W32.Licum Gaelicum.A


Virus Guy

Art said:
Grandma doesn't have a NAT router :)

Does Grandma use ICS?
Win ME (and some versions of '98 according to Steve
Gibson) have the upnp service port open.

Windows ME and XP include native UPnP services; Windows 98 and 98SE do
not include a native UPnP service, but one can be installed via the
Internet Connection Sharing client that ships with Windows XP. (So
any upnp vulnerability that Win-98 has is not something that's going
to hit a standard or default installation of 98).
Win 9x/ME also has RPC services enabled by default. The only
way I found to close the port is to rename RPCSS.EXE to
RPCSS.OLD in plain DOS.

I'm not sure what the relationship is between DCOM and RPCSS (on
win-98) vs what NT/2k/XP does with RPCSS (besides use it for DCOM).
RPC functionality is not critical to 9x (like you did by stopping
RPCSS.EXE, which is the DCOM listening agent). I don't know - does
Windows Updates (or any other "update" service) need/use RPC/Dcom?

But RPC and DCOM is a moot point for Win-98. When you drill down
Microsoft's web pages for those Security Bulletins, you will see that
Win-98 is not affected anyways.

See:

http://www.jsware.net/jsware/viinfo.html
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

I've observed that when a vulnerability in 2k or XP is discovered and
a bulletin is written up, if Win-98 is not affected then it is not
mentioned specifically as "not affected" (although ME will be
mentioned if applicable). When you drill down into the details of
such a bulletin (usually the FAQ section) where the question is "Is
Windows 98 affected by this vulnerability" the answer is something
like "Win-98 is no longer supported bla bla bla" (yet Micro$haft will
still list the vulnerability status of NT even though it was _REALLY_
supposed to reach end-of-life last December and 98 has been extended).

I think it's Microsoft's way of down-playing 98's LACK of
vulnerability to any new exploit by specifically not putting it in the
"not affected" list (which is usually pretty short).
Win 98 has a number of vulnerabilities
I can only remember one off hand that I specifically tested
on '98 which was a TCP/IP stack overrun vulnerability.

I can only find these two items that might be what you're talking
about:

Fragmented IGMP Packet Vulnerability
http://www.winguides.com/security/display.php/53/

Incomplete TCP/IP Packet Vulnerability
http://www.winguides.com/security/display.php/170/

The first one is (at worst) a DoS problem and the second one is only
possible if file/print sharing was turned on.

Frankly, I still don't see much in terms of vulnerability when you
take a plain vanilla default install of Win-98(se) and hook it up to
the internet (without going through a NAT router/firewall).

If you start using IE, or OE, or other software, then sure - there are
specific updates for that stuff. But when it comes to the underlying
OS, 98 just plain isn't vulnerable to an exploit that would result in
a back-door or trojan being installed.
 

Virus Guy

Art said:
... and made sure all ports were closed. The point is that
this can be done with any version of Windbloze.

There are some services in NT/2k/XP that are a *bitch* to close or
turn off and are turned on by default.

Besides that, NT/2K/XP have some very sneaky ways to hide files and
directories (like the recycler) that is just plain stupid when some
hacker has turned your NT box into their own personal FTP site and you
don't even know where the hell the files are being kept.

You can't argue that when it comes to XP that it's a *good thing* (tm)
for an OS to go to extreme lengths to prevent even experienced users
from having full access and control over their system.

I dare you to try to delete "MSN Gaming Zone" directory from your XP
system. You can't! If you were *really good*, you could do it before
SP2. Now you can't.
There's no reason grandma needs to be less safe using
the NT based OS than the DOS based ones. Her "safe hex"
rules are the same in any event. She just needs a
utility to harden her OS, since she can't be trusted
to follow a procedure involving editing the registry :)

Wouldn't it be nice to give grandma an OS that was safe
"out-of-the-box" ???

Who's going to be around to write that utility for her anyways?
 

Art

Does Grandma use ICS?

That would be disabled on grandma's OS, as well as whole shitpot
full of unnecessary stuff. Remember, grandma is only interested
in browsing and email.
Windows ME and XP include native UPnP services; Windows 98 and 98SE do
not include a native UPnP service, but one can be installed via the
Internet Connection Sharing client that ships with Windows XP. (So
any upnp vulnerability that Win-98 has is not something that's going
to hit a standard or default installation of 98).

Then why did Steve say "some versions"? There are various special OEM
versions of Windows.
I'm not sure what the relationship is between DCOM and RPCSS (on
win-98) vs what NT/2k/XP does with RPCSS (besides use it for DCOM).
RPC functionality is not critical to 9x (like you did by stopping
RPCSS.EXE, which is the DCOM listening agent). I don't know - does
Windows Updates (or any other "update" service) need/use RPC/Dcom?

Windows Update works fine. I dunno what other updating services you
have in mind. Certainly any av and spyware apps I've ever used
work fine.
But RPC and DCOM is a moot point for Win-98. When you drill down
Microsoft's web pages for those Security Bulletins, you will see that
Win-98 is not affected anyways.

See:

http://www.jsware.net/jsware/viinfo.html
http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx

That talks about a vulnerability on the NT based OS which has nothing
to do with having a port open on '98.
I can only find these two items that might be what you're talking
about:

Fragmented IGMP Packet Vulnerability
http://www.winguides.com/security/display.php/53/

Incomplete TCP/IP Packet Vulnerability
http://www.winguides.com/security/display.php/170/

The first one is (at worst) a DoS problem and the second one is only
possible if file/print sharing was turned on.

Vulnerabilities nevertheless.
Frankly, I still don't see much in terms of vulnerability when you
take a plain vanilla default install of Win-98(se) and hook it up to
the internet (without going through a NAT router/firewall).

I'd never advise newbies to not patch and harden their OS, regardless
of which one it is. As to specific Trojans that may take advantage of
raw default installs of '98, I don't know offhand. Remember there are
the script kiddie and hacker situations to be considered as well.
Closing ports and disabling services is always a good idea.

Art

http://home.epix.net/~artnpeg
 

Art

There are some services in NT/2k/XP that are a *bitch* to close or
turn off and are turned on by default.

I don't seem to have that problem on Win 2K Pro.
Besides that, NT/2K/XP have some very sneaky ways to hide files and
directories (like the recycler) that is just plain stupid when some
hacker has turned your NT box into their own personal FTP site and you
don't even know where the hell the files are being kept.

You're not supposed to take hits.
You can't argue that when it comes to XP that it's a *good thing* (tm)
for an OS to go to extreme lengths to prevent even experienced users
from having full access and control over their system.

I don't argue for XP since I've never used it.
Wouldn't it be nice to give grandma an OS that was safe
"out-of-the-box" ???

Sure. Too bad there aren't any from MS.
Who's going to be around to write that utility for her anyways?

Is the world coming to an end? :)

Art

http://home.epix.net/~artnpeg
 

Virus Guy

Art said:
Then why did Steve say "some versions"? There are various
special OEM versions of Windows.

http://www.cert.org/advisories/CA-2001-37.html

UpnP was shipped with ME (but disabled as default) and also came with
XP (enabled as default) and can be installed on 98/98SE.

Strange - no mention of 2k (in any UpnP context).

Regarding DCOM/RPC:
That talks about a vulnerability on the NT based OS which
has nothing to do with having a port open on '98.

See

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?Vname=RPC DCOM BUFFER OVERFLOW

And this one:

http://www.microsoft.com/technet/security/bulletin/MS04-012.mspx

You tell me what it's trying to say about Win-98.

I like Steve's "dcom-bobulator":

http://grc.com/dcom/
Vulnerabilities nevertheless.

No OS is perfect.

I'm sure it's a fluke that a default install of 98 is (more or less)
intrusion or trojan or worm-proof (and I think I've countered all your
arguments to the contrary).

I think your position is that 98 and 2k and XP are (in a default
install for a single-desktop, non-local-networked but
internet-connected situation) equally "exploitable" to rogue code or
access mechanisms from the internet. I say that 98's exploitability
(in the above context) is either low or non-existent and that 2k and
XP are not.

And (more to the point) that the several years that 2k and XP were
vulnerable that it caused a lot of damage for the computing industry
in general and specifically for individuals who might have had their
identity stolen, their computer hacked, the propagation of mal-ware
via infected systems, spam, etc. The ultimate point being that
Micro$haft put ease-of-use and ease-of-support at the top of their
list, along with their own cost/benefit analysis as to how to supply
(or what to supply) the home computer market in late 2001 / early
2002.

I say they were criminally negligent at not properly thinking through
the implications of supplying an OS designed for corporations to the
home market with little to no thought given to the network-based
vulnerabilities inherent in XP. What's more galling is that XP
brought no real benefit to the home computer over 98. It was a
marketing-driven decision to keep the planned obsolescence of 98 on
track, regardless of the suitability of XP to replace it for the home
computer market.
 

Art

I'm sure it's a fluke that a default install of 98 is (more or less)
intrusion or trojan or worm-proof (and I think I've countered all your
arguments to the contrary).

I think your position is that 98 and 2k and XP are (in a default
install for a single-desktop, non-local-networked but
internet-connected situation) equally "exploitable" to rogue code or
access mechanisms from the internet.

Nope. Not my position at all. Far from it. I suggest that you get off
your ranting long enough to read what I've been saying.

My position is that any version of Windbloze can be "dumbed down" to
make it reasonably safe for grandma to do her browsing and email
without being concerned with having to have a shitload of "protection"
sw/hw, and keeping them updated. In fact, grandma is better off
not depending on a sw firewall since people sometimes disable them for
just a short time and take hits. It's always best to harden the OS
(and patch it). And never trust any "out of the box" install.

Exactly how well dumbing down certain versions of XP might go, I
dunno since I haven't used any of them. But I do know it's pretty easy
to harden Win 2K:

http://www.claymania.com/windows2000-hardening.html

Now, it may be that people have gotten away with running some of the
DOS based OS ... Win 9X/ME ... without hardening and patching. In
fact, I did that for awhile in 1999 with Win 98 original ... before I
became interested in prevention, and started learning some things.
I never had a malware problem doing that either, but I don't recommend
it. And certainly you can't do that with the NT based OS. But to me,
that's beside the point.

Art

http://home.epix.net/~artnpeg
 

Gabriele Neukam

On that special day, Virus Guy, ([email protected]) said...

"services"? Does that mean, that a TCP/IP-based server must be
installed on the win98 machine, to see this effect happening?

There is this Internet Connection Service thingie for Win98 SE and ME,
but else I cannot think of any native Win9x application, that would be
subject to this attack.

And hardening the XP *without* a "Personal Firewall" (or rather a host
based packet filter) can be done by shutting services which aren't
needed, especially not needed to listen to everything coming in via the
net.

For this reason, Torsten Mann created the ntsvcfg script. Download and
usage are both on
http://www.ntsvcfg.de/ntsvcfg_eng.html

I think this script should be recommended for all newbies. It is setup
in a fashion that it can be used even by beginners, and their computers
will still run as intended (and even better:) For the faint of heart,
there is even an undo function.


Gabriele Neukam

 

Virus Guy

Gabriele said:
"services"? Does that mean, that a TCP/IP-based server must be
installed on the win98 machine, to see this effect happening?

There is this Internet Connection Service thingie for Win98 SE
and ME, but else I cannot think of any native Win9x application,
that would be subject to this attack.

I think that the "server service" is only applicable to NT. Having
file and print sharing turned on (and binding it to TCP/IP) is perhaps
the only way to activate port 139 on Win 98 (yes?) and maybe ME too.

Funny thing about this "vulnerability". It seems that Microsoft may
have never released a patch for 9x/Me, as this page indicates:

http://www.microsoft.com/technet/security/bulletin/MS00-091.mspx

"Why isn't there a patch for the Windows 95, 98, 98 Second Edition, or
Windows Me? Answer: The vulnerability only affects computers with
File and Printer sharing enabled. Microsoft recommends disabling the
use of File and Printer sharing services on any Windows 9x or Windows
Me machine directly connected to the Internet. Customers who need a
robust file server solution should use either Windows NT 4.0 or
Windows 2000."

The above document was generated Nov 30, 2000. I don't know if
Micro$loth caved in and ultimately released a fix for Win-9x.

Worst case is that it causes network functionality on the target
computer to freeze or become non-responsive while malformed packets
were being fired at it. No indication that the machine would become
compromised or that external code could be run on it during the
attack.
And hardening the XP *without* a "Personal Firewall" (or rather
a host based packet filter) can be done by shutting services
which aren't needed, especially not needed to listen to
everything coming in via the net.

Do you really trust Micro$haft's handling of TCP/IP packets, even if
you turn off as many ports as you can (and remember you can't turn off
the IPC stuff with 2K and XP).

A NAT router makes a pretty good firewall, and if you re-direct port
113 to a non-used local IP then you'll be able to achieve total
stealth.
Torsten Mann created the ntsvcfg script.
I think this script should be recommended for all newbies.

Was it asking too much of Micro$hit to configure XP-home according to
ntsvcfg?
 

David H. Lipman

From: "Virus Guy" <[email protected]>

| Gabriele Neukam wrote:
||
| I think that the "server service" is only applicable to NT. Having
| file and print sharing turned on (and binding it to TCP/IP) is perhaps
| the only way to activate port 139 on Win 98 (yes?) and maybe ME too.
|
| Funny thing about this "vulnerability". It seems that Microsoft may
| have never released a patch for 9x/Me, as this page indicates:
|
| http://www.microsoft.com/technet/security/bulletin/MS00-091.mspx
|
| "Why isn't there a patch for the Windows 95, 98, 98 Second Edition, or
| Windows Me? Answer: The vulnerability only affects computers with
| File and Printer sharing enabled. Microsoft recommends disabling the
| use of File and Printer sharing services on any Windows 9x or Windows
| Me machine directly connected to the Internet. Customers who need a
| robust file server solution should use either Windows NT 4.0 or
| Windows 2000."
|
| The above document was generated Nov 30, 2000. I don't know if
| Micro$loth caved in and ultimately released a fix for Win-9x.
|
| Worst case is that it causes network functionality on the target
| computer to freeze or become non-responsive while malformed packets
| were being fired at it. No indication that the machine would become
| compromised or that external code could be run on it during the
| attack.
||
| Do you really trust Micro$haft's handling of TCP/IP packets, even if
| you turn off as many ports as you can (and remember you can't turn off
| the IPC stuff with 2K and XP).
|
| A NAT router makes a pretty good firewall, and if you re-direct port
| 113 to a non-used local IP then you'll be able to achieve total
| stealth.
||
| Was it asking too much of Micro$hit to configure XP-home according to
| ntsvcfg?

No. TCP Port 139 is a NetBIOS Session. This just allows accessing shares. It doesn't mean
a NetBIOS share.
 

Larry Sabo

Gabriele Neukam said:
For this reason, Torsten Mann created the ntsvcfg script. Download and
usage are both on
http://www.ntsvcfg.de/ntsvcfg_eng.html


When I click the download button on that page, I always get...

"Internet Explorer cannot download svc2kxp.cmd from www.ntsvcfg.de.

Internet Explorer was not able to open this Internet site. The
requested site is either unavailable or cannot be found. Please try
again later."


I've tried several times throughout today, but I'll try again tomorrow.
Can't find it elsewhere.

Larry
 

Guest

Larry said:
Internet Explorer was not able to open this Internet site.

This one: http://www.ntsvcfg.de/svc2kxp.cmd ?

It's a text file (technically it's a .bat file).

When I click on it, it's displayed in a plain text window.

You're supposed to left-click on it, then select "save target as". If
you click the ZIP file icon right beside it, you should get a prompt
to save it somewhere.
 

Larry Sabo

Larry Sabo said:
Gabriele Neukam said:
For this reason, Torsten Mann created the ntsvcfg script. Download and
usage are both on
http://www.ntsvcfg.de/ntsvcfg_eng.html


When I click the download button on that page, I always get...

"Internet Explorer cannot download svc2kxp.cmd from www.ntsvcfg.de.
[snip]

I've tried several times throughout today, but I'll try again tomorrow.
Can't find it elsewhere.

Larry
===========

Just tried it this morning and it downloaded fine. Neat program!
Thanks for the tip.

Larry
 

Larry Sabo

Spam Guy said:
This one: http://www.ntsvcfg.de/svc2kxp.cmd ?

It's a text file (technically it's a .bat file).

When I click on it, it's displayed in a plain text window.

You're supposed to left-click on it, then select "save target as". If
you click the ZIP file icon right beside it, you should get a prompt
to save it somewhere.

Thanks for the suggestion. Site must have been down yesterday;
downloaded fine this morning.

Cheers,
Larry
 

Roger Wilco

Wouldn't it be nice to give grandma an OS that was safe
"out-of-the-box" ???

While on your soapbox you switch back and forth between Microsoft's
admittedly buggy software and their penchant for the non-minimalist
approach to the 'out of the box' experience. Hundreds of thousands of
"grandma's" calling them up to ask how to re-configure their machine to
offer services they now feel they need for some reason was to be avoided
by the non-minimalist approach. So, Microsoft has polluted the internet
with "grandma servers" in this respect just as they have done with other
forms of allowing clueless users to use computers. If you are advocating
only clueful users be enabled to use computers, then you will run into
opposition from many folks. Microsoft has done quite a lot to enable the
common man to use a computer, and you have to take the bad with the
good. All software can have bugs, and the more complex it is - the more
likely it is. A safe 'out of the box' OS would be a minimalist approach
because less of the bugs would be exposed to outside influences - and
less functionality would be offered the user without any re-configuring
done by said user. Many people on soapboxes would be complaining about
Microsoft not anticipating the needs and wants of the computing
community and making it so difficult for the grandma's to configure.
 

Art

And hardening the XP *without* a "Personal Firewall" (or rather a host
based packet filter) can be done by shutting services which aren't
needed, especially not needed to listen to everything coming in via the
net.

For this reason, Torsten Mann created the ntsvcfg script. Download and
usage are both on
http://www.ntsvcfg.de/ntsvcfg_eng.html

I think this script should be recommended for all newbies. It is setup
in a fashion that it can be used even by beginners, and their computers
will still run as intended (and even better:) For the faint of heart,
there is even an undo function.

My idea of such a utility is broader in scope. It would work on any
current Windows version. I thought of the humorous name GOST for
"Grandma's Own Safety Tool" :) Besides closing all internet ports, it
would look to see if alternate browser and email apps are installed,
and if not, insist on downloading them. It would check to see if all
critical security patches, sps and rollups are installed, and if not,
it would dump grandma at Windows Update and insist she download and
install them all. Finally, it would present a screen of a few simple
"safe hex" instructions.

GOST would, of course, have the capability of re-enabling services,
one by one. But grandma would see dire warnings on screen every step
of the way.

Art

http://home.epix.net/~artnpeg
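Gabriele's ntsvcfg suggestion and Art's GOST sketch above both come down to the same operation on a 2K/XP box: stop and disable the services that listen on the network, keep enough state to undo it, and check with netstat what is still reachable. The script below is an added example written for this page; it is not ntsvcfg, not GOST, and not code posted by anyone in the thread. It assumes Windows 2000/XP with sc.exe and reg.exe available (built into XP; on 2000 they come with the Support Tools/Resource Kit) and a reg.exe that supports export/import. The service list and the backup directory are choices made here for illustration, not taken from the thread. It deliberately leaves RpcSs (TCP 135) alone, because 2K/XP will not run usefully without it, which is the "you can't turn off the IPC stuff" point raised earlier.

```batch
@echo off
rem harden-svc.cmd -- added example for this page, not ntsvcfg and not from the thread.
rem Assumes Windows 2000/XP with sc.exe and reg.exe on the path and an
rem administrator account. Run from a cmd prompt:
rem   harden-svc.cmd         disable network-facing services, save undo data
rem   harden-svc.cmd undo    restore the saved service settings
rem   harden-svc.cmd check   list what is still listening
setlocal enableextensions
set BACKUP=%SystemDrive%\svc-backup

rem Service key names chosen for this example: things that listen on the net
rem or are reachable over RPC/SMB and that a browse-and-email machine does
rem not need. SSDPSRV/upnphost are the UPnP pieces, lanmanserver is the
rem Server service behind file/print sharing. RpcSs is intentionally absent.
set SERVICES=SSDPSRV upnphost Messenger RemoteRegistry Alerter lanmanserver Browser TlntSvr RemoteAccess

if /i "%1"=="undo"  goto undo
if /i "%1"=="check" goto check

:harden
if not exist "%BACKUP%" mkdir "%BACKUP%"
for %%S in (%SERVICES%) do (
    rem export the whole service key so undo restores the original Start value
    reg export "HKLM\SYSTEM\CurrentControlSet\Services\%%S" "%BACKUP%\%%S.reg" >nul 2>&1
    sc stop %%S >nul 2>&1
    sc config %%S start= disabled >nul 2>&1
    echo disabled %%S
)
rem Stop the default administrative shares C$ and ADMIN$ from being
rem recreated at boot if the Server service is ever re-enabled.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" "%BACKUP%\lanmanserver-parameters.reg" >nul 2>&1
reg add "HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks /t REG_DWORD /d 0 /f >nul
echo Undo data saved in %BACKUP%. Reboot, then run "%~nx0 check".
goto :eof

:undo
for %%S in (%SERVICES%) do (
    if exist "%BACKUP%\%%S.reg" reg import "%BACKUP%\%%S.reg" >nul 2>&1 && echo restored %%S
)
if exist "%BACKUP%\lanmanserver-parameters.reg" reg import "%BACKUP%\lanmanserver-parameters.reg" >nul 2>&1
echo Reboot to apply the restored settings.
goto :eof

:check
rem Every TCP socket in LISTENING state and every UDP socket bound to
rem 0.0.0.0 or the interface address is reachable from the network when no
rem firewall or NAT router sits in front of the machine.
netstat -an | findstr /r /c:"LISTENING" /c:"^ *UDP"
```

After the reboot, expect TCP 135 to still show as LISTENING (RpcSs is left running on purpose) and TCP 139 to remain until NetBIOS over TCP/IP is disabled on the adapter, which this script does not touch; 445 and the UPnP ports (TCP 5000, UDP 1900) should be gone. The undo path restores exactly what `reg export` saved, so a service that was already disabled before the run stays disabled after undo.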
 

Virus Guy

Roger said:
While on your soapbox you switch back and forth between
Microsoft's admittedly buggy software and their penchant
for the non-minimalist approach to the 'out of the box'
experience.

There's no switching involved. Those 3 items (buggy software,
non-minimalist software, and "out-of-box" configuration) exist
simultaneously with XP (and 2K).

MS's non-minimalist approach is driven by their internal need to put
out a new OS every 2 years. It requires them to come up with new
mechanisms, additional complexity to help ensure the obsolescence of
older OS's. Security was LOW on their list because their target,
their most prized and primary customer base (mid to large-size
corporations, institutions, gov'ts, etc) hid their computers behind
firewalls (assuming their networks even had gate-way access to the
internet).

The single largest difference between Win-98 and NT/2K was DESKTOP
LOGIN SECURITY and PERMISSION-BASED FILE/NETWORK ACCESS, neither of
which was needed for the single-user/home-user/soho situation.
Hundreds of thousands of "grandma's" calling them up to ask how
to re-configure their machine to offer services they now feel
they need for some reason was to be avoided by the non-minimalist
approach.

The home market was, and continues to be largely irrelevant to MS.
How much do you think MS is getting for XP-home on a Dell pc that is
selling for $399?

How many grandma's out there would ultimately need to activate desktop
sharing or remote administration, or netbios or default administrative
shares or network DDE or administrative alerts?
So, Microsoft has polluted the internet with "grandma servers"
in this respect just as they have done with other forms of
allowing clueless users to use computers.

Yes they have, and eventually more people will look above the trees
and see this forest for what it really is. In the mean time, most
everyone will be too focused on those "evil doers" who are exploiting
XP boxes and look upon MS with awe as they release patch after patch
and even subscription-based solutions to fix the situation that they
themselves created.
If you are advocating only clueful users be enabled to use
computers

I am advocating that people question the merits of XP over Win-98 for
home use and put some blame on MS for knowingly releasing what is
essentially a mega-trojan (Windows XP) when not administered by a
proper IT department.
Microsoft has done quite alot to enable the common man
to use a computer

Only because it suits them, and only in ways that strengthen their
monopoly position. They've also done a lot to intimidate and
strong-arm alternatives and competitors.

XP on home computers starting in early 2002 was a major setback to the
internet and people's use of it. The internet is the PRIMARY (and in
many cases the only) reason why so many homes have computers. It's
too bad Microsoft has made so many people's computing experience so
tortuous and complicated.
 

kurt wismer

Art wrote:
[snip]
My idea of such a utility is broader in scope. It would work on any
current Windows version. I thought of the humorous name GOST for
"Grandma's Own Safety Tool" :) Besides closing all internet ports, it
would look to see if alternate browser and email apps are installed,
and if not, insist on downloading them. It would check to see if all
critical security patches, sps and rollups are installed, and if not,
it would dump grandma at Windows Update and insist she download and
install them all. Finally, it would present a screen of a few simple
"safe hex" instructions.

all this talk of grandma and safe-hex is starting to get a little
disturbing...
 

Roger Wilco

Virus Guy said:
There's no switching involved. Those 3 items (buggy software,
non-minimalist software, and "out-of-box" configuration) exist
simultaneously with XP (and 2K).

Two things - the non-minimalist approach refers to the default
configuration. Win9x also suffers from buggy software and non-minimalist
default configuration. True there are less services causing
vulnerabilities to be accessible remotely in Win9x but the buggy
software and the non-minimal configuration is still there.
MS's non-minimalist approach is driven by their internal need to put
out a new OS every 2 years.

No, it is to cut down on incoming support calls from grandma when she
wants or needs to bind protocols.
It requires them to come up with new
mechanisms, additional complexity to help ensure the obsolescence of
older OS's.

Actually, their obsolescence was guaranteed at the time they were
conceived - no need for any additional 'planned obsolescence' mechanisms
when technology changes this fast.
 
