Internet Security
the Honeynet Project, led by Lance Spitzner, it had successfully tracked a malicious Pakistani hacker group that was trying to knock off as many Internet systems as it could (see "'Honey pot' network can gather evidence for catching and prosecuting hackers."). Fresh off their success in monitoring the group and handing over the evidence to federal authorities, the Honeynet team took a deeper look at the traffic they were capturing and found something worth investigating further.
During just one month of monitoring, the Honeynet team's "honey pot," which poses as a real network to attract hackers, had been scanned by hundreds of unique IP addresses looking for two particular ports: UDP (User Datagram Protocol) port 137, used by the NetBIOS Naming Service, and TCP port 139, the tried-and-true NetBIOS Session Service. This should not surprise loyal Security Watch students, who know that these ports, which are the Achilles' heels of Windows 9x/ME computers, turn users into "easy @Home and DSL victims." Knowing the proliferation of Windows 9x systems on the Internet and admitting more than idle curiosity about hackers targeting Windows systems (the Honeynet Project has been a mostly non-Microsoft entity until recently), the team decided to build a default Windows 98 system with the entire C: drive shared to the world -- hoping the "black-hat" bad guys would come. And come they did.
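The scanning pattern described above (many distinct sources probing 137/udp and 139/tcp) is easy to pull out of a perimeter or honey pot log. The following is an added example, not code from the column or from the Honeynet Project; the log lines are constructed in an iptables-style format, the addresses are documentation ranges, and the field names (SRC, PROTO, DPT) are an assumption about the log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables-style format (not real honey pot data).
SAMPLE_LOG = """\
Jun 12 01:02:03 honeypot kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Jun 12 01:02:04 honeypot kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=139 LEN=48
Jun 12 01:05:10 honeypot kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137 LEN=78
Jun 12 01:07:44 honeypot kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=2049 DPT=139 LEN=48
Jun 12 01:09:00 honeypot kernel: IN=eth0 SRC=203.0.113.77 DST=192.0.2.10 PROTO=TCP SPT=3344 DPT=80 LEN=48
Jun 12 01:11:30 honeypot kernel: IN=eth0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=139 LEN=48
Jun 12 01:12:00 honeypot kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=139 LEN=48
"""

# The two ports the column calls the Achilles' heels of Windows 9x/ME.
NETBIOS_PORTS = {("UDP", 137), ("TCP", 139)}

# Assumed log layout: SRC=<ip> ... PROTO=<proto> ... DPT=<port>
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def netbios_probes(log_text):
    """Return {(proto, port): set of source IPs} for hits on the NetBIOS ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m.group("proto").upper(), int(m.group("dpt")))
        if key in NETBIOS_PORTS:
            hits[key].add(m.group("src"))
    return hits


def scanners(log_text):
    """All unique source addresses that touched either NetBIOS port, sorted."""
    hits = netbios_probes(log_text)
    return sorted(set().union(*hits.values())) if hits else []


def both_ports(log_text):
    """Sources that probed 137/udp and then 139/tcp: the share-hunting sequence."""
    hits = netbios_probes(log_text)
    return sorted(hits[("UDP", 137)] & hits[("TCP", 139)])


if __name__ == "__main__":
    for key, srcs in sorted(netbios_probes(SAMPLE_LOG).items()):
        print(f"{key[0]}/{key[1]}: {len(srcs)} unique sources")
    print("name-lookup followed by session attempt:", both_ports(SAMPLE_LOG))
```

Counting unique sources per port, rather than raw packets, is what turns a noisy log into the "hundreds of unique IP addresses" figure the team reported; the pairing in `both_ports` separates broad sweeps from hosts that went on to try a session.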
Let the party begin
Within 24 hours, an attacker from Canada began probing the Windows 98 honey pot. Once he determined sharing was open on the system, he then searched for a well-known worm Symantec calls the W32.HLLW.Bymer Worm, which is sometimes called the Win32.Bymer Worm. Unlike many popular Internet worms, this worm's sole purpose is to take advantage of free CPU cycles on a victim's computer to help crack Distributed.net's RC5-64 challenge. This voluntary challenge attempts to use existing technology in a distributed fashion to download a small portion of the 64-bit key space and crack it. This is the only malicious worm we know that is designed to assist in this effort.
The Win32.Bymer Worm is a self-replicating worm that finds vulnerable Windows shares and copies to them Distributed.net's cracking configuration and executable files (dnetc.ini and dnetc.exe) and then the worm itself (msi216.exe or msi211.exe). But executing a worm on a remote Windows 9x system is not as trivial as with Windows NT. You can't simply tell the operating system to execute the newly uploaded file. Attackers typically have two techniques in their arsenal: They send a self-executing attachment in a forged e-mail to the user, or they modify the user's win.ini file to force the worm to load once the system reboots. This attacker took the simpler route, modifying win.ini.
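Because the persistence step is a plain-text edit to win.ini, the defender's check is equally plain: read the `[windows]` section and flag any program named on the `load=` or `run=` lines that is not on a known-good baseline. The following is an added example, not code from the column or from Symantec; the win.ini contents are constructed to mirror the modification described above, and the allowlist mechanism is an assumption about how a site would keep its baseline.

```python
import re

# Constructed win.ini modelled on a Windows 9x system after the edit described
# in the column (not a real capture). The run= line names the worm's own file.
SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\MSI216.EXE
NullPort=None
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""

# Windows 9x launches whatever these two keys name at every logon.
AUTOSTART_KEYS = ("load", "run")


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with case-folded names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(text):
    """Programs win.ini will start via [windows] load= / run=, as (key, program)."""
    windows = parse_ini(text).get("windows", {})
    found = []
    for key in AUTOSTART_KEYS:
        value = windows.get(key, "")
        # Several programs may be listed, separated by spaces or commas
        # (paths containing spaces would need quoting, which this ignores).
        for prog in re.split(r"[ ,]+", value):
            if prog:
                found.append((key, prog))
    return found


def unexpected_autostarts(text, allowlist=()):
    """Autostart entries absent from the site's baseline: what a check should alert on."""
    allowed = {a.lower() for a in allowlist}
    return [(k, p) for k, p in autostart_entries(text) if p.lower() not in allowed]


if __name__ == "__main__":
    for key, prog in unexpected_autostarts(SAMPLE_WIN_INI):
        print(f"unexpected {key}= entry: {prog}")
```

Run against a clean baseline the function returns nothing; run against the constructed file it reports the `run=` entry, which is the same signal an administrator would get by diffing win.ini against a known-good copy. The same check applies to any other autostart location a worm can reach with file-write access alone.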