We have an article by Michelle Delio here:
http://www.wired.com/news/technology/0,1282,46944,00.html

**********

From: "Magdalena Donea" <maggyat_private>
To: <declanat_private>
Subject: RE: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 15:57:16 -0400
In-Reply-To: <5.0.2.1.0.20010918114801.01ff1040at_private>

Declan,

The best description of Nimda I've seen so far is here:
http://www.infoworld.com/articles/hn/xml/01/09/18/010918hnworm.xml?0918alert

Yes, only Windows systems are affected, but this time this includes Windows desktops, servers, etc., whether running IIS or not (unlike Code Red). Viewing a page from an infected IIS server may be enough to infect a desktop system, because of the applet the virus launches. The "swiss army knife" analogy in the article above is really good.

Of course, regardless of O/S brand you use, the collateral damage is still high, in terms of the high level of traffic this thing is producing. Among all our client servers, the earliest instance of a hit came at 6:10am EDT today from Belgium:

XXXX.uunet.be - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"

... thought I'd pass it on, hope it's useful.

--Maggy

_________________________
KIA.NET Technical Support
helpat_private
_________________________

**********

To: declanat_private
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly
From: pb@e-scribe.com (Paul Bissex)
Date: Tue, 18 Sep 2001 16:19:18 -0400

A few URLs on this worm ("Nimda"):

http://www.newsbytes.com/news/01/170225.html
http://www.sarc.com/avcenter/venc/data/w32.nimda.aat_private
http://slashdot.org/articles/01/09/18/151203.shtml

Newsbytes calls it "Code Rainbow," but I don't see anybody else using that name. Apparently the 16 holes it attempts to exploit are all well-known, and anybody with a properly patched IIS should be fine.
(However, I Am Not A Security Expert.)

best
pb

**********

Date: Tue, 18 Sep 2001 15:54:10 -0400
From: Ken Deutsch <deutschat_private>
To: declanat_private
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly

Declan McCullagh wrote:
>[BTW I'm seeing similar attempts on Politech's website. Remember, folks,
>Code Red and its progeny only infect Windows systems. --Declan]

Declan -

While it only "infects" Windows systems, unlike Code Red this one is having an impact on other systems. Rather than a couple of accesses to a site - the speed of accesses to servers is much greater. We run web servers on Sun with Apache and have had over 50 sites being attacked since 9:06 am with tens of thousands of hits looking for files that only exist on unpatched NT servers. I concur with the message below that the accesses come at a ferocious rate.

- Ken

**********

From: "Glen L. Roberts" <glrat_private>
To: <declanat_private>
Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 15:55:21 -0400

So far, I've seen 15,000+ hits in my Apache log files for accesses to .exe files (no normal traffic would request a .exe file)... that is definitely much heavier traffic than Code Red had.

**********

Date: Tue, 18 Sep 2001 20:53:12 +0100
To: declanat_private
From: John Sullivan <listsat_private>
Subject: Re: FC: Voracious, nasty new "Code Red" worm may be spreading quickly

At 04:48 PM 18/09/2001, you wrote:
>[BTW I'm seeing similar attempts on Politech's website. Remember, folks,
>Code Red and its progeny only infect Windows systems. --Declan]
>Here's a snippet from the Apache error log; this appears to constitute
>the signature of this worm:
>
>A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir
>HTTP/1.0" 404 270
>So far, all hits have come in groups of 16 and appear to be directed at
>exploiting a vulnerability that's presumably found on Windows systems
>running IIS.
>They also *seem* to be largely localized, that is, the
>IP addresses of the incoming probes are related to the IP addresses of
>the systems being targeted.

Declan,

Looking at this log excerpt, what the new worm is attempting to do is contact the backdoor left by CodeRed II. This, of course, doesn't imply that the same author wrote both viruses - it was a fairly well publicised backdoor after all - but it's interesting (from an academic point of view) that this virus takes a leg-up from a previous infection. This does, of course, mean that this virus not only only affects Windows systems as you said, but also only affects Windows systems previously infected by CodeRed II.

**********

From: "Glen L. Roberts" <glrat_private>
To: <declanat_private>
References: <5.0.2.1.0.20010918114801.01ff1040at_private>
Subject: Re: Voracious, nasty new "Code Red" worm may be spreading quickly
Date: Tue, 18 Sep 2001 16:03:39 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal

You don't suppose it's smart enough to follow a redirect, ie: in .htaccess

redirect /scripts http://www.microsoft.com
redirect /c http://www.microsoft.com
redirect /d http://www.microsoft.com
redirect /MSACD http://www.microsoft.com
redirect /msacd http://www.microsoft.com

**********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
Declan McCullagh's photographs are at http://www.mccullagh.org/
To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 14:08:22 PDT
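The probe requests quoted in this thread (the `root.exe` lookup for the CodeRed II backdoor, the `..%c1%1c..` traversal to `cmd.exe`, Glen's observation that ordinary visitors never request `.exe` files, and the groups of 16 hits per source that Declan describes) can be pulled out of an Apache access log mechanically. The script below is an added example for this archive, not code from any of the posters; it assumes the default Apache common or combined log format, and the log lines it ships with are constructed, modelled on the excerpts above. Beyond counting probes per source host and per signature, it flags any probe answered with a 2xx status, which on an IIS host would mean the file the worm is looking for actually exists there.

```python
"""Count Nimda-style probe requests in an Apache access log.

Added example: not part of any message in this thread. Assumes the
default Apache common/combined log format. SAMPLE_LOG is constructed,
modelled on the log excerpts quoted in the thread.
"""
import re
import sys
from collections import Counter

# Common log format; the referer/user-agent tail of the combined format
# is ignored. Only host, timestamp, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

SAMPLE_LOG = [
    # Constructed copy of Maggy's earliest hit: Unicode traversal to cmd.exe
    r'XXXX.uunet.be - - [18/Sep/2001:06:10:53 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir%20c:\ HTTP/1.0" 404 2550 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"',
    # Constructed copy of Declan's signature line: the CodeRed II root.exe backdoor
    'A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270',
    # Constructed: direct guesses at cmd.exe under the /d and /c aliases
    'A.B.C.D - - [18/Sep/2001:11:30:11 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 270',
    'A.B.C.D - - [18/Sep/2001:11:30:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 270',
    # Constructed: an ordinary visitor, which must not be counted
    '203.0.113.9 - - [18/Sep/2001:09:10:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    # Constructed: a probe that succeeded, i.e. the backdoor file exists on this host
    '198.51.100.7 - - [18/Sep/2001:11:31:00 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 0',
    # Not in log format at all; the parser skips it
    'garbage',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Label a request path that matches one of the worm's probes, else None.

    The query string (?/c+dir) is dropped first; matching is done on the
    lowercased path because IIS paths are case-insensitive.
    """
    p = path.split("?", 1)[0].lower()
    if p.endswith("/root.exe"):
        return "root.exe backdoor"
    if p.endswith("/cmd.exe"):
        # '..' in the path (encoded as ..%c1%1c.. in the thread) marks the
        # directory-traversal form; the rest are direct path guesses.
        return "traversal to cmd.exe" if ".." in p else "cmd.exe request"
    if p.endswith(".exe"):
        return "other .exe request"
    return None


def scan(lines):
    """Tally probes per source host and per signature over an iterable of log lines."""
    per_host = Counter()
    per_signature = Counter()
    succeeded = []  # probes answered with 2xx: the probed file exists here
    parsed = 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue
        parsed += 1
        label = classify(rec["path"])
        if label is None:
            continue
        per_host[rec["host"]] += 1
        per_signature[label] += 1
        if rec["status"].startswith("2"):
            succeeded.append((rec["host"], rec["path"], rec["status"]))
    return {"parsed": parsed, "per_host": per_host,
            "per_signature": per_signature, "succeeded": succeeded}


def report(result, burst=16):
    """Render the tally. Sources at or above `burst` probes match the
    groups of 16 described in the thread rather than a stray request."""
    out = [f"parsed {result['parsed']} lines"]
    for label, n in result["per_signature"].most_common():
        out.append(f"  {n:6d}  {label}")
    for host, n in result["per_host"].most_common():
        flag = "  <- burst" if n >= burst else ""
        out.append(f"  {n:6d}  from {host}{flag}")
    for host, path, status in result["succeeded"]:
        out.append(f"  ALERT {status} for {path} from {host}: the probed file exists")
    return "\n".join(out)


if __name__ == "__main__":
    # Pass an access log path to scan a real file; otherwise use the sample.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(scan(source)))
```

Run it as `python nimda_probes.py /var/log/apache/access_log` (path assumed) to get the per-source and per-signature counts; on a non-IIS server every probe should be a 404, so any ALERT line in the output is the thing to investigate first.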