RE: Mysterious "Support" account created on Win2k server

[<kyle () kylelai com>]

No, attackers cannot use "net use." to create user accounts, but
YES, they can create user accounts after they use "net use" to connect to
victimized systems.

Just to demonstrate, here is one of the methods of attack:

1.  "net use \\machine\ipc$" with admin id and weak password.  assume it
successfully connected to the system.
2.  use "psexec" from sysinternals.com to copy necessary files to the
victimized systems
3.  use "psexec" to execute commands on the victimized system, i.e.
Addusers.  They can run any commands, programs, or viruses/worm/trojans now
since they can copy all necessary files to the victimized system and run
them as an administrator.

That above method was the method used in the ocxdll.exe / taskmngr.exe
worm/Trojan.

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.435 / Virus Database: 244 - Release Date: 12/30/2002


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com