CERT® Incident Note IN-2000-02

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Exploitation of Unprotected Windows Networking Shares

Updated: Friday, April 7, 2000
Date: Friday, March 3, 2000


Overview

Intruders are actively exploiting Windows networking shares that are made available for remote connections across the Internet. This is not a new problem, but the potential impact on the overall security of the Internet is increasing.

Description

SARA Editorial Note: The description below was typical for exploiting open shares in 2000. Though the techniques have become more sophisticated, this example description illustrates the damage that could be done through open shares.

We have received reports indicating a rise in activity related to a malicious Visual Basic Script (VBScript) known as "network.vbs". The malicious script is similar to a harmless example script distributed with some versions of Windows 98, found as:

c:\windows\samples\wsh\network.vbs

The malicious network.vbs script attempts to do the following things:

When configuring the C: drive of a Windows 9x machine to be shared, the default share name assigned is "C". If this default share name is used on a vulnerable computer, network.vbs performs its file copies on the C: drive of the remote system. If network.vbs is successfully copied into a Windows startup folder on a remote system, the remote system could execute network.vbs when the system reboots or a new user logs into the system.

We have also seen variations of network.vbs that perform different actions, such as:

The network.vbs script demonstrates one pervasive method of propagation intruders can leverage to deploy tools on Windows-based computer systems connected to the Internet. We are aware of one infected computer that attempted to infect a range of at least 2,400,000 other IP addresses before being detected and stopped. There may also be denial of service issues due to packet traffic if network.vbs is able to infect and execute from a large number of machines in a concentrated area.

Abe Singer from the San Diego Supercomputer Center has also published an analysis of network.vbs, available at:

http://security.sdsc.edu/publications/network.vbs.shtml

Impact

Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised system not only creates problems for the system's owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of systems attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in

IN-2000-01, Windows Based DDOS Agents

Another threat includes malicious and destructive code, such as viruses or worms, which leverage unprotected Windows networking shares to propagate. One such example is the 911 worm described in

IN-2000-03, 911 worm

There is great potential for the emergence of other instances of intruder tools that leverage unprotected Windows networking shares on a widespread basis.

Solutions

Removing the network.vbs script from an infected computer involves removing the running image from memory and deleting the copies of network.vbs from the hard drive. Other tools installed using the same method of propagation may be more difficult to detect and remove.

You may wish to ensure your anti-virus software is configured to test file names ending in .VBS to help detect virus outbreaks involving malicious VBScript code.
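A local audit for the two conditions described in this note, a drive root shared to the network and .vbs files sitting in a startup folder, can be scripted. The following is an added example, not part of the original CERT note; the function names are hypothetical, and it assumes a current Windows system with the SmbShare module (Windows 8 / Server 2012 or later) rather than the Windows 9x systems discussed above.

```powershell
# Added example (not from CERT). Function names are hypothetical.
# Assumes the SmbShare module (Windows 8 / Server 2012 or later).

function Get-DriveRootShare {
    # Report user-created shares that expose the root of a drive, the
    # configuration the note describes (C: shared under the default name "C").
    Get-SmbShare |
        Where-Object { -not $_.Special -and $_.Path -match '^[A-Za-z]:\\?$' } |
        ForEach-Object {
            $share = $_
            # Accounts granted access, so broad grants such as Everyone stand out.
            $grants = Get-SmbShareAccess -Name $share.Name |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { '{0}:{1}' -f $_.AccountName, $_.AccessRight }
            [pscustomobject]@{
                Share         = $share.Name
                Path          = $share.Path
                IsDefaultName = ($share.Name -eq $share.Path.Substring(0, 1))
                AllowedAccess = $grants -join '; '
            }
        }
}

function Get-StartupVbsFile {
    # List .vbs files in the startup folders of the current user and of all
    # users; other users' profiles are not covered by this check.
    $folders = @(
        [Environment]::GetFolderPath('Startup')
        [Environment]::GetFolderPath('CommonStartup')
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($folder in $folders) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.vbs' } |
            Select-Object FullName, Length, CreationTime, LastWriteTime,
                @{ Name = 'IsNetworkVbs'; Expression = { $_.Name -eq 'network.vbs' } }
    }
}

Get-DriveRootShare | Format-Table -AutoSize
Get-StartupVbsFile | Format-List
```

Administrative shares such as C$ are excluded through the Special property, so any row returned by Get-DriveRootShare is a share someone created deliberately and should be reviewed.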

Several steps can be taken to prevent exploitation of the larger problem of unprotected Windows networking shares:

Acknowledgments

We thank Abe Singer and the San Diego Supercomputer Center for contributions to this Incident Note.

Author: Kevin Houle


This document is available from: http://www.cert.org/incident_notes/IN-2000-02.html
CERT Copyright Material