in later
   versions  of  Windows  (e.g.,  2000 and XP), it is possible to run SMB
   directly over TCP/IP on port 445/tcp.

   Windows  file  shares with poorly chosen or Null passwords have been a
   recurring security risk for both corporate networks and home users for
   some time:
     * IN-2002-06: W32/Lioten Malicious Code
     * CA-2001-20: Continuing Threats to Home Users
     * IN-2000-02: Exploitation of Unprotected Windows Networking Shares
     * IN-2000-03: 911 Worm

   It  has  often  been the case that these poorly configured shares were
   exposed  to  the Internet. Intruders have been able to leverage poorly
   protected  Windows  shares  by  exploiting  weak  or Null passwords to
   access user-created and default administrative shares. This problem is
   exacerbated   by   another   relevant  trend:  intruders  specifically
   targeting  Internet  address ranges known to contain a high density of
   weakly  protected  systems. As described in CA-2001-20, the intruders'
   efforts commonly focus on addresses known to be used by home broadband

Recent developments

   The  CERT/CC has recently received a number of reports of exploitation
   of  Null  or  weak  Administrator passwords on systems running Windows
   2000 or Windows XP. Thousands of systems have been compromised in this

   Although  the  tools  involved  in  these reports vary, they exhibit a
   number of common traits, including
     * scanning  for  systems listening on 445/tcp (frequently within the
       same /16 network as the infected host)
     * exploiting   Null   or  weak  passwords  to  gain  access  to  the
       Administrator account
     * opening backdoors for remote access
     * connecting  back  to  Internet  Relay  Chat (IRC) servers to await
       additional commands from attackers
     * installing   or   supporting   tools   for   use   in  distributed
       denial-of-service (DDoS) attacks

   Some   of  the  tools  reported  have  self-propagating  (i.e.,  worm)
   capabilities,  while  others  are  propagated  via  social engineering
   techniques   similar   to   those   described  in  IN-2002-03:  Social
   Engineering Attacks via IRC and Instant Messaging.

   The  network  scanning associated with this activity is widespread but
   appears  to  be  especially  concentrated  in  address ranges commonly
   associated  with  home  broadband  users. Using these techniques, many
   attackers  have  built sizable networks of DDoS agents, each comprised
   of thousands of compromised systems.


   The  self-propagating  W32/Deloder malicious code is an example of the
   intruder  activity  described  above.  It  begins  by scanning the /16
   (i.e.,  addresses  with  the  same first two high-order octets) of the
   infected  host  for systems listening on 445/tcp. When a connection is
   established,  W32/Deloder  attempts  to  compromise  the Administrator
   account  by using a list of pre-loaded passwords. Variants may include
   different or additional passwords, but reports to the CERT/CC indicate
   that the following have appeared thus far:

          [NULL]  0  000000  00000000  007  1  110 111 111111 11111111 12
          121212  123 123123 1234 12345 123456 1234567 12345678 123456789
          1234qwer  123abc  123asd  123qwe  2002  2003  2600 54321 654321
          88888888  Admin  Internet  Login Password a aaa abc abc123 abcd
          admin  admin123  administrator  alpha  asdf  computer  database
          enable  foobar  god  godblessyou  home  ihavenopass  login love
          mypass mypass123 mypc mypc123 oracle owner pass passwd password
          pat  patrick  pc pw pw123 pwd qwer root secret server sex super
          sybase    temp    temp123    test    test123    win    xp   xxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yxcv zxcv

   On  successful  compromise  of  the Administrator account, W32/Deloder
   copies  itself  to  the  victim,  placing  multiple  copies in various
   locations  on  the  system.  Additionally, it adds a registry key that
   will  cause  the  automatic  execution  of  dvldr32.exe  (one  of  the
   aforementioned  copies).  The  victim  will  begin  scanning for other
   systems to infect after it is restarted.

   W32/Deloder opens up backdoors on the victim system to allow attackers
   further access. It does this in two ways:

    1. attempting  to  connect  to  one of a number of pre-configured IRC
    2. installing   a   copy  of  VNC  (Virtual  Network  Computing),  an
       open-source  remote  display tool from AT&T, listening on 5800/tcp
       or 5900/tcp

   Note: VNC in and of itself is not a malicious tool, and has many other
   legitimate uses.

   During  the  course of infection by W32/Deloder, a number of files may
   be  created  on  the  system. Reports indicate that files matching the
   following descriptions have been found on compromised systems:

   File / Size (bytes) / Description:

     * The self-propagating malicious code
     * This file installs the backdoor applications onto the victim host
     * A copy of the Remote Process Launch application (not inherently
       malicious, but it is what allows the worm to replicate)
     * A renamed copy of the VNC application
     * VNC dependency file
     * VNC dependency file
     * The IRC-Pitchfork bot application
     * IRC-Pitchfork dependency file

    GT-bot and sdbot

   Intruders  frequently  use IRC "bots" (automated software that accepts
   commands  via  IRC  channels) to remotely control compromised systems.
   GT-bot and sdbot are two examples of intruder-developed IRC bots. Both
   support  automated scanning and exploitation of inadequately protected
   Windows  shares.  These  tools  also offer intruders a variety of DDoS
   capabilities,  including  the  ability  to  generate ICMP, UDP, or TCP

   Tools  like  these are undergoing constant development in the intruder
   community  and  are  frequently  included as part of other tools. As a
   result,  the names, sizes, and other characteristics of the files that
   might  contain  these  tools vary widely. Furthermore, once installed,
   the  tools  are  designed to hide themselves fairly well, so detection
   may be difficult.

   The  CERT/CC  has received reports of sdbot networks as large as 7,000
   systems, and GT-bot networks in excess of 140,000 systems.


   The  W32/Slackor  worm  is another example of a tool that targets file
   shares.  On a compromised machine, the worm begins by scanning the /16
   of  the  infected  host for other systems listening on 445/tcp. When a
   system  is  discovered, W32/Slackor connects to the IPC$ share using a
   set  of  pre-programmed  usernames and passwords, copies itself to the
   C:\sp  directory,  and  runs  its payload. The payload consists of the
   following files:

     * The self-propagating malicious code
     * List of usernames/passwords
     * A copy of the Remote Process Launch application (from
       sysinternals.com, used for replicating the worm)
     * The bot application

   W32/Slackor  also  contains  an  IRC  bot. When this bot joins its IRC
   network,  a  remote  intruder  controlling  the  IRC channel can issue
   arbitrary  commands  on  the compromised computer, including launching
   denial-of-service attacks.

    Network footprint

   Widespread  scanning  for  445/tcp  indicates  activity  of this type.
   Compromised  hosts  may  also  have  unauthorized  connections  to IRC
   servers   (typically   on   6667/tcp,   although   ports   may  vary).
   Additionally,  the VNC package installed by W32/Deloder will typically
   listen  on  5800/tcp or 5900/tcp. If a compromised system is used in a
   DDoS  attack  on another site, large volumes of IP traffic (ICMP, UDP,
   or TCP) may be detected emanating from the compromised system.
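   The footprint above can be checked mechanically against connection
   records. The script below is an added example, not CERT/CC code: it
   flags local hosts that sweep 445/tcp across their own /16, that
   initiate IRC connections to outside hosts, or that accept outside
   connections on the VNC ports W32/Deloder installs. The flow-record
   format, the local network and the scan threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

SMB_PORT = 445            # SMB directly over TCP on Windows 2000/XP
IRC_PORTS = {6667}        # default IRC port named in the advisory; may vary
VNC_PORTS = {5800, 5900}  # listeners installed by W32/Deloder

def slash16(ip: str) -> ipaddress.IPv4Network:
    """The /16 containing ip: the range W32/Deloder and W32/Slackor sweep."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)

def analyse(flows, local_net, scan_threshold=20):
    """Return {host: sorted findings} for hosts inside local_net.

    flows: iterable of (src_ip, dst_ip, dst_port) connection attempts.
    A host is flagged when it tries SMB to >= scan_threshold distinct peers
    in its own /16, when it opens IRC to an outside host, or when an outside
    host connects to it on a VNC port.  Threshold is an assumed value.
    """
    local = ipaddress.ip_network(local_net)
    smb_peers = defaultdict(set)
    findings = defaultdict(set)
    for src, dst, dport in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in local and dport == SMB_PORT and dst_ip in slash16(src):
            smb_peers[src].add(dst)
        if src_ip in local and dport in IRC_PORTS and dst_ip not in local:
            findings[src].add(f"outbound IRC to {dst}:{dport}")
        if dst_ip in local and dport in VNC_PORTS and src_ip not in local:
            findings[dst].add(f"external access to VNC listener on {dport}/tcp")
    for host, peers in smb_peers.items():
        if len(peers) >= scan_threshold:
            findings[host].add(f"445/tcp sweep of {len(peers)} hosts in own /16")
    return {h: sorted(f) for h, f in findings.items()}

# Constructed sample: one infected host and one ordinary file-share client.
LOCAL_NET = "10.1.0.0/16"
SAMPLE_FLOWS = (
    [("10.1.2.3", f"10.1.{i}.{i + 1}", SMB_PORT) for i in range(25)]
    + [("10.1.2.3", "198.51.100.7", 6667),   # bot joining its IRC server
       ("203.0.113.9", "10.1.2.3", 5900),    # intruder reaching installed VNC
       ("10.1.4.4", "10.1.4.5", SMB_PORT)]   # normal access to a file server
)

if __name__ == "__main__":
    for host, notes in analyse(SAMPLE_FLOWS, LOCAL_NET).items():
        print(host)
        for note in notes:
            print("   ", note)
```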

II. Impact

   The  presence  of  any  of  these tools on a system indicates that the
   Administrator  password  has  likely  been compromised, and the entire
   system is therefore suspect. With this level of access, intruders may
     * exercise remote control
     * expose confidential data
     * install other malicious software
     * change files
     * delete files
     * launch attacks against other sites

   The  scanning  activities  of these tools may generate high volumes of
   445/tcp  traffic.  As  a  result,  some  Internet-connected  hosts  or
   networks  with  compromised  hosts  may  experience performance issues
   (including denial-of-service conditions).

   Sites  targeted  by  the  DDoS  agents  installed by this activity may
   experience  unusually  heavy  traffic  volumes  or  high packet rates,
   resulting   in   degradation  of  services  or  loss  of  connectivity

III. Solution

   In  addition  to  following  the  steps  outlined in this section, the
   CERT/CC  encourages  home  users to review the "Home Network Security"
   and "Home Computer Security" documents.

      Disable or secure file shares

   Best  practice  dictates  a  policy  of  least  privilege;  if a given
   computer  is  not  intended  to  be  a  server (i.e., share files with
   others),  "File  and Printer Sharing for Microsoft Networks" should be

   For  computers  that export shares, ensure that user authentication is
   required   and   that   each   account  has  a  well-chosen  password.
   Furthermore,  consider  using a firewall to control which computer can
   access these shares.

   By  default,  Windows  NT,  2000,  and  XP  create  certain hidden and
   administrative  shares.  See  the  HOW TO: Create and Delete Hidden or
   Administrative  Shares  on  Client Computers for further guidelines on
   managing these shares.

      Use strong passwords

   The  various  tools  described  above  exploit the use of weak or Null
   passwords  in  order  to propagate, so using strong passwords can help
   keep them from infecting your systems.

   Microsoft has posted a "Create Strong Passwords" checklist.

      Run and maintain an anti-virus product

   The  malicious  code  being  distributed  in  these  attacks  is under
   continuous  development  by  intruders,  but  most anti-virus software
   vendors  release  frequently  updated  information,  tools,  or  virus
   databases  to help detect and recover from the malicious code involved
   in  this  activity.  Therefore,  it is important that users keep their
   anti-virus  software  up to date. The CERT/CC maintains a partial list
   of anti-virus vendors.

   Many   anti-virus   packages   support   automatic  updates  of  virus
   definitions. The CERT/CC recommends using these automatic updates when

      Do not run programs of unknown origin

   Never  download,  install,  or  run a program unless you know it to be
   authored  by a person or company that you trust. Users of IRC, Instant
   Messaging  (IM), and file-sharing services should be particularly wary
   of following links or running software sent to them by other users, as
   this  is  a  commonly  used method among intruders attempting to build
   networks of DDoS agents.

      Deploy a firewall

   The  CERT/CC  also  recommends  using  a  firewall  product, such as a
   network  appliance  or  a  personal firewall software package. In some
   situations, these products may be able to alert users to the fact that
   their machine has been compromised. Furthermore, they have the ability
   to block intruders from accessing backdoors over the network. However,
   no  firewall  can  detect  or  stop all attacks, so it is important to
   continue to follow safe computing practices.

      Ingress/egress filtering

   Ingress  filtering  manages the flow of traffic as it enters a network
   under your administrative control. In the network usage policy of many
   sites,  external  hosts are only permitted to initiate inbound traffic
   to  machines  that  provide  public  services on specific ports. Thus,
   ingress  filtering  should  be  performed  at  the  border to prohibit
   externally initiated inbound traffic to non-authorized services.

   Egress  filtering  manages  the flow of traffic as it leaves a network
   under your administrative control. There is typically limited need for
   internal systems to access SMB shares across the Internet.

   In  the  case  of  the  intruder  activity  described  above, blocking
   connections  to  port  445/tcp  from  entering or leaving your network
   reduces  the  risk of external infected systems attacking hosts inside
   your network or vice-versa.

      Recovering from a system compromise

   If  you  believe  a  system under your administrative control has been
   compromised, please follow the steps outlined in

          Steps for Recovering from a UNIX or NT System Compromise

IV. References

    1. Trends in Denial of Service Attack Technology:
    2. Managing the Threat of Denial-of-Service Attacks:
    3. IN-2002-06: W32/Lioten Malicious Code:
    4. CA-2001-20: Continuing Threats to Home Users:
    5. IN-2000-02: Exploitation of Unprotected Windows Networking Shares:
    6. IN-2000-03: 911 Worm:
    7. IN-2002-03: Social Engineering Attacks via IRC and Instant
       Messaging: http://www.cert.org/incident_notes/IN-2002-03.html
    8. VNC (Virtual Network Computing):
    9. Home Network Security:
   10. Home Computer Security:
   11. HOW TO: Create and Delete Hidden or Administrative Shares on
       Client Computers:
   12. Checklist: Create Strong Passwords:
   13. Anti-virus vendors:
   14. Steps for Recovering from a UNIX or NT System Compromise:


   The  CERT/CC  is  interested in receiving reports of this activity. If
   machines  under  your  administrative  control are compromised, please
   send  mail  to  cert@cert.org  with the following text included in the
   subject line: "[CERT#36888]".

   Feedback  can  be directed to the authors: Allen Householder and Roman

   This document is available from:

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890

   CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
   EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
   during other hours, on U.S. holidays, and on weekends.

    Using encryption

   We  strongly  urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   If  you  prefer  to  use  DES,  please  call the CERT hotline for more

    Getting security information

   CERT  publications  and  other security information are available from
   our web site

   To  subscribe  to  the CERT mailing list for advisories and bulletins,
   send  email  to majordomo@cert.org. Please include in the body of your

   subscribe cert-advisory

   *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
   Patent and Trademark Office.

   Any  material furnished by Carnegie Mellon University and the Software
   Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied  as  to  any matter including, but not limited to, warranty of
   fitness  for  a  particular purpose or merchantability, exclusivity or
   results  obtained from use of the material. Carnegie Mellon University
   does  not  make  any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

   Revision History
March 11, 2003:  Initial release


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
