I caught the Dnet worm

RC5Bri

Senior member
Dec 24, 2000
Well, I caught the Dnet worm last night after about half an hour of cracking for bymer. It was a matter of coincidence that I noticed it. I rebooted my machine, and it immediately triggered dial-up networking. So I checked the start-up folder (nothing), then checked msconfig and found it. Then I went to the registry, and c:\windows\system, and there were all the files. I checked my log file, and saw that my dnet client was killed about 20 minutes earlier. So I downloaded the wormfree utility from dnet and everything is fine.

The utility told me that I had my c:\ shared over tcp/ip for the dial-up adapter :(. It was that darn Internet Connection Sharing that winME did. I think/hope that the virus was the only thing that was modified on my computer! Well, I have learned my lesson :eek: So if you ever see DUN triggered automatically after reboot, the virus might be the problem.
 

Kilowatt

Golden Member
Oct 9, 1999
You should never bind "file and print sharing" to your dialup adapter(s).

Only to your nic that's hooked to your internal network.
You'd be surprised how many people have it set up to share over the internet. :disgust:

I'm glad you got it taken care of. :)
 

Russ

Lifer
Oct 9, 1999
dkappos,

The key thing is to make sure that Client for Microsoft Networks or Windows Logon are not bound to TCP/IP. As a matter of fact, I don't have them bound to any protocol on my network.

Anybody who'd like to check this stuff should try Shield's Up! This site also has quite a few tips for security on Windows machines.

Russ, NCNE
 

Eug

Lifer
Mar 11, 2000
I'm told I'm pretty safe, but not 100% safe:

I'm behind a router. I do file share, but using NetBeui not TCP/IP. I run Norton Internet Security.

Any comments? I'm wondering if running NIS is overkill for my home network, although it does prevent unauthorized outbound stuff.

From Shield's Up on my internal IP:

<< All this is significant to you and the security of your machine having the IP address shown above because all such addresses are, by design, "unreachable" from the external "public" internet. IP Agent has notified the server that it's residing in a machine with this address, but there is no way for the server, or anyone outside of your own network, to reach you. Those addresses are simply "undefined" within the Internet's routing tables.

In other words: Your computer is very secure against typical threats and discovery from passing Internet scanners.
>>



From Shield's Up on my router's IP:

<< All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet. >>



I guess NIS can't hurt though.
 

BoberFett

Lifer
Oct 9, 1999
Eug

If you're behind a router, you're almost completely safe. I say almost because there really is no such thing as invulnerable. :) For a computer to be C2 certified (think Pentagon security levels :)) I don't think your computer can even have a NIC or removable drive installed. :p

Anyway, I took NetBEUI off my home LAN and run TCP only, and I even have it bound to file sharing. I have no qualms about doing this because of the fact that I run a router. I don't run any servers on my home LAN, I have no port forwarding enabled. No IP traffic from the WAN side will ever be routed to the LAN, so in theory it's impossible for me to be hacked. Heck, just the mere act of using one of the reserved, non-routable IP blocks (10.x.x.x, 192.168.x.x, etc.) for your machines makes hacking nearly impossible. If you do that, the person hacking you would have to be on your subnet.
 

Robor

Elite Member
Oct 9, 1999
BoberFett: When you say you don't have any ports forwarded do you mean that doing so would leave you open to attack? For instance, if I've got port xxxx forwarded for Napster and port xxxx forwarded for hosting Unreal matches, am I vulnerable to attack? I used to host an FTP server (not on port 21) for a while but I haven't done that in a while because it's a PITA. I'm using a Linksys Cable/DSL router and my internal LAN is 192.168.1.x of course.

Thanks!

Rob
 

BoberFett

Lifer
Oct 9, 1999
Yep, you are open to attack.

But that doesn't mean you need to panic and shut everything down, just be aware of the risks.

We'll use the UT port as an example. When an incoming packet hits your router on port [UTport], your router doesn't think about it, it simply forwards that packet to the specified computer which is your UT server. At that point, all security lies in UT's hands. It's possible that Epic did a wonderful job and didn't leave any security holes. But it's also possible that someone could hack around with UT and figure out an exploit. Things like buffer overflows and malformed packets. It's possible that all it would do is crash your server. But with the right circumstances (read: sloppy server programming) a hacker could figure out how to send a packet to a UT server that would cause UT to execute a certain piece of code, possibly something embedded within the packet, possibly a system call, who knows. If somebody can do that, then they have found what would be called a "backdoor", and from the backdoor they may be able to open more holes, use your own computer to create more security breaches, download trojans and so forth.

Here's an example site just to show you the kind of obscure things that dedicated hackers can come up with. For example the third item down at the time of this posting is "ID games Backdoor in quake", so these things do exist, and hackers do find them.

Like I said, no need to be paranoid, just be aware of the risks.
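The point above is that a forwarded port hands the packet straight to whatever program is listening, so the first defensive step is knowing exactly which process answers on each local port before you forward it. The script below is an added example, not anything from this thread or from a poster; it assumes a current Windows (8 / Server 2012 or later, for Get-NetTCPConnection and Get-NetUDPEndpoint) and the port numbers in $forwarded are placeholders you replace with the ports you actually forward.

```powershell
# Added example: inventory of which local process is behind each listening port,
# so a router port-forward is never pointed at something you did not intend to expose.
# Run from an elevated PowerShell so owning processes of system services resolve.

# TCP listeners and UDP endpoints (game servers such as UT typically use UDP).
$endpoints = @(Get-NetTCPConnection -State Listen |
                   Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess) +
             @(Get-NetUDPEndpoint |
                   Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess)

# Placeholder values: substitute the ports your router forwards (e.g. FTP, game server).
$forwarded  = @(21, 7777)
# Windows networking ports; these should never be reachable from the WAN side.
$windowsNet = @(135, 137, 138, 139, 445)

$report = foreach ($e in $endpoints) {
    $proc = Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue
    $note = if ($windowsNet -contains $e.LocalPort) { 'Windows networking: do not forward' }
            elseif ($forwarded -contains $e.LocalPort) { 'FORWARDED: this process faces the internet' }
            else { '' }
    [pscustomobject]@{
        Proto   = $e.Proto
        Address = $e.LocalAddress
        Port    = $e.LocalPort
        Process = if ($proc) { $proc.ProcessName } else { "pid $($e.OwningProcess)" }
        Path    = if ($proc) { $proc.Path } else { $null }
        Note    = $note
    }
}

$report | Sort-Object Proto, Port | Format-Table -AutoSize
```

Anything tagged FORWARDED is the program whose robustness you are relying on, in the sense the post describes; anything on a Windows networking port should stay unforwarded and, ideally, unbound from the internet-facing adapter.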
 

dennilfloss

Past Lifer 1957-2014 In Memoriam
Oct 21, 1999
dennilfloss.blogspot.com
ZoneAlarm puts me in Stealth Mode. I am but a figment of your deranged imagination. :p I still check every day to make sure that my address has not been changed to Bymer's. :| ViRGE posted last week that the Kris virus now runs along with Bymer. You might want to check that thread and see if you got infected with that too.
 

Eug

Lifer
Mar 11, 2000
OK, maybe I'll disable NIS on my laptop then. It's off most of the time anyway, and NIS just adds to the painfully long boot-up. 4200 rpm drives suck. :(

But, I'll have to think about how to set up my desktop. I was thinking of putting a webserver on it (because I'm sick of my ISP's 10 MB limit) and an FTP server on it (for myself when I'm at work). I'll also be reinstalling UT for it, but it ain't going to be used much so that isn't really an issue. (OGR is on this machine, but will still be working full tilt.)

P.S. Here is my lan setup. Any additions will be either through HPNA or Ethernet, but all will be behind the router.
 

RC5Bri

Senior member
Dec 24, 2000
I am just surprised that I got "caught" on a dial-up connection. I figured most hackers would scan cable/DSL IPs rather than waste their time with dial-ups. But a lot of people have their drives shared, so at least I wasn't alone.

I am glad that I noticed the virus posted in this forum. Otherwise, I might not have known about it, and fixed it so quickly.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
The Bymer worm scans for targets on its own, as it just randomly picks IPs.
 

BoberFett

Lifer
Oct 9, 1999
nickburns

Make sure what isn't bound? File and print sharing to TCP?

Go to your Network properties. If you have multiple adapters (i.e., NIC and dial-up adapter), you'll have multiple TCP entries; do this process for each TCP entry. Choose the TCP entry and get the properties for that. Then click the Bindings tab. If File and Print Sharing for Microsoft Networks is checked, then uncheck it and click OK.

That'll do it.
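The Bindings-tab procedure just described, and the earlier advice from Kilowatt and Russ about keeping File and Print Sharing and Client for Microsoft Networks off the dial-up adapter, can be audited from the command line on a current Windows. The script below is an added example, not from this thread or any poster; it assumes Windows 8 / Server 2012 or later (Get-NetAdapterBinding), that $InternalAdapters names the adapter(s) on your private LAN, and that you run it elevated if you pass -Fix.

```powershell
# Added example: report, per adapter, whether the Windows networking components are
# bound, and whether NetBIOS over TCP/IP is on. With -Fix, unbind them from every
# adapter not listed as internal (the modern equivalent of unchecking the Bindings box).
param(
    [string[]]$InternalAdapters = @('Ethernet'),   # assumption: your LAN-side adapter name(s)
    [switch]$Fix
)

$components = @{
    ms_server   = 'File and Printer Sharing'
    ms_msclient = 'Client for Microsoft Networks'
}

# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled
$netbios = @{}
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object { $netbios[[int]$_.InterfaceIndex] = [int]$_.TcpipNetbiosOptions }
$nbText = @{ 0 = 'DHCP default'; 1 = 'enabled'; 2 = 'disabled' }

foreach ($adapter in Get-NetAdapter) {
    $internal = $InternalAdapters -contains $adapter.Name
    foreach ($id in $components.Keys) {
        $b = Get-NetAdapterBinding -Name $adapter.Name -ComponentID $id -ErrorAction SilentlyContinue
        if (-not $b) { continue }
        $verdict = if ($b.Enabled -and -not $internal) { 'EXPOSED: bound on a non-internal adapter' }
                   elseif ($b.Enabled)                  { 'bound (internal adapter, expected)' }
                   else                                 { 'unbound' }
        '{0,-25} {1,-30} {2}' -f $adapter.Name, $components[$id], $verdict
        if ($Fix -and $b.Enabled -and -not $internal) {
            Disable-NetAdapterBinding -Name $adapter.Name -ComponentID $id
        }
    }
    if ($netbios.ContainsKey([int]$adapter.InterfaceIndex)) {
        $nb = $netbios[[int]$adapter.InterfaceIndex]
        '{0,-25} {1,-30} {2}' -f $adapter.Name, 'NetBIOS over TCP/IP', $nbText[$nb]
    }
}
```

A line reading EXPOSED on a dial-up, Wi-Fi hotspot or other internet-facing adapter is the same misconfiguration the wormfree utility flagged at the top of the thread; after fixing it, an outside check such as Shields Up should no longer see NetBIOS.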
 

dawks

Diamond Member
Oct 9, 1999
Hmm. When I use Zone Alarm, and have it set to maximum security, I cannot access the internet. I need to lower the setting to Medium; anyone have an idea as to why this is? I recently just set up a home network, and I need some security.

BTW, Thanks to all in #teamanandtech (irc.teamanandtech.com) for helping me with all my questions! You guys rock! :D :D :D