
How do viruses spread by open network shares on Windows machines?

Posted on 2009-04-12
Last Modified: 2013-11-22
I have been reading about the Conficker virus, and wonder about the reference to it infecting distant machines through open network shares. I cannot find a way for a virus to invoke a remote execution to infect a distant machine. Because of Microsoft's "helpful" behavior, I can see how a virus may trick a user into executing it, but I don't see how it can execute itself. I have Googled and read many discussions, but never found a specific answer to my question.

The share I am talking about is a data share; the entire drive is NOT shared, and the OS directories (including OS extensions by installed programs) are not shared. Clearly, if I share the entire drive, or the OS or Program directory, an OS or program DLL or EXE can be replaced, and eventually executed by normal calls from the OS.

Possibly the problem is the terms used: "spread" and "infection" are being used interchangeably. In my mind, spreading means the virus payload is being placed on a device, such as a removable storage or shared network directory, but is not active. Infected, to me, means the virus is active. If a virus just spreads, a good and up-to-date pre-execution virus scanner will block infection.

What concerns me is the implication that a virus can push itself from one machine to another and infect that machine without overt user action on the targeted machine, i.e., not just place a copy of the payload in the shared directory, but actually remotely cause the activation of that payload.

Any insight into this mechanism of infection would be appreciated.

Question by:pluskey

Expert Comment

by:xmachine
ID: 24125580
Hi,

Some viruses or worms are programmed to spread through networks by exploiting X vulnerability in the system. So, once the exploit is successfully executed remotely, the virus's payload will be transferred to the infected machine and get unpacked and decrypted in memory.

Windows admin shares (ADMIN$, C$, IPC$, D$, etc.) are used to access and penetrate systems remotely; a virus only needs to infect one system running under a domain privileged account (ex. Domain Administrator) to be able to access all systems in the network. That's why we encourage users to be wise when they want to use such a powerful privilege.

You need to use shared folder permissions, and auditing, to protect against infections. Read-only permission will prevent writing inside these folders (ex. Autorun.inf) or modifying any executable files.

A Symantec Certified Specialist @ your service
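The two points in the comment above (a broadly writable data share is where a worm drops autorun.inf or swaps an executable, and the hidden admin shares are reachable by anyone holding admin rights on the host) can be checked on a Windows host with the script below. It is an added example, not code from this thread or from any product; it assumes the SmbShare cmdlets (Windows 8 / Server 2012 or later) run in an elevated session, and the principal list, the 7-day window and the -Fix behaviour are choices made for the example, not anything the thread prescribes.

```powershell
# Added example (not from the original thread): audit the SMB shares on this
# host for a non-administrative share that a broad principal can write to,
# and for a writable share already carrying autorun.inf or recently modified
# executables. Requires the SmbShare module in an elevated session.
#
# Assumptions: $BroadPrincipals, $RecentDays and the -Fix behaviour are
# example choices; adjust them to the environment.

[CmdletBinding()]
param(
    # With -Fix, broad Full/Change grants on flagged shares are reduced to Read.
    [switch]$Fix,
    [int]$RecentDays = 7
)

# Principals whose write access amounts to "anyone on the network can write".
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')

# Administrative shares (C$, ADMIN$, IPC$) have Special = $true. Access to them
# follows local Administrators membership rather than the share ACL, so they
# are reported but not ACL-audited: a domain admin logged on to an infected
# peer reaches every one of them.
$adminShares = Get-SmbShare | Where-Object Special
if ($adminShares) {
    "Administrative shares present: $($adminShares.Name -join ', ')"
}

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }) {
    # Share-level ACL. Effective access is the more restrictive of this and the
    # NTFS ACL on $share.Path, so a Read grant here blocks writes regardless of
    # NTFS permissions.
    $writers = Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Full', 'Change') -and
            $BroadPrincipals -contains (($_.AccountName -split '\\')[-1])
        }
    if (-not $writers) { continue }

    # A writable data share is exactly where a worm drops autorun.inf or a
    # replacement for an EXE/DLL that users run from the share.
    $autorun = Test-Path -LiteralPath (Join-Path $share.Path 'autorun.inf')
    $since = (Get-Date).AddDays(-$RecentDays)
    $recentBinaries = Get-ChildItem -LiteralPath $share.Path -Recurse -File `
        -Include *.exe, *.dll, *.scr, *.com -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since }

    [pscustomobject]@{
        Share          = $share.Name
        Path           = $share.Path
        BroadWriters   = ($writers.AccountName -join ', ')
        AutorunInf     = $autorun
        RecentBinaries = @($recentBinaries).Count
    }

    if ($Fix) {
        foreach ($w in $writers) {
            # Replace the write grant with Read; -Force suppresses the prompt.
            Revoke-SmbShareAccess -Name $share.Name -AccountName $w.AccountName -Force | Out-Null
            Grant-SmbShareAccess  -Name $share.Name -AccountName $w.AccountName -AccessRight Read -Force | Out-Null
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it once without -Fix to see which shares are flagged, then with -Fix to reduce the broad grants to Read. Note that the share ACL only governs the named share: the hidden admin shares it lists in the first line are still fully writable to any account that is a local administrator on the host, which is the second vector described in the comment and is addressed by limiting where privileged accounts log on, not by share permissions.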

Author Comment

by:pluskey
ID: 24129188
Xmachine, thank you for your reply, but I am still confused by the situation.

If I understand you correctly, a networked Windows machine with an open share can have a remote execution forced upon it using this X vulnerability. Can you describe, or give a reference to, this vulnerability?

I Googled X vulnerability, and only found references dated later than 2006 in unpatched Windows XP systems, so I didn't find help there. I have found references to ActiveX vulnerabilities, not X vulnerability.

I also have been disabling autorun since before XP, because having that enabled seemed to me to be asking for trouble. Is that part of the security hole being referenced?

Once again, thank you for your reply.

Accepted Solution

by:xmachine (earned 125 total points)
ID: 24129890
Sorry, there is no Windows vulnerability called X; I used it for the example only. There are a lot of vulnerabilities that would fit here.

For example,

http://www.securityfocus.com/bid/31874

Author Comment

by:pluskey
ID: 24130319
Thank you for the information and education. I was completely unaware that a Microsoft OS can be exploited by completely remote means, as opposed to trickery of an unsuspecting user. If I understand your reference, the exploit employs access through a specific TCP port which is used for some Microsoft-centric operation to induce remote code operation without any user intervention.

While I understood the buffer overflow type exploits, I did not know legal command driven exploits existed.
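The precondition for the mechanism pluskey describes in the comment above is simply that the Windows RPC/SMB listeners are reachable from the attacking host; no share needs to be mapped and no user needs to be logged on. The sweep below finds which hosts on a subnet expose those listeners and which of them the scanning host itself has open. It is an added example, not code from this thread; the subnet, port list and timeout are example values, and reachability is all it tests: whether a reachable host is actually exploitable depends on its patch level, which this script does not check.

```powershell
# Added example (not from the original thread): find hosts on a /24 that
# expose TCP 135 (RPC endpoint mapper), 139 and 445 (SMB), the listeners a
# network worm reaches for without any action by the target's user.
#
# Assumptions: $Network, $Ports and $TimeoutMs are example values.
# Get-NetTCPConnection at the end needs Windows 8 / Server 2012 or later.

param(
    [string]$Network = '192.168.1',   # first three octets of the /24 (example value)
    [int[]]$Ports = @(135, 139, 445),
    [int]$TimeoutMs = 300
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs)
    # Raw socket connect with a timeout. Test-NetConnection waits a long time
    # on filtered ports, which turns a /24 sweep into minutes; this keeps it to
    # seconds and reports only whether the TCP handshake completed.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Sweep the subnet and keep only hosts with at least one listener reachable.
$exposed = foreach ($i in 1..254) {
    $ip = "$Network.$i"
    $open = foreach ($p in $Ports) {
        if (Test-TcpPort -Target $ip -Port $p -TimeoutMs $TimeoutMs) { $p }
    }
    if ($open) {
        [pscustomobject]@{ Host = $ip; OpenPorts = ($open -join ',') }
    }
}

"Hosts reachable on RPC/SMB ports:"
$exposed | Format-Table -AutoSize

# The same ports on the scanning host itself, with the owning process, so the
# reader can see what is listening locally before deciding what the firewall
# should allow inbound.
"Local listeners on the same ports:"
Get-NetTCPConnection -State Listen |
    Where-Object { $Ports -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

A host that appears in the first table is one the kind of worm discussed in this thread can talk to directly, whether or not it shares any folder, so the practical follow-up is to confirm it is patched and that Windows Firewall only allows these ports inbound from networks that need file sharing. Ports 139 and 445 are controlled by the "File and Printer Sharing" rule group; 135 is the RPC endpoint mapper and is separate.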
