Feeds

Iraqi Oil worm spreads over the Net

Weak passwords pave the way

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

A Windows network worm which spreads through shared folders is spreading across Internet this week.

Unusually, the Lioten (or Iraqi Oil) worm doesn't spread via email, according to an analysis of the worm by AV specialists F-Secure.

Instead, Lioten scans the Internet on port 445 for Windows 2000 machines which have shared folders and weak or null passwords. Once a suitable vulnerable machine is found, the worm retrieves a list of user accounts (something blocked by default on Win XP but not Win2K) and tries to guess passwords. If the worm successfully logs onto a machine, it will copy itself over as an EXE file (usually named iraq_oil.exe) and executes it.

Then the process begins all over again.

Security clearing house CERT reports indications that attackers are monitoring for systems infected with Lioten and further exploiting them via other tools for use in distributed denial-of-service (DDoS) attacks. Lioten's scanning activity also poses a problem through wasted bandwidth.

The spread of the worm can be blocked by using ingress and egress filtering blocking connections to and from port 445/tcp on company firewalls.

Also the spread of Lioten once again emphasises the need to use strong (not easily guessed) passwords. To give a flavour of the general risk from trivially guessed passwords its worth listing those Lioten attempts to use:

[NULL]
server
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
asdfgh
asdf
!@#$
654321
123456
1234
123
111
root
admin

If you are using any of these passwords (or any password which doesn't include a combination of letters and numbers) you're at risk - and not just from this Iraqi Oil worm. ®

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.