Hackers After Patched WINS Servers

UPDATED: According to the Internet Storm Center (ISC) at the SANS Institute, hackers are
trying to exploit an already patched Microsoft WINS Server vulnerability.

Microsoft patched
the WINS Server Vulnerability in its
MS04-45 security bulletin on Dec. 14.
According to the bulletin, the Name Validation Vulnerability could allow an attacker to exploit the
vulnerability by constructing a malicious network packet that could
potentially allow remote code execution on an affected system.

However, the ISC and others are still recording hacker probes attempting to discover unpatched systems.

The ISC noted on its site that it had seen a “marked increase” since
Dec. 31 in port scans directed at WINS services (usually port 42
on tcp). The Research and Education Networking Information Sharing and
Analysis Center (REN-ISAC) at Indiana University has also reported an
increase in port 42 scanning since Dec. 31, with traffic exceeding
5000 packets every 15 minutes on Jan 1.

“So, if you have not patched your WINS servers in your respective
companies or campuses, beware,” ISC handler Scott Fendley wrote in a post.
“Patching these systems is now overdue. Additionally, WINS services
probably should not cross your border router. So please block these ports
and keep the rif-raf out in case your local Windows Server Admins have not
patched for this over the holidays.”

A Microsoft spokesperson confirmed that the company is aware of the situation,
though it downplayed the potential threat.

“One thing in particular is that WINS Servers are not meant to be Internet-facing, so any attack against WINS Server would be pretty limited,” the
spokesperson explained. “However, we’re still really
encouraging people to apply the update.”

WINS is a network infrastructure that is
often used by enterprises for name registration and name resolution.
The WINS Server Vulnerability was
first detected
at the beginning of December. Before the
patch was issued Microsoft recommended that network administrators
block TCP and UDP ports 42 at the firewall or to remove WINS outright if
it wasn’t needed.

Latest Articles

Follow Us On Social Media

Explore More