Need help - Trying to capture a possible windows/SMB worm

[Chris Watt]

At 04:45 AM 9/30/00 -0700, Ronald F. Guilmette wrote:

>I would like to request soem assistance from you, for a worthwhile
>public-spirited project.

Count me in :)

>Recently, in my firewall logs for my FreeBSd system here, I have
>picked up what I believe to be unmistakable signs of some sort of
>Windows/SMB worm that has been trying to get into my (close) port 139
>from many different IP addresses within my same /16 IP address block.

Check your conditions carefully, if these are nonexistent machines then
it's certainly malicious (ip-spoofing generally is) and could be a worm, or
could be someone probing for Windows clients that have NetBIOS (as per
default) enabled on the TCP/IP protocol instance they use to connect to the
'net. If, on the other hand, these machines actually exist then it is a
great deal more likely that they're just insecure Windows clients which
think that the whole Internet is their LAN and are making regular requests
to see if your system would like to give them a NetBIOS name to show in
their "network neighborhood". A good heuristic for telling the difference
is that in the former case (worm, cracker) you are only likely to see a
single connect attempt from any given address, whereas with broken clients
they will tend to keep sending packets around every few hours (i.e. you
would have strings of connect attempts from any given address that last
until the broken Windows box is turned off). If you have the latter then
probably the best bet is to lookup who owns those IPs and send them
messages to the general effect of "you're stupid, your box is wide open,
you're annoying my firewall, and your mother dresses you funny".

>This fellow also reported getting quite a few connection attempts to
>his port 139 from various IP addresses within the same /16 IP address
>block as his own IP address.  (Note that I am on an entirely different
>network than he is, and yet I am seeing the same thing... lots of
>attempted port 139 connects from various addresses with the same /16
>as where *my* machine lives.)

Yes, I've seen a lot of that on my cable modem ever since my ISP decided to
allow peer-to-peer communications (I had complained about that because I
couldn't ICQ or DCC stuff to people on my subnet). In contrast the firewall
I built earlier this summer for an ISP with a dedicated t1 line, and a
class c subnet all to itself has (I just checked) received a total of 2
(count 'em, "two") NetBIOS connect attempts, both of them from a Windows
laptop that someone brought along and plugged in to the intranet. This
implies that these connection attempts are (as one would expect with broken
Windows clients making broadcast requests) confined to the subnet on which
the source box is operating. This is no way for a worm to spread.

>Anyway, there are other things that have convinced me that what that
>fellow and I are seeing is some sort of a Windows/SMB worm that infects
>systems and then goes poking around, sequentially, at other IP addresses
>within the same /16, looking for yet more machines that it can infect.

This is possible, but how does it travel from one subnet to another?

>I won't tell you what these other things are at the moment.  I'll just
>tell you that I _do_ have some additional evidence that this is what is
>in fact happening, and that a LOT of different machines within my local
>/16 seem to be infected, and seem to be trying to infect my machine here.

It's possible, I suppose, nothing I've said rules out the possibility of a
worm. What other evidence have you got?

>(They won't succeed, of course, because I have FreeBSD and I have the
>IP firewalling stuff configured, and I am heavily filtering all packets
>both in and out of here.)

Ah, an optimist :) Familiar with the story of the great Internet Worm in
the 80's?

> what I would like
>to do now is attempt to see what those other hosts would actually try to
>do to a potentially vulnerable Windows machine if given half a chance.

It's worth a try.

>And if possible, I would like to actually _capture_ a copy of the worm
>that I now suspect is running rampant around the net.

Since such a worm would almost certainly have to be specific to problems in
one particular Windows SMB/NetBIOS implementation (probably the one used by
Win9x) it is really very unlikely that it could "infect" Samba or any other
UNIX-based SMB implementation. 

>I have just downloaded and installed the Samba package for FreeBSD (4.1)
>and I'm ready to bring it up... with full logging of course... so that I
>can try to see _exactly_ what these other systems... which I believed are
>infected with some unknown agent... will try to do if I open up port 139
>(and maybe 137 also).
>
>Basically, I just want to know if you will help me to setup an smb.conf
>file that will insure that I can log all activities of these other systems
>(when they connect to my system) _and_ one that will not put at risk
>anything of value that is currently stored on my disk.

Well, what I would do is run it in a dedicated & isolated virtual machine
which is chroot'ed into a loopback-mounted filesystem and runs without root
privileges, and have Samba compiled for full debugging output and
configured for full logging. The only real hangup I can see you running
into is whether FreeBSD will let a non-root user listen on ports below 1024.
Having said that, a well designed worm would probably connect, exchange
NetBIOS naming info, notice that it didn't recognize the SMB implementation
that it was talking to as a "vulnerable" one, and disconnect. On the other
hand, there are a remarkable number of (IMHO) fairly badly written worms &
viruses for Windows.

> so you should be able to just give me some
>terse instructions and I should be able to follow them.

See above :)

>Thanks in advance, assuming that you are willing to help.
>
>P.P.S.  I started reagrding the current smb.conf man page already, and
>looking at the sample smb.conf file.  God there are a lot of options!

Yes, it's starting to suffer from a bit of feeping creaturism isn't it. . .
On the other hand I suspect that MOST of the options are used by at least
somebody. You can safely ignore almost all of them, just make sure your
Samba install is setup to work using broadcast name resolution and uses a
realistic OS level and such. It would also be worth starting out by just
running a few basic queries with smbclient to see what the machines are.
If you start Samba and zip-all happens you might also consider the following:
- Get an old IDE drive nobody needs and install Win98 on it, get it setup
to use your 'net connection directly (not firewalled) but don't actually
plug it in.
- Make an image/copy file of the partition you installed onto (Partition
Magic or HDCOPY or various other programs will do this).
- Leave the system plugged into your 'net connection and turned on and with
NetBIOS client and server bits turned on for a day or so.
- Take it offline, mount both the image file and the actual filesystem
under FreeBSD (or Linux or whatever) and look for suspicious changes that
were made on the in-service filesystem (especially look for binaries with
different checksums).
--

cthread.  cthread_fork().  Fork, thread, fork!