Open shares, how do these cause virus infection?

  • Thread starter Thread starter Ned
  • Start date Start date
N

Ned

I keep seeing that open shares can lead to virus/worm/trojan infections, but
how does this work?
eg if your machine only has a single shared directory that contains data
only - say for p2p sharing.
Can a remote machine run an executable that affects the local machine?
thanks
 
from said:
I keep seeing that open shares can lead to virus/worm/trojan infections, but
how does this work?
eg if your machine only has a single shared directory that contains data
only - say for p2p sharing.
Can a remote machine run an executable that affects the local machine?
thanks
Click to expand...

If you only had a data directory, and you didn't ever execute anything
on it (by clicking it, for instance), you might get away with it.
However most people have a lot more than that shared ... try mapping a
network drive to
\\<your machine name>\c$ for instance - what happened?
 
eg if your machine only has a single shared directory that contains data
only - say for p2p sharing.
Click to expand...

This isn't a problem. The problem is those who share their root (or
windows) directory because that is the easiest for sharing any files
they need on a LAN.

Unfortunately it also allows sharers access to their operating system
files and there are numerous ways of editing these so that any program
on the machine can be set to run automatically at startup.


Jim.
 
Ned said:
I keep seeing that open shares can lead to virus/worm/trojan
infections, but how does this work?
eg if your machine only has a single shared directory that contains
data only - say for p2p sharing.
Can a remote machine run an executable that affects the local machine?
thanks
Click to expand...

With a share open for writing its trivial to place a file on it. You can
then wait for the user to open it, or you can then try an "exploit" against
the target machine that forces it to run a program already placed on it --
e.g. your file you just placed on the share.
 
Hi,
I keep seeing that open shares can lead to virus/worm/trojan infections, but
how does this work?
Click to expand...

I have to admit I'm not an expert, but I must be doing something right
as I never caught any virus since '98, so... ;)

....I don't know if there are any dangers in just having a normal data
share, except of course the constant risk of buffer overflow and other
code weaknesses.
But to state the (I guess) currently most dangerous share to be
exploited by malware: Windows NT/2K/XP implement so-called
administrative shares. These are shares that make it easier for a
network administrator to maintain the machines remotely. Slight
differences between the windows versions are likely, so I won't go into
too much detail, but you should be aware of this:
Windows offers any hdd drive you have as a share named according to the
drive letter plus a "$" that makes it an invisible share - you won't
see it by \\(machine_name) but it's there. Also, admin shares cannot be
disabled - they're always there (They're supposed to be switched off by
adding certain registry keys, but when I tried it on W2K it did not
work, so be careful!).
So your C drive, with all the system files, becomes accessible by
\\(machine_name)\C$. The administrative shares are, of course,
password-protected - you need to know the admin password of the machine
to access them.
BUT... many users, especially 2K/XP home users, have an empty admin
password.
So if a virus wants to infect a file in your C:\windows directory, it
may simply try to access \\(machine_name)\C$\windows\(file_name). If
you've got an empty admin password it will work. :(
 
Robert Moir said:
With a share open for writing its trivial to place a file on it. You can
then wait for the user to open it, or you can then try an "exploit" against
the target machine that forces it to run a program already placed on it --
e.g. your file you just placed on the share.
Click to expand...
By exploit, do you mean an external equivalent of someone double clicking on
a document which would then cause windows to open its associated application
called Word.exe which is really a virus exe masquerading as the original?
(phew, long badly phrased sentence)
 
It workws by using NetBIOS over IP to gain entry into the workings of a PC that
was NOT properly "locked down". Either the shares are setup with strong
passwords or a FireWall is used to block access.
Click to expand...

Hi Dave
You've baffled me. Can you explain this in simpler terms. Im not a total
networking thicky, Ive heard/read these phrases before, but I dont actually
understand either of your first 2 sentences.
thanks
 
NetBIOS is the bassis for all MS Networking. There has to be a Network Transport
to use this across LANs. The two Routable Network Transports are TCP/IP and
IPX/SPX. The non-Routable one is NetBEUI. Since IPX/SPX is NOT the language of
the Internet, that leaves NetBIOS over IP.

NetBIOS over IP uses several TCP and UDP ports of the TCP/IP family. The most
notable are ports 137, 138 and 139. They are known as; NetBIOS Name Sservice,
NetBIOS Datagramd and NetBIOS Session. Also used are 135, location Service is
used for MS Remote Procedure Calls (RPC) and 445 Microsof Directory Service.

If a Microsoft PC can be directly seen from the POV of the Internet these ports
have to be protected. If it is a singular PC, chances are the services should be
turned-off or at least protected via a personal FireWall. If the PC participate
in a LAN, then the services are neede for a LAN and can't be turned off then you
MUST have a FireWall.

The term "locked-down" means that they are secured. Such as using unique multy
character passwords (uses lower, UPPER, numbers (1 2 3 4 5 6 7 8 9) and special
charachters (! $ & ^ %, etc.) when a directory is shared. It also refers to the
use of a FireWall. The FireWall, if setup correctly, won't let TCP/UDP posrts
135 ~ 139 and 445 leak into the Internet nor Hackers or Internet Worms from
attacking.


Dave


|
| > It workws by using NetBIOS over IP to gain entry into the workings of a PC
| that
| > was NOT properly "locked down". Either the shares are setup with strong
| > passwords or a FireWall is used to block access.
|
| Hi Dave
| You've baffled me. Can you explain this in simpler terms. Im not a total
| networking thicky, Ive heard/read these phrases before, but I dont actually
| understand either of your first 2 sentences.
| thanks
|
|
 
MS is fil of holes. When person (WhiteHat or BlackHat) finds a hole this is
deemed a vulnerability. When someone deliberatey tries to gain access or perform
nefarious actions upon a vulnerability this is know as an exploit.

Dave


| By exploit, do you mean an external equivalent of someone double clicking on
| a document which would then cause windows to open its associated application
| called Word.exe which is really a virus exe masquerading as the original?
| (phew, long badly phrased sentence)
|
|
 
This wouldn't work anymore, but as an example I could
place an executable in c:\your_shared_directory called
Very_bad_thing.exe and then send you an e-mail with
a meta refresh to file:/ /c:/your_shared_directory/Very_
bad_thing.exe and cause that exe to exe - cute huh?
Click to expand...

ah.... I see now. thanks for that ftr
 
You could also be sent to a web page that says in order for you
navigate the web site you need to see the flash movie the navigation
bar is on and that you need to install the flashmovie.ocx so you can
see the navigation bar. Then the .ocx (activex) control gives the web
page complete control of your computer.
Click to expand...

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and
_Rootkit_Tools_in_a_Windows_Environment.html

All of the Windows O/S are vulnerable to attack. Windows 9'x and ME with
ME being some kind of Win 98 that should never have happened are even
more vulnerable, since they are root based O/S(s).

Duane :)
 
Windows XPlode even more so , what with it's ability to do raw sockets
Click to expand...

One could use something like Socketlock to lock down the raw sockets on
the XP Home O/S. I myself when I go to XP I will be using XP Pro and 2K3
and these O/S's have access rights based on user account security
context.

I run with the Admin account on the Win 2k machines and raw sockets is
wide open. I can do this, because I have a host based FW solution on the
machines that protects the O/S and a NAT router sitting in front of the
machines protecting the network.

Duane :)
 
Duane Arnold wrote:

One could use something like Socketlock to lock down the raw sockets
on the XP Home O/S. I myself when I go to XP I will be using XP Pro
and 2K3 and these O/S's have access rights based on user account
security context.

I run with the Admin account on the Win 2k machines and raw sockets is
wide open. I can do this, because I have a host based FW solution on
the machines that protects the O/S and a NAT router sitting in front
of the machines protecting the network.
Click to expand...

Oh no. Raw sockets. Phone Steve Gibson. Phone CNN. WON'T SOMEONE PLEASE
THINK OF THE CHILDREN.

Sheesh.
 
On that special day, Ned, ([email protected]) said...
By exploit, do you mean an external equivalent of someone double clicking on
a document which would then cause windows to open its associated application
called Word.exe which is really a virus exe masquerading as the original?
(phew, long badly phrased sentence)
Click to expand...

There are many exploits.

One of the first worms to infect MS-Os running PCs over the internet,
was qaz. It was rather benign, compared to the later specimens. It would
copy itself in place of the accessory notepad.exe, and save the original
program as note.com.

Every time someone wanted to see something in the editor, he/she would
execute notepad (ie the worm), which would then call note.com to do the
job of displaying text, but by now the worm was active and did scan for
new IP numbers with computer with open shares (at least on C:\windows),
and copy itself onto the newly found hard disk, to find another user to
execute it.

In this case, the exploit was twofold:
- copying itself as a common program to open shares
- relying on users to run said application.


A new twist was the wrong MIME type exploit, that made the worm
autoexecutive. A mail with a attachment was sent, which was declared to
be a music piece (wave or midi). But in fact it was an executable.

The Outlook Express and Internet Explorer versions from 5.0 until 5.5
*without* the Service Pack 2 were designed to show mail contents in
advance, in the preview panel, and hand executables to the OS, so that
the infection method went like this:

Recipient previews mail.
OE detects a "music piece", and wants to "play" it.
OE finds (from the beginning of the code that is read) that this cannot
be music, but is an executable. It passes the executable to Windows.
Windows sees that the executable has been handed over from a local
program (OE), so it must be a local executable must be a local program,
too.
Windows executes the worm, the PC gets infected.

This one didn't rely on open shares, but used a double exploit, too:
- OE runs "music files" in the preview pane, whatever they might be
- Windows executes everything passed from OE, whatever it is

An open share dependent worm also uses exploits:
- worm copies itself to open shares on critical places like C:\Windows
or C:\Programs (this is the main exploit)
and performs things like this:
* worm overwrites commonly used applications with own version
* worm copies itself into C:\Windows\startup (auto execution at boot
time)
* worm changes registry (autostart via run and runonce keys)
* worm writes a start entry into win.ini of the kind run=worm.exe or
load=worm.exe
* worm copies itself to a different place, but drops a component into
said autostart slots, and after being run, check every n minutes if the
dropped component is still there, if not, it copies the dropped
component again
....

- worm copies itself over other internet services like KaZaA, drops a
component into the autostart, creates a folder and shares it to the
world, so that others will start downloading it (benjamin and clones)
- worm copies itself over ICQ or IRC and relies on the recipient's
curiosity by adding a message like "look at this, you just must"


Some worms already don't rely on a single spreading method any more, but
combine several exploits, to make sure that they will find more victims.


The MiMail is only new in so far, as it uses an exploit which hadn't
been used by any worm before, and that it will probably "serve" as a
model for virus coders, to make more of these.


Gabriele Neukam

(e-mail address removed)
 
Back
Top