Windows Server WINS attacks originating in China

Attacks on the WINS service vulnerability in Windows Server are coming from China, but so far are not widespread, according to the Internet Storm Centre.

The ISC, which is run by the SANS Institute, says it has only been able to collect limited information on the attacks, but has confirmed that they come from IP addresses inside China.

The WINS service vulnerability was disclosed last week when Microsoft issued security bulletin MS09-039, and the patch that accompanies it, as part of its regular Patch Tuesday release cycle. The vulnerability was rated "critical".

Bojan Zdrnja, who is the current Handler on Duty at the ISC, said in an email response that the ISC has received "several confirmations that the attacks appear to be real, and targeted against WINS servers that have not been patched with the MS09-039 patch."

He said ISC data shows that there is scanning going on, but so far there is no evidence of a widespread attack.

MS09-039 was issued on Aug. 11, when the ISC was reporting roughly zero targets per day on TCP port 42, the port used for WINS replication. By Aug. 13 that number had spiked to around 30,000, and by Aug. 16 it was 70,000.

The WINS service vulnerability affects Windows NT, 2000 and 2003 servers. The most exposed of those platforms is Windows 2000 Server with Service Pack 4 installed: Microsoft's exploitability rating for that version says "consistent exploit code" is likely. For the two other versions, Microsoft said, only "inconsistent exploit code" is likely, meaning a reliable exploit is harder to build but not ruled out.

WINS (Windows Internet Name Service) is a central mapping of NetBIOS computer names to IP addresses, and it lets users find computers on a network.

The MS09-039 patch closes a WINS vulnerability that could allow remote attackers to write to arbitrary memory locations, and possibly execute arbitrary code, via a modified memory pointer in a WINS replication packet sent to TCP port 42.

Data collected by the ISC shows that over the past few days Internet activity associated with Port 42 has risen dramatically.
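The port 42 counts above (distinct sources and targets per day) are the kind of figure a defender can reproduce from their own perimeter logs, and the same pass can flag the condition Schultze describes: TCP port 42 should normally be blocked at the Internet firewall, so an allowed port 42 connection from a non-internal address is a rule gap worth investigating. The script below is an added example written for this page, not ISC or Shavlik code. It assumes a generic key=value firewall log format (the regex and the sample lines are constructed for illustration) and treats the RFC 1918 ranges as "internal"; adapt both to your own devices and address plan.

```python
"""Per-day summary of TCP/42 (WINS replication) activity from firewall logs.

Added example for this article, not code from the ISC or from Shavlik.
The log format and every entry in SAMPLE_LOG are constructed; adjust
LINE_RE to match your firewall's real output before using this.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real traffic). Addresses are from the
# RFC 5737 documentation ranges plus one RFC 1918 internal host.
SAMPLE_LOG = """\
2009-08-11T02:14:07Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=42
2009-08-13T09:30:12Z fw1 action=deny src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=42
2009-08-13T09:30:13Z fw1 action=deny src=203.0.113.7 dst=192.0.2.11 proto=tcp dport=42
2009-08-13T11:02:55Z fw1 action=deny src=198.51.100.23 dst=192.0.2.10 proto=tcp dport=42
2009-08-13T11:05:01Z fw1 action=allow src=10.20.30.40 dst=10.20.30.5 proto=tcp dport=42
2009-08-13T11:05:02Z fw1 action=allow src=10.20.30.40 dst=10.20.30.5 proto=tcp dport=445
2009-08-16T03:44:19Z fw1 action=deny src=203.0.113.9 dst=192.0.2.12 proto=udp dport=42
2009-08-16T03:45:00Z fw1 action=allow src=203.0.113.9 dst=192.0.2.12 proto=tcp dport=42
"""

# Assumed log layout: ISO timestamp, device, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

WINS_REPLICATION_PORT = 42

# Assumption: RFC 1918 space is "inside". Checked explicitly rather than via
# ipaddress.is_private, which also treats the documentation ranges as private.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class DayStats:
    sources: set = field(default_factory=set)           # distinct scanning hosts
    targets: set = field(default_factory=set)           # distinct hosts probed
    internal_sources: set = field(default_factory=set)  # probes from inside
    external_allowed: int = 0                           # allowed from outside: rule gap


def summarize_port42(log_text: str) -> dict:
    """Return {day: {sources, targets, internal_sources, external_allowed}}
    for TCP/42 only; other ports and protocols are ignored."""
    stats = defaultdict(DayStats)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["proto"] != "tcp" or int(m["dport"]) != WINS_REPLICATION_PORT:
            continue
        day = stats[m["day"]]
        day.sources.add(m["src"])
        day.targets.add(m["dst"])
        if is_internal(m["src"]):
            day.internal_sources.add(m["src"])
        elif m["action"] == "allow":
            day.external_allowed += 1
    return {
        day: {
            "sources": len(s.sources),
            "targets": len(s.targets),
            "internal_sources": len(s.internal_sources),
            "external_allowed": s.external_allowed,
        }
        for day, s in sorted(stats.items())
    }


if __name__ == "__main__":
    for day, row in summarize_port42(SAMPLE_LOG).items():
        flag = "  <-- TCP/42 allowed from outside" if row["external_allowed"] else ""
        print(day, row, flag)
```

On the constructed sample this shows the same shape as the ISC numbers (external sources ramping up after the bulletin date), separates the one internal replication partner from the Internet scanners, and flags the Aug. 16 allowed connection from outside, which is exactly the perimeter rule Schultze expects to be closed. The UDP line is deliberately skipped: the replication channel the bulletin covers is TCP port 42.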

Eric Schultze, CTO for Shavlik Technologies, said last week that the WINS issue "is an unauthenticated server-side attack - the bad guy simply points and shoots some packets at the WINS server and they can execute code of their choice on that server." He noted, however, that the attack is most likely to come from inside a user’s network because the necessary port – Port 42 – to execute the attack is usually blocked at the Internet firewall.

Regardless, his recommendation was to "patch this right away on your WINS servers."