Original release date: March 11, 2003<br>
<!-- Last revised: March 11, 2003<br> -->
Source: CERT/CC<br>

<p>A complete revision history can be found at the end of this file.</p>

<br>
<a name="affected"></a>
<h3>Systems Affected</h3>

<ul>
<li>Microsoft Windows 2000</li>
<li>Microsoft Windows XP</li>
</ul>

<br>
<a name="overview"></a>
<h2>Overview</h2>

<p>In recent weeks, the CERT/CC has observed an increase in the number
of reports of systems running Windows 2000 and XP compromised due to
poorly protected file shares.</p>

<br>
<a name="description"></a>
<h2>I. Description</h2>

<p>Over the past few weeks, the CERT/CC has received an increasing
number of reports of intruder activity involving the exploitation of
Null (i.e., non-existent) or weak <i>Administrator</i> passwords on
Server Message Block (SMB) file shares used on systems running Windows
2000 or Windows XP. This activity has resulted in the successful
compromise of thousands of systems, with home broadband users' systems
being a prime target.  Recent examples of such activity are the attack
tools known as W32/Deloder, GT-bot, sdbot, and W32/Slackor, which are
described in more detail below.</p>


<h4>Background</h4>

<p>Microsoft Windows uses the SMB protocol to share files and printer
resources with other computers.  In older versions of Windows (e.g.,
95, 98, Me, and NT), SMB shares ran on NetBIOS over TCP/IP (NBT) on
ports 137/tcp and 137/udp, 138/udp, and 139/tcp.  However, in later
versions of Windows (e.g., 2000 and XP), it is possible to run SMB
directly over TCP/IP on port 445/tcp.</p>

<p>Windows file shares with poorly chosen or Null passwords have been
a recurring security risk for both corporate networks and home users
for some time:</p>

<ul>
<li><a href="http://www.cert.org/incident_notes/IN-2002-06.html">IN-2002-06: W32/Lioten Malicious Code</a></li>

<li><a href="http://www.cert.org/advisories/CA-2001-20.html">CA-2001-20: Continuing Threats to Home Users</a></li>

<li><a href="http://www.cert.org/incident_notes/IN-2000-02.html">IN-2000-02:
Exploitation of Unprotected Windows Networking Shares</a></li>

<li><a href="http://www.cert.org/incident_notes/IN-2000-03.html">IN-2000-03: 911 Worm</a></li>
</ul>

<p>It has often been the case that these poorly configured shares were
exposed to the Internet.  Intruders have been able to leverage
poorly protected Windows shares by exploiting weak or Null
passwords to access user-created and default administrative shares.
This problem is exacerbated by another relevant trend: intruders
specifically targeting Internet address ranges known to contain a high
density of weakly protected systems.  As described in <a
href="http://www.cert.org/advisories/CA-2001-20.html">CA-2001-20</a>,
the intruders' efforts commonly focus on addresses known to be used by
home broadband connections.</p>

<h4>Recent developments</h4>

<p>The CERT/CC has recently received a number of reports of
exploitation of Null or weak <i>Administrator</i> passwords on systems
running Windows 2000 or Windows XP.  Thousands of systems have been
compromised in this manner.</p>

<p>Although the tools involved in these reports vary, they exhibit a
number of common traits, including</p>

<ul>

<li>scanning for systems listening on 445/tcp (frequently within the
same /16 network as the infected host)</li>

<li>exploiting Null or weak passwords to gain access to the <i>Administrator</i> account</li>

<li>opening backdoors for remote access</li>

<li>connecting back to Internet Relay Chat (IRC) servers to await additional commands from attackers</li>

<li>installing or supporting tools for use in distributed denial-of-service (DDoS) attacks</li>

</ul>

<p>Some of the tools reported have self-propagating (i.e., worm)
capabilities, while others are propagated via social engineering
techniques similar to those described in <a
href="http://www.cert.org/incident_notes/IN-2002-03.html">IN-2002-03:
Social Engineering Attacks via IRC and Instant Messaging</a>.</p>

<p>The network scanning associated with this activity is widespread
but appears to be especially concentrated in address ranges commonly
associated with home broadband users.  Using these techniques, many
attackers have built sizable networks of DDoS agents, each comprised
of thousands of compromised systems.</p>

<h4>W32/Deloder</h4>

<p>The self-propagating W32/Deloder malicious code is an example of
the intruder activity described above.  It begins by scanning the /16
(i.e., addresses with the same first two high-order octets) of the
infected host for systems listening on 445/tcp.  When a connection is
established, W32/Deloder attempts to compromise the
<i>Administrator</i> account by using a list of pre-loaded passwords.
Variants may include different or additional passwords, but reports to
the CERT/CC indicate that the following have appeared thus far:</p>

<pre>
[NULL]
0
000000
00000000
007
1
110
111
111111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
2002
2003
2600
54321
654321
88888888
Admin
Internet
Login
Password
a
aaa
abc
abc123
abcd
admin
admin123
administrator
alpha
asdf
computer
database
enable
foobar
god
godblessyou
home
ihavenopass
login
love
mypass
mypass123
mypc
mypc123
oracle
owner
pass
passwd
password
pat
patrick
pc
pw
pw123
pwd
qwer
root
secret
server
sex
super
sybase
temp
temp123
test
test123
win
xp
xxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
yxcv
zxcv
</pre>

<p>On successful compromise of the <i>Administrator</i> account,
W32/Deloder copies itself to the victim, placing multiple copies in
various locations on the system. Additionally, it adds a registry key
that will cause the automatic execution of <font
face=courier>dvldr32.exe</font> (one of the aforementioned copies).
The victim will begin scanning for other systems to infect after it is
restarted. </p>

<p>W32/Deloder opens up backdoors on the victim system to allow
attackers further access.  It does this in two ways:</p>

<ol>

<li>attempting to connect to one of a number of pre-configured IRC
servers</li>

<li>installing a copy of <a href="http://www.uk.research.att.com/vnc/">VNC</a> (Virtual Network Computing), an
open-source remote display tool from AT&amp;T, listening on 5800/tcp or 5900/tcp</li>

</ol>

<p>Note: VNC in and of itself is not a malicious tool, and has many other legitimate uses.</p>

<p>During the course of infection by W32/Deloder, a number of files may
be created on the system.  Reports indicate that files matching the
following descriptions have been found on compromised systems:</p>

<table border=1>
<tr>
  <td align="center"><b>Filename</b></td>
  <td align="center"><b>File Size (bytes)</b></td>
  <td align="center"><b>Description</b></td>
</tr>
<tr>
  <td><font face=courier>dvldr32.exe</font></td>
  <td align="center">745,984</td>
  <td>The self-propagating malicious code</td>
</tr>
<tr>
  <td><font face=courier>inst.exe</font></td>
  <td align="center">684,562</td>
  <td>This file installs the backdoor applications onto the victim host</td>
</tr>
<tr>
  <td><font face=courier>psexec.exe</font></td>
  <td align="center">36,352</td>
  <td>A copy of the Remote Process Launch application (not inherently malicious, but it is what allows the worm to replicate)</td>
</tr>
<tr>
  <td><font face=courier>explorer.exe</font></td>
  <td align="center">212,992</td>
  <td>A renamed copy of the VNC application</td>
</tr>
<tr>
  <td><font face=courier>omnithread_rt.dll</font></td>
  <td align="center">57,344</td>
  <td>VNC dependency file</td>
</tr>
<tr>
  <td><font face=courier>VNCHooks.dll</font></td>
  <td align="center">32,768</td>
  <td>VNC dependency file</td>
</tr>
<tr>
  <td><font face=courier>rundll32.exe</font></td>
  <td align="center">29,336</td>
  <td>The IRC-Pitchfork bot application</td>
</tr>
<tr>
  <td><font face=courier>cygwin1.dll</font></td>
  <td align="center">944,968</td>
  <td>IRC-Pitchfork dependency file</td>
</tr>
</table>

<h4>GT-bot and sdbot</h4>

<p>Intruders frequently use IRC "bots" (automated software that accepts
commands via IRC channels) to remotely control
compromised systems.  GT-bot and sdbot are two examples of
intruder-developed IRC bots.  Both support automated scanning and
exploitation of inadequately protected Windows shares.  These tools
also offer intruders a variety of DDoS capabilities, including the
ability to generate ICMP, UDP, or TCP traffic.</p>

<p>Tools like these are undergoing constant development in the
intruder community and are frequently included as part of other
tools. As a result, the names, sizes, and other characteristics of
the files that might contain these tools vary widely.  Furthermore,
once installed, the tools are designed to hide themselves fairly well,
so detection may be difficult.</p>

<p>The CERT/CC has received reports of sdbot networks as large as
7,000 systems, and GT-bot networks in excess of 140,000 systems.</p>

<h4>W32/Slackor</h4>

<p>The W32/Slackor worm is another example of a tool that
targets file shares.  On a compromised
machine, the worm begins by scanning the /16 of the infected
host for other systems listening on 445/tcp.  When a system
is discovered, W32/Slackor connects to the IPC$ share using
a set of pre-programmed usernames and passwords, copies itself
to the <font face=courier>C:\sp</font> directory, and runs its
payload.  The payload consists of the following files:
</p>

<table border=1>
<tr>
  <td align="center"><b>Filename</b></td>
  <td align="center"><b>Description</b></td>
</tr>
<tr>
  <td><font face=courier>slacke-worm.exe</font></td>
  <td>The self-propagating malicious code</td>
</tr>
<tr>
  <td><font face=courier>abc.bat</font></td>
  <td>List of usernames/passwords</td>
</tr>
<tr>
  <td><font face=courier>psexec.exe</font></td>
  <td>A copy of the Remote Process Launch application (from sysinternals.com, used for replicating the worm)</td>
</tr>
<tr>
  <td><font face=courier>main.exe</font></td>
  <td>The bot application</td>
</tr>
</table>

<p>W32/Slackor also contains an IRC bot.  When this bot joins its IRC
network, a remote intruder controlling the IRC channel can issue
arbitrary commands on the compromised computer, including launching
denial-of-service attacks.</p>


<h4>Network footprint</h4>

<p>Widespread scanning for 445/tcp indicates activity of this type.
Compromised hosts may also have unauthorized connections to IRC
servers (typically on 6667/tcp, although ports may vary).
Additionally, the VNC package installed by W32/Deloder will typically
listen on 5800/tcp or 5900/tcp. If a compromised system is used in a DDoS
attack on another site, large volumes of IP traffic (ICMP, UDP, or
TCP) may be detected emanating from the compromised system.</p>
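<p>The traits listed under "Recent developments" and the network footprint above translate directly into detection logic. The following script is an added example, not part of the CERT/CC advisory: it reads a constructed connection log (the addresses and records are made up for illustration) and flags hosts that probe 445/tcp across many peers in their own /16, connect out to an IRC port, or accept inbound connections on the VNC ports W32/Deloder installs. The five-target threshold and the single-line log format are this example's own assumptions.</p>

```python
import ipaddress
from collections import defaultdict

# Constructed sample connection log (not from the advisory): one record per
# connection attempt, "src dst dport proto". 10.1.2.3 plays the role of a
# compromised host: it probes 445/tcp across its own /16 and one outside
# address, talks to an IRC server, and accepts an inbound VNC connection.
# 10.1.9.9 is ordinary file-share use and should not be flagged.
SAMPLE_LOG = """\
10.1.2.3      10.1.7.10      445  tcp
10.1.2.3      10.1.7.11      445  tcp
10.1.2.3      10.1.7.12      445  tcp
10.1.2.3      10.1.7.13      445  tcp
10.1.2.3      10.1.7.14      445  tcp
10.1.2.3      10.1.7.15      445  tcp
10.1.2.3      10.2.0.5       445  tcp
10.1.2.3      198.51.100.7   6667 tcp
203.0.113.9   10.1.2.3       5900 tcp
10.1.9.9      10.1.9.20      445  tcp
10.1.9.9      10.1.9.20      139  tcp
"""

SMB_PORT = 445            # SMB directly over TCP/IP (Windows 2000/XP)
IRC_PORTS = {6667}        # typical IRC port; the advisory notes it may vary
VNC_PORTS = {5800, 5900}  # ports used by the VNC copy W32/Deloder installs


def parse_log(text):
    """Parse whitespace-separated records into (src, dst, dport, proto) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(dport), proto.lower()))
    return flows


def in_same_slash16(a, b):
    """True when both addresses share their first two octets (the /16 the worms sweep)."""
    return (ipaddress.ip_network(f"{a}/16", strict=False)
            == ipaddress.ip_network(f"{b}/16", strict=False))


def find_smb_scanners(flows, min_targets=5):
    """Sources that probed 445/tcp on at least min_targets distinct hosts.

    Returns {src: {"targets": n, "same_slash16": m}}; a high same_slash16
    count matches the /16 sweep described for W32/Deloder and W32/Slackor.
    """
    targets = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == SMB_PORT:
            targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            local = sum(1 for d in dsts if in_same_slash16(src, d))
            report[str(src)] = {"targets": len(dsts), "same_slash16": local}
    return report


def find_irc_clients(flows):
    """Hosts that opened connections to IRC ports (possible bot command channel)."""
    return sorted({str(src) for src, _, dport, proto in flows
                   if proto == "tcp" and dport in IRC_PORTS})


def find_vnc_listeners(flows):
    """Hosts that accepted inbound connections on the VNC ports."""
    return sorted({str(dst) for _, dst, dport, proto in flows
                   if proto == "tcp" and dport in VNC_PORTS})


def triage(text, min_targets=5):
    """Run all three checks and return hosts matching more than one indicator."""
    flows = parse_log(text)
    scanners = find_smb_scanners(flows, min_targets)
    irc = set(find_irc_clients(flows))
    vnc = set(find_vnc_listeners(flows))
    suspects = {}
    for host in set(scanners) | irc | vnc:
        indicators = []
        if host in scanners:
            indicators.append("smb-scan")
        if host in irc:
            indicators.append("irc")
        if host in vnc:
            indicators.append("vnc")
        if len(indicators) > 1:
            suspects[host] = indicators
    return suspects


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("445/tcp scanners:", find_smb_scanners(flows))
    print("IRC clients:", find_irc_clients(flows))
    print("VNC listeners:", find_vnc_listeners(flows))
    print("Multi-indicator hosts:", triage(SAMPLE_LOG))
```

<p>A single 445/tcp connection is normal on a Windows network, which is why the scanner check counts distinct destinations per source rather than raw connection volume; the same_slash16 figure separates the worm's local sweep from a host that legitimately reaches a handful of file servers. Any host that trips two or more indicators warrants the recovery steps in Section III.</p>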


<br>
<a name="impact"></a>

<h2>II. Impact</h2>

<p>The presence of any of these tools on a system indicates that the
<i>Administrator</i> password has likely been compromised, and the
entire system is therefore suspect. With this level of access, intruders may</p>

<ul>
<li>exercise remote control</li>
<li>expose confidential data</li>
<li>install other malicious software</li>
<li>change files</li>
<li>delete files</li>
<li>launch attacks against other sites</li>
</ul>

<p>The scanning activities of these tools may generate high volumes of
445/tcp traffic.  As a result, some Internet-connected hosts or networks
with compromised hosts may experience
performance issues (including denial-of-service conditions).</p>

<p>Sites targeted by the DDoS agents installed by this activity may
experience unusually heavy traffic volumes or high packet rates,
resulting in degradation of services or loss of connectivity
altogether.</p>


<br>
<a name="solution"></a>
<h2>III. Solution</h2>

<p>In addition to following the steps outlined in this section, the
CERT/CC encourages home users to review the "<A HREF="http://www.cert.org/tech_tips/home_networks.html">Home Network Security</a>"
and "<a href="http://www.cert.org/homeusers/HomeComputerSecurity/">Home Computer Security</a>" documents.</p>

<h5>Disable or secure file shares</h5>

<p>Best practice dictates a policy of least privilege; if a 
given computer is not intended to be a server (i.e., share
files with others), "File and Printer Sharing for Microsoft
Networks" should be disabled.
</p>

<p>For computers that export shares, ensure that 
user authentication is required and that each account has
a well-chosen password.  Furthermore, consider using a firewall
to control which computer can access these shares.
</p>

<p>By default, Windows NT, 2000, and XP create certain hidden and
administrative shares.  See the 
<A HREF="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech">
HOW TO: Create and Delete Hidden or Administrative Shares on Client Computers
</a> for further guidelines on managing these shares.

</p>

<h5>Use strong passwords</h5>

<p>The various tools described above exploit the use of weak or Null
passwords in order to propagate, so using strong
passwords can help keep them from infecting your systems.
</p>

<p>Microsoft has posted a "<a href="http://www.microsoft.com/security/articles/password.asp">Create Strong Passwords</a>" checklist.</p>
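<p>The W32/Deloder password list in Section I shows what "weak" means in practice: empty, all-digit, keyboard-row, and dictionary-word passwords, sometimes with a few digits appended. The checker below is an added example, not code from the CERT/CC or Microsoft: it embeds that list as a deny-list and adds a few heuristics of its own (a 12-character minimum, three character classes, no four-character keyboard runs, and stripping leading or trailing digits and punctuation so that a variant such as a listed word with a year appended is still rejected). Those heuristics and the reason codes it returns are this example's assumptions, not policy stated in the advisory.</p>

```python
import re

# The W32/Deloder password list from this advisory ([NULL] is the empty
# password and is handled separately below).
DELODER_LIST = """
0 000000 00000000 007 1 110 111 111111 11111111 12 121212 123 123123 1234
12345 123456 1234567 12345678 123456789 1234qwer 123abc 123asd 123qwe 2002
2003 2600 54321 654321 88888888 Admin Internet Login Password a aaa abc
abc123 abcd admin admin123 administrator alpha asdf computer database enable
foobar god godblessyou home ihavenopass login love mypass mypass123 mypc
mypc123 oracle owner pass passwd password pat patrick pc pw pw123 pwd qwer
root secret server sex super sybase temp temp123 test test123 win xp xxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yxcv zxcv
"""
KNOWN_WEAK = {w.lower() for w in DELODER_LIST.split()}

# Heuristics below (keyboard rows, base-word stripping, minimum length) are
# this example's own assumptions, not rules stated in the advisory.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz")


def has_keyboard_run(pw, length=4):
    """True if any run of `length` characters is a slice of a keyboard row."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if any(chunk in row for row in KEYBOARD_ROWS):
            return True
    return False


def base_word(pw):
    """Strip leading/trailing digits and punctuation: 'Password2003!' -> 'password'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw).lower()


def character_classes(pw):
    """Count of lower, upper, digit and symbol classes present (0-4)."""
    return sum([any(c.islower() for c in pw),
                any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)])


def check_password(pw, min_length=12):
    """Return the list of policy failures for pw; an empty list means acceptable."""
    if pw == "":
        return ["null-password"]
    problems = []
    if pw.lower() in KNOWN_WEAK:
        problems.append("known-weak")
    elif base_word(pw) in KNOWN_WEAK:
        problems.append("derived-from-known-weak")
    if len(pw) < min_length:
        problems.append("too-short")
    if character_classes(pw) < 3:
        problems.append("too-few-classes")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("repeated-character")
    if has_keyboard_run(pw):
        problems.append("keyboard-run")
    return problems


if __name__ == "__main__":
    # Constructed candidates, from the advisory's list to an acceptable passphrase.
    for candidate in ["", "123456", "Password2003!", "Tr0ub4dor&3-violet-lamp"]:
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

<p>The deny-list alone is not enough: a simple scan of the list shows that nearly every entry is also either shorter than twelve characters, drawn from a single character class, or a keyboard run, so the structural checks catch the next variant a worm author adds before it appears on any list.</p>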


<H5>Run and maintain an anti-virus product</H5>

<P>The malicious code being distributed in these attacks is under
continuous development by intruders, but most anti-virus software
vendors release frequently updated information, tools, or virus
databases to help detect and recover from the malicious code involved
in this activity.  Therefore, it is important that users keep 
their anti-virus software up to date.  The CERT/CC maintains a partial
list of <A HREF="http://www.cert.org/other_sources/viruses.html#VI">anti-virus vendors</A>.</P>

<P>Many anti-virus packages support automatic updates of virus definitions.
The CERT/CC recommends using these automatic updates when available.</P>


<H5>Do not run programs of unknown origin</H5>

<P>Never download, install, or run a program unless you know it to be
authored by a person or company that you trust.  Users of IRC, Instant
Messaging (IM), and file-sharing services should be particularly wary
of following links or running software sent to them by other users, as
this is a commonly used method among intruders attempting to build
networks of DDoS agents.</P>

<H5>Deploy a firewall</H5>

<p>The CERT/CC also recommends using a firewall product, such as a
network appliance or a personal firewall software package.  In some
situations, these products may be able to alert users to the fact that
their machine has been compromised.  Furthermore, they have the
ability to block intruders from accessing backdoors over the network.
However, no firewall can detect or stop all attacks, so it is
important to continue to follow safe computing practices.</p>

<h5>Ingress/egress filtering</h5>

<p>Ingress filtering manages the flow of traffic as it enters a
network under your administrative control.  In the network usage
policy of many sites, external hosts are only permitted to initiate
inbound traffic to machines that provide public services on specific
ports. Thus, ingress filtering should be performed at the border to
prohibit externally initiated inbound traffic to non-authorized
services.</p>

<p>Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need for
internal systems to access SMB shares across the Internet.</p>

<p>In the case of the intruder activity described above, blocking
connections to port 445/tcp from entering or leaving your network
reduces the risk of external infected systems attacking hosts inside
your network or vice-versa.</p>

<h5>Recovering from a system compromise</h5>

<p>If you believe a system under your administrative control has been
compromised, please follow the steps outlined in</p>

<dl><dd><a
href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps
for Recovering from a UNIX or NT System Compromise</a></dd></dl>

<br>
<a name="references"></a>
<h2>IV. References</h2>

<ol>

<li>Trends in Denial of Service Attack Technology: 
<A HREF="http://www.cert.org/archive/pdf/DoS_trends.pdf">http://www.cert.org/archive/pdf/DoS_trends.pdf</A></li>

<li>Managing the Threat of Denial-of-Service Attacks: 
<A HREF="http://www.cert.org/archive/pdf/Managing_DoS.pdf">http://www.cert.org/archive/pdf/Managing_DoS.pdf</A></li>

<li>IN-2002-06: W32/Lioten Malicious Code: <a href="http://www.cert.org/incident_notes/IN-2002-06.html">http://www.cert.org/incident_notes/IN-2002-06.html</a></li>

<li>CA-2001-20: Continuing Threats to Home Users: <a href="http://www.cert.org/advisories/CA-2001-20.html">http://www.cert.org/advisories/CA-2001-20.html</a></li>

<li>IN-2000-02: Exploitation of Unprotected Windows Networking Shares: <a href="http://www.cert.org/incident_notes/IN-2000-02.html">http://www.cert.org/incident_notes/IN-2000-02.html</a></li>

<li>IN-2000-03: 911 Worm: <a href="http://www.cert.org/incident_notes/IN-2000-03.html">http://www.cert.org/incident_notes/IN-2000-03.html</a></li>

<li>IN-2002-03:
Social Engineering Attacks via IRC and Instant Messaging: <a href="http://www.cert.org/incident_notes/IN-2002-03.html">http://www.cert.org/incident_notes/IN-2002-03.html</a></li>

<li>VNC (Virtual Network Computing): <a href="http://www.uk.research.att.com/vnc/">http://www.uk.research.att.com/vnc/</a></li> 

<li>Home Network Security: 
<A HREF="http://www.cert.org/tech_tips/home_networks.html">http://www.cert.org/tech_tips/home_networks.html</A>
</li>

<li>Home Computer Security: 
<a href="http://www.cert.org/homeusers/HomeComputerSecurity/">http://www.cert.org/homeusers/HomeComputerSecurity/</a></li>


<li>HOW TO: Create and Delete Hidden or Administrative Shares on Client Computers: <A HREF="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech">http://support.microsoft.com/default.aspx?scid=kb;en-us;Q314984&sd=tech</a></li>

<li>Checklist: Create Strong Passwords: <a href="http://www.microsoft.com/security/articles/password.asp">http://www.microsoft.com/security/articles/password.asp</a></li>

<li>Anti-virus vendors: <A HREF="http://www.cert.org/other_sources/viruses.html#VI">http://www.cert.org/other_sources/viruses.html#VI</a></li>

<li>Steps for Recovering from a UNIX or NT System Compromise: <a
href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">http://www.cert.org/tech_tips/win-UNIX-system_compromise.html</a></li>

</ol>

<h2>Reporting</h2>

<p>The CERT/CC is interested in receiving reports of this activity. If
machines under your administrative control are compromised, please
send mail to <a href="mailto:cert@cert.org?subject=CA-2003-08%20Feedback%20%5BCERT%2336888%5D">cert@cert.org</a> with the following text included in the
subject line: "<a href="mailto:cert@cert.org?subject=CA-2003-08%20Feedback%20%5BCERT%2336888%5D">[CERT#36888]</a>".</p>


<hr noshade="noshade">

<p>Feedback can be directed to the authors: <a href="mailto:cert@cert.org?subject=CA-2003-08%20Feedback%20%5BCERT%2336888%5D">Allen Householder and Roman Danyliw</a>

</p>



<p>Copyright 2003 Carnegie Mellon University.</p>

<p>Revision History

</p><pre>
March 11, 2003:  Initial release
</pre>