Recent worms punish bad passwords

Easily guessable passwords are contributing to the spread of worms and viruses, which use a limited lexicon to exploit bad passwords.

Robert Lemos Staff Writer, CNET News.com

A spike in Internet traffic caused by a worm over the weekend can be largely blamed on bad passwords and poor security practices, security experts said on Monday.

The Deloder worm, which spreads by communicating with Windows computers that have file sharing enabled, may have spread to as many as 10,000 systems, using a list of 86 passwords to break into computers running Microsoft Windows NT, 2000 and XP. While not an epidemic, the attack did highlight that people frequently choose easily guessable passwords to protect their computers.

"Whether it is a worm or human being that is trying to break into any machine, English words are easy passwords to crack," said Steve Trilling, senior director of research for security software maker Symantec.

Bad passwords are a major chink in the Internet armor surrounding company networks and home computers--one that worms and viruses will frequently exploit.

The recent LovGate worm--which appeared on the Internet two weeks ago--uses a list of 16 passwords as a secondary way to infect computers. The current Deloder worm, also called W32.HLLW.Deloder by Symantec and W32/Deloder.worm by Network Associates, uses its longer list as the primary attack on Internet-connected computers.

It's not surprising that worm writers have started using the technique. By some estimates, a third of computer passwords can be found by systematically trying every word in a smallish dictionary. Limited attacks, such as those using a small dictionary of words that could be bundled up in worm code, have fewer successes but are much faster.

The Deloder worm shows the speed of such attacks. The worm caused a spike in traffic on Saturday and Sunday, but the traffic had begun to level off after the weekend, said Johannes Ullrich, chief technology officer for the Internet Storm Center, a service that tracks attacks.

On Saturday, the Internet Storm Center detected Server Message Block (SMB) requests from almost 15,000 sources. The SMB protocol is used by Microsoft for file sharing and is normally used within corporate networks, not on the Internet. For the most part, the service averages about 4,000 such requests. The ISC had increased its threat assessment to a "yellow," or medium rating, over the weekend because of the worm's spread, but decreased the grade to "green" by the end of the day Monday.

Ullrich stressed that bad passwords aren't the only culprit; PC users shouldn't have file sharing turned on, either.

"A strong password would slow the worm down," he said. "But in reality, the best thing to do is to block file sharing. There is no good reason to use this protocol over the Internet."

The Deloder worm uses Windows file sharing to spread, sending attack data to potential victims using port 445. Ports are software addresses that applications use to communicate with other programs running on other computers. The Windows operating system uses port 445 to send data to other computers with which files are being shared.

On computers that it compromises, the worm will install two programs that allow an attacker to issue commands to the victim computer over the Internet.
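
An added example, not from the original article or the Internet Storm Center: Python that counts the distinct sources sending traffic to port 445 per day in a firewall log, flags a day that jumps well above the running baseline, and lists sources that contact many hosts on that port in one day. The log format, the 3x threshold, the function names and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

SMB_PORT = 445  # the port the article says the worm uses

def constructed_sample():
    """Constructed log lines (not real traffic): 'date src dst dport action'."""
    lines = []
    for day, n_src in (("2000-01-01", 2), ("2000-01-02", 2), ("2000-01-03", 8)):
        for i in range(n_src):
            lines.append(f"{day} 198.51.100.{i + 1} 192.0.2.10 445 DENY")
    # One source walking many addresses on 445, as a propagating host would.
    for host in range(20, 26):
        lines.append(f"2000-01-03 203.0.113.5 192.0.2.{host} 445 DENY")
    lines.append("2000-01-03 198.51.100.1 192.0.2.10 80 ALLOW")  # unrelated
    lines.append("malformed line")
    return lines

def parse(lines):
    """Yield (day, src, dst) for well-formed records aimed at SMB_PORT."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        day, src, dst, port, _action = parts
        if int(port) == SMB_PORT:
            yield day, src, dst

def spike_days(lines, factor=3.0):
    """Days whose distinct-source count is >= factor x the mean of earlier days."""
    sources = defaultdict(set)
    for day, src, _dst in parse(lines):
        sources[day].add(src)
    flagged, history = [], []
    for day in sorted(sources):
        count = len(sources[day])
        if history and count >= factor * (sum(history) / len(history)):
            flagged.append((day, count))
        else:
            history.append(count)  # only normal days feed the baseline
    return flagged

def fanout(lines, min_targets=5):
    """Sources that reached at least min_targets distinct hosts on SMB in a day."""
    targets = defaultdict(set)
    for day, src, dst in parse(lines):
        targets[(day, src)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}

if __name__ == "__main__":
    log = constructed_sample()
    print("spike days:", spike_days(log))
    print("wide scanners:", fanout(log))
```

A source that appears in the fan-out result from inside your own address space is a candidate for an infected machine, since normal file sharing rarely touches many hosts in sequence.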