I believe you are describing a feature introduced in Windows ME called "Net Crawler" and "Web Crawl." During this crawl of the entire network, shared resources including drives, printers, and faxes are enumerated. In a sane world this behavior could be called worm-like functionality built into an Operating System. Nevertheless, the behavior was extended in Windows XP to provide Net Crawl and Web Crawl persistence by default to the first 32 resources successfully mapped in, or available to, My Network Places | Add Network Place. Periodically, XP scans the network, identifies shared resources, queries them, then adds a shortcut link in "My Network Places" or "Printers and Faxes" to that resource. So, contrary to popular opinion and evidenced by this behavior, Microsoft actually did learn something from Nimda.

Way back in time, mapping drives over FTP and HTTP was introduced in IE 4.01 and Office 2000 as an implementation of "Web Folders," "HTML Data Binding," and "Office Server Extensions." Recommendations for Office 2000 included providing collaborative workspaces over HTTP via an IIS FPSE-extended web using mapped drives and WebDAV. FTP too. One needs only look to MS01-018's WebDAV vulnerability to see this is enabled on the server side by default in IIS 5.x (Q307934). So it follows that the client side is enabled by default in ME and XP.

Some of the places to look for remnants of this crawling are:

  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    \WorkgroupCrawler
    \NetCrawl
    \WebCrawl

As a semi-related and FUD-filled addendum, gaining control of a remote site to which persistent mappings are enabled or automatic crawling is reachable could allow, depending on end user choices, the hijacker to gather creds from all the clients. Offering resources across the Internet to unsuspecting Home Users(tm) with limited security training and insufficient defenses might also prove effective in similar credential-grabbing endeavors.
To start turning the crawl off on the client side, go to Folder Options and clear the tick box "Automatically search for network folders and printers." I suppose somewhere in the myriad of GPO settings we can push something out to the clients to stop the crawling as well.

http://support.microsoft.com/support/kb/articles/Q256/2/48.ASP
http://support.microsoft.com/support/kb/articles/Q276/3/22.ASP
http://support.microsoft.com/support/kb/articles/q320/1/38.ASP
http://support.microsoft.com/support/kb/articles/q307/9/34.asp
http://www.microsoft.com/technet/prodtechnol/winxppro/proddocs/webfoldr_overview.asp

Matt Scarborough 2002-04-13

On Tue, 9 Apr 2002 01:55:29 -0700, Eric Weaver wrote:
>
> Re: POSSIBLE WORM / DDOS
>
> Sorry for the delayed response.
>
> I have concluded that this activity is caused by another Microsoft
> misfeature. (Whether it is a virus or not, XP is caching previously
> accessed url/unc somewhere, leaving these hosts/shares potential victims for
> a virus/worm)
>
> Findings:
>
> Upon access to certain local directories of the "hot" machine (E:\,
> E:\download\ ), Windows (XP Pro) causes orderly probing to previously
> accessed ftp url & unc's. (This explains the many samba queries after the
> FTP attempts)
>
> The following caused the network activity:
>
> Start/ Run / E:\ <cr>
> Start/ Run / E:\download <cr>
>
> I searched through the local registry for the targeted IP's & sharenames
> (also searched for possible aliases) but was unable to find anything. I
> deleted the temporary internet cache, history, etc. Rebooted. Machine still
> caused same network activity.
>
> Reapplying generic folder options to the directories that were "triggering"
> this activity seemed to fix the problem.
>
> I wonder where Microsoft is storing this information? Those directories did
> not have any abnormal/hidden files. Odd.
>
> Someone mentioned this may be ACEBot or GTBot. I found no traces of these
> Trojans.
>
> I have not ruled out a virus.
>
> The fact that this happens in regular Windows Explorer (not a shortcut/link
> inside a browser) worries me.
>
> Thanks for everyone's $0.02.
>
>> tcpdump:
>>
>> 06:29:17.078874 10.2.2.241.1890 > 204.152.189.113.21: S 3272713560:3272713560(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 06:29:20.081771 10.2.2.241.1891 > 204.152.189.113.21: S 3273527112:3273527112(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 06:29:23.087434 10.2.2.241.1892 > 209.250.0.132.21: S 3274340020:3274340020(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 06:29:26.089861 10.2.2.241.1893 > 209.250.0.132.21: S 3275149251:3275149251(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 06:29:29.301291 10.2.2.241.1028 > 10.2.2.14.53: 161+ A? hawking.res.cmu.edu. (37)
>> 06:29:29.302121 10.2.2.14.53 > 10.2.2.241.1028: 161 NXDomain 0/1/0 (118) (DF)
>> 06:30:29.836128 10.2.2.241.1938 > 198.133.219.27.21: S 3293275935:3293275935(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 06:30:32.782191 10.2.2.241.1939 > 62.243.72.50.21: S 3294076486:3294076486(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 06:30:35.786356 10.2.2.241.1940 > 129.128.5.191.21: S 3294859714:3294859714(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
>> 06:30:38.690326 10.2.2.241.1941 > 66.26.238.15.21: S kOK> (DF)
>> <some snipped>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
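The following script is an added example for this archive page; it is not part of Matt's or Eric's posts. It does two things the thread asks for: it walks the three Explorer subkeys Matt names (WorkgroupCrawler, NetCrawl, WebCrawl) and dumps whatever cached share or URL targets are stored there, which is the information Eric was hunting for, and it reads or sets the setting behind the Folder Options tick box "Automatically search for network folders and printers." The mapping of that tick box to a REG_DWORD named NoNetCrawling under Explorer\Advanced (1 = crawling off), and the policy-side copy under Policies\Explorer, are assumptions on my part and are not stated anywhere in the thread; verify them on your own build before trusting the script's verdict.

```powershell
# Added example, not from the original post. Inspect Net Crawl / Web Crawl
# remnants and the per-user setting behind the Folder Options tick box
# "Automatically search for network folders and printers".
#
# ASSUMPTION (not in the thread): the tick box is backed by the REG_DWORD
# NoNetCrawling under HKCU\...\Explorer\Advanced (1 = crawling disabled), and
# Group Policy writes the same value under HKCU\...\Policies\Explorer.
[CmdletBinding()]
param(
    [switch]$Disable   # set NoNetCrawling=1 for the current user
)

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
$policy   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$remnants = 'WorkgroupCrawler', 'NetCrawl', 'WebCrawl'   # subkeys named in the post

function Get-CrawlerRemnants {
    # Emit one object per registry value found under the crawler subkeys,
    # including the subkey root itself (Get-ChildItem -Recurse skips the root).
    foreach ($name in $remnants) {
        $path = Join-Path $explorer $name
        if (-not (Test-Path $path)) {
            Write-Verbose "absent: $path"
            continue
        }
        $keys = @(Get-Item -Path $path) +
                @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }   # provider metadata, not data
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $p.Name
                    Data  = $p.Value
                }
            }
        }
    }
}

function Get-NetCrawlingState {
    # $null means the value is absent, which on XP means crawling is on.
    $u = Get-ItemProperty -Path "$explorer\Advanced" -Name NoNetCrawling -ErrorAction SilentlyContinue
    $g = Get-ItemProperty -Path $policy -Name NoNetCrawling -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UserNoNetCrawling   = $(if ($u) { $u.NoNetCrawling } else { $null })
        PolicyNoNetCrawling = $(if ($g) { $g.NoNetCrawling } else { $null })
    }
}

'--- cached crawl targets (shares / URLs) ---'
Get-CrawlerRemnants | Format-Table -AutoSize
'--- NoNetCrawling (1 = crawling off, 0 or absent = on) ---'
Get-NetCrawlingState

if ($Disable) {
    # Equivalent to clearing the Folder Options tick box (assumption above).
    New-Item -Path "$explorer\Advanced" -Force | Out-Null
    Set-ItemProperty -Path "$explorer\Advanced" -Name NoNetCrawling -Value 1 -Type DWord
    'NoNetCrawling set to 1; log off or restart Explorer for it to take effect.'
    Get-NetCrawlingState
}
```

Run it without arguments to audit a machine (the remnant listing is what you would compare against the destination addresses in a capture like Eric's), and with -Disable to flip the per-user setting. The policy value only reports; pushing it to clients belongs in Group Policy rather than in a per-user script.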
This archive was generated by hypermail 2b30 : Sun Apr 14 2002 - 14:56:32 PDT