Security Incidents mailing list archives

Re: Probes to previously accessed FTPs and UNCs in XP


From: Matt Scarborough <vexversa () usa net>
Date: Sat, 13 Apr 2002 02:36:53 -0400

I believe you are describing a feature introduced in Windows ME called "Net
Crawler" and "Web Crawl."  During this crawl of the entire network, shared
resources including drives, printers, and faxes are enumerated. In a sane
world this behavior could be called worm-like functionality built into an
Operating System.

Nevertheless the behavior was extended in Windows XP to provide Net Crawl and
Web Crawl persistence by default to the first 32 resources successfully mapped
in, or available to, My Network Places | Add Network place.  Periodically, XP
scans the network, identifies shared resources, queries them, then adds a
shortcut link in "My Network Places" or "Printers and Faxes" to that resource.
So, contrary to popular opinion and evidenced by this behavior, Microsoft
actually did learn something from Nimda.

Way back in time mapping drives over FTP and HTTP was introduced in IE 4.01
and Office 2000 as an implementation of "Web Folders," "HTML Data Binding,"
and "Office Server Extensions." Recommendations for Office 2000 included
providing collaborative workspaces over HTTP via an IIS FPSE-extended web
using mapped drives and WebDAV. FTP too. 

One needs only look to MS01-018's WebDAV vulnerability to see this is enabled
on the server side by default in IIS 5.x. (Q307934) So it follows the client
side is enabled by default in ME and XP.

Some of the places to look for remnants of this crawling are
Hkey_Current_User\Software\Microsoft\Windows\CurrentVersion\Explorer
 \WorkgroupCrawler
 \NetCrawl
 \WebCrawl

As a semi-related and FUD-filled addendum, gaining control of a remote site to
which persistent mappings are enabled or automatic crawling is reachable could
allow, depending on end user choices, the hijacker to gather creds from all
the clients. Offering resources across the Internet to unsuspecting Home
Users(tm) with limited security training and insufficient defenses might also
prove effective in similar credential grabbing endeavors.

To start turning the crawl off on the client side, go to Folder Options and
clear the tick box "Automatically search for network folders and printers." I
suppose myriaded somewhere in the GPO we can push something out to the clients
to stop the crawling as well.

http://support.microsoft.com/support/kb/articles/Q256/2/48.ASP
http://support.microsoft.com/support/kb/articles/Q276/3/22.ASP
http://support.microsoft.com/support/kb/articles/q320/1/38.ASP
http://support.microsoft.com/support/kb/articles/q307/9/34.asp
http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/webfoldr_overview.asp

Matt Scarborough 2002-04-13
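The registry locations and the Folder Options checkbox above suggest a simple audit a desktop team could run before pushing anything out. The script below is an added example and not code from the post or from Microsoft: the three key names under Explorer come from the post; the NoNetCrawling DWORD under Explorer\Advanced is my recollection of the value behind "Automatically search for network folders and printers" and is an assumption to verify against the KB articles linked in the post. Registry reads go through a small reader callable so the same logic also runs against a constructed fake hive on a non-Windows box.

```python
"""Audit a user hive for the crawl remnants named in the post.

Added example, not the post's code. CRAWL_KEYS come from the post;
NoNetCrawling is an assumption (my recollection of the checkbox's backing
value). The reader indirection lets the audit run offline on a fake hive.
"""
try:
    import winreg          # Windows only; absent elsewhere
except ImportError:
    winreg = None

EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer"
CRAWL_KEYS = ("WorkgroupCrawler", "NetCrawl", "WebCrawl")   # from the post


def winreg_reader(path):
    """Return (subkeys, {value: data}) under HKCU\\path, or None if absent."""
    try:
        key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
    except OSError:
        return None
    subkeys, values = [], {}
    with key:
        n_sub, n_val, _ = winreg.QueryInfoKey(key)
        for i in range(n_sub):
            subkeys.append(winreg.EnumKey(key, i))
        for i in range(n_val):
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = data
    return subkeys, values


def fake_reader(hive):
    """Reader over a dict {path: (subkeys, values)} for offline use."""
    return lambda path: hive.get(path)


def audit_crawl_remnants(read):
    """Summarise which crawl keys exist and whether crawling is switched off.

    crawling_disabled is True/False when Explorer\\Advanced exists and None
    when it does not (nothing to judge from).
    """
    report = {"remnants": {}, "crawling_disabled": None}
    for name in CRAWL_KEYS:
        hit = read(EXPLORER + "\\" + name)
        if hit is not None:
            subkeys, values = hit
            report["remnants"][name] = {"subkeys": sorted(subkeys),
                                        "values": sorted(values)}
    advanced = read(EXPLORER + r"\Advanced")
    if advanced is not None:
        # Assumption: NoNetCrawling == 1 is the cleared checkbox; an absent
        # value means the default, i.e. crawling still on.
        report["crawling_disabled"] = advanced[1].get("NoNetCrawling") == 1
    return report


# Constructed hive: two remembered hosts under NetCrawl, a WebCrawl key with a
# made-up value name, and an Advanced key without NoNetCrawling.
SAMPLE_HIVE = {
    EXPLORER + r"\NetCrawl": (["fileserver1", "fileserver2"], {}),
    EXPLORER + r"\WebCrawl": ([], {"ConstructedValue": 1}),
    EXPLORER + r"\Advanced": ([], {"ConstructedSetting": 0}),
}

if __name__ == "__main__":
    reader = winreg_reader if winreg else fake_reader(SAMPLE_HIVE)
    print(audit_crawl_remnants(reader))
```

On a Windows host the script reads the live HKCU hive; anywhere else it falls back to the constructed sample so the reporting logic can still be exercised.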


On Tue, 9 Apr 2002 01:55:29 -0700, Eric Weaver wrote:

Re: POSSIBLE WORM / DDOS

Sorry for the delayed response.

I have concluded that this activity is caused by another Microsoft
misfeature.  (Whether it is a virus or not, XP is caching previously
accessed url/unc somewhere, leaving these hosts/shares potential victims for
a virus/worm)

Findings:

Upon access to certain local directories of the "hot" machine (E:\,
E:\download\), Windows (XP Pro) causes orderly probing of previously
accessed FTP URLs & UNCs. (This explains the many samba queries after the
FTP attempts)

The following caused the network activity:

Start/ Run / E:\ <cr>
Start/ Run / E:\download <cr>


I searched through the local registry for the targeted IPs & share names
(also searched for possible aliases)  but was unable to find anything.  I
deleted the temporary internet cache, history, etc. Rebooted.  Machine still
caused same network activity.

Reapplying generic-folder-options to the directories that were "triggering"
this activity seemed to fix the problem.

I wonder where Microsoft is storing this information?  Those directories did
not have any abnormal/hidden files.  Odd.

Someone mentioned this may be ACEBot or GTBot.  I found no traces of these
Trojans.

I have not ruled out a virus.

The fact that this happens in regular windows explorer (not shortcut/link
inside a browser) worries me.


Thanks for everyone's $0.02.

tcpdump:

06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S
3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S
3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S
3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S
3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A?
hawking.res.cmu.edu. (37)
06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118)
(DF)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S
3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S
3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S
3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S
kOK> (DF)
<some snipped>
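The capture above has a recognisable shape: one host opening bare SYNs to a series of distinct FTP servers roughly three seconds apart, plus a name lookup that comes back NXDomain for an entry that no longer resolves. The following script is an added example (not from the post) that parses classic tcpdump one-liners in that format and flags hosts showing this cadence, so a similar capture can be triaged without reading it by eye. The sample input reproduces the post's records, each on one line, with the sequence number of the truncated last line made up and one unrelated host added as a control.

```python
"""Flag 'orderly probing' of remembered FTP servers in tcpdump text output.

Added example, not the post's code. It parses the classic tcpdump line shape
pasted above and reports a source host that sends bare SYNs to several
distinct port-21 targets on a steady beat, with any NXDomain lookups it made.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample: the post's records (one per line), a made-up sequence
# number on the truncated 66.26.238.15 line, and a control host 10.2.2.50.
SAMPLE = """\
06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53:  161+ A? hawking.res.cmu.edu. (37)
06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028:  161 NXDomain 0/1/0 (118) (DF)
06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S 3295700000:3295700000(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
06:31:02.000000 10.2.2.50.2001 > 198.133.219.27.21: S 1000:1000(0) win 16384 <mss 1460> (DF)
"""

HDR_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
QUERY_RE = re.compile(r"^(?P<txid>\d+)\+?\s+A\?\s+(?P<name>\S+)\s+\(")
NXDOMAIN_RE = re.compile(r"^(?P<txid>\d+)\s+NXDomain\b")


@dataclass
class Packet:
    t: float        # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    rest: str       # everything after the "src.port > dst.port:" header


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text):
    """Keep only lines that carry the src.port > dst.port header."""
    pkts = []
    for line in text.splitlines():
        m = HDR_RE.match(line.strip())
        if m:
            pkts.append(Packet(to_seconds(m["ts"]), m["src"], int(m["sport"]),
                               m["dst"], int(m["dport"]), m["rest"]))
    return pkts


def is_bare_syn(rest):
    # Classic tcpdump prints the flag field first: "S" alone is a SYN; a
    # SYN/ACK shows an explicit "ack N" further along the line.
    return rest.split(" ", 1)[0] == "S" and " ack " not in rest


def find_ftp_crawlers(text, min_targets=3, max_jitter=1.0, min_steady=0.6):
    """Return {src: finding} for hosts walking several FTP servers on a beat."""
    syns = defaultdict(list)
    pending = {}                    # (client, txid) -> queried name
    nxdomain = defaultdict(set)
    for p in parse(text):
        if p.dport == 21 and is_bare_syn(p.rest):
            syns[p.src].append(p)
        elif p.dport == 53 and (q := QUERY_RE.match(p.rest)):
            pending[(p.src, q["txid"])] = q["name"].rstrip(".")
        elif p.sport == 53 and (r := NXDOMAIN_RE.match(p.rest)):
            name = pending.pop((p.dst, r["txid"]), None)
            if name:
                nxdomain[p.dst].add(name)

    findings = {}
    for src, pkts in syns.items():
        pkts.sort(key=lambda p: p.t)
        targets = sorted({p.dst for p in pkts})
        if len(targets) < min_targets or len(pkts) < 2:
            continue
        gaps = [b.t - a.t for a, b in zip(pkts, pkts[1:])]
        med = median(gaps)
        steady = sum(abs(g - med) <= max_jitter for g in gaps) / len(gaps)
        if steady < min_steady:
            continue
        findings[src] = {
            "targets": targets,
            "attempts": len(pkts),
            "median_gap_s": round(med, 3),
            "steady_share": round(steady, 2),
            "nxdomain_names": sorted(nxdomain.get(src, ())),
        }
    return findings


if __name__ == "__main__":
    for host, f in find_ftp_crawlers(SAMPLE).items():
        print(host, f)
```

The thresholds are deliberately loose: three distinct servers with most inter-attempt gaps within a second of the median is enough to separate this background behaviour from a person using one FTP site, and the NXDomain names point straight at the stale entries the poster was trying to locate.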


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

