WinNuke lives on, and it's coming to a system near you
Takeaway: In 1997, the first version of WinNuke launched denial of service attacks against Windows 95 and Windows NT. A new version is now targeting Windows NT, 2000, and XP. Here's what you need to know to stop WinNuke in its tracks.
WinNuke began as a nasty little program that launched a denial of service (DoS) attack against Windows 95 and NT systems. The immediate result of a WinNuke attack was the disruption and disablement of network communications. A reboot was required to restore the system, and a patch was necessary to prevent the attack in the future.
The original WinNuke connected to port 139 and sent junk data to that port. This form of an out-of-bounds DoS attack exploited a programming flaw in Windows networking, which ultimately caused the system to crash. The first WinNuke exploitation program appeared on the Internet in June 1997, and within a few weeks, Microsoft released a patch that corrected the problem. The correction to the networking system was included in future versions of Windows, and the WinNuke attack was relegated to a footnote in history.
Or so we thought. A reincarnated version of WinNuke has surfaced recently, and it can affect Windows NT, 2000, XP, and even .NET. The new version of WinNuke connects to port 139 and/or port 445. Port 139 is one of the ports used by NetBIOS; port 445 is used by Active Directory. A malformed Server Message Block (SMB) packet is sent to one of these ports, and after a few seconds, the system comes crashing down.
Fortunately, Microsoft has quickly responded to this resurrected threat and issued a new patch for it. Details about the vulnerability and the patch are available from the MS02-045 security bulletin. Patches are available for Windows NT, 2000, and XP.
The patch for this vulnerability is not included in Service Pack 3 for Windows 2000 or in Service Pack 1 for Windows XP. Likewise, the latest Service Pack for Windows NT, namely 6a, doesn't include the patch. Therefore, you'll have to download and install the hot fix as a separate item after you've applied the latest service pack. Also, a .NET patch is not available (at least not yet). Hopefully, Microsoft will incorporate this correction into the OS before it is released to manufacturing rather than releasing a hot fix for it.
If your Windows system is connected to the Internet, you need to deploy a safeguard. That safeguard can be the hot fix offered through MS02-045, or you can use a firewall to block access to ports 135-139 and 445 over your Internet connection. In fact, there’s no reason to allow NetBIOS and Active Directory traffic to traverse your Internet connection anyway. If you want to be extra safe, implement both safeguards.
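One way to confirm that a perimeter rule set really blocks ports 135-139 and 445 is to evaluate it the way a first-match packet filter would. This is an added example, not part of the original article: the rule format, the sample rule sets, and the choice to check both TCP and UDP are assumptions made for illustration.

```python
from typing import NamedTuple

# Ports the article says to block at the Internet edge.
GUARDED_PORTS = list(range(135, 140)) + [445]

class Rule(NamedTuple):
    """Hypothetical inbound rule; not any vendor's syntax."""
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first destination port covered
    hi: int      # last destination port covered

def decide(rules, proto, port, default="deny"):
    """First-match evaluation: the first rule covering the packet wins."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return default

def exposed(rules, default="deny"):
    """Return the guarded (proto, port) pairs the rule set still lets in."""
    return [(proto, port)
            for proto in ("tcp", "udp")
            for port in GUARDED_PORTS
            if decide(rules, proto, port, default) == "allow"]

# Constructed sample: a broad allow placed first shadows the later denies.
WEAK = [
    Rule("allow", "tcp", 1, 1023),
    Rule("deny", "any", 135, 139),
    Rule("deny", "any", 445, 445),
]

# Constructed sample: denies first, then only the services meant to be public.
FIXED = [
    Rule("deny", "any", 135, 139),
    Rule("deny", "any", 445, 445),
    Rule("allow", "tcp", 80, 80),
    Rule("allow", "tcp", 443, 443),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, exposed(rules) or "no guarded ports exposed")
```

The weak rule set shows why rule order matters: the deny entries are present, yet TCP 135-139 and 445 remain reachable because the broad allow matches first.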
You should properly guard all possible pathways into and out of your IT infrastructure by securing access controls, content filters, and safeguards. Otherwise, tomorrow a new version of another attack tool, similar to WinNuke, could be the intrusion that brings your network to a standstill.

