CERT® Incident Note IN-2000-02

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Exploitation of Unprotected Windows Networking Shares

Updated: Friday, April 7, 2000
Date: Friday, March 3, 2000

Overview

Intruders are actively exploiting Windows networking shares that are made available for remote connections across the Internet. This is not a new problem, but the potential impact on the overall security of the Internet is increasing.

Description

We have received reports indicating a rise in activity related to a malicious Visual Basic Script (VBScript) known as "network.vbs". The malicious script is similar to a harmless example script distributed with some versions of Windows 98, found as:
The malicious network.vbs script attempts to do the following things:
When configuring the C: drive of a Windows 9x machine to be shared, the default share name assigned is "C". If this default share name is used on a vulnerable computer, network.vbs performs its file copies on the C: drive of the remote system. If network.vbs is successfully copied into a Windows startup folder on a remote system, the remote system could execute network.vbs when the system reboots or a new user logs into the system. We have also seen variations of network.vbs that perform different actions, such as:
The network.vbs script demonstrates one pervasive method of propagation intruders can leverage to deploy tools on Windows-based computer systems connected to the Internet. We are aware of one infected computer that attempted to infect a range of at least 2,400,000 other IP addresses before being detected and stopped. There may also be denial of service issues due to packet traffic if network.vbs is able to infect and execute from a large number of machines in a concentrated area. Abe Singer from the San Diego Supercomputer Center has also published an analysis of network.vbs, available at:
Impact

Unprotected Windows networking shares can be exploited by intruders in an automated way to place tools on large numbers of Windows-based computers attached to the Internet. Because site security on the Internet is interdependent, a compromised system not only creates problems for the system's owner, but it is also a threat to other sites on the Internet. The greater immediate risk to the Internet community is the potentially large number of systems attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as those described in
There is great potential for the emergence of other instances of intruder tools that leverage unprotected Windows networking shares on a widespread basis.
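The two observable effects described above, a single infected host sweeping very large address ranges for open shares (Description) and Internet-reachable hosts accepting share connections (Impact), can both be spotted in ordinary connection logs. The following is an added example and is not part of this Incident Note or of any CERT tool. It assumes a constructed, simplified log format of "timestamp src_ip dst_ip dst_port action", that Windows file sharing is reached over NetBIOS session service TCP/139 (Windows 9x) or direct-hosted SMB TCP/445, and that the RFC 1918 ranges are the site's internal address space; the fan-out threshold of 50 distinct destinations is an arbitrary tuning value.

```python
"""Flag share-scanning hosts and Internet-exposed Windows shares in connection logs.

Added example (not from CERT IN-2000-02). Assumptions: a constructed log line
format "<timestamp> <src_ip> <dst_ip> <dst_port> <action>", share access over
TCP/139 or TCP/445, and RFC 1918 space as the site's internal networks.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SHARE_PORTS = {139, 445}          # NetBIOS session service / direct-hosted SMB
SCAN_THRESHOLD = 50               # distinct share-port destinations per source (tuning value)
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address lies in the assumed internal (RFC 1918) ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_line(line: str):
    """Parse one log line; return None for malformed lines so they are skipped."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "port": int(port), "action": action}
    except ValueError:
        return None


def find_scanners(records, threshold=SCAN_THRESHOLD):
    """Sources that contacted many distinct hosts on share ports (network.vbs-style sweep)."""
    fanout = defaultdict(set)
    for r in records:
        if r["port"] in SHARE_PORTS:
            fanout[r["src"]].add(r["dst"])
    return {src: len(dsts) for src, dsts in fanout.items() if len(dsts) >= threshold}


def find_exposed_shares(records):
    """Internal hosts that accepted share connections from non-internal sources."""
    exposed = defaultdict(set)
    for r in records:
        if (r["port"] in SHARE_PORTS and r["action"] == "ALLOW"
                and not is_internal(r["src"]) and is_internal(r["dst"])):
            exposed[r["dst"]].add(r["src"])
    return {dst: sorted(srcs) for dst, srcs in exposed.items()}


def analyze(lines):
    """Run both detections over raw log lines."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return {"scanners": find_scanners(records), "exposed": find_exposed_shares(records)}


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "10:00:01 192.168.1.5 192.168.1.9 139 ALLOW",      # benign internal file-server access
    "10:00:02 192.168.1.5 192.168.1.9 445 ALLOW",
    "10:00:03 198.51.100.7 192.168.1.5 139 ALLOW",     # Internet host reached an internal share
    "10:00:04 203.0.113.9 192.168.1.5 139 DENY",       # blocked at the perimeter: not exposed
    "10:00:05 192.168.1.20 192.0.2.1 80 ALLOW",        # unrelated traffic, ignored
    "this line is malformed",                          # skipped by the parser
]
# An infected internal host sweeping a /24 for open shares: 60 distinct destinations.
SAMPLE_LOG += [f"10:{1 + i // 60:02d}:{i % 60:02d} 192.168.1.20 192.0.2.{i} 139 ALLOW"
               for i in range(1, 61)]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, count in result["scanners"].items():
        print(f"possible share scanner: {src} contacted {count} hosts on share ports")
    for dst, srcs in result["exposed"].items():
        print(f"share reachable from the Internet: {dst} accepted {', '.join(srcs)}")
```

The two checks are deliberately independent: the fan-out test finds a machine that is already infected and propagating, while the exposure test finds the condition that makes infection possible in the first place, which is the one the Solutions section addresses.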
Solutions

Removing the network.vbs script from an infected computer involves removing the running image from memory and deleting the copies of network.vbs from the hard drive. Other tools installed using the same method of propagation may be more difficult to detect and remove. You may wish to ensure your anti-virus software is configured to test file names ending in .VBS to help detect virus outbreaks involving malicious VBScript code. Several steps can be taken to prevent exploitation of the larger problem of unprotected Windows networking shares:

Acknowledgments

We thank Abe Singer and the San Diego Supercomputer Center for contributions to this Incident Note.
Author: Kevin Houle

This document is available from: http://www.cert.org/incident_notes/IN-2000-02.html

CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site.

To subscribe to the CERT mailing list for advisories and bulletins, send email to [email protected]. Please include in the body of your message:

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. Conditions for use, disclaimers, and sponsorship information
Copyright 2000 Carnegie Mellon University.