---------- Forwarded message ----------
Date: Tue, 18 Sep 2001 14:34:06 -0700
From: "Kohlenberg, Toby" <toby.kohlenberg@private>
To: "'toby@private'" <toby@private>
Subject: FW: Nimda Worm Alert

-----Original Message-----
From: Jensenne Roculan [mailto:jroculan@private]
Sent: Tuesday, September 18, 2001 11:09 AM
To: incidents@private
Cc: forensics@private; focus-ids@private
Subject: Nimda Worm Alert

The PDF version of this alert will be posted on ARIS analyzer and predictor
shortly (http://aris.securityfocus.com, https://aris.securityfocus.com/predictor)

Incident Analysis Alert
Version 1
September 18, 2001, 18:00 UDT

Executive Summary
-----------------

A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept Virus,
Code Rainbow) began to proliferate the morning of September 18, 2001 on an
extremely large scale. It utilizes multiple IIS vulnerabilities to propagate
via the web, and Outlook and Outlook Express vulnerabilities to distribute
itself through email. It spreads through three different means: as an email
attachment, as a web defacement download, and by directly targeting machines
by exploiting known IIS vulnerabilities such as the ones exploited by Code Red
and Code Blue.

There has been one report thus far of an Apache server crashing due to Nimda
terminating httpd processes. No further corroboration has been made that this
worm may have the inadvertent effect of creating a denial of service condition
on Apache servers. Multiple sources have confirmed that this worm consumes a
large amount of bandwidth, and impaired performance on web servers is a
result.

It should be noted that this worm began to proliferate almost exactly a week
after the terrorist activities began to take place in the United States.

Currently, anti-virus software does not detect this worm due to the recent
nature of its proliferation.

The Nimda Worm exploits the following vulnerabilities:

Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
http://www.securityfocus.com/bid/1565

Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
http://www.securityfocus.com/bid/1806

Microsoft IE MIME Header Attachment Execution Vulnerability
http://www.securityfocus.com/bid/2524

Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
http://www.securityfocus.com/bid/2708

Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow
Vulnerability
http://www.securityfocus.com/bid/2880

Action Items
------------

Apply the appropriate patches listed in the 'Patches' section below. In
addition, any IIS servers still vulnerable to the Unicode hole, or that have
the root.exe backdoor present, should be taken off-line until they can be
rebuilt.

Associated Vulnerability:
  Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
  Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
  Microsoft IE MIME Header Attachment Execution Vulnerability
  Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
  Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow
  Vulnerability
Associated Bugtraq ID: 1565, 1806, 2524, 2708, 2880
Urgency: High
Ease of Exploit: Automatic
Associated Operating Systems: Microsoft Windows NT 4.0, Windows 2000

Technical Overview
------------------

This worm takes advantage of two vulnerabilities, and one backdoor. The worm
spreads via e-mail and the web.

For the e-mail vector, it arrives in the user's inbox as a message with a
variable subject line. In the e-mail, there is an attachment named
readme.exe. This worm formats the e-mail in such a way as to take advantage
of a hole in older versions of Internet Explorer. Outlook mail clients use the
Internet Explorer libraries to display HTML e-mail, so by extension Outlook
and Outlook Express are vulnerable as well, if Internet Explorer is
vulnerable. The hole allows the readme.exe program to execute automatically
as soon as the e-mail is previewed or read.

Once it has infected a new victim, it mails copies of itself to other
potential victims, and begins scanning for vulnerable IIS Web servers. When
scanning for vulnerable IIS servers, it uses both the Unicode hole and the
root.exe backdoor left by Code Red II. Once it finds a vulnerable IIS server,
it installs itself in such a way that visitors to the now-infected web site
will be sent a copy of a .eml file, which is a copy of the e-mail that gets
sent. If the victim is using Internet Explorer as their browser, and they are
vulnerable to the hole, they will execute the readme.exe attachment in the
same way as if they had viewed an infected e-mail message.

Corroboration
-------------

Multiple Anti-Virus vendors have released an alert on this worm:

McAfee
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

Symantec
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@private

Patches
-------

IIS Lockdown Tool
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

Microsoft Security Bulletin MS01-020
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp

Microsoft Security Bulletin MS01-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp

Microsoft Security Bulletin MS01-033
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

Microsoft Security Bulletin MS00-057
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp

Microsoft Security Bulletin MS00-078
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp

Attack Data
-----------

Examination of the source of the worm reveals the following attack strings
used to exploit IIS Web servers.

'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'

To those strings are added /winnt/system32/cmd.exe?/c+dir

Other attacks include:

'/scripts/root.exe?/c+dir'
'/MSADC/root.exe?/c+dir'

Jensenne Roculan
SecurityFocus - http://www.securityfocus.com
ARIS - http://aris.securityfocus.com
(403) 213-3939 ext. 229
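Editor's note: the twelve traversal strings in the Attack Data section are all the same "..\" or "../" written in encodings that IIS 4/5 decoded after its access check rather than before it. The script below is an added example (not part of the ARIS alert and not SecurityFocus tooling) that canonicalizes a request path the way the vulnerable server effectively did, and then runs that check over constructed Apache-style access-log lines built from the alert's own probe strings. The two-pass percent decode models the double-decode bug (MS01-026); the `fold_overlong_utf8` routine is an assumption about the lenient UTF-8 decode behind the `%c0%af`/`%c1%1c` family (MS00-078), chosen because it reproduces every variant in the alert, not Microsoft's published algorithm. The log lines and the labels are constructed for the example.

```python
"""Flag Nimda-style IIS probes in web-server access logs (added example)."""
import re

# Hex digits accepted inside a %XX escape.
HEX_DIGITS = b"0123456789abcdefABCDEF"


def percent_decode_once(data: bytes) -> bytes:
    """One pass of %XX decoding. Malformed escapes are kept literally, so
    '%%35%63' becomes '%5c' after one pass and '\\' only after a second one,
    which is the double-decode behaviour the MS01-026 strings rely on."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if (data[i] == 0x25 and i + 2 < n
                and data[i + 1] in HEX_DIGITS and data[i + 2] in HEX_DIGITS):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def fold_overlong_utf8(data: bytes) -> bytes:
    """Assumed model of the lenient two-byte UTF-8 decode behind the
    MS00-078 strings: the low 5 bits of a 0xC0/0xC1 lead byte and the low
    6 bits of the following byte are combined even when that byte is not a
    valid continuation byte.  C0 AF -> '/', C0 2F -> '/', C1 9C -> '\\',
    C1 1C -> '\\'.  A strict decoder rejects all four sequences."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] in (0xC0, 0xC1) and i + 1 < n:
            out.append(((data[i] & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def canonicalize(path: str, rounds: int = 2) -> str:
    """Decode up to `rounds` times, fold overlong UTF-8, then map '\\' to '/'
    so every variant in the alert reduces to a plain '../' traversal."""
    data = path.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = percent_decode_once(data)
        if decoded == data:
            break
        data = decoded
    data = fold_overlong_utf8(data)
    return data.decode("latin-1").replace("\\", "/")


def classify(path: str):
    """Return a label for a Nimda-style probe, or None for anything else."""
    canon = canonicalize(path).lower()
    if "root.exe" in canon:
        return "root.exe backdoor probe"
    if "/../" in canon and "cmd.exe" in canon:
        return "traversal to cmd.exe"
    return None


# Request line inside an Apache/NCSA combined-format entry.
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')


def scan_log(lines):
    """Return (line number, label, canonical path) for each flagged entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        label = classify(match.group(1))
        if label:
            hits.append((number, label, canonicalize(match.group(1))))
    return hits


# Constructed sample log.  The first six entries are probe strings from the
# alert with '/winnt/system32/cmd.exe?/c+dir' appended as the alert describes;
# the last two are benign requests that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.7 - - [18/Sep/2001:13:02:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.7 - - [18/Sep/2001:13:02:11 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.7 - - [18/Sep/2001:13:02:12 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.7 - - [18/Sep/2001:13:02:12 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.7 - - [18/Sep/2001:13:02:12 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.7 - - [18/Sep/2001:13:02:13 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.4 - - [18/Sep/2001:13:05:40 -0700] "GET /index.htm HTTP/1.1" 200 1532',
    '192.0.2.4 - - [18/Sep/2001:13:05:41 -0700] "GET /scripts/search.asp?q=cmd.exe HTTP/1.1" 200 877',
]

if __name__ == "__main__":
    for number, label, canon in scan_log(SAMPLE_LOG):
        print(f"line {number}: {label}: {canon}")
```

The point of decoding before matching is that a signature written against the raw strings misses the next encoding the worm's author did not happen to use; matching on the canonical form catches the whole family. A 404 in the status column does not mean the host was safe, only that this particular probe missed: the alert's action item is to treat any host where these requests could have succeeded (unpatched, or with root.exe present) as compromised.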
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:25:06 PDT