[ale] CodeRed attacks, here we go again.
SAngell at nan.net
SAngell at nan.net
Wed Sep 19 07:40:01 EDT 2001
Yes, we all know that now. However; when I first posted this e-mail, around 9:00
yesterday morning. It had not been given a name and it IS using the same
signatures inherent to CodeRed. Not to mention that the trojan back door that it
is trying to exploit is a product of the CodeRed II attacks of a month ago.
I like the note below that "There has been one
report thus far of an Apache Server crashing due to Nimda terminating
httpd processes. No further corroboration has been made that this worm
may have in the inadvertent affect of creating a denial of service
condition on Apache Servers. "
I have seen reports of several thousand hits in a 24 hour period and I myself am
way above 2000 attempted attacks across my 5 web servers. That alone is enough
to crash ANY server. Not to mention the bandwidth lost. Also in case not
everyone has noticed. Every unpatched system is really attacking twice. I show
two hits per each IP address in my logs, one for /scripts/root.exe then a
separate attack for /MSDAC/root.exe
An additional note/question to all ale'rs. I have not used Snort as of yet but
am planning to implement it soon on my internal lan so I am curious. Does Snort
have the ability to be reactive to these types of attacks? I am using ISS for my
intrusion detection and had set a user defined event when the alert went out for
CodeRed II, last month I think, that would look for http requests searching for
/scripts/root.exe and /MSADC/root.exe. (One or the other will be the first line
of code in the hit) Any request would result in a event being written to the
log, an e-mail being sent to myself and a socket reset on the connection which
results in the termination of the session. This DOES cut down on the bandwidth
issue but it is still evident. The big plus is that, even if I had missed a
patch, the system could not be compromised. This is also the reason I was able
to see the problem so quickly as I received an e-mail from my IDS within seconds
of the first hit.
I also had events set up to look for the default.ida signature and react in a
similar manner. I still patched all IIS servers but the key was that no attacks
ever got through.
Just curious,
\_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
\_ Steve Angell, MCSE, CCNA _/
\_ MIS Operations Manager _/
\_ TSYS Total Debt Management _/
\_ Norcross, GA _/
\_ Phone 770-409-5570 _/
\_ Fax 770-416-1752 _/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
|--------+------------------------>
| | "Kevin |
| | Krumwiede" |
| | <krum at oco.net>|
| | |
| | 09/19/01 12:53|
| | AM |
| | |
|--------+------------------------>
>--------------------------------------------------------|
| |
| To: SAngell |
| cc: |
| Subject: RE: [ale] CodeRed attacks, here we go|
| again. |
>--------------------------------------------------------|
It's not Code Red, it's Nimda.
-----------------------------------------
From: Jensenne Roculan [jroculan at securityfocus.com]
To: ale at ale.org
Sent: Tuesday, September 18, 2001 2:09 PM
To: incidents at securityfocus.com
Cc: forensics at securityfocus.com; focus-ids at securityfocus.com
Subject: Nimda Worm Alert
The PDF version of this alert will be posted on ARIS analyzer and
predictor shortly (http://aris.securityfocus.com,
https://aris.securityfocus.com/predictor)
Incident Analysis Alert
Version 1
September 18, 2001, 18:00 UDT
Executive Summary
-----------------
A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept
Virus, Code Rainbow) began to proliferate the morning of September 18,
2001 on an extremely large scale. It utilizes multiple IIS
vulnerabilities to propagate via the web, and Outlook and Outlook Express
vulnerabilities to distribute itself through email. It spreads through
three different means; as an email attachment, a web defacement download,
and by directly targeting machines by exploiting known IIS vulnerabilities
such as the ones exploited by Code Red and Code Blue. There has been one
report thus far of an Apache Server crashing due to Nimda terminating
httpd processes. No further corroboration has been made that this worm
may have in the inadvertent affect of creating a denial of service
condition on Apache Servers. Multiple sources have confirmed that this
worm consumes a large amount of bandwidth and impaired performance on web
servers is a result. It should be noted that this worm began to
proliferate almost exactly a week since the terrorist activities began to
take place in the United States.
Currently, anti-virus software does not detect this worm due to the recent
nature of its proliferation.
The Nimda Worm exploits the following vulnerabilities:
Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
http://www.securityfocus.com/bid/1565
Microsoft IIS/PWS Escaped Characters Decoding Command Execution
Vulnerability
http://www.securityfocus.com/bid/1806
Microsoft IE MIME Header Attachment Execution Vulnerability
http://www.securityfocus.com/bid/2524
Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
http://www.securityfocus.com/bid/2708
Microsoft Index Server and Indexing Service ISAPI Extension Buffer
Overflow Vulnerability
http://www.securityfocus.com/bid/2880
Action Items
------------
Apply the appropriate patches listed in the 'Patches' section below. In
addition, any IIS servers still vulnerable to the Unicode hole, or that
have the root.exe backdoor present should be taken off-line until they can
be rebuilt.
Associated Vulnerability:
Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
Microsoft IIS/PWS Escaped Characters Decoding Command Execution
Vulnerability
Microsoft IE MIME Header Attachment Execution Vulnerability
Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow
Vulnerability
Associated Bugtraq ID: 1565, 1806, 2524, 2708, 2880
Urgency: High
Ease of Exploit: Automatic
Associated Operating Systems: Microsoft Windows NT 4.0, Windows 2000
Technical Overview
------------------
This worm takes advantage of two vulnerabilities, and one backdoor. The
worm spreads via e-mail and the web. For the e-mail vector, it arrives in
the user's inbox as a message with a variable subject line. In the
e-mail, there is an attachment named readme.exe. This worm formats the
e-mail in such a way as to take advantage of a hole in older versions of
Internet Explorer. Outlook mail clients use the Internet Explorer
libraries to display HTML e-mail, so by extension Outlook and Outlook
Express are vulnerable as well, if Internet Explorer is vulnerable. The
hole allows the readme.exe program to execute automatically as soon as the
e-mail is previewed or read.
Once it has infected a new victim, it mails copies of itself to other
potential victims, and begins scanning for vulnerable IIS Web servers.
When scanning for vulnerable IIS servers, it uses both the Unicode hole as
well as trying the root.exe backdoor left by Code Red II. Once it finds a
vulnerable IIS server, it installs itself in such a way that visitors to
the now-infected web site will be sent a copy of a .eml file, which is a
copy of the e-mail that gets sent. If the victim is using Internet
Explorer as their browser, and they are vulnerable to the hole, they will
execute the readme.exe attachment in the same way as if they had viewed an
infected e-mail message.
Corroboration
-------------
Multiple Anti-Virus vendors have released an alert on this worm:
McAfee
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
Sophos
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Patches
-------
IIS Lockdown Tool
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio
ns/security/tools/locktool.asp
Microsoft Security Bulletin MS01-020
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-020.asp
Microsoft Security Bulletin MS01-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-026.asp
Microsoft Security Bulletin MS01-033
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-033.asp
Microsoft Security Bulletin MS00-057
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/ms00-057.asp
Microsoft Security Bulletin MS00-078
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/ms00-078.asp
Attack Data
-----------
Examination of the source of the worm reveals the following attack strings
used to exploit IIS Web servers.
'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'
To those strings are added /winnt/system32/cmd.exe?/c+dir
Other attacks include:
'/scripts/root.exe?/c+dir'
'/MSADC/root.exe?/c+dir'
Jensenne Roculan
SecurityFocus - http://www.securityfocus.com
ARIS - http://aris.securityfocus.com
(403) 213-3939 ext. 229
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
More information about the Ale
mailing list