Read about the latest developments in security every month in Security Watch
INCREASED ACTIVITY TARGETING WINDOWS SHARES
Recently, an increase in the number of reports of systems running Windows 2000 and XP compromised due to poorly protected file shares has been observed.
Description
Intruder activity involving the exploitation of Null (i.e., non-existent) or weak Administrator passwords on Server Message Block (SMB) file shares used on systems running Windows 2000 or Windows XP has been reported. This activity has resulted in the successful compromise of thousands of systems, with home broadband users' systems being a prime target. Examples of such activity are the attack tools known as W32/Deloder, GT-bot, sdbot, and W32/Slackor.
Systems Affected
- Microsoft Windows 2000
- Microsoft Windows XP
Background
Microsoft Windows uses the SMB protocol to share files and printer resources with other computers. In older versions of Windows (e.g., 95, 98, Me, and NT), SMB shares ran on NetBIOS over TCP/IP (NBT) on ports 137/tcp and udp, 138/udp, and 139/tcp. However, in later versions of Windows (e.g., 2000 and XP), it is possible to run SMB directly over TCP/IP on port 445/tcp.
Windows file shares with poorly chosen or Null passwords have been a recurring security risk for both corporate networks and home users for some time.
It has often been the case that these poorly configured shares were exposed to the Internet. Intruders have been able to leverage poorly protected Windows shares by exploiting weak or Null passwords to access user-created and default administrative shares. This problem is exacerbated by another relevant trend: intruders specifically targeting Internet address ranges known to contain a high density of weakly protected systems. The intruders' efforts commonly focus on addresses known to be used by home broadband connections.
Although the tools involved in these reports vary, they exhibit a number of common traits, including:
- Scanning for systems listening on 445/tcp
- Exploiting Null or weak passwords to gain access to the Administrator account
- Opening backdoors for remote access
- Connecting back to Internet Relay Chat (IRC) servers to await additional commands from attackers
- Installing or supporting tools for use in distributed denial-of-service (DDoS) attacks
Some of the tools reported have self-propagating (i.e., worm) capabilities, while others are propagated via social engineering techniques such as those described in "Social Engineering Attacks via IRC and Instant Messaging."
The network scanning associated with this activity is widespread but appears to be especially concentrated in address ranges commonly associated with home broadband users. Using these techniques, many attackers have built sizable networks of DDoS agents, each comprised of thousands of compromised systems.
W32/Deloder
The self-propagating W32/Deloder malicious code is an example of the intruder activity described above. It begins by scanning the /16 (i.e., addresses with the same first two high-order octets) of the infected host for systems listening on 445/tcp. When a connection is established, W32/Deloder attempts to compromise the Administrator account by using a list of pre-loaded passwords.
On successful compromise of the Administrator account, W32/Deloder copies itself to the victim, placing multiple copies in various locations on the system. Additionally, it adds a registry key that will cause the automatic execution of dvldr32.exe (one of the aforementioned copies). The victim will begin scanning for other systems to infect after it is restarted.
W32/Deloder opens up backdoors on the victim system to allow attackers further access. It does this in two ways:
- Attempting to connect to one of a number of pre-configured IRC servers
- Installing a copy of VNC (Virtual Network Computing), an open-source remote display tool from AT&T, listening on 5800/5900/tcp
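The common trait of scanning for 445/tcp, and W32/Deloder's habit of sweeping the infected host's own /16, lend themselves to a simple network-side detection. The following is an added example (not code from the advisory or from any of the tools it names): it reads constructed firewall-style connection records and flags any source that contacts many distinct hosts on 445/tcp within a short window, reporting how much of that activity stayed inside the source's own /16. The log format, thresholds and addresses are all assumptions.

```python
"""Detect 445/tcp fan-out (the W32/Deloder sweep pattern) in connection logs.

Constructed record format (an assumption, not any product's real format):
    <epoch_seconds> <src_ip> <dst_ip> <dst_port>
"""
from collections import defaultdict
import ipaddress


def build_sample_log():
    """Constructed sample: 10.20.7.5 probes 30 hosts in its own 10.20.0.0/16
    on 445/tcp within one minute; 10.20.9.9 makes a few ordinary connections."""
    lines = [f"{1047772800 + i} 10.20.7.5 10.20.{i % 4}.{i + 1} 445"
             for i in range(30)]
    lines += ["1047772810 10.20.9.9 10.20.1.50 445",
              "1047772820 10.20.9.9 192.0.2.10 80",
              "1047772830 10.20.9.9 10.20.1.50 139"]
    return "\n".join(lines)


def detect_smb_sweeps(log_text, min_targets=20, window=60):
    """Return {src: (distinct_445_targets, fraction_in_own_slash16)} for every
    source that reaches at least `min_targets` distinct hosts on 445/tcp inside
    some `window`-second span. Both thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if int(port) == 445:
            by_src[src].append((int(ts), dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        own_net = ipaddress.ip_network(f"{src}/16", strict=False)
        best, best_inside = 0, 0
        # Slide a window starting at each event; count distinct destinations.
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) > best:
                best = len(targets)
                best_inside = sum(ipaddress.ip_address(d) in own_net
                                  for d in targets)
        if best >= min_targets:
            hits[src] = (best, best_inside / best)
    return hits


if __name__ == "__main__":
    for src, (count, inside) in detect_smb_sweeps(build_sample_log()).items():
        print(f"{src}: {count} distinct 445/tcp targets, {inside:.0%} in own /16")
```

A fraction near 1.0 distinguishes a worm walking its local /16 from, say, a backup server that legitimately reaches many file shares across several networks.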
BUFFER OVERFLOW IN CORE MICROSOFT WINDOWS DLL
A buffer overflow vulnerability exists in the Win32 API libraries shipped with all versions of Microsoft Windows 2000. This vulnerability, which is being actively exploited on WebDAV-enabled IIS 5.0 servers, will allow a remote attacker to execute arbitrary code on unpatched systems. Sites running Microsoft Windows 2000 should apply a patch or disable WebDAV services as soon as possible.
Description
Microsoft Windows 2000 (and possibly prior versions of Windows) contains a dynamic link library (DLL) named ntdll.dll. This DLL is a core operating system component used to interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.dll, which is utilized by many different components in the Windows operating system.
The WebDAV (RFC2518) component of Microsoft IIS 5.0 is an example of one Windows component that uses ntdll.dll. The IIS WebDAV component utilizes ntdll.dll when processing incoming WebDAV requests. By sending a WebDAV request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system.
Because the vulnerable Win32 API component is utilized by many other applications, it is possible other exploit vectors exist. However, we have only been told of systems compromised running IIS 5.0 with WebDAV enabled. Sites using Windows 2000 but not running IIS 5.0 with WebDAV need to carefully weigh the trade-offs before applying patches to systems where the core vulnerability exists.
Microsoft has issued the following bulletin regarding this vulnerability: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
Systems Affected
- Systems running Windows 2000
Impact
Any attacker who can reach a vulnerable web server can gain complete control of the system and execute arbitrary code in the Local System security context. Note that this may be significantly more serious than a simple "web defacement."
Solution/Patches
Apply a patch from your vendor
A patch is available from Microsoft at http://www.microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
Disable vulnerable service
Until a patch can be applied, you may wish to disable IIS: http://support.microsoft.com/default.aspx?scid=kb;en-us;321141
If you cannot disable IIS, consider using the IIS lockdown tool to disable WebDAV (removing WebDAV can be specified when running the IIS lockdown tool).
Restrict buffer size
If you cannot use the IIS lockdown tool, consider restricting the size of the buffer IIS utilizes to process requests by using Microsoft's URL Buffer Size Registry Tool. This tool can be run against a local or remote Windows 2000 system running Windows 2000 Service Pack 2 or Service Pack 3. The tool, instructions on how to use it, and instructions on how to manually make changes to the registry are available at:
URL Buffer Size Registry Tool - http://go.microsoft.com/fwlink/?LinkId=14875
You may also wish to use URLScan, which will block web requests that attempt to exploit this vulnerability. Information about URLScan is available at http://support.microsoft.com/default.aspx?scid=kb;[LN];326444
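The buffer-size and URLScan mitigations above both work by refusing oversized requests before IIS processes them. A site that cannot apply them immediately can at least look for such requests in its existing IIS logs. The following is an added example (not code from the advisory, Microsoft, or URLScan): it parses W3C extended log lines using the `#Fields:` directive and reports WebDAV-method requests (the RFC 2518 methods) whose URI exceeds a length limit. The 16 KB limit, the log sample and the addresses are constructed assumptions; it also assumes the logged URI was not truncated.

```python
"""Find oversized WebDAV requests in IIS W3C extended log lines."""

# Request methods defined by WebDAV (RFC 2518); GET/POST and friends are ignored.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}


def build_sample_log():
    """Constructed sample: a normal PROPFIND, a GET, and a SEARCH whose
    URI stem is 20001 bytes long. Addresses are documentation ranges."""
    long_stem = "/" + "A" * 20000
    return "\n".join([
        "#Software: Microsoft Internet Information Services 5.0",
        "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
        "2003-03-17 10:00:01 192.0.2.10 PROPFIND /docs/ - 207",
        "2003-03-17 10:00:02 192.0.2.11 GET /index.html - 200",
        f"2003-03-17 10:00:03 198.51.100.7 SEARCH {long_stem} - 500",
    ])


def parse_w3c(log_text):
    """Yield one dict per request line; the #Fields directive names the
    columns, so the parser follows whatever field order the server logged."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_oversized_webdav(log_text, max_uri_len=16384):
    """Return (client_ip, method, uri_length) for every WebDAV-method request
    whose stem plus query string is longer than max_uri_len (an assumed limit)."""
    findings = []
    for row in parse_w3c(log_text):
        method = row.get("cs-method", "")
        if method not in WEBDAV_METHODS:
            continue
        query = row.get("cs-uri-query", "-")          # "-" means no query string
        uri_len = len(row.get("cs-uri-stem", ""))
        if query != "-":
            uri_len += len(query) + 1                  # account for the "?"
        if uri_len > max_uri_len:
            findings.append((row["c-ip"], method, uri_len))
    return findings


if __name__ == "__main__":
    for ip, method, length in find_oversized_webdav(build_sample_log()):
        print(f"{ip} sent {method} with a {length}-byte URI")
```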