Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to Link Logger

Re: mNW Alert: 'IraqWorm' propagating via tcp/445

Well, you can visit my web site and look at the reverse engineered code yourself.

»www.unixwiz.net/iraqworm/iraqworm.cpp

Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • my web site


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to Gladiator_AV

said by Gladiator_AV:
ROFL @PCC

They did forget to add the UPX
The worm is only detected uncompressed with PCC 2002
See my pic: NAV detects both compressed and uncompressed worms. :)


Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON
kudos:2
Host:
Security Product V..
Security

reply to Steve

said by Steve:
One other tidbit: if the second or fourth octet of your IP address is in the range 128-255, then I believe the worm's scanner won't ever find us due to boneheaded use of the random number generator. So at home, with my IP of 64.170.X.X, I don't expect to see any scans.

That's odd though. Could there be another variation then? A few days ago when Lawrence started noticing the scan pattern, I was getting about 100 scans in the course of two days on port 445. I'm now getting the odd ones from time to time, and my IP is 24.192.x.x. The subnet mask, though, is 255.255.255.192.
--
You can catch the Devil, but you can't hold him long.
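The claim quoted above, that the scanner never reaches an address whose second or fourth octet is 128 or above, can be checked against a small model. The C program below is an added example written for this page; it is not the worm's code and not taken from the reverse-engineered iraqworm.cpp linked earlier. It assumes one mechanism that produces exactly that pattern: the MSVC CRT rand() (15-bit, RAND_MAX 0x7FFF, re-implemented here so it behaves the same on any platform, since glibc's 31-bit rand() would hide the bug), two rand() results glued into one 32-bit value, and that value stored into sin_addr with no htonl(), so that on little-endian x86 bit 15 and bit 31 of the value become the high bit of the second and fourth octet. The function names (msvc_rand, pick_target_raw, raw_to_octets, scanner_can_reach, sample_octet_max, bias_is_visible) are this example's own. If the real scanner builds its targets differently, the rule differs; the reverse-engineered source is the authority.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of a broken random-target picker (not the worm's
 * actual source).  Assumptions, as stated in the lead-in:
 *  - rand() is the MSVC CRT 15-bit generator (RAND_MAX == 0x7FFF);
 *  - the scanner glues two rand() results into one 32-bit value and
 *    stores it in sin_addr without htonl(), so on x86 the four memory
 *    bytes of that value are the address octets a.b.c.d in order.
 * Bits 15 and 31 of the value are then always zero, i.e. octets b and d
 * can never be >= 128.
 */

static uint32_t g_seed = 1;

/* MSVC rand(): 32-bit LCG, result is (seed >> 16) & 0x7FFF. */
static int msvc_rand(void)
{
    g_seed = g_seed * 214013u + 2531011u;
    return (int)((g_seed >> 16) & 0x7FFFu);
}

/* Flawed picker: high and low 16-bit halves each come from a 15-bit rand(). */
static uint32_t pick_target_raw(void)
{
    uint32_t hi = (uint32_t)msvc_rand();
    uint32_t lo = (uint32_t)msvc_rand();
    return (hi << 16) | lo;
}

/* The value as the socket stack sees it on little-endian x86: memory
 * bytes 0..3 are read as network-order octets a.b.c.d. */
static void raw_to_octets(uint32_t raw, uint8_t out[4])
{
    out[0] = (uint8_t)(raw & 0xFFu);         /* a: low byte of lo            */
    out[1] = (uint8_t)((raw >> 8) & 0xFFu);  /* b: high byte of lo, bit 7 = 0 */
    out[2] = (uint8_t)((raw >> 16) & 0xFFu); /* c: low byte of hi            */
    out[3] = (uint8_t)((raw >> 24) & 0xFFu); /* d: high byte of hi, bit 7 = 0 */
}

/* Can this generator ever emit the given dotted-quad address?
 * Returns 1 (yes), 0 (never), or -1 if the string is not a valid address. */
int scanner_can_reach(const char *dotted)
{
    unsigned a, b, c, d;
    char trail;
    if (sscanf(dotted, "%u.%u.%u.%u%c", &a, &b, &c, &d, &trail) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    return (b < 128 && d < 128) ? 1 : 0;
}

/* Draw `samples` targets from a fixed seed and report the largest value
 * seen in each octet position; octets b and d never exceed 127. */
void sample_octet_max(unsigned samples, uint8_t max_out[4])
{
    uint8_t o[4];
    memset(max_out, 0, 4);
    g_seed = 1;
    for (unsigned i = 0; i < samples; i++) {
        raw_to_octets(pick_target_raw(), o);
        for (int k = 0; k < 4; k++)
            if (o[k] > max_out[k])
                max_out[k] = o[k];
    }
}

/* 1 if the bias shows in the sample: b and d capped at 127, a and c not. */
int bias_is_visible(unsigned samples)
{
    uint8_t m[4];
    sample_octet_max(samples, m);
    return (m[1] <= 127 && m[3] <= 127 && m[0] > 127 && m[2] > 127) ? 1 : 0;
}

int main(void)
{
    uint8_t m[4];
    const char *hosts[] = { "64.170.1.1", "24.192.1.1", "24.100.1.1" };
    sample_octet_max(100000, m);
    printf("largest octet values seen over 100000 picks: %u.%u.%u.%u\n",
           (unsigned)m[0], (unsigned)m[1], (unsigned)m[2], (unsigned)m[3]);
    for (size_t i = 0; i < 3; i++)
        printf("%-12s reachable by this scanner: %s\n", hosts[i],
               scanner_can_reach(hosts[i]) == 1 ? "yes" : "no");
    return 0;
}
```

scanner_can_reach() answers the question the thread is asking for any address: 64.170.x.x and 24.192.x.x both come back 0 (second octet 128 or above), 24.100.x.x comes back 1, and sample_octet_max() over 100000 picks shows the second and fourth octets never going above 127 while the first and third do. Under this model, tcp/445 probes arriving at an address the generator can never pick are coming from something other than this worm.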


phriday613
Your Avatar Is Nice... For Me To Poop On
Premium
join:2002-02-06
Eastchester, NY

reply to NetWatchMan
I noticed 8 hits on port 445 on the 10th, 12th and 13th, but no clue as to the payload... or if it were some idiot trying to exploit my web interface...

my address is 64.252.x.x (dynamic)
--
Help find a cure for Cancer - Join Team Discovery!




Gladiator_AV
Premium
join:2002-10-20

reply to Randy Bell
Randy, can you check your mail ?



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

reply to NetWatchMan
One thing I don't believe has been really mentioned yet:

Any smart guy with a disassembler could figure this out, but the real magic is Lawrence's myNetWatchman network of reporting agents all over the place that gave him the heads up to know something was going on and to go looking for it.

This is how it's supposed to work: diverse intelligence gathering, centralized analysis.

Thumbs up to Lawrence on this one - he's the hero here.

Steve

P.S. - Phil did great research too
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • my web site



guycad$
In Search Of Free Speech
Premium
join:2002-05-02
Pompton Lakes, NJ

reply to NetWatchMan
Hi guys!

Fantastic job and great info (as usual ).

If someone could, I'd like a little clarification please. I'm not certain how to assess the vulnerability of several systems where I get panic calls for help.

Basically, I'm assuming that port 445 is open 'out of the box' for both XP Pro and XP Home. My initial concern is for XP Home users. I know several who are on Optimum On-Line and I've worked with them to screw their systems down pretty tight. So if someone could provide a fuller explanation of what the default settings are, I'd be very interested.

Second, please correct me if my understanding is wrong. This exploit is based upon the 'feature' of being able to get a list of user accounts and groups just by querying for them?

Is there anyone else besides me who's aghast at this 'feature'?

I would like to offer up two new acronyms to cover this situation if my understanding is (so far) correct.

YASMIS (yaz-mis) - Yet Another Stupid Micro$oft Insecurity Setting.
YACSMAIF (yaks-mafe) - Yet Another Completely Stupid Micro$oft Architecturally Insecure Feature.

In all seriousness, please tell me I'm not understanding this correctly. BTW - for all you M$ users out there. Please don't regard this as an attack on M$. While I do dislike M$, I'm much, much more concerned about the security implications. Please tell me that the situation is not as I'm understanding it.
--
My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003



Faram
Premium
join:2002-03-27
Sweden

reply to NetWatchMan


Just got an e-mail from F-Secure

[FSAV_Database_Version]
Version=2002-12-17_01

has detection included

Great work!


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to Wildcatboy

Re: mNW Alert: 'IraqWorm' propagating via tcp/445

said by Wildcatboy:


That's odd though. Could there be another variation then? A few days ago when Lawrence started noticing the scan pattern, I was getting about 100 scans in the course of two days on port 445. I'm now getting the odd ones from time to time and my IP is 24.192.x.x The subnet mask though is 255.255.255.192

You missed my comments above...Warez Pirates and DDoS bots have been doing semi-automatic exploitation of Null Sessions for a LONG time...they are just being quieter about it...these are the other sources of tcp/445 probes.

The only way to differentiate between the two is to have a sacrificial host so you can *allow* the activity and see what they push at you.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to guycad$

said by guycad$:

If someone could, I'd like a little clarification please. I'm not certain how to assess the vulnerablity of several systems where I get panic calls for help.

I provide the exact commands and tool you need to attempt the EXACT same exploitation technique this worm is using.

Actually create a Null Session to your hosts and run Enum against them. I suggest using the password list we provided and creating a dict.txt file to feed into Enum's dictionary attack function (-D).

If your hosts allow Null Sessions and enumeration of user accounts...PROBLEM.

If Enum dictionary attack succeeds...BIG PROBLEM.
(actually you're probably already compromised by IraqiWorm, Warez Pirates, or a DDoS bot!).
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


guycad$
In Search Of Free Speech
Premium
join:2002-05-02
Pompton Lakes, NJ

said by NetWatchMan:
said by guycad$:

If someone could, I'd like a little clarification please. I'm not certain how to assess the vulnerablity of several systems where I get panic calls for help.

I provide the exact commands and tool you need to attempt the EXACT same exploitation technique this worm is using.

Thank you Lawrence. I guess I shouldn't ask these kinds of questions before I've had time to actually wake up.

I apologize. I wasn't asking about technically testing for the exploit. I'm more interested in knowing if systems are vulnerable 'out-of-the-box'.

I.e., do I really need to check XP Home systems with always-on connections to the web? Most of the ones I deal with are standalone so they're not on internal LANs.

I keep having this waking nightmare of millions of XP Home systems with always on broadband connections and, by default, being vulnerable to this. If this is not a default setting, then I'll feel a little easier. It's still an incredibly stupid feature mind you.

I don't have an XP based system of my own to test with so I can't check this for myself. Though, I will be stopping at a friend's house tonight who runs XP Home. And you can be very sure I'll be checking it too!
--
My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003

psloss
Premium
join:2002-02-24
Alpharetta, GA

said by guycad$:
I apologize. I wasn't asking about technically testing for the exploit. I'm more interested in knowing if systems are vulnerable 'out-of-the-box'.
Well, one could use the former to determine the latter, though, right?

said by guycad$:
I.E. Do I really need to check XP Home systems with always on connections to the web? Most of the ones I deal with are standalone so they're not on internal lans.
For XP Home and Pro "out of the box," all the SMB-based ports are open (the various NetBIOS ports on tcp and udp 137-139 and the direct SMB ports on tcp and udp 445). The firewall is also not active.

There are differences between the Win2k and XP default configuration, particularly that XP employs simple file sharing out of the box. I don't know about null session/RestrictAnonymous setting, but I'll check that, too. Here's a SFS reference:
»support.microsoft.com/default.as···s;304040

(That link looks funky right now to me due to what looks like a broken ?ML tag...Google might have an easier copy to read in its cache...)

said by guycad$:
I keep having this waking nightmare of millions of XP Home systems with always on broadband connections and, by default, being vulnerable to this. If this is not a default setting, then I'll feel a little easier. It's still an incredibly stupid feature mind you.

Another nightmare would be by replacing "systems with always on broadband connections" with "systems with blank Administrator passwords." I don't know about millions of PCs, but Opaserv was at least 5 figures -- that's a huge DDoS pool.

said by guycad$:
I don't have an XP based system of my own to test with so I can't check this for myself. Though, I will be stopping at a friend's house tonight who runs XP Home. And you can be very sure I'll be checking it too!
I'll be interested to read your findings. I'm going to try to test a couple of fairly clean XP installs, but they were on my sacrificial test machine which is where I let the worm loose for testing, so reinstalls may be in order...

Philip Sloss
--
stuff@lupwa.org


guycad$
In Search Of Free Speech
Premium
join:2002-05-02
Pompton Lakes, NJ

said by psloss:

said by guycad$:
I keep having this waking nightmare of millions of XP Home systems with always on broadband connections and, by default, being vulnerable to this. If this is not a default setting, then I'll feel a little easier. It's still an incredibly stupid feature mind you.

Another nightmare would be by replacing "systems with always on broadband connections" with "systems with blank Administrator passwords." I don't know about millions of PCs, but Opaserv was at least 5 figures -- that's a huge DDoS pool.

I just realized that the machine I'm seeing tonight has a blank admin password. (ooof!)

It has ZAF, Nod32, SS&D and AdAware. (This is the very same machine which started the eAnthology thread that still won't die.)

I did have a discussion with the owner about strong passwords and setting up individual logins for each family member. But I know she hasn't done anything about it yet. Well, I'll see for sure when I get there after work.
--
My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003

psloss
Premium
join:2002-02-24
Alpharetta, GA

'IraqWorm' and XP: preliminary info

I was able to use both XP Home and XP Pro installs for a quick test, so it wasn't too painful...

With just a quick first look, it appears that the extra security measures built into XP provide better protection against null session-based attacks. I found this reference page (among others):
»www.uksecurityonline.com/husdg/w···/lsa.htm

which has this statement:

"So, by default, on an XP system, you can anonymously connect and enumerate shares by default, but you cannot enumerate detailed user information."

One key difference is that the XP Home install I have doesn't have any default file shares while XP Pro has all of them. The only "default" share on XP Home is the IPC$ one (which is a "special" type).

This makes sense: while both come from the NT kernel and development, XP Home is styled after Win9x and XP Pro is styled after Win2k Pro.

More a bit later...
--
stuff@lupwa.org


John2g
Qui Tacet Consentit
Premium
join:2001-08-10
England

reply to NetWatchMan

Re: mNW Alert: 'IraqWorm' propagating via tcp/445

W32.HLLW.Lioten is now covered in today's NAV definitions
--
All the electrons used in this post have been recycled


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

said by John2g:
W32.HLLW.Lioten is now covered in today's NAV definitions
See my post: »mNW Alert: Iraq Worm propagating via tcp/445 (also attached pic of NOD's update) -- this worm is detected by NAV, Trend, McAfee, Panda, F-Secure, KAV, and NOD32 -- almost everybody (all major players) detecting it now. Can anyone confirm or deny whether DrWeb, F-Prot or any of the free windows scanners (AVG, AVAST) detecting it yet? :)


fastM3$

join:2001-10-27
Vista, CA

reply to NetWatchMan

No biggie!


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

Thanks fastM3: too late to edit my original post, so I'll just add it here:

Sophos - W32/Lioten-A
»www.sophos.com/virusinfo/analyse···ena.html


Motumbo

join:2002-05-15
Belgium

reply to NetWatchMan
Hi everyone,

You could join us at Gladiator: »forum.gladiator-antivirus.com/in···98&st=15

We have an interesting topic regarding the detection of this worm. As you will see, some AV-companies (in fact most of them) don't detect the 3 different "editions" (not variants) of this Iraq Worm.

We hope to see you soon



guycad$
In Search Of Free Speech
Premium
join:2002-05-02
Pompton Lakes, NJ

reply to psloss

Re: 'IraqWorm' and XP: preliminary info

said by psloss:
One key difference is that the XP Home install I have doesn't have any default file shares while XP Pro has all of them. The only "default" share on XP Home is the IPC$ one (which is a "special" type).

I'm beginning to think that the XP Home machines might not be vulnerable 'out-of-the-box'. Not because M$ made any effort to make them more secure in this respect, but because M$ seems to have crippled XP Home enough so this worm appears to not be a problem for Home users. LOL - If this is verified, I'll appreciate any good news I hear, even if it's by accident.

RE: the system I looked at this evening. This is a new (less than 6 months old) HP system with XP Home. It doesn't appear to have a standard Administrator account. Instead, it has an account called 'Owner', and there is no direct access to any of the usual administrator functions. I don't know if this is an 'XP Home' feature or if this is how HP configured it.

There is a hidden administrator folder with most of the functions I expected, but I had to do a search on it to find and open it. Really strange. The 'Owner' is very unhappy with not having complete control over her machine. I'm not interested in hijacking this thread so please don't. Since it looks like I'll have to learn more than I want to know about XP Pro & Home, I'll have to see about regular access to both before I'm ready to benefit from advice.

I will be posting some of the other things I found in another thread.

Paul, I'm not quite as worried as I was. Looks like Win2K users might be the ones most vulnerable.
--
My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003

© 1999-2012 dslreports.com.