As The Worm Turns

Yet another worm is wreaking havoc around the world. First indications are that the malware comes in and starts on machines running that other OS with

  • port 3389/tcp (RDP) open, and
  • really weak passwords for “Administrator”.

Of course, then all Hell breaks loose. The thing was new and not detected by any of the malware scanners but it literally tried to take over the world and plugs connections to the Internet with attempts to spread via RDP.

While this is a vulnerability globally, it appears that the system software is functioning as intended but the vulnerability relies on poor/no system administration. Someone had to pick really weak passwords and leave “Administrator” available. Of course, human stupidity is in great supply as is that other OS so the lights could dim around the world as this thing spreads. M$ has a fix but it may not be applied by the twits with the weak passwords…

see Worm spreading via RDP and M$ has been working on this for days

The mind boggles that people still depend on a monoculture of that other OS and it can all fall down so easily. If you want to leave 3389 open on your systems and not fall down, I suggest using GNU/Linux. It works and it would at least leave some of your system alive. Please use decent passwords.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology. Bookmark the permalink.

23 Responses to As The Worm Turns

  1. oiaohm says:

    Robert Pogson
    “They still need the correct username/password or username/key to gain access. SSH is layered. You can add layers, of course, but the default is usually good enough.”

    Problem here that is really not good enough. Human are down right poor at creating passwords. I wish I could say humans were good at creating passwords is just not the case. Also lot of cases usernames to systems can be go by emails used from system. Yes spam mailing lists are a gold mine to break a lot of systems since it gives you the usernames to try against them to look for weak passwords.

    Half of the username/passwords has to be presumed lost to attacker in a lot of cases. ie username as a known item. Password if weak has to be presumed to be a known item to attacker as well.

    ssh does support checking ip,client key against user. This is a setup issue. Client key checking removes username and password from being the only key.

    Specifying authorized keys for users is really a min requirement to bring ssh up to something an attacker is not likely to breach by brute force. Due to the average users poor password selection.

    But if you allow ssh server to go username and password less you are fully depending on the key pair to be generated correctly without flaw.

    When you can lock the incoming ip to users as well that Single Packet Authorization allows.

    A single layer is what you want to avoid at all costs. Username and password is only 1 layer alone.

    A encryption key is only 1 layer alone. Both required becomes 2 layers. 2 layers is many times harder to break than 1. Since attacker has to get lucky twice instead of just once.

    Good secuirty is accepting parts of the system maybe flawed. And having enough layers that if 1 layer is flawed attacker don’t win.

    When you get to 3 layers with Single Packet Authorization + ssh. Attack breaking something like that is going to be insane rate.

    There are also cases that the combination of ssh + key + one time password devices are used over wire. Again this gets to up to 2 layers.

    Even a single layer ssh using key authorization plus single packet authorization set IP source for user. Stopped the badly generated openssl keys from causing any issue to networks using it. Since most cases users were on there own IP’s with no attackers. So the fact the key was flawed and in theory attacker could have got in. There was zero success against the systems using both techs. Even when the single packet authorization and the ssh both contained flawed generated openssl keys.

    Reason the attackers did not find the single packet authorization because it gives away no evidence that its there unless you get the pass phrase encoded by key pair + date and time right.

    Yes the secuirty by obscurity has been real world proven to work. When the obscurity truly does work and the attacker does not know enough.

    A man in middle attack is technically able to breach a single packet authorization and ssh combination when the keys are flawed. Of course that requires the attack breaking the servers in the middle and monitoring undetected. This is not really that simple to do. Most attacks(over 99.99 percent) are not operating from machines in a location to do a man in middle attack. Also monitoring to do a man in middle attack normally does show up as a performance drop reason why it does not normally remain undetected.

    Systems without the single packet authorization some of them got breached.

    Already using single packet authorization in combination with ssh has proven it worth when things go wrong. Real world events prove you should not depend on 1 layer.

    Single packet authorization is a good thing if you are using key authentication with ssh and not sure that every pair is proper generated.

    Yes single packet authorization is using 1 pair. ssh is another pair. This means 2 pairs of keys has to be faulty for a breach to stand a chance as long as you are not sharing external ip with the attacker.

    One of the other more interesting layers is a geoip lock. Not as tight as Single packet authorization but it can massively reduce you attack rate.

    Again its a layer. Single layer is too weak. Double is the min you need. Triple is ideal. Quad you are normally in the class of paranoid. But some things that is a good thing.

  2. oiaohm says:

    “Old school port knocking that was secuirty theater because you had made an id on user knocking and it also suffered from replay.”

    Epp major typo on my part.

    Old School port knocking that was secuirty theater because you had not made an id of the user knocking and it also suffered from replay.

    Missing 1 word a not makes a major difference in meaning.

    I find windows servers major frustrating trying to proper secure them in a way attacker does not stand a chance. Simple things like Single Packet Authorization missing limit hands so much.

    Even with vpn you can hide those behind Single Packet Authorization as well.

    Yes increases secuirty also reduces point that someone with a valid key can attempt a DOS on.

    Reason unless you have been monitoring traffic to the server you don’t know what port the Single Packet Authorization is listening on. So you don’t know where you have to hit to cause cpu load and otherwise stress server.

    Yes there are reasons why some VPN services don’t show as a open port or otherwise respond until the client encryption information is validated. This is DOS prevention.

    Attacker does not have to get in to cause disruption.

    “I already have my 4096-bit RSA private key” The reason why this idea is flawed. Keeping services that don’t need to be exposed from being exposed reduces attackers options to break the system.

    Port knocking started in the unix world because this was worked out a long time ago that the number services + number of users they are exposed to directly relates to the compromise rate.

    The modern form Single Packet Authorization addresses all the design flaws of port knocking. Yet solves the same problem. Reduces number of services exposed and the number of users those services are exposed to. So reducing attack surface area. In some cases to a Zero number. Zero non approved users.

    Issue is there is one OS where you don’t have the option of Single Packet Authorization to protect the server.

  3. oiaohm wrote, “So anyone with a rdp or ssh client can connect.”

    They still need the correct username/password or username/key to gain access. SSH is layered. You can add layers, of course, but the default is usually good enough. One can specify known hosts and authorized keys. If the server has a known IP address, the handshaking checks for host keys. If a user knows the host key, authentication should be safe against man-in-the-middle, too.

  4. oiaohm says:

    Ssh and rdp are lacking by default settings something dynamic. Also default they don’t check the client key that the client key is on an approved list by default since they cannot know what IP a remote user will be coming from in advance. So anyone with a rdp or ssh client can connect. Hello problem. This problem is why they are a secuirty risk.

    There are 3 basic ways to be solid. Two are based around Single Packet Authorization. Third is based around vpn tech.

    “Single Packet Authorization” is not just obfuscated port. It is far more. Authorization is the key word here.

    “Single Packet Authorization” the good versions. The IP that you knock from is the only one opened up to access. Even better the knock packet also does ID user. So you go to log in only users than can login is the user that owns to that single packet authorization knock. This massively limits the surface area since now only 1 user is open to that IP not everyone than can access that service. Now attacker needs to know it all. username, password, User RSA key required for that user and knock. Get any wrong and you are returned to square 1. Since the knock has changed attacker is back to breaking knock to get another attempt.

    Option 1) Ssh + Single Packet Authorization set up at strict is an attackers worst nightmare. Not only has the Single Packet Authorization set the user that can from a particular IP. It also set the encrypted key that ssh will accept from that IP. So attacker odds even make it to username or password attempt location is low to impossible. So a poor password is almost a zero problem because attacker most likely will not make it that far before running into a wall and starting to trip secuirty.

    Option 2) https + Single Packet Authorization is basically the same thing I have done with SSH. Where the Single Packet Authorization has set the acceptable IP address of users the web interface will accept. This is weaker than my ssh setups yes because I don’t have matched client RSA keys. Again trying wrong users will see the Single Packet Authorization voided and access cut off. So with this I am reduced to 2 factor instead of 3. Reason for weaker here is in fact Windows Update and IE. Windows update has the bad habit of deleting client certificates. Client certificates can get me to a 3 factor with https + Single Packet Authorization same as ssh if IE stops losing client certificates due to Windows update deleting them. Basically for people using Firefox and Chrome I can do this solid and not be driven batty that the can not login because the OS update system is a moron.

    Option 3) RSA 4096 VPN with One Time Password/token, username and password is final option. Again this is 3 factor. Attacker has to break 2 static and 1 dynamic item. Again the RSA, One Time Password/Token and Username get to be compared. Failure to match failure to login.

    Old school port knocking that was secuirty theater because you had made an id on user knocking and it also suffered from replay.

    Really the Single Packet Authorization daemons are not complex. There is way less code in them to audit than RDP, http or ssh servers. So from a secuirty point of view they are better the first line exposed is simpler and easy-er to be sure its not flawed.

    More complex the program exposed the bigger the secuirty risk. At no point have I really increased “increasing the attack surface” more than I have reduced it on Linux and Unix systems.

    “It would be very inconvenient if servers offering remote access required you to run some silly port-knocking software just to get access.”
    Just like its very inconvenient to require keys to open a car door. Early cars there were no locks on the cars doors.

    Secuirty does cause some inconvenient issues. Just the way it is. Do you want secuirty or do you want break ins. Yes locks on car doors were called stupid at one point as well.

    Linux Apostate the secuirty incompetent say what you said. Attackers are not giving a chance.

    RDP is my weakest interface. Reason Single Packet Authorization cannot integrate with it. So I am partly depending on obscurity with it. I don’t have my 3 layers.

    Windows due to not having a good Single Packet Authorization system. I cannot reduce the surface anywhere near as much as I can on Linux, Unix and Mac systems. Windows due to having a bad update system also drives me nuts because it undermines the secuirty I can do.

  5. Linux Apostate says:

    If the SSH daemon (or indeed RDP) is not secure enough to run with an open port, then it’s also not secure enough to run with an obfuscated port either.

    It would be very inconvenient if servers offering remote access required you to run some silly port-knocking software just to get access. I already have my 4096-bit RSA private key – what more do you want? The substantial extra inconvenience is not justified by the negligible improvement in security.

    I call bullshit on the whole thing. Security by obscurity… no, worse, it’s security theatre. Running a completely superfluous and complex daemon for extra “security” and thus increasing the attack surface of your server? People who take “computer secuirty serous-ally” know to avoid that sort of thing.

  6. oiaohm says:

    Robert Pogson really why is RDP exposed in the first place.

    Even with SSH on Linux I have it hidden behind a single packet knock. http://cipherdyne.org/fwknop/

    This is something I have not got about windows unless the windows box is sitting behind a Linux box of some form.

    This really does stuff attackers. You need the knock you need the username and your need the password.

    Since the knock is an encrypted form of token than changes every time cannot be replayed. Odds of even my flawed windows boxes being infected by this kind of worm or flawed ssh installed boxes being hit is basically zero unless I happen to knock from an infected machine and it happens to go while the door is open. Still basically zero.

    JairJy the proper fix is add a knocking system. So RDP access ports and other ports that are only admin are not left open. I have also used knocking to protect a hidden http server with the administration interfaces for word-press and the like on. Yes have one http port number for general users and another port number has the administration stuff on it that you cannot see or interface with unless knocked in.

    I don’t believe in giving attackers a chance.

    Linux Apostate yes anyone running SSH exposed on a Unix with the broad range of single packet knocking systems that exist needs there ass kicked.

    It is also possible to run SSH with a token password system. Reason why I prefer single packet knocking is attacker does not know the service is even there unless then can find evidence of its existence.

    Please I don’t know of a Single Packet Authorization for windows at all that it can directly run.

    This is one area where windows is very very weak. There is a long history on Linux and Unix of designing systems to hide the existence of services.

    You cannot HIT what you cannot SEE.

    About time people take computer secuirty serous-ally. Lot of things are still like the old days when cars and houses could be left unlocked.

  7. twitter says:

    Yes, I think I understand that you are completely unreasonable.

  8. Contrarian says:

    “The only thing consistent in the position is that they just have to have Windows and nothing else will do.”

    You are finally getting a clue, #twitter! What sort of wonder will be next?

  9. twitter says:

    If this were a similar problem to ssh password guessing and the only problem Windows has, it would not be a big deal. The problem is that it isn’t and it’s not, so it is a big deal. The easy answer is to run all your Windows trash in a VM. Use VirtualBox if you insist on a GUI for everything.

    A funny thing here is that Windows boosters want to have things both ways when it comes to what they call “sheeple.” They claim these people are too stupid to learn thing like Android but then take offense when people call them out for lazy administration that forces Windows on people. The only thing consistent in the position is that they just have to have Windows and nothing else will do.

  10. Bad guys can still get by some other account and escalate.

  11. JairJy says:

    “It took days for M$ to come up with a fix.”

    There is’t a fix because is’t a bug. It’s a malware and to “fix it” Microsoft only need to add it to their malware database so their security software (like MSE, who it’s free) can detect it and delete it.

    So any user who uses Microsoft Security Essentials already has the updated database so this worm is useless by now.

    What “took days” was the malware report with complete analysis and information about this malware. Try to find a research like this on the FOSS world, like the last Apache vulnerability some days ago, who also “took days” for a patch. The report from Microsoft is more accurate, with more info about the malware, how it spreads and how prevent the spread.

  12. radu says:

    Oops, I forgot to correct the first paragraph:

    I keep saying it is an issue of taking responsibility of the operation of a device you own. I am rereading “Zen and the Art of Motorcycle Maintenance” and I am being reminded some people will only look at the exterior form of things, with no appreciation of their underlying structure and therefore simply refuse to maintain their gear, whether it is a motorcycle or a computer.

  13. radu says:

    I keep saying it is an issue of taking responsibility of the operation of a device you own. I am rereading “Zen and the Art of Motorcycle Maintenance” and I am being reminded some people will only look at the exterior form of their underlying structure things and therefore simply refuse to maintain their gear, whether it is a motorcycle or a computer.

    Microsoft, by trying to be everything for everybody with half-baked solutions, has created a Frankestein of an OS, haunted by past decisions made to achieve faster a monopoly status: the DLL hell of 3.x, bolting the browser to the OS in 95. Nevertheless the NT kernel is quite robust and secure. Yet quite often, the fault lies not in “the other OS” as such, but in the bad practices Microsoft has encouraged/catered for in users or vendors: e.g. the various applications of my commercial SDL Trados Suite 2009(!!) will still not interact properly (at least not out of the box) unless I ran them with administrator rights! Even worse, Microsoft cons its SOHO customers into believing no administration and maintenance are necessary with their OS.

    By contrast, Jobs’ Apple has managed to meet the needs of people who refuse technical knowledge by providing aesthetically appealing computers which are relatively safe out of the box thanks to Apple’s tight control over hardware, a decent foundation for their OS and their aggressively discarding of “legacy” functionalities. Yet, “even” OSX is not perfect and free of any vulnerability, as the the recent LDAP bug has shown once again.

    You and oldman can confirm that a computer with Linux or that other OS properly configured to enterprise standards by a specialist can be perfectly safe and functional in the hands of a non-technical user. Anyway, some administration/maintenance is always necessary and best practices must be complied with for any tool to be safe.

    Therefore, in my opinion the lesson to take home is that any PC owner should understand the basics of computer administration and/or resort to someone like you, Mr. Pogson, for administration and supervision.

  14. kolter.online says:

    defective by design

  15. Ray says:

    Best possible solution: disable the “Administrator” account.

  16. M$ knows what payloads are brought in and removes them. I doubt that is a “perfect” fix but it should be able to hold the fort while people fix their damned passwords.

  17. Linux Apostate says:

    How can it be fixed? It’s not a software vulnerability. If you log in to mrpogson.com and set the root password to “1234”, then you’re in exactly the same situation.

    In fact you may well have noticed attempts to connect to your server by SSH, involving very similar dictionary attacks. Turn up the log level on OpenSSH and watch them in /var/log – you’ll get a few every day. What’s going on here? The Linux equivalent of Morto – no threat unless you have a silly root password and password authentication is enabled.

    The threat of SSH worms was so serious at one point that the OpenSSH developers actually started encrypting known_hosts files to avoid providing worms with an easy target list.

  18. It took days for M$ to come up with a fix.

  19. Contrarian says:

    “This is a lame worm …”

    I use the RDP feature a lot. Remote Desktop allows me to connect my netbook or laptop to my home workstation when I am traveling or just using the portable device in another part of my home. I know a couple of things about RDT.

    First, it requires Windows Pro or Ultimate since it doesn’t come with Home versions. That eliminates the problem for 90% of the users, I would guess. Second, it does not come activated by default, you have to go through a process of selecting the feature and activating it on any specific machine. My feeling is that the clods of the world are not likely to just fall into a trap here, they have to exercise some rational thoughts and should have some understanding of what they are about, just as they might know the implications of SSH use.

    If they are concerned about their privacy and security, they will likely apply a password whose secrecy is commensurate with what they consider to be their exposure.

    The fuss raised by the anti-MS crowd is just another example of their silly puffery wherein they claim the edge in technical sophistication over the “masses”. “Windopes” and “sheeple” are their common vernacular for Windows customers as they shake their heads over why we continue to choose Windows and ignore their welcome advice.

  20. JairJy says:

    This is a lame worm with a lame dictionary attack than can be easily blocked with a free antivirus like Microsoft Security Essentials.

  21. I would rather say that M$ and Wintel exploit the ignorance of the masses. The masses are not stupid but given powerful hardware and something that purports to be an operating system ignorant people become stupidly dangerous, installing malware thoughtlessly etc. Power does corrupt even in IT. People should realize that weak passwords are trivial to break using powerful hardware. That they don’t is stupid. That surpasses ignorance because they know what they can do once the password is entered. The same people who wisely lock doors leave a networked OS open to the Internet.

  22. Will says:

    I know that test that correlated which browser was used with IQ was totally fake, but from my own experience, I’d have no trouble believing that that’s exactly how a real test would turn out.

  23. twitter says:

    “Of course, human stupidity is in great supply as is that other OS…”

    The two, in fact, are highly correlated.

Leave a Reply