Exploits Team Pages

The Win NT/2000 Open Shares Problem - Information for ISPs & Service Providers.

This information is intended for system administrators, ISPs and other Internet services, to help them understand what they can do to combat a serious and growing problem for all users of the Internet today. Please use it to secure your own networks, and encourage your friends and colleagues to secure the netspace they are responsible for as well.

What is the problem and who does it affect?

Windows NT, 2000 and XP create hidden administrative shares (ADMIN$, IPC$ and one share per drive letter, such as C$) by default. If these are reachable from the Internet they are prime targets for attack, especially as most users leave the built-in 'Administrator' account active and many give it no password at all, let alone a strong one. Because these shares do not appear in the ordinary share list, many users believe they have no shares active and gain a false sense of security. Further, the built-in Administrator account is exempt from the normal Win2k and XP account lockout policy, so guessing its password over these shares by brute force is trivially simple. The Server service recreates the shares at every boot, so deleting one with 'net share C$ /delete' only lasts until the next restart; keeping them off permanently requires a registry change (setting the AutoShareWks or AutoShareServer value under LanmanServer\Parameters to 0) or disabling the Server service altogether, and even then IPC$ remains, so the Administrator password still matters. Worst affected are cable modem and DSL providers, who have large numbers of users on high-speed, always-on connections. Those offering unlimited-duration dial-up are also at risk, to a lesser extent.

Is this being actively exploited and to what extent?

Yes, these insecure shares are being actively exploited. Estimates of the extent vary, but it is realistic to say that entire class A (/8) netblocks are routinely scanned for vulnerable machines by self-replicating, automated tools. The last estimate to reach us was over 100,000 unique hosts compromised, and that number grows daily. The tools are continually developed, with peer-to-peer control and spoofed-source packets rumoured for the next version.

What is the likely result of these exploits?

Most of the payloads seen to date are 'zombie bots' used in Denial of Service attacks. Recently a combined threat has appeared which boasts DoS capabilities (ICMP and UDP floods), an ftp server, a web server, a port redirector (IRC bouncer), full remote update capability, password protection of the bot itself, and automated scanning for new hosts to compromise. Once a vulnerable host is found it is compromised automatically and begins scanning for further hosts to infect. DDoS attacks aggregating to over 60 Gbit/sec have been observed from groups of such bots in the recent past, with correspondingly detrimental effects on both the source providers and the targets of the attacks.

What action can we as service providers take to combat this issue?

Many providers already filter the traditional NetBIOS ports (TCP and UDP 137-139) for security reasons. We strongly advise adding TCP port 445 (SMB over TCP, which Windows 2000 and XP use in preference to NetBIOS) to the filtered list as soon as possible. This prevents further exploitation of insecure shares but does nothing for the large number of hosts already compromised. For those, we suggest monitoring outbound traffic flows for unusual ICMP or UDP patterns: when these bots are actively attacking, traffic on one or both of these protocols spikes well above the host's normal level. Offending IP addresses can then be traced and isolated until their owners have resolved the problem. Present versions of these bots also connect outbound to a control server on TCP port 6667, often on a small IRC network or even a stand-alone server reached via a dynamic DNS name, so a subscriber host opening connections to port 6667 on an unfamiliar server is another lead worth following (but not by itself grounds for filtering, as the same port carries legitimate IRC traffic).
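The monitoring step above, worked through as an added example in Python (this is not DALnet's own tooling or anything the page supplies). It reads flow records in an assumed one-line-per-flow text format ("timestamp src dst proto dport bytes", roughly a NetFlow export reduced to text), flags any subscriber whose ICMP/UDP flow count in a one-minute window jumps far above that subscriber's own baseline, and separately lists subscribers with a TCP connection to port 6667. All addresses, thresholds and flow records are constructed for the example.

```python
"""Flag subscriber hosts that look like the DoS bots described above.

Added example for this page, not DALnet's own tooling. Two signals:
  1. a spike in outbound ICMP/UDP flows against the host's own baseline,
  2. any outbound TCP connection to port 6667 (the bots' IRC control port).

Assumed input format (one flow per line, roughly a NetFlow export
reduced to text): "timestamp src dst proto dport bytes".
"""
import statistics
from collections import defaultdict

C2_PORT = 6667        # IRC control channel named on the page
WINDOW = 60           # seconds per bucket
SPIKE_RATIO = 10      # a bucket must exceed 10x the host's median bucket...
MIN_FLOWS = 50        # ...and hold at least this many ICMP/UDP flows, so a
                      # quiet host going from 1 flow to 11 is not flagged
BASE = 1_051_000_200  # constructed start time; a multiple of 60 so buckets
                      # line up with whole minutes


def build_sample():
    """Constructed flow records (not real ISP data) for three subscribers."""
    lines = []
    # 10.1.2.3: three quiet minutes (one web fetch + one DNS query each),
    # then 200 UDP flows to a single target inside one minute: a UDP flood.
    for minute in range(3):
        ts = BASE + minute * WINDOW
        lines.append(f"{ts} 10.1.2.3 192.0.2.10 TCP 80 1500")
        lines.append(f"{ts} 10.1.2.3 192.0.2.11 UDP 53 120")
    flood_start = BASE + 3 * WINDOW
    for i in range(200):
        lines.append(f"{flood_start + i % WINDOW} 10.1.2.3 203.0.113.5 UDP {1024 + i} 1400")
    # 10.1.2.4: ordinary browsing plus one connection to an IRC server.
    lines.append(f"{BASE} 10.1.2.4 192.0.2.10 TCP 80 900")
    lines.append(f"{BASE + 30} 10.1.2.4 198.51.100.7 TCP 6667 800")
    # 10.1.2.5: one DNS query a minute, nothing else.
    for minute in range(4):
        lines.append(f"{BASE + minute * WINDOW} 10.1.2.5 192.0.2.11 UDP 53 100")
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = build_sample()


def parse_flows(text):
    """Parse the assumed text format into (ts, src, dst, proto, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append((int(ts), src, dst, proto.upper(), int(dport), int(nbytes)))
    return flows


def c2_suspects(flows, port=C2_PORT):
    """Sources with any TCP flow to the control port (a lead, not proof)."""
    return sorted({src for _, src, _, proto, dport, _ in flows
                   if proto == "TCP" and dport == port})


def flood_suspects(flows, window=WINDOW, ratio=SPIKE_RATIO, min_flows=MIN_FLOWS):
    """Return (src, bucket_start, flows_in_bucket, baseline) for every bucket
    in which a host's ICMP+UDP flow count jumps far above its own median."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, _, proto, _, _ in flows:
        bucket = ts // window * window
        # Touch the bucket for every flow so quiet minutes count as baseline.
        counts[src][bucket] += 1 if proto in ("ICMP", "UDP") else 0
    findings = []
    for src, buckets in counts.items():
        for bucket, n in sorted(buckets.items()):
            others = [v for b, v in buckets.items() if b != bucket]
            baseline = statistics.median(others) if others else 0
            if n >= min_flows and n > ratio * max(baseline, 1):
                findings.append((src, bucket, n, baseline))
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, bucket, n, baseline in flood_suspects(flows):
        print(f"flood? {src}: {n} ICMP/UDP flows in the minute starting {bucket} (baseline {baseline})")
    for src in c2_suspects(flows):
        print(f"c2?    {src}: TCP connection to port {C2_PORT}")
```

On the constructed data this reports 10.1.2.3 for the UDP flood and 10.1.2.4 for the port 6667 connection. Against a real collector the same two functions would run over an exported flow file; SPIKE_RATIO and MIN_FLOWS are starting points to be tuned per access network, and the per-host baseline is what keeps a busy gaming or streaming subscriber from being mistaken for a bot.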


© DALnet IRC Network 2003.