WinNuke

This article has been translated to Serbo-Croatian by WHGeeks.


I. Background

You are on IRC one night and you encounter this dude. The two of you start to bicker like a couple of schoolgirls. The other dude said that he is gonna burn you so you challenge him to bring it on! All of the sudden, your super K-rad Windows95 box crashes leaving you with the blue screen of death. "What the hell?!" comes spewing forth from your blistered lips. So what just happened to your computer? Did your box crash because of that other lamer? How did he cause that blue screen? While it is common to get a blue screen, the timing was just too perfect. Welcome to the crappy world of WinNuke ladies and gents!!

II. What is WinNuke and how does it work?

The blue screen that you saw is the calling card for a now infamous DoS (Denial of Service) attack called WinNuke. Only affecting Win95, it works by sending a packet with "Out of Band" data to port 139 of the target host. First off, port 139 is the NetBIOS port (see RFC 1700 for port assignments) and does not accept packets unless the flag OOB is set in the incoming packet. OOB stands for Out Of Band. When your machine accepts this packet, it causes your computer to crash and leaves you with nothing more than a blue screen (if you have used Windows before, you have likely seen this blue screen many times before). Because the program accepting the packets doesn't know how to appropriately handle Out Of Band data, it does what any good Microsoft program does. It crashes.

III. Some WinNuke Programs

WinNuke is pretty much dated now and other DoS attacks are far more popular, but WinNuke was the first DoS used by the masses to crash each other. Because of that, it has long been the foundation for similar attacks that utilize a single packet to crash a remote machine. Other programs/attacks like ______________________ utilize the same tactic as WinNuke. A specially crafted packet that the remote system can't understand or deal with, and it is all over. What started out as an undeveloped command line utility designed to exploit the weakness blossomed into dozens of utilities that perform the same function. Later versions of the WinNuke program were designed to send the packet to thousands of machines at once. After the widespread abuse it received, ISPs and law enforcement started to take the attack more seriously. Shortly after WinNuke gained popularity, Microsoft supplied a patch to 'fix' the problem. The original WinNuke utility sent the word "bewm" as part of the payload of an OOB WinNuke packet. Microsoft in all their cleverness did not address the problem. The patch simply filtered all packets with "bewm" and ignored them. As you may have guessed, it was a matter of hours before WinNuke2 came out, which randomized the payload of the packet. Microsoft eventually figured this out and issued a real patch. In subsequent months, the WinNuke attack was ported to almost every language, embedded into IRC scripts, and given a wide range of functionality.

IV. How to Prevent this Attack

There are two general ways to stop WinNuke attacks. I recommend you take both steps because of obvious benefits.

#1. If you are running an older version of Windows, install the Microsoft patch (and information) found here.

#2. Run an external utility such as NukeNabber. Not only will this program protect you from WinNuke, it will also monitor several other ports looking for several other known Denial of Service attacks. On top of protecting you from these packets, it will log the IP address of the person attempting to hit you. This can be used to notify the ISP of the attacker if needed. Despite this attack being somewhat outdated, knowledge of how it works and how to protect yourself is important. It acts as a foundation for several other attacks.
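To make the mechanism from section II and the NukeNabber-style monitoring from step #2 concrete, here is an added example. It is not part of the original article and is not NukeNabber's code: a small Python parser that reads raw IPv4/TCP packets, flags segments that carry the URG (out-of-band) bit and are addressed to port 139, and produces a log line naming the source address, which is what the article says NukeNabber does. The sample packets, the addresses in them and the function names are constructed for this example and assume nothing about any real capture.

```python
import struct

NETBIOS_SESSION_PORT = 139  # the port the article names as WinNuke's target
TCP_FLAG_URG = 0x20         # URG bit: marks a segment as carrying "Out of Band" data
IP_PROTO_TCP = 6


def parse_ipv4_tcp(packet: bytes):
    """Parse an IPv4 header followed by a TCP header.

    Returns a dict of the fields a monitor needs, or None if the bytes are
    not a well-formed IPv4/TCP packet. Checksums are not validated.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes
    if ihl < 20 or packet[9] != IP_PROTO_TCP or len(packet) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:]
    src_port, dst_port, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", tcp[:20]
    )
    data_offset = (off_flags >> 12) * 4  # TCP header length in bytes
    if data_offset < 20 or len(tcp) < data_offset:
        return None
    return {
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "flags": off_flags & 0x01FF,
        "urg_ptr": urg_ptr,
        "payload": tcp[data_offset:],
    }


def is_oob_to_netbios(seg) -> bool:
    """True for the pattern the article describes: URG set, destination port 139."""
    return seg["dst_port"] == NETBIOS_SESSION_PORT and bool(seg["flags"] & TCP_FLAG_URG)


def scan(packets):
    """Return one NukeNabber-style log line per suspicious packet."""
    alerts = []
    for raw in packets:
        seg = parse_ipv4_tcp(raw)
        if seg is not None and is_oob_to_netbios(seg):
            alerts.append(
                f"OOB data to port {seg['dst_port']} on {seg['dst_ip']} "
                f"from {seg['src_ip']}:{seg['src_port']} "
                f"(urg_ptr={seg['urg_ptr']}, {len(seg['payload'])} payload bytes)"
            )
    return alerts


# Constructed sample packets (documentation addresses, zero checksums); not real captures.
# Layout: 20-byte IPv4 header, 20-byte TCP header, 4-byte payload.
IP_HDR = "45 00 00 2c 00 01 40 00 40 06 00 00 c6 33 64 17 c0 00 02 0a"  # 198.51.100.23 -> 192.0.2.10
SAMPLES = [
    # 1: URG|PSH|ACK (0x38) to port 139, urgent pointer 4, payload "bewm": the pattern described above
    bytes.fromhex(IP_HDR + " 04 00 00 8b 00 00 00 01 00 00 00 00 50 38 20 00 00 00 00 04 62 65 77 6d"),
    # 2: PSH|ACK (0x18) to port 139, no URG: an ordinary NetBIOS session segment, should not alert
    bytes.fromhex(IP_HDR + " 04 01 00 8b 00 00 00 01 00 00 00 00 50 18 20 00 00 00 00 00 61 62 63 64"),
    # 3: URG set but destined to port 80: outside this check, should not alert
    bytes.fromhex(IP_HDR + " 04 02 00 50 00 00 00 01 00 00 00 00 50 38 20 00 00 00 00 04 47 45 54 20"),
    # 4: truncated packet (IP header only): the parser must reject it rather than crash
    bytes.fromhex(IP_HDR),
]

if __name__ == "__main__":
    for line in scan(SAMPLES):
        print(line)
```

The check keys on the URG flag and the destination port rather than on the payload, for the reason the article gives: the first Microsoft patch matched the "bewm" string and was bypassed within hours once WinNuke2 randomized the payload. Feeding the scanner live traffic instead of the embedded samples would need a raw socket or a pcap reader, which is outside what this example shows.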

Written by:

Alaric (alaric@attrition.org)
Edited by: Jericho & Mcintyre
HTMLized by: Mcintyre

(c) copyright 1999 Alaric