v3-labs


NT4 worm fears justified


More information about a possible recent worm attack on servers running Windows NT4 suggests the problem could be more severe than first thought. Several security experts have confirmed a worm is circulating that is capable of attacking systems running Windows NT4. The same worm can also attack other versions of Windows, but while Microsoft has published a free patch for the currently supported versions of Windows, it has not released a free patch to firms using Windows NT4. 

Some observers talk down the risk to NT4 systems by arguing that very few firms still use Windows NT4. However, it seems there are still a significant number of NT4 systems in use today, and some of those are used for Internet-facing applications, such as web servers.

For example, Netlink is an Internet solutions vendor with a web site that runs on Windows NT4. A Netlink spokesman said, "We still use NT4 and provide NT4 support to customers, but each server has its own firewall blocking what isn't covered by patches. We also work with Windows 2000, but we don't use any of the activation/deactivation enabled versions of Windows because we believe that you can't allow a vendor that much control over your business systems."

A researcher at Netlink contacted security researchers on the Full Disclosure mailing list about a possible worm attack against NT4 servers last Wednesday [30 Aug]. The researcher, called Geo, cited a report by the Sans Internet Storm Center indicating a spike in port scans on TCP port 139 as evidence of increased hacker activity that could be related to a known flaw in Windows NT4. In an exclusive interview with IT Week, Geo said that although the Sans data is not tied specifically to NT4, there is still cause for concern. Geo said, "The Sans data includes all versions of all operating systems, but the spike started at about the same time that we started getting calls about NT4 systems being infected, so it's pretty clearly NT4 systems or at least an NT4 capable version of the worm that's causing the spike."

Other Full Disclosure members confirmed there is a worm capable of attacking servers running Windows NT4, Windows 2000 and Windows Server 2003. Geo said most Windows 2000 and Windows Server 2003 systems are now patched against this flaw, but few NT4 systems are, because Microsoft considers NT4 to be past the end of its supportable life and charges high support fees for it. Geo said Microsoft nonetheless sells support and patches for NT4 to firms that are willing to pay.

The worm appears to attack the Netbios subsystem present in Windows servers. However, Geo said disabling Netbios does not protect servers from the worm. "We've found that unbinding Netbios in NT4 will not protect you, you need a firewall to prevent exposure to the worm."

31 Aug 2006
