Security Incidents: Re: netbios vuln

Re: netbios vuln

From: Nick FitzGerald <nick_at_virus-l.demon.co.uk>
Date: Mon, 09 Dec 2002 22:36:51 +1300

> I posted this question to the list 3 weeks ago but the moderator
> failed to act on my post and thus it was returned to me. I have
> been a ridiculous amount of netbios traffic at my main firewall.

Probably Opaserv...

> This morning I read this article. It seems to hint at a way to run
> arbitrary code via netbios, ...

It hints that rather weakly.

But note that Opaserv itself could be described, rather loosely, in
those terms, so...

> ... now my question is does anyone know
> anything about this; ...

You have posted far too little information for anyone to contribute
anything strongly meaningful. A report such as

   I have been ["seen"?] a ridiculous amount of netbios traffic at
   my main firewall.

hardly counts as a useful data point. Perhaps there was a reason
your initial post was dropped...

> ... is anyone seeing the netbios traffic and

I think you'll find lots of people are, though it's probably tailing
off somewhat now.

> finally is it just the author of the article (who is not a security
> writer like a Brian McWilliams or a Thomas Greene) didn't really
> understand what was going on? This was from the securitynewsportal
> site.

There could be an element of that too...

> A teenage hacker attacked an online chatroom run by The Edge radio
<<blah, blah, blah>>
>
> ... The teenager claims to have written a trojan program
> called "FB3" with a friend known online as "lynx". The program
> exploits a "Netbios" vulnerability in Windows PCs related to file
> and print sharing, to plant itself on unsuspecting users' computers.

This is, as I said above, a sufficiently loose description of how
Opaserv works. It scans the IP address space looking for machines
apparently running SMB over TCP/IP then tries faking the full
one-character password space to "crack" Win9x/ME machines not patched
against MS00-072. If it succeeds in connecting to the C: drive of
such a machine, it then writes a copy of itself to the machine and a
startup command in a system configuration file and starts all over
again from that machine when it is next restarted.

This is all enabled by a horrendous comedy of errors starting with a
mind-numbingly stupid (in security terms) "feature" of the
share-level password authentication scheme, the ease with which MS
allows this "not really secure enough for physically secured networks
anyway" to be enabled on a (by design) grossly insecure and largely
unaudited public network such as the Internet, the default binding of
network protocols and services on those OSes such that, by default,
nearly every such machine with an Internet connection will be
publicly exposing this vulnerability, the default use of entirely
predictable share names and installation directories, and so on...

> The infected computers (bots - short for robots) signal their
> presence to a computer in the United States which the teenager uses
> to send out the instructions to attack. ...

And this is just a different payload to the basic Opaserv
installation mechanism.

In fact, it could even be easier than this. Thousands upon thousands
of Windows machines on the Internet have publicly exposed shares
_with no password at all_ exposing their system directories to
whoever wishes to rape and/or plunder.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
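The "one-character password space" Nick refers to is the MS00-072 share-level password weakness: the Win9x/ME file-sharing server compared only as many bytes of the share password as the client sent, so a single matching byte was enough to get in. The following is an added example written for this page, not Opaserv or Windows code. It models the unpatched comparison beside a full-length comparison, shows that the first byte falls in at most 256 guesses, and goes one step beyond the post by recovering the whole password byte by byte under the prefix-only check. The function names, the stored password and the rule that an empty guess is rejected are assumptions of the model.

```python
"""Model of the MS00-072 share-level password check (added example).

Assumption: the unpatched server compares only the first len(supplied)
bytes of the stored password and rejects an empty guess. Everything
here is a simulation for illustration, not Windows or worm code.
"""
import hmac
from typing import Callable, Optional, Tuple

Checker = Callable[[bytes, bytes], bool]


def vulnerable_check(stored: bytes, supplied: bytes) -> bool:
    """Prefix-only comparison modelling the unpatched behaviour."""
    if not supplied:
        return False
    return stored[:len(supplied)] == supplied


def fixed_check(stored: bytes, supplied: bytes) -> bool:
    """Full-length comparison: lengths must match and every byte must agree.
    hmac.compare_digest returns False for differing lengths and runs in
    time independent of where the first mismatch is."""
    return hmac.compare_digest(stored, supplied)


def crack_first_byte(check: Checker, stored: bytes) -> Tuple[Optional[bytes], int]:
    """Send every possible one-byte password (what the post describes).
    Returns (accepted byte or None, number of attempts used)."""
    attempts = 0
    for b in range(256):
        attempts += 1
        if check(stored, bytes([b])):
            return bytes([b]), attempts
    return None, attempts


def recover_full_password(check: Checker, stored: bytes, max_len: int = 64) -> Tuple[bytes, int]:
    """Extend a known-good prefix one byte at a time, at most 256 guesses
    per position. Under the prefix-only check the first position where no
    extension is accepted means the whole password is already known.
    Returns (recovered prefix, total attempts)."""
    prefix = b""
    attempts = 0
    while len(prefix) < max_len:
        extended = None
        for b in range(256):
            attempts += 1
            if check(stored, prefix + bytes([b])):
                extended = prefix + bytes([b])
                break
        if extended is None:
            break
        prefix = extended
    return prefix, attempts


if __name__ == "__main__":
    password = b"Secret9!"  # constructed sample share password
    print("unpatched:", crack_first_byte(vulnerable_check, password))
    print("unpatched, full recovery:", recover_full_password(vulnerable_check, password))
    print("patched:", crack_first_byte(fixed_check, password))
```

The two cost figures are the point: against the prefix-only check an eight-byte password costs a few hundred connection attempts in total (bounded by 256 per byte, plus one final round of 256 failures that signals the end), whereas against the full-length check one-byte guesses never succeed and the attacker is back to the full 256**8 space.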
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on Dec 10 2002
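Nick's advice that a bare "lots of netbios traffic" report is not a useful data point suggests what the original poster should have extracted from the firewall logs: which sources are hitting how many distinct hosts on the NetBIOS ports, since an Opaserv-style sweep touches many destinations from one source in a short time. The following is an added example, not code from the post or from any firewall product. The log lines are constructed in an iptables-style format, the port set (137/udp, 138/udp, 139/tcp) and the threshold are assumptions, and the regular expression will need adapting to another log format.

```python
"""Flag sources sweeping NetBIOS ports in firewall logs (added example).

Assumptions: iptables-style "SRC=... DST=... PROTO=... SPT=... DPT=..."
lines; NetBIOS over TCP/IP means 137/udp, 138/udp and 139/tcp. The
SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

NETBIOS_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>TCP|UDP) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample: one host sweeping five neighbours, one host talking
# to a single peer, one unrelated SSH connection.
SAMPLE_LOG = """\
Dec  9 22:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Dec  9 22:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=UDP SPT=137 DPT=137
Dec  9 22:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=TCP SPT=1042 DPT=139
Dec  9 22:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.13 PROTO=TCP SPT=1043 DPT=139
Dec  9 22:01:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.14 PROTO=TCP SPT=1044 DPT=139
Dec  9 22:01:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.14 PROTO=TCP SPT=1045 DPT=80
Dec  9 22:01:06 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=139
Dec  9 22:01:06 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Dec  9 22:01:07 fw kernel: ACCEPT IN=eth0 SRC=192.0.2.99 DST=192.0.2.10 PROTO=TCP SPT=3000 DPT=22
"""


def netbios_targets(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each source address to the set of distinct destinations it
    touched on a NetBIOS port. Non-matching and non-NetBIOS lines are skipped."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        if (m.group("proto"), int(m.group("dpt"))) not in NETBIOS_PORTS:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return dict(targets)


def flag_sweepers(lines: Iterable[str], threshold: int = 3) -> List[Tuple[str, int]]:
    """Sources that hit at least `threshold` distinct hosts on NetBIOS ports,
    most active first. A single host talking to one server never trips it."""
    counts = [(src, len(dsts)) for src, dsts in netbios_targets(lines).items()]
    return sorted((c for c in counts if c[1] >= threshold), key=lambda c: (-c[1], c[0]))


if __name__ == "__main__":
    for src, n in flag_sweepers(SAMPLE_LOG.splitlines()):
        print(f"{src} probed {n} hosts on NetBIOS ports")
```

Counting distinct destinations rather than raw packets is what separates a sweep from a chatty but legitimate peer; a production version would also bound the count to a time window and report the first and last timestamps, which is the kind of detail that turns "a ridiculous amount of traffic" into a report the list can act on.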