Researcher Yang Yu, director of Xuanwu Lab of Tencent in Beijing, recently discovered that a decades-old means of communication could be tweaked within the parameters of the protocol to hijack the targeted system. The attack relies on the means by which Windows resolves host names within uniform naming convention (UNC) or Uniform Resource Identifier (URI) syntax.

The bug, dubbed BadTunnel, affects all versions of Microsoft Windows. IBM Managed Security Services (MSS) has not observed a notable increase in event count associated with this threat, but we will continue to watch for signs of attempted exploitation in the weeks to come.

A Little Background on BadTunnel

NetBIOS was created in 1983 as a protocol for two computers to communicate over a network. Microsoft later implemented NetBIOS as the basis for its Windows-to-Windows PC communication. In 1987, support for NetBIOS over TCP/IP was developed, which encapsulated the NetBIOS packets inside TCP and UDP packets.

UNC was the initial manner of specifying access to a remote object, such as a Windows share or a file on a remote system. The syntax was of the form \\ComputerName\SharedFolder\SomeFile.ext.

For example, if a user wanted to open a file (SomeFile.ext) on a local file server (LocalServer) in a share called PublicDocuments, it could be opened in an application using the name \\LocalServer\PublicDocuments\SomeFile.ext.

URI syntax became popular in the ’90s with the advent of the World Wide Web. Everyone these days has seen examples of URI syntax, but might not have realized it: For instance, a URI is http://www.securityintelligence.com. The full URI syntax is:

protocol://[UserID:[email protected][:OptionalPort]]/PathArguments[?QueryString][#SubSection]

To access the above document using URI syntax, the user would open smb://LocalServer/PublicDocuments/SomeFile.ext, where smb stands for Server Message Block, a protocol used to share access for objects such as files, directories and printers between systems on a network.

NetBIOS has its own name resolution service — the NetBIOS Name Service (NBNS) — to identify system names within the NetBIOS arena that might not be entered in a DNS environment. When opening a UNC or URI, the host name (in this case, LocalServer) is sent to the NBNS for resolution.

A Hypothetical — Yet Very Possible — Attack

Let’s look at how an innocent victim named Carol could be attacked by a cybercriminal named Ted.

Ted would need to get Carol to open a malicious UNC or URI. This could be done in a number of ways — via a malicious webpage Carol visited, a specially crafted document, an unsolicited email or even from a USB drive. The UNC or URI has Ted’s system listed in the host name portion. As long as port 137/UDP is open between victim and attacker, Carol is at risk. Ted and Carol could be on the same corporate network or in the same coffee shop using the same wireless network.

Ted’s system has ports 139 (NetBIOS Session Service) and 445 (Microsoft Directory Services) disabled on his system, but has port 137 (NetBIOS Name Service) open. His system is listening on the UDP port. Port 137 is used to query the network for the IP address of a given host name.

If Carol’s system is trying to look up the local Web Proxy Auto-Discovery (WPAD) server to obtain a web proxy configuration file, Carol’s system will send out a NetBIOS name service query over port 137/UDP. The application listening on that port on Ted’s system would then reply back that his IP address is that host in a specially crafted NBNS response. Carol’s system will add the resolved address for Ted’s system to its NBT (NetBIOS over TCP/IP) cache. Ted’s system is now Carol’s web proxy, and all of her web-based traffic will flow through Ted’s system.

Since it is the Windows operating system executing the NetBIOS name resolution, any applications running on Windows that allow file names to be in a UNC or URI format, such as web browsers, Microsoft Office products and some third-party applications, may be used as the attack vector.

Patch, Patch, Patch

Microsoft has patched this issue in its June release. We strongly suggest applying this update as soon as possible. We also encourage contacting your MSS provider to determine available signature coverage.

Yang Yu will be presenting his findings in a talk titled “BadTunnel: How Do I Get Big Brother Power?” at Black Hat USA 2016. If you have an interest in NetBIOS and are attending Black Hat, you may wish to attend his session.

More from Advanced Threats

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-Ranking Banking Trojan Ramnit Out to Steal Payment Card Data

Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Detections That Can Help You Identify Ransomware

One of the benefits of being part of a global research-driven incident response firm like X-Force Incidence Response (IR) is that the team has the ability to take a step back and analyze incidents, identifying trends and commonalities that span geographies, industries and affiliations. Leveraging that access and knowledge against the ransomware threat has revealed tools, techniques and procedures that can often be detected through the default Windows event logs (WELs). In particular, the X-Force IR team has identified several…

How to Report Scam Calls and Phishing Attacks

With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They're not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors' shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and…