Audit Your Windows Shares

Detect exploitive tools on your system!

Security UPDATE, Web exclusive, March 19, 2003



(contributed by Mark Joseph Edwards, News Editor, [email protected])


CERT issued an advisory last week regarding exploitation of Windows shares. The team is receiving an increasing number of reports about intrusion against shares on Windows XP and Windows 2000 systems. Intruders who exploit weak Administrator account passwords have compromised thousands of systems.

CERT said the recent examples of tools used to compromise systems include W32/Deloder, GT-bot, sdbot, and W32/Slackor. Each of these tools can automatically scan networks for other systems to compromise, which lets such tools spread rapidly to countless systems. Attackers could use compromised systems to launch still other attacks in the future, such as Distributed Denial of Service (DDoS) attacks; or intruders could use the compromised systems to cover nefarious activities.

W32/Deloder and W32/Slackor scan for systems with a listening port 445, which handles Server Message Block (SMB) sessions over TCP/IP. W32/Deloder includes a Virtual Network Computing (VNC) tool that lets a remote intruder view the compromised system's desktop. Internet Relay Chat (IRC) is one way that all four tools let a remote intruder gain control over a compromised system. GT-bot and sdbot both include functionality that directly facilitates DDoS attacks. CERT's advisory contains descriptions of these tools, including their components, and offers advice about how to detect them on your systems.

With remote access to a system, intruders can perform many possible actions. If you notice large amounts of traffic destined for port 445, consider checking the source of that traffic--it might all be coming from one compromised system. CERT advises, for example, that if a given system isn't meant to be a file server, that system shouldn't have share points, and such sharing should be disabled on all nonserver systems. CERT's advice includes disabling hidden administrative shares on XP and Win2K platforms.
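As an added example (not from the article or from CERT's advisory), the following PowerShell audit checks a host against the advice above: it lists share points and hidden administrative shares, checks whether the AutoShareWks/AutoShareServer registry values would re-create the administrative shares at boot, flags shares that grant Everyone Full control, and lists the peers currently holding SMB sessions on port 445. It assumes Windows 8/Server 2012 or later (SmbShare module) run from an elevated prompt; the $IsFileServer parameter is an assumption the operator supplies.

```powershell
# Added example (not from the article): audit local SMB shares against the
# CERT advice above. Assumes Windows 8 / Server 2012 or later (SmbShare module)
# and an elevated prompt. $IsFileServer is an operator-supplied assumption.
param([bool]$IsFileServer = $false)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Enumerate shares. Special = $true marks the hidden administrative shares
#    (ADMIN$, C$, D$, ...); IPC$ is skipped because it cannot be removed.
$shares = Get-SmbShare
foreach ($s in $shares) {
    if ($s.Special -and $s.Name -ne 'IPC$') {
        $findings.Add("Hidden administrative share present: $($s.Name) -> $($s.Path)")
    }
    elseif (-not $s.Special -and -not $IsFileServer) {
        $findings.Add("Share point on a nonserver host: $($s.Name) -> $($s.Path)")
    }
}

# 2. Deleting admin shares is not enough: the Server service re-creates them at
#    boot unless these LanmanServer values are 0 (Wks = workstation, Server = server).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $v -or $v -ne 0) {
        $shown = if ($null -eq $v) { 'absent' } else { $v }
        $findings.Add("$name = $shown; administrative shares will be re-created on reboot")
    }
}

# 3. Permissive ACLs on user shares: Everyone with Full control is the setting
#    the weak-password intrusions in the advisory take advantage of.
foreach ($s in ($shares | Where-Object { -not $_.Special })) {
    foreach ($acl in Get-SmbShareAccess -Name $s.Name) {
        if ($acl.AccountName -match 'Everyone' -and
            $acl.AccessControlType -eq 'Allow' -and $acl.AccessRight -eq 'Full') {
            $findings.Add("Share $($s.Name) grants Everyone Full control")
        }
    }
}

# 4. Who holds SMB sessions right now? Unexpected peers are the port 445 traffic
#    the article says to trace back to its source.
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Group-Object RemoteAddress |
    ForEach-Object { $findings.Add("Established SMB session(s) from $($_.Name): $($_.Count)") }

if ($findings.Count -eq 0) { 'No share findings.' } else { $findings }
```

Run it once with the default $IsFileServer on every workstation and with -IsFileServer $true on designated file servers; any administrative-share or AutoShare finding on a workstation is a deviation from the CERT guidance above.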

CERT advises--as security professionals have long emphasized--that you use strong passwords, antivirus software, firewalls, and ingress and egress filtering to help curb unwanted network traffic. And never run programs that you don't implicitly trust.

CERT's recommendations, as always, are sound. In addition to following that advice, be sure to use the security scanner of your choice and security checklists that Microsoft and other third-party companies publish to examine your system's security. A good place to begin is with Microsoft's checklists and guides.

And if you aren't aware of it already, another version of the Code Red worm, called Code Red F, is spreading around the Internet. You can read about that in the related news story "New Code Red Variant Spreading" in the Security Roundup section of this newsletter. By now, you should have patched your systems so that they aren't susceptible to Code Red, but if you haven't done so, read the news story to learn about the Microsoft IIS patch that can help prevent infection. Also, be sure to read the vulnerability report "Unchecked Buffer in Windows 2000 WebDAV," regarding the newly reported problem with WWW Distributed Authoring and Versioning (WebDAV). It's important that you patch your servers as soon as possible.
