> I posted this question to the list 3 weeks ago but the moderator > failed to act on my post and thus it was returned to me. I have > been a ridicilious amount of netbios traffic at my main firewall. Probably Opaserv... > This morning I read this article. It seems to hint at a way to run > arbitarty code via netbios, ... It hints that rather weakly. But note that Opaserv itself could be described, rather loosely, in those terms, so... > ... now my question is does anyone know > anything about this; ... You have posted far too little information for anyone to contribute anything strongly meaningful. A report such as I have been ["seen"?] a ridicilious amount of netbios traffic at my main firewall. hardly counts as a useful data point. Perhaps there was a reason your initial post was dropped... > ... is anyone seeing the netbios traffic and I think you'll find lots of people are, though its probably tailing off somewagt now. > finally is it just the author of the article (who is not a security > writer like a brian mcwillaims or a thomas greene) didnt really > understand what was going on? This was from the securitynewsportal > site. There could be an element of that too... > A teenage hacker attacked an online chatroom run by The Edge radio <<blah, blah, blah>> > > ... The teenager claims to have written a trojan program > called "FB3" with a friend known online as "lynx". The program > exploits a "Netbios" vulnerability in Windows PCs related to file > and print sharing, to plant itself on unsuspecting users' computers. This is, as I said above, a sufficiently loose decription of how Opaserv works. It scans the IP address space looking for machines apparently running SMB over TCP/IP then tries faking the full one-character password space to "crack" Win9x/ME machines not patched against MS00-072. If it suceeds in connecting to the C: drive of such a machine, it then writes a copy of itself to the machine and a startup command in a system configuration file and starts all over again from that machine when it is next restarted. This is all enabled by a horrendous comedy of errors starting with a mind-numbingly stupid (in security terms) "feature" of the share- level password authentication scheme, the ease with which MS allows this "not really secure enough for physically secured networks anyway" to be enabled on a (by design) grossly insecure and largely unaudited public network such as the Internet, the default binding of network protocols and services on thoses OSes such that, by default, nearly every such machine with an Internet connection will be publicly exposing this vulnerability, teh default use of entirely predictable share names and installation directories, and so on... > The infected computers (bots - short for robots) signal their > presence to a computer in the United States which the teenager uses > to send out the instructions to attack. ... And this is just a different payload to the basic Opaserv installation mechanism. In fact, it could even be easier than this. Thousands upon thousands of Windows machines on the Internet have publicly exposed shares _with no password at all_ exposing their system directories to whoever wishes to rape and/or plunder. -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Dec 09 2002 - 21:45:15 PST