"Password Management" Attacks Affect Multiple Windows OSes
SECURITY WIRE DIGEST, VOL. 4, NO. 68
September 12, 2002
By Shawna McAlearney
Citing the failure of users to apply
recommended security measures, Microsoft is
blaming a sudden surge in attacks on the use of
blank administrator passwords. Though this
problem has been widely reported to affect
Windows 2000 systems, experts say that the
problem is far more prevalent.
"All Microsoft OSes are susceptible to having
shares with no passwords, thereby allowing
someone to place code on those machines," says
Russ Cooper, editor of NTBugtraq and surgeon
general of TruSecure. (TruSecure publishes
Security Wire Digest.)
Microsoft's Knowledge Base article attributes
the attacks to poor password management.
"Analysis to date indicates that the attackers
appear to have gained entry to the systems by
using weak or blank administrator passwords,"
Microsoft says. Files left in the wake of
successful attacks include Backdoor.IRC.Flood,
which installs a remote use IRC client; Gg.bat,
which attempts to connect to other servers as an
administrator; and Seced.bat, which modifies the
security policy.
Security experts recommend setting router ACL/FW
rules to allow only specific ports, rather
than blocking them. If configured to block, port
445/TCP should be added to the list. Microsoft
recommends eliminating weak or blank passwords
and disabling guest accounts, as well as keeping
current with all security patches.
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
http://www.microsoft.com/technet/security/prodtech/windows/windows2000/staysecure/default.asp