More information about a possible recent worm attack on
servers running Windows NT4 suggests the problem could be more severe than
first thought. Several security experts have confirmed a worm is
circulating that is capable of attacking systems running Windows NT4. The same
worm can also attack other versions of Windows, but while Microsoft has
published a free patch for the currently supported versions of Windows, it has
not released a free patch to firms using Windows NT4.
Some observers talk down the risk to NT4 systems by arguing that very few firms still use Windows NT4. However, it seems there are still a significant number of NT4 systems in use today, and some of those are used for Internet facing applications, such as web servers.
For example, Netlink is an Internet solutions vendor with a web site that runs on Windows NT4. A Netlink spokesman said, "We still use NT4 and provide NT4 support to customers, but each server has its own firewall blocking what isn't covered by patches. We also work with Windows 2000, but we don't use any of the activation/deactivation enabled versions of Windows because we believe that you can't allow a vendor that much control over your business systems."
A researcher at Netlink contacted security researchers on
the Full Disclosure mailing list about a possible worm attack against NT4
servers last Wednesday [30 Aug]. The researcher, called Geo, cited a report by
the Sans Internet Storm Center indicating a spike in port scans on TCP port 139
as evidence of increased hacker activity that could be related to a known flaw
in Windows NT4. In an exclusive interview with IT Week, Geo said that although
the Sans data is not tied specifically to NT4, there is still cause for
concern. Geo said, "The Sans data includes all versions of all operating
systems, but the spike started at about the same time that we started getting
calls about NT4 systems being infected so it's pretty clearly NT4 systems or at
least an NT4 capable version of the worm that's causing the spike".
Other Full Disclosure members confirmed there is a worm capable of attacking servers running Windows NT4, Windows 2000 and Windows Server 2003. However, Geo said most Windows 2000 and Windows Server 2003 systems are now patched against this flaw, but few of the NT4 systems are patched as Microsoft charges high support fees for NT4 systems because Microsoft considers NT4 systems to be past the end of their supportable life. However, Geo said Microsoft none-the-less sells support and patches for NT4 to firms that are willing to pay.
The worm appears to attack the Netbios subsystem present in Windows servers. However, Geo said disabling Netbios does not protect servers from the worm. "We've found that unbinding Netbios in NT4 will not protect you, you need a firewall to prevent exposure to the worm."
ARM plans 7nm 'Deimos' for 2019 and 5nm and 7nm 'Hercules' for 2020
AI, VR and working on the morning commute - it's all to come
Development could pave the way for the next generation of rechargeable batteries
And Apple IS working on virtual reality headset