Security Incidents mailing list archives

Re: Unusual volume: UDP:137 probes


From: Matt Power <mhpower () bos bindview com>
Date: Sat, 5 Oct 2002 04:03:44 -0400

Date: Fri, 4 Oct 2002 14:13:55 +0700
From: Alain Fauconnet <alain () cscoms net>
...
I know that Win95 had its share of bugs regarding SMB passwords.
...
http://security-archive.merton.ox.ac.uk/bugtraq-200010/0228.html

I was able to confirm this for Windows 98. In other words, the
Opaserv worm is apparently exploiting the vulnerability from
http://www.microsoft.com/technet/security/bulletin/MS00-072.asp

(see also CVE-2000-0979 and http://online.securityfocus.com/bid/1780)

Basically, a long and complex password for the C share doesn't prevent
the worm from writing scrsvr.exe and modifying win.ini, or even slow
it down. This differs from some previous reports, e.g.,

http://www.f-secure.com/v-descs/opasoft.shtml says:

  2. In case the resource is protected by a password the worm tries to
  open it with all one-symbol passwords (brute-force attack).
  ...
  The worm caused a global epidemic in the beginning of October 2002 and
  hit many Win9x systems because of the following reasons:
  ...
    - many users don't pay enough attention to password length and
      security.

Also,
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0210&L=ntbugtraq&F=P&S=&P=72
says:

  Two new worms are of particular concern due to the fact they spread
  via network shares.

  Both rely upon open network shares, that is, shares which have no
  passwords.


Some of the conclusions seem straightforward. Loading the MS00-072
patch needs to be part of the procedure used in recovery of a machine
compromised by Opaserv. People who have Windows 9x systems, with
read/write file sharing, that are exposed to untrusted networks
should, in advance of compromise, try to get MS00-072 onto those
systems. (In practice, it's not only the open Internet that's an
untrusted network.)
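The reason a long share password made no difference in Matt's test is the bug class MS00-072 / CVE-2000-0979 fixes: the Windows 9x share-level password check compared only as many bytes as the client supplied, so a one-byte guess matching the first character of the real password was accepted. The following is an added illustrative model of that defect beside its hardened form; it is not Windows code and not part of this post, and the stored password value is a constructed sample.

```python
import hmac
from typing import Callable, Optional

# Constructed sample: the "long and complex" full-access password on the server.
SHARE_PASSWORD = b"Tr0ub4dor&3!longpass"


def truncated_check(supplied: bytes, stored: bytes = SHARE_PASSWORD) -> bool:
    """Model of the MS00-072 defect (illustrative, not the real SMB code):
    only len(supplied) bytes of the stored secret are compared, so the
    length of the stored password gives no protection at all."""
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied


def full_check(supplied: bytes, stored: bytes = SHARE_PASSWORD) -> bool:
    """Hardened form: the whole stored secret must match, length included,
    using a constant-time comparison."""
    return hmac.compare_digest(supplied, stored)


def single_byte_attempts(check: Callable[[bytes], bool],
                         alphabet: bytes = bytes(range(0x20, 0x7F))) -> Optional[int]:
    """How many one-byte guesses over printable ASCII a checker accepts before
    the first success; None if no one-byte guess is ever accepted.  This is the
    measure behind F-Secure's "all one-symbol passwords" description above."""
    for attempt, ch in enumerate(alphabet, start=1):
        if check(bytes([ch])):
            return attempt
    return None


if __name__ == "__main__":
    print("truncated check, one-byte guesses until success:",
          single_byte_attempts(truncated_check))   # bounded by the alphabet size, 95
    print("full check, one-byte guesses until success:",
          single_byte_attempts(full_check))        # None: no one-byte guess works
```

With the truncated comparison the worst case is the size of the character set, which is why the patch, not password policy, is the control that matters here.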

My testing approach was as follows. Do a new installation of two
Windows 98 Second Edition systems on an isolated network. Set up one
with the IP address 192.168.155.2, and the other 192.168.155.3. On
192.168.155.2, share the C drive with the share name C. Configure a
long and complex full-access password, and no read-only password.

On 192.168.155.3, copy the Opaserv worm program (28672 bytes, MD5
checksum d6018381ee9c28caf40bb34d65cc6c2c) to C:\windows\scrsvr.exe.
Run scrsvr.exe. (Upon running it, a new value was added to
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.) Then, within a
minute, C:\windows\scrsvr.exe was found on 192.168.155.2. Also, on
192.168.155.2, the third line of win.ini was modified to be
"run=c:\windows\scrsvr.exe". On 192.168.155.2,
HKLM\Software\Microsoft\Windows\CurrentVersion\Run was not modified.

Disconnect 192.168.155.3 from the network. Format the disk on
192.168.155.2, and then reinstall it with the same setup as before.
This time, however, load the MS00-072 patch. Format the disk on
192.168.155.3, reinstall it with its previous setup, connect it to the
network, and again run scrsvr.exe. Wait an hour. This time,
C:\windows\scrsvr.exe was not found on 192.168.155.2.

This was repeated a few times to try to establish validity. Perhaps of
interest is that when 192.168.155.2 had the MS00-072 patch and had a
one-character full-access password for the C share, it was not
compromised within an hour after starting scrsvr.exe on 192.168.155.3.
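The artifacts Matt observed on the compromised machine (scrsvr.exe in C:\windows, the third line of win.ini rewritten to run=c:\windows\scrsvr.exe, and a Run value on the infecting host) are the things an incident handler would check when triaging a Win9x box. The following is an added example, not part of this post, that checks a win.ini text and a set of Run values for those indicators and compares a file's size and MD5 against the sample described above; the win.ini and Run-key contents it runs on are constructed samples.

```python
import hashlib
from typing import Dict, List

# Indicators taken from the report above; nothing here comes from another source.
OPASERV_MD5 = "d6018381ee9c28caf40bb34d65cc6c2c"
OPASERV_SIZE = 28672
DROPPED_NAME = "scrsvr.exe"

# Constructed sample win.ini, modelled on the modified third line in the report.
SAMPLE_WIN_INI = "\r\n".join([
    "[windows]",
    "load=",
    "run=c:\\windows\\scrsvr.exe",
    "NullPort=None",
    "[Desktop]",
    "Wallpaper=(None)",
])

# Constructed sample of HKLM\...\CurrentVersion\Run values as name -> data.
SAMPLE_RUN_VALUES = {
    "SystemTray": "SysTray.Exe",
    "ScrSvr": "c:\\windows\\scrsvr.exe",
}


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser (section -> {key: value}); tolerant of the odd
    lines found in real win.ini files, keys lower-cased, values stripped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def win_ini_findings(text: str) -> List[str]:
    """Flag run=/load= entries in [windows] that reference the dropped file."""
    findings = []
    windows = parse_ini(text).get("windows", {})
    for key in ("run", "load"):
        value = windows.get(key, "")
        if DROPPED_NAME in value.lower():
            findings.append(f"win.ini [windows] {key}={value}")
    return findings


def run_key_findings(values: Dict[str, str]) -> List[str]:
    """Flag Run values whose data references the dropped file."""
    return [f"Run\\{name}={data}" for name, data in values.items()
            if DROPPED_NAME in data.lower()]


def matches_known_sample(data: bytes) -> bool:
    """True only when both the size and the MD5 match the sample in the report."""
    return len(data) == OPASERV_SIZE and hashlib.md5(data).hexdigest() == OPASERV_MD5


if __name__ == "__main__":
    for finding in win_ini_findings(SAMPLE_WIN_INI) + run_key_findings(SAMPLE_RUN_VALUES):
        print("indicator:", finding)
```

The size-and-hash check identifies only the one sample Matt tested; the win.ini and Run checks are the more durable part, since any later variant still has to persist somewhere, and a run= line naming a file in C:\windows is the unusual thing on a clean Win98 install.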

(I've sent a Bcc copy of this to the previous reports' authors.)

Matt Power
BindView Corporation, RAZOR Team
mhpower () bos bindview com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
