The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>W32/Lioten Malicious Code</h2>

<p>Release Date: December 17, 2002</p>
<a name="systems"></a>
<h4>Systems Affected</h4>
<p>Systems running Microsoft Windows 2000</p>
<a name="overview"></a>
<h3>Overview</h3>
<p>The CERT/CC has received reports of self-propagating malicious code
known as W32/Lioten affecting systems running Windows 2000.  This
malicious code exploits weak or null passwords in order to propagate.
Reports to date indicate that thousands of systems are scanning in a
manner consistent with W32/Lioten's known behavior.  Various sources
have referred to this malicious code as <font face="monospace">IraqiWorm</font> and <font face="monospace">iraqi_oil.exe</font>.</p>
<a name="description"></a>
<h3>I. Description</h3>
<p>W32/Lioten scans for hosts listening on 445/tcp (SMB over TCP). When it finds a responsive potential
victim, it establishes a null session (an anonymous SMB session) and retrieves (enumerates) the
list of user accounts on the victim system.  For each account it
finds, it then attempts a short list of trivial passwords:

<dl>
<dd>[NULL]<br/>
<font face="monospace">server<br/>
!@#$%^&amp;*<br/>
!@#$%^&amp;<br/>
!@#$%^<br/>
!@#$%<br/>
asdfgh<br/>
asdf<br/>
!@#$<br/>
654321<br/>
123456<br/>
1234<br/>
123<br/>
111<br/>
root<br/>
admin</font><br/>
</dd>
</dl>

On success, it copies itself to the victim system as <font face="monospace">iraqi_oil.exe</font> and uses the Task Scheduler (via
<font face="monospace">at</font>) to run the copy a few minutes later.  The presence of the <font face="monospace">iraqi_oil.exe</font> file,
an unexpected <font face="monospace">at</font> job, and outbound scanning for 445/tcp are therefore symptoms of compromise. </p>
<p>Additional analysis of W32/Lioten can be found at <a href="http://www.mynetwatchman.com/kb/security/articles/iraqiworm/">MyNetWatchman.com</a>.
</p>
<p>Reports to the CERT/CC indicate that attackers are monitoring for
systems infected with W32/Lioten and further exploiting them via other
tools for use in distributed denial-of-service (DDoS) attacks.</p>
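<p>The scanning behaviour described above is the easiest infection symptom to spot from the network side. The following is an added example (not part of the original CERT/CC note) that runs a detection rule over a constructed firewall log: it flags any source that contacts at least a threshold number of distinct hosts on 445/tcp inside a short window, which is what a W32/Lioten sweep looks like, while ignoring a legitimate client that reconnects repeatedly to a single file server. The log layout, the addresses and the thresholds are assumptions chosen for the example.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/flow log in a generic
# "timestamp src dst proto dport action" layout (invented data, not real
# captures). 10.1.1.5 sweeps eight hosts on 445/tcp within a few seconds,
# the pattern W32/Lioten produces; 10.1.1.20 is an ordinary client talking
# to a single file server; the last line is unrelated 80/tcp traffic.
SAMPLE_LOG = """\
2002-12-17T10:00:01 10.1.1.5  10.1.2.1  tcp 445 DROP
2002-12-17T10:00:01 10.1.1.5  10.1.2.2  tcp 445 DROP
2002-12-17T10:00:02 10.1.1.5  10.1.2.3  tcp 445 DROP
2002-12-17T10:00:02 10.1.1.5  10.1.2.4  tcp 445 ACCEPT
2002-12-17T10:00:03 10.1.1.5  10.1.2.5  tcp 445 DROP
2002-12-17T10:00:03 10.1.1.5  10.1.2.6  tcp 445 DROP
2002-12-17T10:00:04 10.1.1.5  10.1.2.7  tcp 445 DROP
2002-12-17T10:00:04 10.1.1.5  10.1.2.8  tcp 445 DROP
2002-12-17T10:00:05 10.1.1.20 10.1.2.50 tcp 445 ACCEPT
2002-12-17T10:00:20 10.1.1.20 10.1.2.50 tcp 445 ACCEPT
2002-12-17T10:00:35 10.1.1.20 10.1.2.50 tcp 445 ACCEPT
2002-12-17T10:00:50 10.1.1.20 10.1.2.50 tcp 445 ACCEPT
2002-12-17T10:00:51 10.1.1.20 10.1.2.60 tcp 80  ACCEPT
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>\w+)\s+(?P<dport>\d+)\s+(?P<action>\w+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"].lower(),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_scanners(log_text, port=445, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: peak} for every source that contacted at least
    `min_targets` distinct hosts on tcp/`port` inside some `window`-long
    interval; `peak` is the largest such count.  Counting distinct
    destinations rather than packets is what separates a sweep from a busy
    but legitimate client reconnecting to one file server.  Dropped and
    accepted attempts both count: a scanner probes whether or not the
    target answers."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):
            # Distinct targets inside the window that opens at this event.
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_LOG).items()):
        print(f"{src}: {n} distinct 445/tcp targets within 60s; check the host for iraqi_oil.exe")
```

<p>On the sample, only 10.1.1.5 is reported (eight distinct targets in four seconds); the client 10.1.1.20 makes four connections but to one host, so it stays below the distinct-target threshold. Tune <font face="monospace">min_targets</font> and <font face="monospace">window</font> to the size of your address space: on a /24 a worm sweeping sequential addresses will cross a threshold of five within seconds.</p>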
<a name="impact"></a>
<h3>II. Impact</h3>
<p>Systems infected by W32/Lioten scan for 445/tcp. By watching for
this scanning activity, attackers are able to easily identify targets
with weak passwords and can subsequently compromise those systems for
use in other attacks.</p>
<p>Additionally, as with other self-propagating malicious code,
W32/Lioten may cause denial-of-service conditions in networks where
multiple systems are affected.</p>
<a name="solution"></a>
<h3>III. Solution</h3>
<h4>Restrict or disable null sessions</h4>
<p>Depending on the services your systems are required to provide, it
may be possible for you to restrict or disable anonymous null sessions
on your Windows 2000 hosts.  This is controlled by a value under the <font face="monospace">HKLM\SYSTEM\CurrentControlSet\Control\LSA</font> key:

<dl>
<dd>Value: <font face="monospace">RestrictAnonymous</font></dd>
<dd>Value Type: <font face="monospace">REG_DWORD</font></dd>
<dd>Value Data: <font face="monospace">0x1</font> or <font face="monospace">0x2</font> (Hex)</dd>
</dl>

According to <a href="http://support.microsoft.com/default.aspx?scid=KB;en-us;q246261">Microsoft
Knowledge Base Article Q246261</a>, this value can be set as follows:

<dl>
<dd><font face="monospace">0x0</font> = None. Rely on default permissions</dd>
<dd><font face="monospace">0x1</font> = Do not allow enumeration of
SAM accounts and names</dd>
<dd><font face="monospace">0x2</font> = No access without explicit
anonymous permissions</dd>
</dl>

Note that this configuration could cause problems in certain network
environments.  The CERT/CC encourages you to review <a href="http://support.microsoft.com/default.aspx?scid=KB;en-us;q246261">Microsoft
Knowledge Base Article Q246261</a> before making any of these changes
to your system(s).

</p>
<p>Windows XP sets the separate <font face="monospace">RestrictAnonymousSAM</font> value (under the same <font face="monospace">LSA</font> key) to <font face="monospace">0x1</font> by default.  Therefore, unless this
setting has been altered by the system administrator, W32/Lioten
should not be able to retrieve the account list via a null session on
Windows XP systems.</p>
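<p>To audit a fleet for this setting without logging on to each console, export the <font face="monospace">LSA</font> key and evaluate the export. The following is an added example (not part of the original CERT/CC note) that parses <font face="monospace">.reg</font> export text, applies the rule above (<font face="monospace">RestrictAnonymous</font> of 1 or 2, or <font face="monospace">RestrictAnonymousSAM</font> of 1, blocks null-session account enumeration) and emits a fragment that applies the hardened setting. The sample exports, the collection command and the treatment of an absent value as 0 are assumptions made for the example.</p>

```python
import re

# Constructed `reg export` output for the LSA key (invented samples, not taken
# from a real host).  Assumed collection command on the host being audited:
#   reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg
# The MSV1_0 subkey appears because `reg export` recurses into subkeys; the
# parser must not pick values up from there.
WEAK_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0]
"""

HARDENED_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000001
"""

XP_DEFAULT_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"RestrictAnonymous"=dword:00000000
"RestrictAnonymousSAM"=dword:00000001
"""

LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{1,8})\s*$')


def parse_lsa_dwords(reg_text):
    """Return {value_name_lowercased: int} for the REG_DWORD values that sit
    directly under the Lsa key in a .reg export.  Registry names are
    case-insensitive, so they are normalised to lower case."""
    values = {}
    in_lsa = False
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            in_lsa = m["key"].lower() == LSA_KEY
            continue
        if in_lsa:
            d = DWORD_RE.match(line)
            if d:
                values[d["name"].lower()] = int(d["hex"], 16)
    return values


def anonymous_sam_enumeration_blocked(values):
    """The advisory's rule: RestrictAnonymous 1 or 2 stops a null session
    from enumerating SAM accounts on Windows 2000, and on Windows XP the
    separate RestrictAnonymousSAM=1 (the XP default) does the same.  An
    absent value is treated as 0, i.e. enumeration allowed (assumption)."""
    return values.get("restrictanonymous", 0) >= 1 or values.get("restrictanonymoussam", 0) == 1


def hardening_fragment(level=1):
    """Return a .reg fragment setting RestrictAnonymous to 1 or 2, suitable
    for `reg import` or regedit on the host to be fixed."""
    if level not in (1, 2):
        raise ValueError("RestrictAnonymous must be 1 or 2")
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
        f'"RestrictAnonymous"=dword:{level:08x}\n'
    )


if __name__ == "__main__":
    samples = (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT), ("xp default", XP_DEFAULT_EXPORT))
    for label, text in samples:
        vals = parse_lsa_dwords(text)
        print(f"{label:10s} {vals} -> enumeration blocked: {anonymous_sam_enumeration_blocked(vals)}")
    print(hardening_fragment(1))
```

<p>Real <font face="monospace">reg export</font> files are written as UTF-16 with a byte-order mark, so read them with <font face="monospace">open(path, encoding="utf-16")</font> before passing the text in. Choose between 1 and 2 for the fragment after reading Q246261: 2 also removes anonymous access that some domain and browser-service configurations rely on.</p>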
<h4>Require strong passwords</h4>
<p>Because W32/Lioten propagates only by guessing weak or null passwords
on the accounts it enumerates, requiring strong passwords on every local
account (including administrative and service accounts) can keep it
from infecting your systems.</p>
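<p>A password policy is only useful if it actually rejects the guesses the worm makes. The following is an added example (not part of the original CERT/CC note) of an audit routine that checks a set of account passwords against the list W32/Lioten tries, together with a three-of-four character-class rule of the kind Windows enforces under "complexity requirements". The minimum length, the account-name check and the sample accounts are this example's own assumptions.</p>

```python
import re

# The passwords W32/Lioten tries, as listed in the advisory; "" is the null
# password it tries first.
LIOTEN_PASSWORDS = {
    "", "server", "!@#$%^&*", "!@#$%^&", "!@#$%^", "!@#$%", "asdfgh", "asdf",
    "!@#$", "654321", "123456", "1234", "123", "111", "root", "admin",
}

CHARACTER_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_problems(username, password, min_length=8):
    """Return the reasons a password fails the policy (an empty list means it
    passes).  The three-of-four character-class rule is the usual Windows
    "complexity requirements" check; the minimum length, the account-name test
    and the worm dictionary are this example's own choices (assumptions)."""
    problems = []
    if password == "":
        problems.append("null password")
    if password.lower() in LIOTEN_PASSWORDS:
        problems.append("in W32/Lioten's guess list")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def audit(accounts):
    """accounts is {username: password}; returns {username: problems} for the
    accounts that fail, so an empty dict means there is nothing on the host
    for W32/Lioten to guess."""
    report = {}
    for user, pw in accounts.items():
        problems = password_problems(user, pw)
        if problems:
            report[user] = problems
    return report


# Constructed sample accounts (invented, not real credentials).
SAMPLE_ACCOUNTS = {
    "Administrator": "",
    "backup": "!@#$%^&*",
    "jsmith": "jsmith2002",
    "svc_sql": "Correct-Horse-7",
}

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

<p>Note that <font face="monospace">!@#$%^&amp;*</font> is eight characters of symbols, so a naive "contains special characters" rule would accept it; the character-class rule rejects it as a single-class keyboard walk, and the dictionary check catches it regardless of length.</p>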
<h4>Ingress/egress filtering</h4>
<p>Ingress filtering manages the flow of traffic as it enters a
network under your administrative control.  In the network usage
policy of many sites, external hosts are only permitted to initiate
inbound traffic to machines that provide public services on specific
ports. Thus, ingress filtering should be performed at the border to
prohibit externally initiated inbound traffic to non-authorized
services.</p>
<p>Egress filtering manages the flow of traffic as it leaves a network
under your administrative control. There is typically limited need for
internal systems to access NetBIOS shares across the Internet. </p>
<p>In the case of W32/Lioten, blocking connections to port 445/tcp
from entering or leaving your network reduces the risk of external
infected systems attacking hosts inside your network or
vice-versa.</p>
<hr noshade="" width="100%"/>
<p><b>Author</b>: Allen D. Householder</p>
<p>Copyright 2002 Carnegie Mellon University.</p>