
NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

Opaserv: Lessons Learned

I have spent the last few weeks taking countless phone calls from IT Managers, business owners, and home Internet users who had been compromised by the Opaserv worm and received a myNetWatchman alert email (I'm sending upwards of 20,000!/day now).

Many affected companies ARE protected by centralized firewalls or NAT routers...unfortunately all you need is one transient laptop moving in and out of this "protected" network to wreak havoc. Joe Salesguy dials up from his hotel room with his laptop, gets infected, goes back to the office and passes it on to his coworkers as soon as he jacks into the LAN.

The real riot is literally watching anti-virus popups flash across the desktops like a wave...the users click to disinfect, only to see the process repeat itself only minutes later. You'd think these anti-virus products would give the users a bit more info like: "hey dumb-ass, you're sharing your C-drive with no password...might want to rethink that."

Another interesting scenario is Sally Secretary who finds it essential to fire up an AOL client on her work computer so she can check on email. No one seems to realize that by doing so she has created a VPN-like tunnel right through the company firewall and now has a second (public) IP address which enables external threats to fly right through the firewall like a hot knife through butta. I've seen several cases of this...user Opaserv compromised in minutes.

Spoke to one Cox user with two computers...by the time his Mom got notified by Cox's abuse department for spraying udp/137 probes her son had already re-formatted and re-installed Windows as the system had been mysteriously "slow"...fortunately I got to him before he turned on file sharing again...his *intent* of course was to only share files with his second computer. Here's a disturbing observation: when looking to share his cable connection amongst two computers, Cox was more than happy to accommodate by selling him a second IP for $7.00/m. Did they suggest that sticking with one IP and spending $50 on a NAT router might have been a cheaper AND safer way to go?? I don't think so.

Here's another good one...we're up to something like NINE different variants of Opaserv...it's not uncommon for one host to become infected with 3 or 4 different variants at the same time...this tends to be a bit too resource intensive for Win9x, leaving users constantly rebooting and pleading for mercy.

Lessons Learned:

Conventional Thinking vs. Reality

1) I'm an Internet Nobody so I'm not a target

> Wrong. Most threats do not differentiate or seek out specific targets...they simply target *random* IPs...thus EVERYONE is a target.

2) I don't advertise my IP, so I can't be found
-or-
My IP changes often (dialup, blah, blah), so I'm safe

> Wrong. The most widespread worms (Opaserv, Code Red, Nimda, etc.) have amassed a huge army of infected hosts, 100s of THOUSANDS in size, each one attempting to infect as many hosts as they can. Collectively these infected hosts are able to attempt to infect EVERY SINGLE IP on the Internet in a very short time. My estimate for Code Red/Nimda is that every IP is scanned every 4 hours. I'm not sure if Opaserv is purely random, but it appears to be hitting many IPs at a rate of 20/hour...thus I don't care how you connect, or for how long you connect, if you allow yourself to be vulnerable you WILL be infected.

3) I have a corporate firewall, I'm protected.

> Wrong. Central firewalls protect the perimeter...Joe Sales Guy and Sally Secretary work *behind* the perimeter.

4) I run anti-virus, I'm protected.

Sigh...need I say more.

What I want to know is where is the MS Security patch that:

a) Forces passwords on all file shares

b) Disables sharing on ALL Dialup adapters
(make the users re-enable it if they really think they need that)

c) Disables sharing on any network interface with a public IP

Sigh...I guess we should be used to this nonsense...with Microsoft the only thing that's not enabled by default is security.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch

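The "spraying udp/137 probes" Lawrence mentions is the NetBIOS node-status query that Opaserv (and nbtstat -A, and any port scanner) uses to find out whether a host has registered the File Server Service name, the <20> entry that appears as soon as file and print sharing is switched on. The script below is an added example, not code from the thread or from myNetWatchman: it builds that query and parses the reply so an admin can walk a LAN and list which machines are advertising shares before the worm does. The host name, MAC address and name table in the sample reply are constructed; `probe()` only puts a real packet on the wire when you pass a host address on the command line.

```python
"""Probe a host's NetBIOS name table over udp/137 and report whether it
advertises the File Server Service (the <20> name Opaserv goes after)."""
import socket
import struct
import sys

NB_PORT = 137
NBSTAT = 0x0021                  # NODE STATUS query type (RFC 1002)
FILE_SERVER = 0x20               # name suffix <20>: File Server Service
GROUP_FLAG = 0x8000              # name-flags bit: group name, not a unique host name
WILDCARD = b"*" + b"\x00" * 15   # the "*" name used for node-status requests

def encode_nb_name(raw16: bytes) -> bytes:
    """First-level encode a 16-byte NetBIOS name: each nibble becomes 'A'+nibble."""
    assert len(raw16) == 16
    enc = bytearray()
    for b in raw16:
        enc.append(0x41 + (b >> 4))
        enc.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(enc) + b"\x00"   # label length, 32 chars, root label

def build_nbstat_query(txid: int) -> bytes:
    """The packet a NetBIOS scanner (or nbtstat -A) sends: one NBSTAT question for '*'."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name(WILDCARD) + struct.pack(">HH", NBSTAT, 1)

def build_nbstat_response(txid: int, names, mac: bytes) -> bytes:
    """The reply a Windows host sends; used here to fabricate a sample offline."""
    entries = b"".join(
        n.encode("ascii").ljust(15, b" ")[:15] + bytes([suffix]) + struct.pack(">H", flags)
        for n, suffix, flags in names)
    rdata = bytes([len(names)]) + entries + mac + b"\x00" * 40   # MAC + zeroed node statistics
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)    # response, authoritative
    rr = encode_nb_name(WILDCARD) + struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata))
    return header + rr + rdata

def parse_nbstat_response(data: bytes, txid=None):
    """Return ([(name, suffix, flags), ...], mac) from a node-status reply."""
    rtxid, flags, _qd, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", data, 0)
    if txid is not None and rtxid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000 or ancount < 1:
        raise ValueError("not a NetBIOS response")
    off = 12
    off += 1 + data[off] + 1                       # skip the echoed name label
    rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", data, off)
    off += 10
    if rtype != NBSTAT:
        raise ValueError("not a node-status answer")
    end = off + rdlen
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):                     # 18-byte entries: name, suffix, flags
        if off + 18 > end:
            raise ValueError("truncated name table")
        raw, suffix = data[off:off + 15], data[off + 15]
        nflags = struct.unpack_from(">H", data, off + 16)[0]
        names.append((raw.decode("ascii", "replace").rstrip(), suffix, nflags))
        off += 18
    mac = data[off:off + 6]
    return names, mac

def advertises_file_sharing(names) -> bool:
    """True if the host registered a unique <20> name, i.e. SMB file/print sharing is on."""
    return any(s == FILE_SERVER and not (f & GROUP_FLAG) for _, s, f in names)

def probe(host: str, timeout: float = 2.0):
    """Send a real NBSTAT query; returns (names, mac) or None if the host is silent."""
    txid = 0x4E57
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_nbstat_query(txid), (host, NB_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_nbstat_response(data, txid)

# Constructed sample (hypothetical host): a Win9x box with the File Server Service registered.
SAMPLE_NAMES = [
    ("JOESLAPTOP", 0x00, 0x0400),   # unique, B-node, active: workstation service
    ("JOESLAPTOP", 0x20, 0x0400),   # unique: File Server Service -> shares reachable
    ("WORKGROUP", 0x00, 0x8400),    # group name for the workgroup
    ("WORKGROUP", 0x1E, 0x8400),    # group: browser election
]
SAMPLE_MAC = bytes.fromhex("00c04f0a1b2c")

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(target) if target else parse_nbstat_response(
        build_nbstat_response(1, SAMPLE_NAMES, SAMPLE_MAC), 1)
    if result is None:
        print("no answer on udp/137")
    else:
        for n, s, f in result[0]:
            print(f"{n:<15}<{s:02X}> {'GROUP' if f & GROUP_FLAG else 'UNIQUE'}")
        print("file sharing ON" if advertises_file_sharing(result[0]) else "no file server service")
```

A group <20> name (a domain's file servers announcing collectively) does not mean this particular host has shares, which is why `advertises_file_sharing` ignores entries with the group bit set. Seeing a unique <20> name from outside the perimeter is exactly the condition item (c) of Lawrence's wish-list would prevent.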

tunedcivic

@rr.com

Some people just don't care. A friend of mine is running a loosely configured Apache server, and his port 139 is standing wide open. I have warned him several times but he says he doesn't care... I guess he will have to get 0wn3d before he will learn his lesson.



Tiffany$

join:2002-04-16
KangaCountry

reply to NetWatchMan
Nice post Net!
No matter how many times you flog a dead horse, it won't get up and take notice.
I have a similar situation at my work. NO AT/AW/Firewall, just Norton's Corporate Edition AV "it will stop everything, the salesman said so" crap.

Can't tell individuals about security, said "I'm not paranoid like you". Well, when some got the latest Bugbear virus, guess who they asked "where to go to cure it".

I told a couple "where to go all right" after they insisted they were OK, they can 'find it themselves to fix it' only to find they could not. *sigh*

Hell, I even had one person who refused to update because it "wasn't a good idea to have those virus signatures" on her PC. ROFLMFAO.
--
Cheers, Rat: I have a photographic memory. It's just that sometimes I forget to load the damn film!



Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to tunedcivic
I'll trust in my common sense and NIS 2003 for protection. :)



NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to Tiffany$

said by Tiffany$:

Hell, I even had one person who refused to update because it "wasn't a good idea to have those virus signatures" on her PC. ROFLMFAO.

You made me remember an even funnier one. A woman was very proud that she had the permissions on her C-share set to Read Only. Though she obviously didn't get Opaserv, she had no clue this meant she was Read-Only TO THE ENTIRE INTERNET!

I'm not sure if I was encouraged or discouraged by that case...
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


Tiffany$

join:2002-04-16
KangaCountry

lol... it's a wonder a whole nest of RATS did not take up residence.



Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to NetWatchMan
Sounds like the Needlepoint virus to me...but who is really learning the lesson????

»Security tightened after 'Needlepoint' virus
--
GAV-Gladiator AntiVirus Forum-»www.forum.gladiator-antivirus.com/



bjf123
We Want... A Shrubbery
Premium
join:2000-02-11
Hamilton, OH

said by MyNetWatchman:
Another interesting scenario is Sally Secretary who finds it essential to fire up an AOL client on her work computer so she can check on email. No one seems to realize that by doing so she has created a VPN-like tunnel right through the company firewall and now has a second (public) IP address which enables external threats to fly right through the firewall like a hot knife through butta. I've seen several cases of this...user Opaserv compromised in minutes.
Lawrence, can you give some more details on how that works? We just finished getting rid of Opaserv at one office, which we caught by my seeing a lot of activity hitting on Link Logger from our frame relay LAN which is not connected to the Internet. Our IT people have finally gotten around to thinking they need to install AV and AT programs on our PCs, along with firewalls. However, we don't have a company email system, so many people have AOL installed and set up a separate screen name to use for work. Since that will get right past the firewall, I'd like some more information to pass on about that (I'm just a lowly accountant, so I can't possibly know more about PC security). Thanks.
--
Golf is a relatively simple game, played by reasonably intelligent people, stupidly.


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to NetWatchMan
bjf123.

Here is the info on AOL at work and that firewall.

»AIM vs ZA - What the heck is happening?
--
GAV-Gladiator AntiVirus Forum-»www.forum.gladiator-antivirus.com/



NetWatchMan
Premium,VIP
join:2001-03-13
Alpharetta, GA

reply to NetWatchMan
Thanks for pushing me to formalize this issue as it's an important one...here you go:

This article examines the architecture of AOL's client (NOT Instant Messenger) when used in TCP/IP mode from within a firewall (or NAT router) protected network.

AOL Client: How to disable your corporate firewall.
--
Lawrence Baldwin
myNetWatchman
The Internet Neighborhood Watch


Tuulilapsi
Kenosis

join:2002-07-29
Finland

Very nice, Lawrence!



DrStrange
Technically feasible
Premium
join:2001-07-23
West Hartford, CT
kudos:1

reply to NetWatchMan
With all the discussion of NAT, firewalls, antivirus etc. I don't see one trick to stop Opaserv that costs nothing but a few minutes of setup time. Look here:

»grc.com/su-bondage.htm

It's 'How to Turn Off Drive Sharing For Dummies'.

With all the flak Steve Gibson gets, it's only fair to mention it when he's doing something right.

If you turn off NetBIOS, Opaserv won't find a lot to do on your machine.

[of course, when you get little elves installing AOL, all bets are off - hopefully the AOL adapter doesn't install with open shares? I wouldn't know ]
[text was edited by author 2002-11-23 13:57:11]



Demonspawn

join:2000-08-31
Oak Park, MI

---[of course, when you get little elves installing AOL, all bets are off - hopefully the AOL adapter doesn't install with open shares? I wouldn't know ]

Not by default.

AOL is... well it's a friggin nightmare. First of all, it installs its own network adapter into Windows. The reason for this is to control multiple logins from differing locations, but it has serious problems. Don't ever try to run AOL and a NetWare client on the same computer; you are asking for a headache if you do.

Secondly, AOL uses a VPN-like connection to connect to the AOL-Internet. This means that even if the corp firewall blocks something, an AOL client can grab it anyways, via the 'vpn' passing thru the firewall. It also makes the connection hard to secure. Since everything (mail, http, trojan commands) are all coming down to the client computer via the 'vpn' there is no way to get the protection of NAT, nor will a softwall be able to say: this machine didn't make a request from that port. (I may be wrong on the second half of the previous statement.)

It is due to the inability to protect this connection that we come to the third point: AOL is the classic example of the end-around attack.... in reverse. A typical end-around attack is that you know a user who VPN's from home to a corp network, so you attack that computer from the internet and then ride the VPN into the corp network. In the case of AOL, you ride the AOL 'vpn' into the corp network and then attack. Since the AOL adapter is virtually impossible to harden, this method is actually easier to accomplish than a classic end-around. All it requires is that the attacker has an AOL account.

AOL: the thing NEVER to have on a corp network.

--Demonspawn



Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

said by Demonspawn:
Secondly, AOL uses a VPN-like connection to connect to the AOL-Internet. This means that even if the corp firewall blocks something, an AOL client can grab it anyways, via the 'vpn' passing thru the firewall.
I think it has been established in past threads here, that the VPN will bypass a NAT router, but a firewall like ZA will still work on a VPN.
said by Demonspawn:
It also makes the connection hard to secure. Since everything (mail, http, trojan commands) are all coming down to the client computer via the 'vpn' there is no way to get the protection of NAT, nor will a softwall be able to say: this machine didn't make a request from that port. (I may be wrong on the second half of the previous statement.)
See my previous statement: ZA still provides protection for VPNs. :)


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:6

reply to NetWatchMan
See my previous statement: ZA still provides protection for VPNs.

Even when AOL sneaks it into your trusted zone.
--
GAV-Gladiator AntiVirus Forum-»www.forum.gladiator-antivirus.com/



Demonspawn

join:2000-08-31
Oak Park, MI

reply to NetWatchMan
I don't doubt that they would work for VPN's, I just wonder if they do work for AOL. AOL works differently from any other type of network connection (it installs its own adapter to communicate). If you do know of ZA working for AOL, I'd like to hear about that. I still wouldn't use AOL, however.

--Demonspawn



guycad$
In Search Of Free Speech
Premium
join:2002-05-02
Pompton Lakes, NJ

Speaking of AOL in the context of insecurity. Does anyone know if their adapter/software is required for AOL broadband?

BTW - It was my impression that the original reason for their custom adapter was an attempt to prevent an end run around AOL's internal controls for newsgroup access. I.e., you can open any browser you want after making a dialup connection with AOL. But any newsgroup reader (like Agent) would freeze when you attempted to connect to a newsgroup. This impression is based upon my personal attempts at accessing newsgroups when I used to have an AOL dialup account. Their news reader is so bad!
--
My Pictures. People who describe M$ software as 'mediocre' don't know the half of it. WinDoze Free 2003


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
kudos:1
Reviews:
·Optimum Online

reply to NetWatchMan

said by NetWatchMan:
This article examines the architecture of AOL's client (NOT Instant Messenger) when used in TCP/IP mode from within a firewall (or NAT router) protected network.
Thanks for the easy to understand explanation of the vulnerability.
--
Dog and Butterfly


Randy Bell
Premium
join:2002-02-24
Santa Clara, CA

reply to Demonspawn

said by Demonspawn:
I don't doubt that they would work for VPN's, I just wonder if they do work for AOL. AOL works differently from any other type of network connection (it installs it's own adapter to communicate). If you do know of ZA working for AOL, I'd like to hear about that.
I did some searching, and here are some old threads I've found:

»How to make Zonealarm 3 work with AOL?

in particular, the post by Mele20 in that thread:
said by Mele20:
I used to use AOL with ZA just fine. This was through September 2001, so whatever version of ZA was current at that time worked just fine with AOL. I used ZA for over a year with AOL with no problems.

Also, see the remarks by LowWaterMark here: »AOL 7.0 and ZA Plus
said by LowWaterMark:
AOL works on my system, with ZA+ at High, and it doesn't need special port permissions or server access rights either.
