LAS VEGAS — An implementation flaw in an ancient Windows networking service lets attackers remotely seize control of the internet connections on every Windows PC made in the past 20 years, security researcher Yang Yu said at the Black Hat security conference here today (Aug. 4).
Yu, director of Chinese tech giant Tencent's research lab, explained that the flaw rested in the NetBIOS service and how it connected to the internet. To exploit the flaw, he said he had created proof-of-concept malware, which he dubbed BadTunnel.
"With BadTunnel, you can hijack the network traffic of every version of Windows going back to Window 95," Yu said.
Microsoft pushed out a patch for the flaw in June, but unpatched machines, including all machines running Windows XP and earlier, are still vulnerable to Yu's malware.
NetBIOS is a software interface providing local network connections that dates back to 1983. With Windows 95, Microsoft extended NetBIOS's abilities to let it connect to the internet by using the internet's standard TCP/IP protocols.
"How ancient is NetBIOS?" Yu asked. "Study the work on it, and you'll see the name 'Cult of Dead Cow' pop up," referring to a legendary hacker crew active in the 1980s.
NetBIOS has its own naming system, which assigns names to every device on a local network. Called the NetBIOS Name Service, or NBNS, the service is similar to the Domain Name System (DNS) used by the internet, but is far less secure.
DNS' security rests in randomness, Yu explained. An attacker trying to intercept DNS traffic would be unable to guess a DNS network transaction ID or the Windows networking ports to which DNS commands would go.
But, Yu said, NBNS is not random at all. Instead, both incoming and outgoing traffic travels over port 137, and transaction IDs are incremented — 56 will follow 55, and so on. That was fine when NetBIOS was used strictly for local networks, as all machines on the network were assumed to be trustworthy. But it's not safe when connecting to the internet.
Furthermore, Yu explained, on all versions of Windows, NetBIOS will use port 137 as a fallback if NetBIOS' normal ports 139 and 445 are inaccessible. By blocking those ports, an attacker can force a connecting machine to route all NetBIOS traffic to port 137 — and abuse the non-random naming protocol to try to seize control of the connecting machine's network traffic by reconfiguring its internet connections.
How would the attacker do that? Like many background internet protocols, Yu said, NBNS data packets are in the unreliable, unchecked UDP format rather than the reliable and checked TCP format -- which means it's easier to sneak in malicious data. That's exactly what Yu's BadTunnel malware does.
In a demonstration, showed how two computers running Windows XP — called "Alice" and "Bob" using classic networking examples — connected. Alice tried to connect to a specific IP address on Bob's machine, but Bob blocked ports 139 and 445.
Alice's machine fell back to port 137, which Bob's machine accepted — but Bob's machine harbored the BadTunnel malware, which abused NetBIOS' flaw to redirect Alice's internet connections to accept Bob's machine as the DNS server.
That means that after the deployment of the BadTunnel malware, Bob's machine now essentially controlled Alice's internet traffic. It could send her to malicious websites without her knowledge, such as by redirecting her Facebook login page to a fake Facebook page that captured her Facebook username and password.
"This gives you Big Brother power," Yu said.
To defend against BadTunnel, Yu said that users of Windows Vista and later should simply install Microsoft's June 2016 patches. But users of Windows XP and earlier will need to disable NetBIOS over TCP/IP, and that firewalls used by Windows XP machines should be set to block port 137.