Re: netbios vuln

[Nick FitzGerald <nick () virus-l demon co uk>]

> I posted this question to the list 3 weeks ago but the moderator
> failed to act on my post and thus it was returned to me.  I have
> been a ridicilious amount of netbios traffic at my main firewall. 

Probably Opaserv...

> This morning I read this article.  It seems to hint at a way to run
> arbitarty code via netbios, ...

It hints that rather weakly.

But note that Opaserv itself could be described, rather loosely, in 
those terms, so...

> ... now my question is does anyone know
> anything about this; ...

You have posted far too little information for anyone to contribute 
anything strongly meaningful.  A report such as

   I have been ["seen"?] a ridicilious amount of netbios traffic at 
   my main firewall.

hardly counts as a useful data point.  Perhaps there was a reason 
your initial post was dropped...

> ... is anyone seeing the netbios traffic and

I think you'll find lots of people are, though its probably tailing 
off somewagt now.

> finally is it just the author of the article (who is not a security
> writer like a brian mcwillaims or a thomas greene) didnt really
> understand what was going on?  This was from the securitynewsportal
> site.

There could be an element of that too...

> A teenage hacker attacked an online chatroom run by The Edge radio
<<blah, blah, blah>>
> ... The teenager claims to have written a trojan program
> called "FB3" with a friend known online as "lynx". The program
> exploits a "Netbios" vulnerability in Windows PCs related to file
> and print sharing, to plant itself on unsuspecting users' computers.

This is, as I said above, a sufficiently loose decription of how 
Opaserv works.  It scans the IP address space looking for machines 
apparently running SMB over TCP/IP then tries faking the full 
one-character password space to "crack" Win9x/ME machines not patched 
against MS00-072.  If it suceeds in connecting to the C: drive of 
such a machine, it then writes a copy of itself to the machine and a 
startup command in a system configuration file and starts all over 
again from that machine when it is next restarted.

This is all enabled by a horrendous comedy of errors starting with a
mind-numbingly stupid (in security terms) "feature" of the share- 
level password authentication scheme, the ease with which MS allows 
this "not really secure enough for physically secured networks 
anyway" to be enabled on a (by design) grossly insecure and largely 
unaudited public network such as the Internet, the default binding of 
network protocols and services on thoses OSes such that, by default, 
nearly every such machine with an Internet connection will be 
publicly exposing this vulnerability, teh default use of entirely 
predictable share names and installation directories, and so on...

> The infected computers (bots - short for robots) signal their
> presence to a computer in the United States which the teenager uses
> to send out the instructions to attack.  ...

And this is just a different payload to the basic Opaserv 
installation mechanism.

In fact, it could even be easier than this.  Thousands upon thousands
of Windows machines on the Internet have publicly exposed shares
_with no password at all_ exposing their system directories to
whoever wishes to rape and/or plunder.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com