SonicALERT

Sonicwall Signatures
Category: NETBIOS

NetBIOS Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent intrusions carried out from inside the network. The NetBIOS name is somewhat misleading: NetBIOS is a largely defunct Application Programming Interface that was once used to carry the Server Message Block (SMB) protocol, among others, between networked computers and components. Since Windows 2000, networked computers have been able to speak SMB directly, without NetBIOS underneath it. The NetBIOS name is thus a holdover from old vulnerabilities that existed in networked Windows 95 and 98 machines. Nonetheless, the vulnerabilities described here are very similar and deal with the ways attackers attempt to exploit flaws in the handling of networking requests. The exploits detected by this category are not only used manually; many have become critical components of network worms that propagate mainly by copying themselves across internal networks without users' knowledge. Successful attacks in this category can cause servers and workstations to crash, and in some instances give attackers control over the compromised system.

Networks using SMB are organized in a client-server format, with a server providing access to network resources when clients send it requests. These servers provide a number of services, from print services to access to network shares, or shared versions of the hard drives on the network. A user's ability to access resources is restricted by that user's privileges, with the owner of the Administrator account having access to all resources on the network. Attackers attack a number of points in this structure to compromise a network.

The simplest type of attack is a Network Share Enumeration attack, in which an attacker gains access to network shares simply by asking the server to enumerate them. With proper security policies, i.e. robust password protection for network shares and well-defined privileges, these attacks are rarely successful. Unfortunately, proper security policies are implemented less often than they should be. These attacks can give attackers access to sensitive files on the network and allow them to upload malicious files onto network computers, compromising those computers if the files are run. Several worms use network share enumeration as a major vector for spreading across networks.

Network Share Enumeration attacks are often combined with Privilege Elevation attacks to achieve maximum effectiveness. Privilege Elevation attacks involve an attacker trying to hijack an account that has administrative privileges so that they can access all resources on a network. Often this just involves cracking the administrator password, which is frequently less robust than it could be. Many worms gain administrator privileges on networks by using a "dictionary" attack, that is, by attempting to log in with a list of weak, commonly used passwords. As worms become more advanced and begin to use compromised network computers as grids working on brute-force cracking of administrator passwords, this type of attack will succeed more often and the risk that attackers will be able to gain control of entire networks will rise.

The other type of attack recognized by this category deals with attempts to exploit vulnerabilities in networking software rather than in security policies. Many networking components contain unchecked buffers that allow attackers to make client or server machines malfunction by sending them a carefully crafted request. Such a request can cause a buffer overflow that gives attackers control over the compromised machine or causes it to crash. Attackers and worms commonly use these attacks to open backdoors and download malicious software onto both clients and servers, or to crash SMB servers, shutting down basic services such as network printing or access to network drives.

SonicWALL NetBIOS signatures are classified from low to high priority based on the probability of success and the likely damage caused by the corresponding attack. When enabled for prevention, these signatures can block attempts to transfer malicious files across network shares or to send malformed requests to client and server machines. When configured for detection, these signatures can alert administrators to suspicious activity such as repeated attempts at administrator login, which can indicate a brute-force attack in progress. It should be noted, however, that the above attacks can be largely prevented by sound security policies and frequent patching of network systems. SonicWALL signatures should be used in conjunction with these good networking practices to ensure maximum network security.
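The detection described in the last paragraph (alerting on repeated administrator login attempts, which the earlier paragraph on dictionary attacks motivates) can be sketched as a small log monitor. The following is an added example written for this page, not SonicWALL's own code or signature logic. It assumes a hypothetical line-oriented authentication log format, with the sample records constructed inline, and goes one step beyond the text by also raising a second alert when a successful login follows a burst of failures for the same account from the same source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): one SMB session-setup
# attempt per line, in a hypothetical "key=value" format.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 host=FS01 src=10.0.0.5 user=Administrator result=FAILURE
2024-05-01T09:00:02 host=FS01 src=10.0.0.5 user=Administrator result=FAILURE
2024-05-01T09:00:03 host=FS01 src=10.0.0.5 user=Administrator result=FAILURE
2024-05-01T09:00:04 host=FS01 src=10.0.0.5 user=Administrator result=FAILURE
2024-05-01T09:00:05 host=FS01 src=10.0.0.5 user=Administrator result=FAILURE
2024-05-01T09:00:07 host=FS01 src=10.0.0.5 user=Administrator result=SUCCESS
2024-05-01T09:10:00 host=FS01 src=10.0.0.9 user=alice result=FAILURE
2024-05-01T09:20:00 host=FS01 src=10.0.0.9 user=alice result=SUCCESS
2024-05-01T09:30:00 host=FS02 src=10.0.0.7 user=Administrator result=FAILURE
2024-05-01T09:45:00 host=FS02 src=10.0.0.7 user=Administrator result=FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one record of the assumed log format; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector keyed on (host, source, user).

    Emits a 'brute_force' alert once a key accumulates `threshold` failures
    inside `window`, and a 'success_after_burst' alert if that key then logs
    in successfully (the case a responder most wants to see first).
    """
    recent = defaultdict(deque)  # key -> timestamps of failures still inside the window
    flagged = set()              # keys that already produced a brute_force alert
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["src"], rec["user"])
        q = recent[key]
        # Drop failures that have aged out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if rec["result"] == "FAILURE":
            q.append(rec["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "brute_force", "host": rec["host"],
                               "src": rec["src"], "user": rec["user"],
                               "failures": len(q), "at": rec["ts"].isoformat()})
        elif rec["result"] == "SUCCESS":
            if key in flagged:
                alerts.append({"type": "success_after_burst", "host": rec["host"],
                               "src": rec["src"], "user": rec["user"],
                               "at": rec["ts"].isoformat()})
                flagged.discard(key)
            q.clear()  # a legitimate user's occasional typo should not keep counting
    return alerts


def run_sample():
    """Run the detector over the constructed sample records."""
    return detect_brute_force(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, only the 10.0.0.5 burst against `Administrator` on FS01 trips the detector (five failures in four seconds, then a success); alice's single typo and the two widely spaced failures from 10.0.0.7 stay below threshold. The threshold and window are the knobs to tune against a site's baseline of ordinary failed logins.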

  Windows Print Spooler Privilege Escalation (CVE-2021-1675)
  SMB Malformed Request 4
  Samba Netlogon Remote Code Execution 1
  SMB Malformed Request 13
  Cisco Webex Meetings Update Service Command Injection
  Samba vfs_fruit Module Remote Code Execution 1
  Samba vfs_fruit Module Remote Code Execution 2
  Samba symlink Directory Traversal
  Samba Spotlight mdssvc RPC DoS
  Samba Spotlight mdssvc RPC DoS 2
  Samba SamrChangePassword Remote Command Execution 1
  Samba NDR Parsing Heap Buffer Overflow
  SMB Malformed Request 1
  SMB Malformed Request 2
  SMB Malformed Request 12
  Samba read_nttrans_ea_list DoS 2
  Samba MS-RPC Command Injection
  Samba nmbd unstrcpy Buffer Overflow
  Windows Print Spooler Format String Attack 3
  PsExec Call over SMB
  SMB Malformed Request 5
  SMB Malformed Request 6
  SMB Malformed Request 3
  SMB Malformed Request 7
  Samba SamrChangePassword Remote Command Execution 2
  SMB Malformed Request 8
  Samba read_nttrans_ea_list DoS 1
  SMB Malformed Request 11
  SMB Malformed Request 9
  SMB Malformed Request 10
  Windows Print Spooler Format String Attack 1
  Windows Print Spooler Format String Attack 2
  SMB Malformed Response 1
  Sourcefire Snort rule20275eval Buffer Overflow
  Samba Netlogon Remote Code Execution 2
  Windows SAM and LSAD Downgrade (MS16-047) 1
  Windows SAM and LSAD Downgrade (MS16-047) 2
  Windows LSASS DoS (MS16-137) 1
  Windows LSASS DoS (MS16-137) 2
  Windows SMB Tree Connect Response DoS 1
  Windows SMB Tree Connect Response DoS 2
  Windows SMB Remote Code Execution (MS17-010) 1
  Windows SMB Information Disclosure (MS17-010) 1
  Windows SMB Information Disclosure (MS17-010) 2
  Windows SMB Remote Code Execution (MS17-010) 2
  Windows SMB Remote Code Execution (MS17-010) 3
  Samba Uploaded Shared Library Remote Code Execution 1
  Windows SMB Remote Code Execution (MS17-010) 5
  Samba Uploaded Shared Library Remote Code Execution 2
  Samba Uploaded Shared Library Remote Code Execution 3
  Windows SMB Information Disclosure (MAY 17)
  Windows SMB Remote Code Execution (MS17-010) 6
  Windows SMB Information Disclosure (MAY 17) 2
  Samba Write Request Information Disclosure
  Windows SMB Out-of-Bounds Read (OCT 17)
  Windows SMB Information Disclosure (OCT 17) 1
  Samba SMB1 Request Use-After-Free
  Samba SMB1 message_push_string Information Disclosure 1
  Samba spoolss Service DoS
  Samba SMB1 message_push_string Information Disclosure 2
  Windows Print Spooler Remote Code Execution (CVE-2021-34527) 1
  Windows Print Spooler Remote Code Execution (CVE-2021-34527) 2
  Windows LSA Spoofing (CVE-2022-26925)
  Windows SMB Client Null Dereference DoS
  Windows SMB Transaction Response DoS (MS10-020)
  Windows SMB Client Remote Code Execution (MS10-020)
  Samba AndX Security Blob Length DoS 1
  Samba AndX Security Blob Length DoS 2
  Samba Flags2 Header DoS 1
  Samba Flags2 Header DoS 2
  Samba SID Parsing Buffer Overflow
  Samba call_trans2open Buffer Overflow
  Samba AndX Heap Buffer Overflow
  Samba RPC Code Generator Remote Code Execution 1
  Samba RPC Code Generator Remote Code Execution 2
  Windows SMB DoS (CVE-2024-43642) 1
  Windows SMB DoS (CVE-2024-43642) 2
  Microsoft Filter Manager Privilege Escalation (OCT 18)
  Windows SMB Remote Code Execution (FEB 19) 1
  Windows SMB Information Disclosure (MAR 19) 1
  Windows SMB Remote Code Execution (FEB 19) 2
  Samba Uploaded Shared Library Remote Code Execution 4
  Samba Uploaded Shared Library Remote Code Execution 5
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 1
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 2
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 3
  Windows SMBv3 Remote Code Execution (CVE-2020-0796) 4
  Windows SMBv3 DoS (CVE-2020-1284)
  Windows SMB Remote Code Execution (CVE-2020-1301) 1
  Windows SMB Remote Code Execution (CVE-2020-1301) 2
  Windows SMBv3 Information Disclosure (CVE-2020-1206) 1
  Windows SMBv3 Information Disclosure (CVE-2020-1206) 2
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 1
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 2
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 3
  Windows Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) 4
  Windows SMB Information Disclosure (CVE-2020-17140)
  Windows SMB Information Disclosure (CVE-2021-28325)

