What a Can of Worms…
Many people [except us anoraks] believe that most malware spreads only via e-mail, as attachments or as scripts embedded in HTML-based e-mail. However, this has not been a true reflection of the malware problem for some time now.
Yes, e-mail is one of the primary infection vectors. However, over the last two years network shares (Windows shares) and peer-to-peer file sharing (via programs such as KaZaA, WinMX, Gnucleus, eDonkey and the many other file-sharing programs) have also become a common route for malware to spread and infect new systems.
Share Me!
A network share simply refers to a folder (directory) on a hard drive that is shared in such a way that the files within it can be accessed by other computers [and users] on the network. Some network shares are created by users in order to share files on their computers with friends or colleagues. Other shares may be created by the operating system itself (such as C$, Admin$ or IPC$), and may even be hidden (as indicated by a $ suffix in the share name [as used by Windows]).
Many malware authors see Windows shares as the easiest and most stealthy way to infect new systems: installation doesn’t usually depend on the user running any code, because the malware does it all itself, covertly, through system and network calls.
Remote installation by such network-crawling worms, which use Windows shares to gain access to a new system, is made far easier by open shares (a Windows share without a password), by default administrative and other password-protected shares that use weak or easily guessed passwords, or, even worse, by shares that use the user id as the password, e.g. User id: DB2ADMIN, Password: DB2ADMIN.
Shares are used not only to compromise systems but also to offer infected files to network and P2P users; these are usually named as cracks, full applications, screen savers or porn files so as to attract as wide an audience of victims as possible.
Once installed, these share-crawling worms may also load themselves, create registry keys to ensure that they are started automatically when Windows runs, and then start to scan the network looking for more unsecured [or weakly secured] hosts to turn into new typhoid Marys.
Building in Poor Security
The problem is exacerbated by the fact that many default installations of Windows 2000 and XP don’t allow you to set/reset the administrator password until after the operating system has been installed.
Many companies use static build snapshots; if you are using this method you may be facing a different problem.
Why? Well, unless you set a ’strong’ password on the original system you imaged, you may well have given away the keys to your kingdom!
Furthermore, if you have the same default administrator password on all systems, then you have a major problem: when a brute-force attack succeeds against just one of your systems, the others are effectively also ‘owned’ by the malware. Game, set and match to the malware author.
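The brute-force-then-success pattern described above is visible on the target host itself: a burst of failed network logons from one source, followed by a successful one. As an added example (not from the original post), a small detector run over constructed, simplified Windows Security-log records; event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 3 (network logon, which is what a connection to a share produces) are real Windows meanings, while the sample records and function name are constructed for illustration.

```python
"""Flag share brute-forcing in constructed Windows logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip).
# 192.0.2.10 hammers the admin account and then gets in; 192.0.2.55 is one typo.
SAMPLE_EVENTS = [
    ("2006-12-01 10:00:01", 4625, 3, "Administrator", "192.0.2.10"),
    ("2006-12-01 10:00:02", 4625, 3, "Administrator", "192.0.2.10"),
    ("2006-12-01 10:00:02", 4625, 3, "DB2ADMIN", "192.0.2.10"),
    ("2006-12-01 10:00:03", 4625, 3, "Administrator", "192.0.2.10"),
    ("2006-12-01 10:00:03", 4625, 3, "Administrator", "192.0.2.10"),
    ("2006-12-01 10:00:04", 4624, 3, "Administrator", "192.0.2.10"),
    ("2006-12-01 10:05:00", 4625, 3, "jsmith", "192.0.2.55"),
    ("2006-12-01 10:06:00", 4624, 3, "jsmith", "192.0.2.55"),
]


def detect_share_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """One alert per source IP with >= threshold failed network logons
    (4625, type 3) inside `window`. If that source later logs on
    successfully (4624, type 3) the alert is marked 'success', which is
    the one-host-guessed case the post warns about."""
    failures = defaultdict(list)   # source_ip -> [failure times]
    successes = defaultdict(list)  # source_ip -> [(time, account)]
    for ts, event_id, logon_type, account, src in events:
        if logon_type != 3:        # only network logons matter for shares
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            failures[src].append(when)
        elif event_id == 4624:
            successes[src].append((when, account))
    alerts = []
    for src, times in failures.items():
        times.sort()
        burst_end = None           # end of the first window holding a burst
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                break
        if burst_end is None:
            continue
        later = [acct for when, acct in successes[src] if when >= burst_end]
        alerts.append({"source": src, "failures": len(times),
                       "outcome": "success" if later else "failures_only",
                       "accounts": sorted(set(later))})
    return sorted(alerts, key=lambda a: a["source"])
```

On a fleet built from one image, an alert with outcome 'success' on any host is the signal to rotate the shared administrator password everywhere, not just on the host that raised it.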
IM Out to Get You!
Over the last few years IM (Instant Messaging) worms have appeared; we now have over 1600 of them. Many are targeted at MSN Messenger; others use ICQ, AOL or Yahoo instead. However, to date all of these IM worms rely on user action to spread [such as clicking on a link]. Once a new IM worm is created that is automatic [requires no human interaction, other than being signed in to the affected IM] then we could see millions of users infected in less than a minute... sobering thought, huh?
It makes the spread of Slammer, which infected 90 percent of all active infectable hosts on the internet in under 15 minutes, seem positively snail-like!
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.

