Ronald F. Guilmette
2000-Sep-30 11:45 UTC
Need help - Trying to capture a possible windows/SMB worm
Andrew, I would like to request some assistance from you, for a worthwhile public-spirited project.

Recently, in my firewall logs for my FreeBSD system here, I have picked up what I believe to be unmistakable signs of some sort of Windows/SMB worm that has been trying to get into my (closed) port 139 from many different IP addresses within my same /16 IP address block. After doing a bit of web searching, I found out that I may not have been the first person to notice such a thing. Please take a look at:

http://www.egroups.com/message/cable/6708

This fellow also reported getting quite a few connection attempts to his port 139 from various IP addresses within the same /16 IP address block as his own IP address. (Note that I am on an entirely different network than he is, and yet I am seeing the same thing... lots of attempted port 139 connects from various addresses with the same /16 as where *my* machine lives.)

Anyway, there are other things that have convinced me that what that fellow and I are seeing is some sort of a Windows/SMB worm that infects systems and then goes poking around, sequentially, at other IP addresses within the same /16, looking for yet more machines that it can infect. I won't tell you what these other things are at the moment. I'll just tell you that I _do_ have some additional evidence that this is what is in fact happening, and that a LOT of different machines within my local /16 seem to be infected, and seem to be trying to infect my machine here. (They won't succeed, of course, because I have FreeBSD and I have the IP firewalling stuff configured, and I am heavily filtering all packets both in and out of here.)

Anyway, the bottom line is that I have been seeing a lot of port 139 connection attempts for many days in a row now, and what I would like to do now is attempt to see what those other hosts would actually try to do to a potentially vulnerable Windows machine if given half a chance. And if possible, I would like to actually _capture_ a copy of the worm that I now suspect is running rampant around the net.

This is where you come in. I have just downloaded and installed the Samba package for FreeBSD (4.1) and I'm ready to bring it up... with full logging of course... so that I can try to see _exactly_ what these other systems... which I believe are infected with some unknown agent... will try to do if I open up port 139 (and maybe 137 also).

Basically, I just want to know if you will help me to set up an smb.conf file that will insure that I can log all activities of these other systems (when they connect to my system) _and_ one that will not put at risk anything of value that is currently stored on my disk. I own this box, and I have root, so setting up new/fake accounts is no problem, if that will help any.

So what do you say? Will you help me in my efforts to try to trap and identify whatever this thing is that is infecting these other systems? If so, please give me all the guidance you can. I set up Samba only once in the past, and I think that that was 5 years ago or so. I don't remember any of it anymore, and anyway, it's probably all different now. But I'm a competent UNIX sysadmin, so you should be able to just give me some terse instructions and I should be able to follow them.

Thanks in advance, assuming that you are willing to help.

Ron Guilmette
Roseville, California

P.S. Ideally, I would like to get a log of _every_ command and every response that comes in or out of both smbd and nmbd. And of course, I'd like to make whatever is on the other end of the line believe that it is looking at a vulnerable Windows system. I suspect that this means that I'd like to make at least a few directories writable, in part in the hopes that this worm thing that I suspect exists will try to transfer a copy of itself onto my disk. If I could capture a copy of it, that would be great. Then I could alert all of the proper authorities and give out copies of the thing to all anti-virus writers.

P.P.S. I started regarding the current smb.conf man page already, and looking at the sample smb.conf file. God there are a lot of options!
Chris Watt
2000-Sep-30 15:39 UTC
Need help - Trying to capture a possible windows/SMB worm
At 04:45 AM 9/30/00 -0700, Ronald F. Guilmette wrote:

> I would like to request some assistance from you, for a worthwhile
> public-spirited project.

Count me in :)

> Recently, in my firewall logs for my FreeBSD system here, I have
> picked up what I believe to be unmistakable signs of some sort of
> Windows/SMB worm that has been trying to get into my (closed) port 139
> from many different IP addresses within my same /16 IP address block.

Check your conditions carefully. If these are nonexistent machines then it's certainly malicious (IP spoofing generally is) and could be a worm, or could be someone probing for Windows clients that have NetBIOS (as per default) enabled on the TCP/IP protocol instance they use to connect to the 'net. If, on the other hand, these machines actually exist then it is a great deal more likely that they're just insecure Windows clients which think that the whole Internet is their LAN and are making regular requests to see if your system would like to give them a NetBIOS name to show in their "network neighborhood".

A good heuristic for telling the difference is that in the former case (worm, cracker) you are only likely to see a single connect attempt from any given address, whereas with broken clients they will tend to keep sending packets around every few hours (i.e. you would have strings of connect attempts from any given address that last until the broken Windows box is turned off). If you have the latter then probably the best bet is to look up who owns those IPs and send them messages to the general effect of "you're stupid, your box is wide open, you're annoying my firewall, and your mother dresses you funny".

> This fellow also reported getting quite a few connection attempts to
> his port 139 from various IP addresses within the same /16 IP address
> block as his own IP address. (Note that I am on an entirely different
> network than he is, and yet I am seeing the same thing... lots of
> attempted port 139 connects from various addresses with the same /16
> as where *my* machine lives.)

Yes, I've seen a lot of that on my cable modem ever since my ISP decided to allow peer-to-peer communications (I had complained about that because I couldn't ICQ or DCC stuff to people on my subnet). In contrast, the firewall I built earlier this summer for an ISP with a dedicated T1 line and a class C subnet all to itself has (I just checked) received a total of 2 (count 'em, "two") NetBIOS connect attempts, both of them from a Windows laptop that someone brought along and plugged in to the intranet. This implies that these connection attempts are (as one would expect with broken Windows clients making broadcast requests) confined to the subnet on which the source box is operating. This is no way for a worm to spread.

> Anyway, there are other things that have convinced me that what that
> fellow and I are seeing is some sort of a Windows/SMB worm that infects
> systems and then goes poking around, sequentially, at other IP addresses
> within the same /16, looking for yet more machines that it can infect.

This is possible, but how does it travel from one subnet to another?

> I won't tell you what these other things are at the moment. I'll just
> tell you that I _do_ have some additional evidence that this is what is
> in fact happening, and that a LOT of different machines within my local
> /16 seem to be infected, and seem to be trying to infect my machine here.

It's possible, I suppose; nothing I've said rules out the possibility of a worm. What other evidence have you got?

> (They won't succeed, of course, because I have FreeBSD and I have the
> IP firewalling stuff configured, and I am heavily filtering all packets
> both in and out of here.)

Ah, an optimist :) Familiar with the story of the great Internet Worm in the 80's?

> what I would like
> to do now is attempt to see what those other hosts would actually try to
> do to a potentially vulnerable Windows machine if given half a chance.

It's worth a try.

> And if possible, I would like to actually _capture_ a copy of the worm
> that I now suspect is running rampant around the net.

Since such a worm would almost certainly have to be specific to problems in one particular Windows SMB/NetBIOS implementation (probably the one used by Win9x) it is really very unlikely that it could "infect" Samba or any other UNIX-based SMB implementation.

> I have just downloaded and installed the Samba package for FreeBSD (4.1)
> and I'm ready to bring it up... with full logging of course... so that I
> can try to see _exactly_ what these other systems... which I believe are
> infected with some unknown agent... will try to do if I open up port 139
> (and maybe 137 also).
>
> Basically, I just want to know if you will help me to set up an smb.conf
> file that will insure that I can log all activities of these other systems
> (when they connect to my system) _and_ one that will not put at risk
> anything of value that is currently stored on my disk.

Well, what I would do is run it in a dedicated & isolated virtual machine which is chroot'ed into a loopback-mounted filesystem and runs without root privileges, and have Samba compiled for full debugging output and configured for full logging. The only real hangup I can see you running into is whether FreeBSD will let a non-root user listen on ports below 1024.

Having said that, a well designed worm would probably connect, exchange NetBIOS naming info, notice that it didn't recognize the SMB implementation that it was talking to as a "vulnerable" one, and disconnect. On the other hand, there are a remarkable number of (IMHO) fairly badly written worms & viruses for Windows.

> so you should be able to just give me some
> terse instructions and I should be able to follow them.

See above :)

> Thanks in advance, assuming that you are willing to help.
>
> P.P.S. I started regarding the current smb.conf man page already, and
> looking at the sample smb.conf file. God there are a lot of options!

Yes, it's starting to suffer from a bit of feeping creaturism, isn't it. . . On the other hand I suspect that MOST of the options are used by at least somebody. You can safely ignore almost all of them; just make sure your Samba install is set up to work using broadcast name resolution and uses a realistic OS level and such. It would also be worth starting out by just running a few basic queries with smbclient to see what the machines are.

If you start Samba and zip-all happens you might also consider the following:

- Get an old IDE drive nobody needs and install Win98 on it, get it set up to use your 'net connection directly (not firewalled) but don't actually plug it in.
- Make an image/copy file of the partition you installed onto (Partition Magic or HDCOPY or various other programs will do this).
- Leave the system plugged into your 'net connection and turned on and with NetBIOS client and server bits turned on for a day or so.
- Take it offline, mount both the image file and the actual filesystem under FreeBSD (or Linux or whatever) and look for suspicious changes that were made on the in-service filesystem (especially look for binaries with different checksums).

--
cthread. cthread_fork(). Fork, thread, fork!
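The "single connect vs. strings of connects over hours" heuristic from the reply above, as an added example that is not part of the thread: a small sh/awk script that buckets port 139 attempts per source address. The log line layout is an assumption modelled on ipfw-style deny logging, and every sample line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): Chris Watt's heuristic applied to
# firewall log lines for port 139. One attempt per source looks like a
# scan/worm probe; repeated attempts from one source spread over hours look
# like a broken Windows client. The line layout is an assumption modelled on
# ipfw-style logging; every sample line below is constructed.
SAMPLE_LOG='Sep 30 01:12:44 fw /kernel: ipfw: 100 Deny TCP 10.7.3.14:1029 10.7.200.5:139 in via ed0
Sep 30 03:40:02 fw /kernel: ipfw: 100 Deny TCP 10.7.3.14:1031 10.7.200.5:139 in via ed0
Sep 30 06:15:31 fw /kernel: ipfw: 100 Deny TCP 10.7.3.14:1030 10.7.200.5:139 in via ed0
Sep 30 02:05:10 fw /kernel: ipfw: 100 Deny TCP 10.7.88.2:2611 10.7.200.5:139 in via ed0
Sep 30 05:00:00 fw /kernel: ipfw: 100 Deny TCP 10.7.50.1:1088 10.7.200.5:139 in via ed0
Sep 30 05:00:30 fw /kernel: ipfw: 100 Deny TCP 10.7.50.1:1089 10.7.200.5:139 in via ed0
Sep 30 04:20:00 fw /kernel: ipfw: 100 Deny TCP 10.7.9.9:3012 10.7.200.5:80 in via ed0'

# classify_139 <logfile>: one line per source, "<ip> <attempts> <span-secs> <verdict>"
classify_139() {
  awk '
    $8 == "Deny" && $9 == "TCP" {
      split($10, src, ":"); split($11, dst, ":")
      if (dst[2] != "139") next                  # only NetBIOS session attempts
      split($3, t, ":"); secs = t[1]*3600 + t[2]*60 + t[3]   # assumes one calendar day
      ip = src[1]; n[ip]++
      if (!(ip in first) || secs < first[ip]) first[ip] = secs
      if (!(ip in last)  || secs > last[ip])  last[ip]  = secs
    }
    END {
      for (ip in n) {
        span = last[ip] - first[ip]
        if (n[ip] == 1)        v = "single-probe"    # worm/cracker pattern
        else if (span >= 3600) v = "broken-client"   # keeps knocking for hours
        else                   v = "burst"           # repeats inside a short window
        printf "%s %d %d %s\n", ip, n[ip], span, v
      }
    }' "$1" | sort
}

# verdict_for <ip> <logfile>: just the verdict for one source (empty if never seen on 139)
verdict_for() {
  classify_139 "$2" | awk -v ip="$1" '$1 == ip { print $4 }'
}

LOG="${TMPDIR:-/tmp}/nbprobe.$$"
trap 'rm -f "$LOG"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
classify_139 "$LOG"
```

Point it at a real firewall log spanning several days only after extending the timestamp parsing, since the same-day shortcut would fold a multi-day client into one span.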
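The last step of the bait-box procedure above (compare the pre-exposure image with the in-service filesystem and look for binaries whose checksums differ), as an added example that is not part of the thread: a sh/awk comparison of two mounted trees. Both trees are constructed in a scratch directory here; the file names are invented stand-ins.

```shell
#!/bin/sh
# Added example (not from the thread): the last step of the bait-box procedure,
# comparing a pre-exposure image of a filesystem with the in-service copy and
# reporting files whose checksum changed, appeared or vanished. Both trees are
# constructed here under a scratch directory; in practice they would be the
# mounted image file and the mounted live partition.
WORK="${TMPDIR:-/tmp}/baitcmp.$$"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/image/windows/system" "$WORK/live/windows/system"
printf 'MZ-original\n' > "$WORK/image/windows/system/kernel32.dll"
printf 'MZ-original\n' > "$WORK/live/windows/system/kernel32.dll"   # constructed: untouched
printf 'MZ-original\n' > "$WORK/image/windows/explorer.exe"
printf 'MZ-patched\n'  > "$WORK/live/windows/explorer.exe"          # constructed: modified binary
printf 'run=foo\n'     > "$WORK/live/windows/win.ini"               # constructed: new file
printf 'junk\n'        > "$WORK/image/windows/readme.txt"           # constructed: gone from live

# tree_sums <dir>: "crc size ./relative/path" for every regular file, sorted by path
tree_sums() { ( cd "$1" && find . -type f -exec cksum {} + ) | sort -k3; }

# compare_trees <baseline> <live>: prints "CHANGED|NEW|REMOVED <path>", one per line, sorted
compare_trees() {
  tree_sums "$1" > "$WORK/base.sum"
  tree_sums "$2" > "$WORK/live.sum"
  awk '
    NR == FNR { base[$3] = $1 " " $2; next }        # first file: the baseline image
    {
      if (!($3 in base))              print "NEW", $3
      else if (base[$3] != $1 " " $2) print "CHANGED", $3
      seen[$3] = 1
    }
    END { for (f in base) if (!(f in seen)) print "REMOVED", f }
  ' "$WORK/base.sum" "$WORK/live.sum" | sort
}

compare_trees "$WORK/image" "$WORK/live"
```

cksum is a CRC, fine for spotting what a bait box changed but not a substitute for a cryptographic hash when the list itself has to be trusted later.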
Dave Kempe
2000-Sep-30 22:39 UTC
Need help - Trying to capture a possible windows/SMB worm
> Recently, in my firewall logs for my FreeBSD system here, I have
> picked up what I believe to be unmistakable signs of some sort of
> Windows/SMB worm that has been trying to get into my (closed) port 139
> from many different IP addresses within my same /16 IP address block.

Such worms exist. This is an example of one of them:

http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html

and worm explore.zip does the same thing:

http://www.symantec.com/ns-search/sarc/avcenter/graphics/worm.explore.zip.html?NS-search-set=/39d65/aaa04uJ5xd65b81&NS-doc-offset=7&

Are you trying to discover this worm? Or curious to see what it's doing? The w32.hllw worm also probes port 7597, so maybe you could look for that as well and then you would know what worm you have. I'm also sure that if you search for other network share based worms then you will find them; I can think of another few at least. Loveletter searched across the network for shares named 'c', I think. No, maybe that was something else, but still they exist.

Most likely, however, they are Windows machines broadcasting to find the browse list. On old Win95 machines, as soon as you click "Entire Network" it would chuck broadcasts out every interface :( I'm sure other machines would do it, especially if the Internet interface was their only interface.

Hope that helps,
Dave