Description: IraqiWorm (aka Iraq_oil.exe )
Created: 2002-12-16
Modified: 2002-12-16
Collaborators:
Lawrence Baldwin,
- Philip Sloss,
Steve Friedl
On December 14, 2002 at 11:00 UTC the myNetWatchman system identified a worm-like surge in port scanning activity targeting TCP port 445. This port is associated with Microsoft's networking protocol (Server Message Block - SMB) when used with Windows 2000 and XP systems.
After analysis of several compromised hosts, we identified a new worm which sometimes uses the following file name:
Directory of C:\winnt\system32
12/13/2002 21:43 16,896 iraq_oil.exe
1 File(s) 16,896 bytes
In other cases the worm uses random filenames and infects directories other
than \winnt\system32. (e.g. lidf.exe, wiyvmu.exe, etc..)
Propagation:
The worm propagates by generating a psuedo-random IP address and exploiting hosts which have the following weak security configuration:
Windows 2000 and XP systems enable un-authenticated users to connect to a special system share known as IPC$, as follows:
C:/> net use //w.x.y.z/IPC$ "" /u:"" (where "w.x.y.z" is any IP address)
Note: Windows NT systems can be vulnerable to Null Session attack but are not susceptible to this worm as Windows NT Null Sessions can only be established using TCP port 139 which this worm isn't attempting.
By default, Null Sessions enable an unauthenticated user to get a list of valid user accounts AND the groups that those users belong to. Access to such information greatly simplifies a brute force password attack against those user accounts.
Using a tool called Enum, you can get an idea of what the IraqiWorm code is able to ascertain:
Enumerate User accounts:C:/> enum -U -d w.x.y.z server: w.x.y.z setting up session... success. getting user list (pass 1, index 0)... success, got 12. Administrator () attributes: cljbsy attributes: djaxotlr (yo~~) attributes: dopeboys attributes: easysun attributes: gateway4u attributes: Guest () attributes: disabled no_passwd IUSR_MUSICSERVER () attributes: no_passwd IWAM_MUSICSERVER () attributes: no_passwd kalia () attributes: NetShowServices (Windows Media ) attributes: TsInternetUser () attributes: no_passwd cleaning up... success.Enumerate Groups and Membership:C:/> enum -G -d w.x.y.z getting machine list (pass 1, index 0)... success, got 0. Group: Administrators MUSICSERVER\Administrator MUSICSERVER\easysun MUSICSERVER\cljbsy MUSICSERVER\kalia MUSICSERVER\dopeboys [snip]Once the worm has a list of valid user accounts, it attempts a very basic brute force password dictionary attack against all valid accounts, using the following passwords:
[null] server !@#$%^&* !@#$%^& !@#$%^ !@#$% asdfgh asdf !@#$ 654321 123456 1234 123 111 root adminIf the worm finds a valid user account/password combination, it then performs the following actions:
Prevention:
The best prevention against a Null Session attacks is to NOT expose Microsoft Networking services to the Internet at all by placing systems behind a properly configured firewall.
In lieu of a firewall, you can either disable Null Sessions or prevent enumeration of user accounts and/or groups as described here:
Disabling Null Sessions
The worms only objective (from what we can tell) is to propagate. We have not
been able to identify any DDoS or command/control capabilities through either
packet analysis of infected hosts or disassembly of binaries.
See: Infection Packet TraceAdvanced Analysis:
See: reverse engineered worm in C++
See: More details of Steve Friedl's analysis