Fixes for worm

----- Forwarded by Victoria L Evans/OR/USB on 09/18/2001 02:52 PM -----

From: wharrod@trusecure.com
To: wharrod@private
cc:
Date: 09/18/2001 11:38 AM
Subject: TruSecure ALERT- TSA 01-024a UPDATE - W32.nimda.a.mm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TruSecure ALERT- TSA 01-024a UPDATE - W32.nimda.a.mm
Date: September 18, 2001
Time: 1400 EDT

RISK INDICES:
Initial Assessment: RED HOT
Threat: VERY HIGH (rapidly increasing)
Vulnerability Prevalence: VERY HIGH; affects IIS servers version 4.0 and 5.0, and internal networks.
Cost: Moderate per machine; aggregate cost may be high.

At this time, the only known payload is significant replication and infection. Some internal denial of service is likely for large infections.

SUMMARY: NIMDA Update
TruSecure Alert 01-024a (updates 01-023 of today)

Nimda has four main mechanisms of attack:

1) Web server to web server, from IIS 4 or IIS 5, using multiple common and old exploits. TS practices and essential configurations work here: the MS-01-044 IIS roll-up patch should be sufficient at the IIS level, and the Security Roll-up Package for NT or Service Pack 2 for W2K should be sufficient at the OS level.

2) Email to desktops through an attachment called README.EXE. Blocking *.exe, *.DLL and others per TS practices should work; AV products will start working shortly.

3) Web browsing of infected web sites from Windows desktop or server machines. Most sites probably need to disable the web proxy and deny browsing until other mitigations can be put in place (see below).

4) By shares across internal networks. Once an internal machine is infected, it is possible/common for the infection to spread to shared drives/machines via network shares alone. Isolate peer-to-peer networks from production nets, and consider disabling segments of your internal net proactively.

We currently recommend:

A) Stopping browsing unless the "Cuartango exploit" patches (MS-01-020, see TS alert 01-008) are installed on browsing desktops (unlikely at most sites). Do so by disabling your proxy server, and by advising users not to circumvent the web proxy by other (dial-up) means.

B) Filtering attachments at the mail server aggressively (especially .EXE and .DLL).

C) Disabling poorly patched or un-hardened web servers from the perimeter.

D) Looking for internal development servers which might have IIS installed by default on either NT or 2000 machines. These will become a significant vector for internal attack; they should have the IIS and MS operating system patches as above before resuming operations.

E) Redirecting TFTP (see below) on any infected machines.

F) Setting all desktop browser security settings to high (turns off Java scripting) and turning off active scripting.

IF INFECTED - RECOVERY Procedures:

Disconnect infected machines from the network.

On infected machines use TFTP redirection as follows: edit %systemroot%\system32\drivers\etc\services and change the line

    tftp 69/udp

to

    #tftp 69/udp

thereby disabling the TFTP client.

Delete ADMIN.DLL from the scripts directory.
Delete README.EXE, especially if received in e-mail.
Delete LINK.EXE in the system directory.

Harden the machine with MS-01-044, which is a cumulative patch that should address all patchable vulnerabilities. NT 4 boxes should have the SRP security roll-up patch and W2K boxes should have Service Pack 2 (SP2).

Outlook Express is part of the infection vector for browsing users. Infected web pages have JavaScript appended to the end of html, htm and asp pages which executes an EML file (which in turn sends email) on the client; this is executed automatically by default configurations of Windows with Outlook Express installed (OE is installed by default on essentially all Windows desktop and other operating systems, whether in use or not). Therefore users who browse any of the thousands of infected sites/web pages with Windows 32-bit machines will become infected, and will propagate the worm internally at most networks.

This is because Readme.exe within the EML file is listed as an x-wav file and executes automatically in the preview pane in Outlook Express. Most Windows machines will have OE associated with the EML file type. Netscape as a browser is probably not protective as long as Outlook Express is installed on the desktop (it need not be running or configured).

Another mitigation is to delete Outlook Express from desktops (remove the exe by deleting msimn.exe). This is the program invoked to launch the .eml file which is contained on infected web server pages.

Numerous *.eml files are part of the attack, including:
Sample.eml
Readme.eml
*.eml

DISCLAIMER: Copyright 2001 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security. IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO6eVqUNkp5EGviu0EQLBdQCdFethVmUmzH/YNQsad7GxDhOtg4AAoLu1
I/2c9RlY+nDwI1TWR6B1CMsL
=A4Yg
-----END PGP SIGNATURE-----
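The TFTP redirection step in the recovery procedure and the appended-JavaScript/.eml page mechanism described in the alert, as an added example that is not part of the alert or TruSecure's code: the two checks below rewrite a services file the way the alert instructs and flag web pages whose script blocks reference an .eml file. The services text, the page text and the shape of the script body are constructed samples; the alert does not give the exact JavaScript.

```python
# Added triage helpers for the Nimda recovery steps in this alert; not
# TruSecure's code. Sample inputs below are constructed, not captured.
import re

# An active (uncommented) TFTP entry, e.g. "tftp    69/udp"; a leading "#"
# means the alert's fix has already been applied.
TFTP_LINE = re.compile(r"^\s*tftp\s+69/udp\b", re.IGNORECASE)


def tftp_client_enabled(services_text: str) -> bool:
    """True if the services file still has an uncommented 'tftp 69/udp' line."""
    return any(TFTP_LINE.match(line) for line in services_text.splitlines())


def disable_tftp(services_text: str) -> str:
    """Comment out 'tftp 69/udp' as the alert instructs (idempotent)."""
    out = []
    for line in services_text.splitlines(keepends=True):
        if TFTP_LINE.match(line):
            line = "#" + line.lstrip()
        out.append(line)
    return "".join(out)


# Heuristic from the alert: infected html/htm/asp pages carry appended
# JavaScript that loads an .eml file (Readme.eml, Sample.eml, ...).
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
EML_REF = re.compile(r"[\w.-]+\.eml\b", re.IGNORECASE)


def find_eml_scripts(page_text: str) -> list[str]:
    """Return the .eml names referenced from <script> blocks in a page (lower-cased)."""
    found = []
    for block in SCRIPT_BLOCK.findall(page_text):
        found.extend(name.lower() for name in EML_REF.findall(block))
    return found


# Constructed samples: a services file with TFTP still enabled, and a page
# with a script appended after </html> (the script body is illustrative).
SERVICES_SAMPLE = "echo 7/tcp\ntftp 69/udp\n#tftp 69/udp disabled\nhttp 80/tcp\n"
PAGE_SAMPLE = ('<html><body>Welcome</body></html>\n'
               '<script language="JavaScript">open("readme.eml")</script>')

if __name__ == "__main__":
    print("tftp enabled:", tftp_client_enabled(SERVICES_SAMPLE))
    print(disable_tftp(SERVICES_SAMPLE))
    print("eml references:", find_eml_scripts(PAGE_SAMPLE))
```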
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:04 PDT