
***New Worm*** *VERY REAL AND VERY BAD* 2

Status
Not open for further replies.

DSect (Programmer, US; member since Sep 3, 2001, 191 posts)
Just got this e-mail from a friend. I looked at our server logs and we are getting HAMMERED. I work for a university and it spread around the campus in > hour.

Original E-Mails:
TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm

Date: September 18, 2001
Time: 1000 EDT

RISK INDICES:

Initial Assessment: RED HOT

Threat: VERY HIGH, (rapidly increasing)

Vulnerability Prevalence: VERY HIGH, affects IIS servers version 4.0,
5.0, and internal networks.

Cost: High, command execution is possible

Vulnerable Systems: IIS 4.0 and 5.0

SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm

It started about 9 am Eastern time today, Tuesday, September 18, 2001.
Multiple sensors world-wide run by TruSecure Corporation are getting
multiple hundred hits per hour. It began at 9:08 am.

The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:

Almost all are GET /scripts, and a GET /msadc (cmd.exe)
GET /_mem_bin
/_vti_bin/owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/cltreq.asp

This is not Code Red or a Code Red variant.

The worm, like Code Red, attempts to infect its local subnet first,
then spreads beyond the local address space.

It is spreading very rapidly.

TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.

Risks Indices:
Vulnerability Prevalence: VERY HIGH. Millions of Internet Web server
hosts; TruSecure process and essential configurations should generally
be protective. The vulnerability prevalence world-wide is very high.

Threat: VERY HIGH and growing. The rate of growth and spread is
exceedingly rapid, significantly faster than any worm to date and
significantly faster than any variant of Code Red.

Cost: Unknown, probably moderate per infected system.


The worm itself is a file called README.EXE or ADMIN.DLL, a 56K file
which is advertised as an audio x-wav MIME type file.

Other RISKS:
There is a risk of DoS of network segments by traffic volume alone.
There is a large risk of successful attack on both Internet-exposed IIS
boxes and on developer and Intranet boxes inside corporations.

Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.

We cannot discount the coincidence of the date and time of release,
exactly one week (probably to the minute) after the World Trade Center
attack.


REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread directly from IIS server to IIS server across
the Internet (IP spread).
It probably also spreads by local shares (this is not known for sure at
this time).
There is also an e-mail vector, where README.EXE is sent via e-mail to
numerous accounts.

Mitigations:
TruSecure essential practices should work.
Block all e-mail with EXE attachments.
Filter for README.EXE.
Make sure IIS boxes are well patched and hardened, or removed from both
the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of any
version (many do so by default).
Disconnect mail from the Internet.
Advise users not to double-click on any unexpected attachments.
Update anti-virus when your vendor has the signature.

Another E-Mail from my friend:

...Appears that if it gets a 404 back from its initial Unicode scans, it just
keeps looking elsewhere. If the server responds with anything other than a
404 (such as a 403 IP Rejected, in this case...) it attempts to get the
server to tftp a file named "admin.dll" from the scanning system.

I pulled the admin.dll from an infected box and to my non-programming eyes,
it appears to do at least the following (in no order):

1. Adds the guest account to the local Administrators group and then
activates the account
2. Use the anonymous
3. Makes sure c$ is shared
4. Tries to mail a bunch of files. HELO it uses is aabbcc. <*** Might
be able to use this for a quick and dirty IDS sig ***>
5. Looks like admin.dll ends up in "c", "d" and "e".
6. Creates a file named readme.exe which is actually a wav file (weird?)


More info when I get it...
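One way to turn the alert's probe list and the second e-mail's 404 observation into a quick log check, as an added example that is not part of the original post or of the TruSecure alert: the script below scans W3C-style IIS log lines (the sample lines are constructed, not real traffic) for the listed URIs and separates probes that drew a 404 (the worm moved on) from probes that drew any other status (the worm would proceed to the tftp admin.dll stage). The specific Unicode and double-decode encodings used to expand the alert's "../ (Unicode)" entry are an assumption of this example.

```python
"""Flag Nimda-style probe requests in W3C extended IIS log lines.

Added example for this thread, not code from the original post or the
TruSecure alert. Probe names come from the alert's list; the 404 handling
follows the second e-mail quoted above.
"""
import re

# Probe signatures drawn from the alert's list (case-insensitive). The
# encodings listed for "../ (Unicode)" are the usual ones (%c0%af, %c1%1c,
# %c1%9c, %255c); that expansion is this example's assumption.
PROBE_PATTERNS = [
    ("root.exe",            re.compile(r"root\.exe", re.I)),
    ("cmd.exe",             re.compile(r"cmd\.exe", re.I)),
    ("msadc",               re.compile(r"/msadc/", re.I)),
    ("_mem_bin",            re.compile(r"/_mem_bin/", re.I)),
    ("_vti_bin/owssvr.dll", re.compile(r"/_vti_bin/owssvr\.dll", re.I)),
    ("getadmin.dll",        re.compile(r"getadmin\.dll", re.I)),
    ("default.ida",         re.compile(r"default\.ida", re.I)),
    ("msoffice/cltreq.asp", re.compile(r"/msoffice/cltreq\.asp", re.I)),
    ("unicode ../",         re.compile(r"%c0%af|%c1%1c|%c1%9c|%255c|\.\./", re.I)),
]

# Constructed sample lines (not real traffic), W3C extended format:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 09:12:41 10.0.0.5 GET /scripts/root.exe /c+dir 404
2001-09-18 09:12:42 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 09:12:43 10.0.0.5 GET /MSADC/root.exe /c+dir 403
2001-09-18 09:12:44 10.0.0.5 GET /_vti_bin/owssvr.dll - 404
2001-09-18 09:13:01 192.168.1.20 GET /index.html - 200
2001-09-18 09:13:05 10.0.0.9 GET /default.ida XXXXXXXX 404
"""


def parse_line(line):
    """Split one W3C extended log line into fields; None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    if not status.isdigit():
        return None
    uri = stem + ("?" + query if query != "-" else "")
    return {"ip": ip, "method": method, "uri": uri, "status": int(status)}


def classify(rec):
    """Return the names of every probe signature the request URI matches."""
    return [name for name, rx in PROBE_PATTERNS if rx.search(rec["uri"])]


def scan(log_text):
    """Flag probe requests. A 404 means the worm moved on; any other status
    means it went on to try the tftp admin.dll stage against this host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        probes = classify(rec)
        if not probes:
            continue
        rec["probes"] = probes
        rec["stage"] = ("moved on (404)" if rec["status"] == 404
                        else "non-404: tftp stage likely, check this host")
        hits.append(rec)
    return hits


def escalated_sources(hits):
    """Source IPs whose probe drew a non-404 response: look at those first."""
    return sorted({h["ip"] for h in hits if h["status"] != 404})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["status"], ",".join(h["probes"]), "->", h["stage"])
    print("escalate:", escalated_sources(found))
```

Point the script at a real IIS log only after confirming the field order matches your server's `#Fields:` header line; the parser above assumes the seven-field layout shown in the sample.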
 
Showed up here in MN on an NT 4.0 server at 9:40 this morning. "readme.eml" in nearly every directory that contains html files. I opened up one of the suspicious e-mails off the server, and inside the message is the "readme.exe" that you've explained.
Thanks for the quick warning, no one else has much on it yet.
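Because the readme.eml files carry the executable as an audio x-wav MIME type, a mail filter that keys only on the declared Content-Type will let it through; the alert's mitigations (block EXE attachments, filter for README.EXE) have to key on the attachment name and on the bytes themselves. As an added example that is not part of this thread: the Python below parses a constructed message shaped like the one described (declared audio/x-wav, filename readme.exe, with a harmless placeholder body that only begins with the MZ bytes every Win32 executable starts with) and shows the type-only rule missing it while the name and magic-byte rule catches it. The extension list beyond .exe and .dll is this example's own choice.

```python
"""Attachment checks for the README.EXE / EXE-attachment mitigations.

Added example for this thread, not the worm's real readme.eml and not code
from the original posts. The message and payload below are constructed.
"""
import base64
import os
from email import policy
from email.parser import BytesParser

# Extensions the "block all e-mail with EXE attachments" rule should cover;
# everything past .exe/.dll is this example's own addition.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".vbs"}

# What a declared-type-only filter typically looks for.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-msdos-program"}

# Constructed placeholder: starts with the "MZ" signature of a Win32
# executable but is otherwise inert text. Not a real program.
FAKE_EXE = b"MZ" + b"\x00" * 62 + b"placeholder bytes, not a real program"

# Constructed message laid out like the readme.eml described above.
SAMPLE_EML = (
    b"From: user@example.com\r\n"
    b"To: victim@example.com\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="boundary42"\r\n'
    b"\r\n"
    b"--boundary42\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n'
    b"\r\n"
    b"<html><body></body></html>\r\n"
    b"--boundary42\r\n"
    b'Content-Type: audio/x-wav; name="readme.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="readme.exe"\r\n'
    b"\r\n"
    + base64.b64encode(FAKE_EXE)
    + b"\r\n--boundary42--\r\n"
)


def _attachments(raw):
    """Parse raw message bytes and return its non-body parts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return list(msg.iter_attachments())


def type_only_verdict(raw):
    """Naive rule: block only when the declared Content-Type says executable.
    Returns True if the message would be blocked."""
    return any(p.get_content_type() in EXECUTABLE_TYPES for p in _attachments(raw))


def attachment_findings(raw):
    """Judge each attachment by its name and its decoded bytes, not its
    declared type. Returns one record per attachment with the reasons hit."""
    findings = []
    for part in _attachments(raw):
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        reasons = []
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked extension " + ext)
        if name.lower() == "readme.exe":
            reasons.append("matches README.EXE filter")
        if payload[:2] == b"MZ":
            reasons.append("MZ executable header")
        findings.append({"filename": name,
                         "declared_type": part.get_content_type(),
                         "size": len(payload),
                         "reasons": reasons})
    return findings


def content_verdict(raw):
    """Block when any attachment trips a name or magic-byte check."""
    return any(f["reasons"] for f in attachment_findings(raw))


if __name__ == "__main__":
    print("type-only filter blocks it:", type_only_verdict(SAMPLE_EML))
    for f in attachment_findings(SAMPLE_EML):
        print(f["filename"], f["declared_type"], f["size"], f["reasons"])
    print("name/magic filter blocks it:", content_verdict(SAMPLE_EML))
```

The MZ check is the one that survives renaming: an attacker can call the file anything and declare any type, but a Win32 executable still begins with those two bytes.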
 
If someone goes to a website with that virus, does he have that virus too then?
 