
Self-propagating malicious code, Lioten.A, IraqiWorm, CIFS Worm

Attack ID: CPAI-2002-16
Publish Date:
Category: Self-propagating malicious code, CIFS Worm
Vulnerable Systems: Windows 2000/XP/.NET systems
Source:

Cert IN-2002-06
myNetWatchman Alert: IraqiWorm
Trend Micro

Description: This worm and its variants (Lioten.A, also known as W32.HLLW.Lioten, W32/Lioten.worm or IraqiWorm) use a null session connection to a Windows system's IPC$ share to enumerate user accounts, then exploit weak or null passwords on those accounts in order to propagate.
Severity:
  This specific worm carries no destructive payload. It can cause denial-of-service conditions in several cases, and an infected host can be used as a foothold from which to launch other attacks.

Security administrators should note that the source code is available, and this can be used by other worms for more destructive attacks.

Details:

This worm scans for 445/tcp (microsoft-ds). When it finds a potential victim listening on this port, it establishes a null session and retrieves the list of user accounts on the victim system. (The null session connection is made through the IPC$ share.) For each account it finds, it then tries a number of trivial passwords. On success, it copies itself to the victim system.

The CERT/CC received reports indicating that attackers are monitoring for systems infected with W32/Lioten and further exploiting them with other tools for use in distributed denial-of-service (DDoS) attacks. Systems infected by W32/Lioten scan for 445/tcp. By watching for this scanning activity, attackers can easily identify targets with weak passwords and subsequently compromise those systems for use in other attacks. Additionally, as with other self-propagating malicious code, W32/Lioten may cause denial-of-service conditions in networks where multiple systems are affected.

Attack Detection: Using SmartView Tracker, identify access to the IPC$ share through CIFS resources (logged as access violations when the resource below is in place), and look for sources connecting to many hosts on 445/tcp in a short time.
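The two detection signals described above (a single source sweeping 445/tcp across many hosts, and IPC$ share access over microsoft-ds) can be checked offline against exported connection logs. The following script is an added example and is not part of the original advisory nor Check Point's SmartView Tracker; its log format (time, source, destination, protocol, destination port, action, optional share name) is a simplified assumption, and the log lines are constructed for the example, so adapt the parser to the fields your firewall actually exports.

```python
import re
from collections import defaultdict

# Constructed sample log lines, modelled loosely on a firewall connection log.
# The field layout is an assumption for this example:
#   HH:MM:SS  src_ip  dst_ip  proto  dport  action  [share=NAME]
SAMPLE_LOG = """\
10:00:01 10.1.1.7 10.1.2.10 tcp 445 accept
10:00:01 10.1.1.7 10.1.2.11 tcp 445 drop
10:00:02 10.1.1.7 10.1.2.12 tcp 445 drop
10:00:02 10.1.1.7 10.1.2.13 tcp 445 drop
10:00:03 10.1.1.7 10.1.2.14 tcp 445 drop
10:00:03 10.1.1.7 10.1.2.15 tcp 445 accept
10:00:04 10.1.1.7 10.1.2.15 tcp 445 accept share=IPC$
10:00:05 10.1.1.7 10.1.2.15 tcp 445 accept share=C$
10:00:09 10.1.1.20 10.1.2.10 tcp 445 accept share=Public
10:00:12 10.1.1.20 10.1.2.10 tcp 80 accept
10:03:00 10.1.1.30 10.1.2.10 tcp 445 accept
10:08:00 10.1.1.30 10.1.2.11 tcp 445 accept
"""

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<dport>\d+)\s+(?P<action>\w+)(?:\s+share=(?P<share>\S+))?\s*$"
)


def parse_log(text):
    """Parse the assumed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        h, mi, s = (int(x) for x in rec["time"].split(":"))
        rec["ts"] = h * 3600 + mi * 60 + s   # seconds since midnight
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def find_scanners(records, threshold=5, window=60):
    """Sources that touch at least `threshold` distinct hosts on tcp/445
    within any `window`-second span. Dropped connections count too: a worm
    probing addresses that do not exist still shows up as a sweep."""
    per_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 445:
            per_src[r["src"]].append((r["ts"], r["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # slide the window start forward until it fits inside `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            scanners[src] = best
    return scanners


def find_ipc_access(records):
    """(src, dst) pairs where the IPC$ share was reached over microsoft-ds."""
    return sorted({(r["src"], r["dst"]) for r in records
                   if r["dport"] == 445 and r["action"] == "accept"
                   and r.get("share") == "IPC$"})


def worm_candidates(records):
    """Sources that both sweep tcp/445 and reach IPC$: the Lioten pattern."""
    scanners = find_scanners(records)
    ipc_sources = {src for src, _ in find_ipc_access(records)}
    return sorted(set(scanners) & ipc_sources)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tcp/445 sweepers:", find_scanners(recs))
    print("IPC$ access:", find_ipc_access(recs))
    print("worm candidates:", worm_candidates(recs))
```

On the constructed input, 10.1.1.7 hits six distinct hosts on 445/tcp within a few seconds and then opens IPC$ on one of them, so it is reported as a worm candidate; 10.1.1.30 touches only two hosts five minutes apart and 10.1.1.20 reaches a single host, so neither is flagged. The threshold and window are tuning knobs: legitimate management stations also open many SMB sessions, so treat a hit as a lead to confirm rather than a verdict.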
Solution: Until every Windows system has been hardened against this attack (strong passwords on all accounts, anonymous null sessions restricted), use a FireWall-1 CIFS resource to restrict access to Windows 2000/XP/.NET systems to authenticated users only. In this case, CIFS protection should be configured for the microsoft-ds service (port 445/TCP).

The following rule should be configured in order to ensure that disk shares (including IPC$) cannot be accessed by unauthenticated users:

  • Source: external networks
  • Destination: Windows 2000/XP/.NET systems
  • IF-VIA: Any
  • Service: Microsoft-ds with a resource
  • Action: Client Auth
    • Properties:
      • Source: intersect with user database
      • Apply Rule Only if Desktop Configuration Options are Verified: NOT checked
      • Require Sign On: Standard
      • Sign On Method: single Sign On
      • Successful Authentication Tracking: Log
    • Limits:
      • Authorization Timeout: Indefinite
      • Number of Sessions Allowed: Infinite
  • CIFS resource definition: Manage -> Resources -> New -> CIFS
  • Name: Auth_connections
  • Comment: Allow access to legitimate shares only
  • Color: User Defined
  • Allowed Disk\Print Shares -> Add:
    • Server Name: your Windows 2000/XP/.NET servers
    • Share Name: your legitimate (NOT IPC$) shares
  • Log Access violations: Checked

Remarks:

  1. It is highly recommended to add a similar resource and rule for nbsession (port 139/TCP), which is used by Windows 9x and NT systems and is still served by Windows 2000/XP for compatibility.
  2. Please refer to the User Authority guide for more information regarding User Authority Single Sign On configuration.
Industry Reference:
Additional Information: SANS Top 20: Anonymous Logon -- Null Sessions