Hackers After Patched WINS Servers

by Sean Michael Kerner

UPDATED: They're looking for holes in the already patched vulnerability.

UPDATED: According to the Internet Storm Center (ISC) at the SANS Institute, hackers are trying to exploit an already patched Microsoft WINS Server vulnerability.

Microsoft patched the WINS Server Vulnerability in its MS04-45 security bulletin on Dec. 14. According to the bulletin, the Name Validation Vulnerability could allow an attacker to exploit the vulnerability by constructing a malicious network packet that could potentially allow remote code execution on an affected system.

However, the ISC and others are still recording hacker probes attempting to discover unpatched systems.

The ISC noted on its site that it had seen a "marked increase" since Dec. 31 in port scans directed at WINS services (usually port 42 on tcp). The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) at Indiana University has also reported an increase in port 42 scanning since Dec. 31, with traffic exceeding 5000 packets every 15 minutes on Jan 1.

"So, if you have not patched your WINS servers in your respective companies or campuses, beware," ISC handler Scott Fendley wrote in a post. "Patching these systems is now overdue. Additionally, WINS services probably should not cross your border router. So please block these ports and keep the rif-raf out in case your local Windows Server Admins have not patched for this over the holidays."

A Microsoft spokesperson confirmed that the company is aware of the situation, though it downplayed the potential threat.

"One thing in particular is that WINS Servers are not meant to be Internet-facing, so any attack against WINS Server would be pretty limited," the spokesperson explained. "However, we're still really encouraging people to apply the update."

WINS is a network infrastructure that is often used by enterprises for name registration and name resolution. The WINS Server Vulnerability was first detected at the beginning of December. Before the patch was issued Microsoft recommended that network administrators block TCP and UDP ports 42 at the firewall or to remove WINS outright if it wasn't needed.

This article was originally published on Wednesday Jan 5th 2005