Attacks on Microsoft WINS Service hole raise alarms

No machines are comprised yet, security experts say

Internet security monitoring groups are warning Microsoft Windows users about new Internet attacks aimed at Windows NT, Windows 2000 and Windows Server 2003 machines running WINS (Windows Internet Naming Service).

The attacks targets a WINS vulnerability that was reported and patched by Microsoft in December. The SANS Institute's Internet Storm Center, however, reports a marked increase in probes for machines running WINS in recent days, after computer code to exploit the vulnerability was posted on the K-Otik Security Web site on Dec. 31.

The code allows remote attackers to exploit Windows 2000 servers on which the WINS service has been enabled, according to a posting on the K-Otik site. Malicious hackers are probably using the exploit to plant Trojan horse programs or other remote control programs on vulnerable systems, according to Johannes Ullrich, chief technology officer at the Internet Storm Center.

According to the Microsoft bulletin, Windows NT Server 4.0 and Windows Server 2003 also carry the WINS vulnerability. (See: http://www.microsoft.com/technet/security/bulletin/ms04-045.mspx.) WINS is a Microsoft technology that matches IP (Internet Protocol) addresses to a computer's NetBIOS (Network Basic Input/Output System) name, in much the same way as DNS (domain name system) matches Internet domains to IP addresses.

The Center recorded WINS scans from a small number of Internet hosts since the exploit code appeared on the K-Otik Web page, but doesn't have a record of a machine being compromised, Ullrich said.

An increase in scans for machines listening for traffic on TCP (Transmission Control Protocol) port 42, which is used by WINS, was also noted by the The Research and Education Networking Information Sharing and Analysis Center (ISAC), starting on Dec. 31 and continuing through Tuesday. (See: http://www.ren-isac.net/monitoring/port-costa.cgi?tcp_dst_42_packets.)

WINS is enabled by default in Windows NT machines, but is disabled on systems running Windows 2000 and Windows 2003, which might account for the lack of successful infections, Ullrich said.

Organizations that have not already applied the Microsoft WINS patch should do so immediately. Alternatively, organizations should consider deactivating WINS, which is legacy technology that has since been replaced by Microsoft's Active Directory.

"A disabled service is always the safest," Ullrich said.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies