TruSecure ALERT- TSA 01-024a UPDATE - W32.nimda.a.mm

From: victoria.evans@private
Date: Tue Sep 18 2001 - 14:52:56 PDT


    Fixes for worm
    ----- Forwarded by Victoria L Evans/OR/USB on 09/18/2001 02:52 PM -----

    From: wharrod@trusecure.com
    To: wharrod@private
    cc:
    Date: 09/18/2001 11:38 AM
    Subject: TruSecure ALERT- TSA 01-024a UPDATE - W32.nimda.a.mm

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    TruSecure ALERT- TSA 01-024a UPDATE - W32.nimda.a.mm
    
    Date: September 18, 2001
    Time:  1400 EDT
    
    RISK INDICES:
    
    Initial Assessment: RED HOT
    
    Threat: VERY HIGH, (rapidly increasing)
    
    Vulnerability Prevalence: VERY HIGH, affects IIS servers version 4.0
    and 5.0, and internal networks.
    
    Cost: Moderate per machine, aggregate cost may be high
    At this time, the only known payload is significant replication and
    infection.  Some internal Denial of Service is likely for large
    infections.
    
    SUMMARY:
    
    NIMDA Update TruSecure Alert 01-024a (updates 01-023 of today)
    
    Nimda has four main mechanisms of attack:
    1)   Web server to web server from IIS 4 or IIS 5 (using multiple
    common and old exploits; TS practices and essential configurations work
    here; the MS-01-044 IIS roll-up patch should be sufficient). At the OS
    level, the Security roll-up package for NT or Service Pack 2 for W2K
    should be sufficient.

    2)   Email to desktops through an attachment called README.EXE
    (blocking *.exe, *.DLL and others per TS practices should work;
    AV products will start working shortly).

    3)   Web browsing of infected web sites from Windows desktop or server
    machines (most sites probably need to disable the web proxy and deny
    browsing until other mitigations can be put in place, see below).

    4)   By shares across internal networks. Once an internal machine is
    infected, it is possible/common for the infection to spread to shared
    drives/machines via network shares alone. Isolate peer-to-peer
    networks from production nets, and consider disabling segments of your
    internal net proactively.
    
    We currently recommend:
    A)   Stopping browsing unless the "Cuartango exploit" patches
    (MS-01-020; see TS alert 01-008) are installed on browsing desktops
    (unlikely at most sites). Do so by disabling your proxy server,
    and by advising users not to circumvent the web proxy by other
    (dial-up) means.
    B)   Filtering attachments at the mail server aggressively (especially
    .EXE and .DLL).
    C)   Disabling poorly patched or un-hardened web servers from the
    perimeter.
    D)   Looking for internal development servers which might have IIS
    installed by default on either NT or 2000 machines; these will become
    a significant vector for internal attack, and they should have the IIS
    and MS operating system patches as above before resuming operations.
    E)   Redirecting TFTP (see below) on any infected machines.
    F)   Setting all desktop browser security settings to high (turns off
    Java scripting) and turning off active scripting.
    
    IF INFECTED RECOVERY Procedures:
    
    Disconnect infected machines from the network:
    
    On infected machines use TFTP redirection as follows:

    Edit %systemroot%\system32\drivers\etc\services.

    Change the line:

    tftp 69/udp

    to:

    #tftp 69/udp

    thereby disabling the TFTP client.
    
    
    Delete ADMIN.DLL from the scripts directory
    Delete README.EXE, especially if received in e-mail.
    Delete LINK.EXE in system directory
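The two host-side recovery steps above, the services-file edit and the check for the named files, can be automated. The following Python script is an added example and is not part of the TruSecure alert: it comments out the `tftp 69/udp` entry idempotently (a line already commented out is left alone) and reports ADMIN.DLL, LINK.EXE and README.EXE if they exist in the directories the caller supplies. The directory layout and file contents in `demo()` are constructed for illustration; the function names and the 4 KiB tail are this example's own choices, not anything the alert specifies.

```python
# Added example, not part of the TruSecure alert: automates the host-side
# recovery steps the alert lists. It (1) comments out the "tftp 69/udp"
# entry in a services file so the TFTP client no longer resolves its port,
# and (2) reports the indicator files the alert names (ADMIN.DLL in the
# scripts directory, LINK.EXE in the system directory, README.EXE where
# mail attachments land). All directory paths are supplied by the caller;
# the demo() paths and file contents are constructed for illustration.
import os
import re
import tempfile

# Matches an active (uncommented) tftp entry; leading whitespace is kept in
# group 1 so the file's layout is preserved. A line already starting with
# '#' does not match, which makes the edit idempotent.
TFTP_LINE = re.compile(r"^(\s*)(tftp\s+69/udp\b.*)$", re.IGNORECASE)

# Indicator file names from the alert, keyed by the directory role they live in.
INDICATORS = {
    "scripts": "admin.dll",
    "system": "link.exe",
    "mail": "readme.exe",
}


def disable_tftp(services_text):
    """Return (new_text, changed): the services file with tftp commented out."""
    lines = services_text.splitlines()
    changed = False
    for i, line in enumerate(lines):
        m = TFTP_LINE.match(line)
        if m:
            lines[i] = "%s#%s" % (m.group(1), m.group(2))
            changed = True
    new_text = "\n".join(lines)
    if services_text.endswith("\n"):
        new_text += "\n"
    return new_text, changed


def disable_tftp_in_file(services_path):
    """Apply disable_tftp() to a file in place; returns True if it was modified."""
    with open(services_path, "r", encoding="utf-8") as fh:
        text = fh.read()
    new_text, changed = disable_tftp(text)
    if changed:
        with open(services_path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


def find_indicators(dirs_by_role):
    """Look for each indicator file in the directory of its role.

    dirs_by_role maps "scripts", "system" and "mail" to directory paths.
    Names are compared case-insensitively (Windows file systems are
    case-insensitive). Returns the full paths of the files found, sorted.
    """
    found = []
    for role, name in INDICATORS.items():
        directory = dirs_by_role.get(role)
        if not directory or not os.path.isdir(directory):
            continue
        for entry in os.listdir(directory):
            if entry.lower() == name:
                found.append(os.path.join(directory, entry))
    return sorted(found)


def demo():
    """Run both steps against a constructed throw-away directory tree."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "system32", "drivers", "etc")
        scripts = os.path.join(root, "inetpub", "scripts")
        system = os.path.join(root, "system32")
        mail = os.path.join(root, "attachments")
        for d in (etc, scripts, system, mail):
            os.makedirs(d, exist_ok=True)

        services = os.path.join(etc, "services")
        with open(services, "w", encoding="utf-8") as fh:
            # constructed services file excerpt, Windows-style columns
            fh.write("ftp            21/tcp\ntftp           69/udp\nsnmp          161/udp\n")

        # constructed indicator files (empty) plus one benign file
        for path in (os.path.join(scripts, "ADMIN.DLL"),
                     os.path.join(system, "LINK.EXE"),
                     os.path.join(mail, "Readme.exe"),
                     os.path.join(system, "notepad.exe")):
            open(path, "wb").close()

        first = disable_tftp_in_file(services)
        second = disable_tftp_in_file(services)  # idempotent: no further change
        with open(services, encoding="utf-8") as fh:
            tftp_commented = "#tftp" in fh.read()
        hits = find_indicators({"scripts": scripts, "system": system, "mail": mail})
        return {
            "changed_first_run": first,
            "changed_second_run": second,
            "tftp_commented": tftp_commented,
            "indicator_names": [os.path.basename(p) for p in hits],
        }


if __name__ == "__main__":
    print(demo())
```

`find_indicators()` only reports; deleting the files is left to the operator, as the alert's steps do, so that a copy can be preserved for analysis before removal.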
    
    Harden the machine with MS-01-044, a cumulative patch which should
    address all patchable vulnerabilities.  NT 4 boxes should have the SRP
    (security roll-up patch) and W2K boxes should have Service Pack 2
    (SP2).
    
    
    Outlook Express is part of the infection vector for browsing users.
    Infected web pages have JavaScript appended to the end of .html, .htm
    and .asp pages which opens an EML file (an e-mail message) on the
    client; that file is automatically executed by default configurations
    of Windows with Outlook Express installed (OE is installed by default
    on essentially all Windows desktop and other operating systems, whether
    in use or not).  Therefore users who browse any of the thousands of
    infected sites/web pages with Windows 32-bit machines will become
    infected, and will propagate the worm internally at most networks.
    This is because Readme.exe within the EML file is listed as an x-wav
    file and executes automatically in the preview pane in Outlook
    Express.  Most Windows machines will have OE associated with the EML
    file type.
    
    Netscape as a browser is probably not protective as long as Outlook
    Express is installed (it need not be running or configured) on the
    desktop.

    Another mitigation is to delete Outlook Express from desktops (remove
    the exe by deleting msimn.exe).  This is the program invoked to launch
    the .eml file, which is contained on infected web server pages.
    
    Numerous *.eml files are part of the attack including:
    Sample.eml
    Readme.eml
    *.eml
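On the web-server side, the two artifacts described above (.eml files dropped into the site, and a script appended to the tail of .html/.htm/.asp pages that opens one) can be looked for with a read-only scan. The script below is an added example, not part of the TruSecure alert: it walks a web root, lists every *.eml file and flags pages whose last bytes contain a `<script>` block referencing a .eml file. The 4 KiB tail window, the extension list and the sample pages built in `demo()` (including the `window.open` line) are constructed assumptions for this example, not signatures taken from the alert.

```python
# Added example, not part of the TruSecure alert: a read-only scanner for the
# web-server side of the browsing vector described above. It walks a web root
# and reports (1) every *.eml file and (2) every .html/.htm/.asp page whose
# trailing bytes contain a <script> block that references an .eml file, the
# shape of the appended code the alert describes. The 4 KiB tail window, the
# page extensions and the sample pages in demo() are assumptions made for
# this example, not values taken from the alert.
import os
import re
import tempfile

PAGE_EXTENSIONS = {".html", ".htm", ".asp"}
TAIL_BYTES = 4096  # assumption: an appended script sits within the last 4 KiB

# Any <script ...>...</script> block, case-insensitive, spanning newlines.
SCRIPT_BLOCK = re.compile(rb"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def find_eml_scripts(page_bytes):
    """Return the <script> blocks in the page tail that mention a .eml file."""
    tail = page_bytes[-TAIL_BYTES:]
    hits = []
    for m in SCRIPT_BLOCK.finditer(tail):
        block = m.group(0)
        if b".eml" in block.lower():
            hits.append(block.decode("latin-1"))
    return hits


def scan_webroot(root):
    """Walk root; return {"eml_files": [paths], "tainted_pages": {path: [blocks]}}."""
    findings = {"eml_files": [], "tainted_pages": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".eml":
                findings["eml_files"].append(path)
            elif ext in PAGE_EXTENSIONS:
                with open(path, "rb") as fh:
                    hits = find_eml_scripts(fh.read())
                if hits:
                    findings["tainted_pages"][path] = hits
    return findings


def demo():
    """Scan a constructed web root containing clean and tainted pages."""
    clean = b"<html><body><p>Welcome</p></body></html>\n"
    # Constructed sample of an appended block: a script that opens an .eml file.
    appended = (b'<html><script language="JavaScript">'
                b'window.open("readme.eml", null, "resizable=no")'
                b"</script></html>\n")
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "docs")
        os.makedirs(sub)
        files = {
            os.path.join(root, "index.html"): clean + appended,
            os.path.join(root, "about.htm"): clean,
            os.path.join(sub, "page.asp"): clean + appended,
            os.path.join(root, "readme.eml"): b"MIME-Version: 1.0\n",  # constructed stub
            os.path.join(sub, "sample.eml"): b"MIME-Version: 1.0\n",   # constructed stub
            os.path.join(root, "logo.js"): b'var s = "readme.eml";\n',  # not a page: ignored
        }
        for path, data in files.items():
            with open(path, "wb") as fh:
                fh.write(data)
        result = scan_webroot(root)
        return {
            "eml_files": [os.path.relpath(p, root) for p in result["eml_files"]],
            "tainted_pages": [os.path.relpath(p, root) for p in result["tainted_pages"]],
        }


if __name__ == "__main__":
    print(demo())
```

Because only the tail of each page is inspected, a legitimate page that mentions ".eml" inside its own early scripts is not flagged, but any page that has had a block appended after its closing tag is; a scan of a production web root should be run from a read-only copy taken before cleanup so the findings can be preserved.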
    
    DISCLAIMER:
    Copyright 2001 TruSecure Corporation.  All rights reserved.  This
    Alert is the property of the TruSecure Corporation.  It may not be
    redistributed except within your own company or organization.  This
    Alert is being provided for informational purposes only and is
    provided "AS IS."  The TruSecure Corporation makes no warranties of
    any kind, express or implied, including, but not limited to
    warranties of merchantability, fitness for a particular purpose,
    non-infringement, and warranties arising out of any course of dealing
    or course of conduct.
    
    Impenetrable security is unattainable in real world environments; the
    TruSecure Corporation cannot and does not guarantee protection
    against breaches of security.
    
    IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS
    INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY
    KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE
    THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE
    ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE
    TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
    DAMAGES.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.1
    
    iQA/AwUBO6eVqUNkp5EGviu0EQLBdQCdFethVmUmzH/YNQsad7GxDhOtg4AAoLu1
    I/2c9RlY+nDwI1TWR6B1CMsL
    =A4Yg
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:04 PDT