CERT Advisory CA-2003-08 Increased Activity Targeting Windows Shares
Original release date: March 11, 2003
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Microsoft Windows 2000
* Microsoft Windows XP
Overview
In recent weeks, the CERT/CC has observed an increase in the number of reports of systems running Windows 2000 and XP compromised due to poorly protected file shares.
I. Description
Over the past few weeks, the CERT/CC has received an increasing number of reports of intruder activity involving the exploitation of Null (i.e., non-existent) or weak Administrator passwords on Server Message Block (SMB) file shares used on systems running Windows 2000 or Windows XP. This activity has resulted in the successful compromise of thousands of systems, with home broadband users' systems being a prime target. Recent examples of such activity are the attack tools known as W32/Deloder, GT-bot, sdbot, and W32/Slackor, which are described in more detail below.
Background
Microsoft Windows uses the SMB protocol to share files and printer resources with other computers. In older versions of Windows (e.g., 95, 98, Me, and NT), SMB shares ran on NetBIOS over TCP/IP (NBT) on ports 137/tcp and udp, 138/udp, and 139/tcp. However, in later versions of Windows (e.g., 2000 and XP), it is possible to run SMB directly over TCP/IP on port 445/tcp.
Windows file shares with poorly chosen or Null passwords have been a recurring security risk for both corporate networks and home users for some time:
* IN-2002-06: W32/Lioten Malicious Code
* CA-2001-20: Continuing Threats to Home Users
* IN-2000-02: Exploitation of Unprotected Windows Networking Shares
* IN-2000-03: 911 Worm
It has often been the case that these poorly configured shares were exposed to the Internet. Intruders have been able to leverage poorly protected Windows shares by exploiting weak or Null passwords to access user-created and default administrative shares. This problem is exacerbated by another relevant trend: intruders specifically targeting Internet address ranges known to contain a high density of weakly protected systems. As described in CA-2001-20, the intruders' efforts commonly focus on addresses known to be used by home broadband connections.
Recent developments
The CERT/CC has recently received a number of reports of exploitation of Null or weak Administrator passwords on systems running Windows 2000 or Windows XP. Thousands of systems have been compromised in this manner.
Although the tools involved in these reports vary, they exhibit a number of common traits, including
* scanning for systems listening on 445/tcp (frequently within the same /16 network as the infected host)
* exploiting Null or weak passwords to gain access to the Administrator account
* opening backdoors for remote access
* connecting back to Internet Relay Chat (IRC) servers to await additional commands from attackers
* installing or supporting tools for use in distributed denial-of-service (DDoS) attacks
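The traits listed above are what a defender would look for in perimeter or flow logs. The following script is an added example, not part of the advisory: it runs over a constructed firewall log and flags hosts that sweep many neighbours on 445/tcp (reporting how many targets fall in the source's own /16, as the advisory describes) and then open an outbound IRC connection. The log format, the 10-host threshold and the use of 6667/tcp as the IRC port are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (not from the advisory): "time src dst dport proto".
# 192.168.7.20 probes 12 neighbours on 445/tcp and then calls out to an IRC port;
# 192.168.7.44 is ordinary traffic plus one stray 445/tcp connection outside its /16.
SAMPLE_LOG = [f"02:14:{i:02d} 192.168.7.20 192.168.{9 + i // 8}.{1 + i % 8} 445 tcp"
              for i in range(12)]
SAMPLE_LOG += ["02:15:03 192.168.7.20 10.1.2.3 6667 tcp",
               "02:20:11 192.168.7.44 192.168.9.5 80 tcp",
               "02:21:00 192.168.7.44 198.51.100.7 445 tcp"]

def parse_line(line):
    """Split one constructed log line into (time, src, dst, dport, proto)."""
    time, src, dst, dport, proto = line.split()
    return time, src, dst, int(dport), proto

def smb_sweeps(lines, threshold=10):
    """Sources that contacted >= threshold distinct hosts on 445/tcp.
    Returns {src: (distinct_targets, targets_inside_the_source's_/16)}."""
    targets = defaultdict(set)
    for _, src, dst, dport, proto in map(parse_line, lines):
        if dport == 445 and proto == "tcp":
            targets[src].add(dst)
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            net = ipaddress.ip_network(f"{src}/16", strict=False)
            local = sum(ipaddress.ip_address(d) in net for d in dsts)
            result[src] = (len(dsts), local)
    return result

def irc_callbacks(lines, irc_ports=frozenset({6667})):
    """Sources with outbound TCP connections to IRC ports (assumed 6667): {src: {dst}}."""
    out = defaultdict(set)
    for _, src, dst, dport, proto in map(parse_line, lines):
        if proto == "tcp" and dport in irc_ports:
            out[src].add(dst)
    return dict(out)

def compromise_candidates(lines, threshold=10):
    """Hosts showing both traits from the advisory: a 445/tcp sweep and an IRC call-back."""
    sweeps = smb_sweeps(lines, threshold)
    irc = irc_callbacks(lines)
    return sorted(src for src in sweeps if src in irc)

if __name__ == "__main__":
    for src, (n, local) in smb_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {n} hosts probed on 445/tcp, {local} inside its own /16")
    print("sweep + IRC call-back:", compromise_candidates(SAMPLE_LOG))
```

Lowering the threshold makes the same-/16 count visible for low-volume sources too, which helps separate a single misdirected SMB connection from a neighbour sweep.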
--------------------------
Full article at:
CERT Advisory CA-2003-08