New (More) Annoying Microsoft Worm Hits Net

A new worm seems to be running rampant Unlike Code Red, it attempts to hit boxes with many different exploits (including what looks like an attempt to exploit boxes still rooted by Code Red). It looks like each IP tries 16 attempts on its neighbors. There is also a new mail worm mailing WAV files or something with bits of what appears to be the registry... it may or may not be related. Got any words on this? Shut down those windows boxes and stop opening attachments. And make that 21. Got another one while writing this story. All my hits are coming from 208.n.n.n (where I am) I'm sure it'll keep moving to nearby boxes. Update: 09/18 16:40 GMT by J : It now has a name: "Nimda." More info here, here, and here.

Here are examples of the requests it's sending:

GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../ ..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)

Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!

Is this just the old Unicode exploit?

[MeowMeow+Jones]

Or is it something new?

Looks like an exploit that's been around for a while (way before CR)

Re:Is this just the old Unicode exploit?

[anacron]

It's more terrorist activity. Check this out:

http://www.nipc.gov/warnings/advisories/2001/01- 02 1.htm

Re:Outlook Express 6.0 can prevent spread

[Dog+and+Pony]

Yeah. If you turn that on, it will warn you that .txt files or .gif files are potentially viral, while letting through .doc and other formats that are "known" (lmao) to be safe - or rather, MS formats.

Actually, it is such a stupid check, it almost makes things worse instead.

Info FromRuss at BugTraq

-----BEGIN PGP SIGNED MESSAGE-----

There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.

It appears that the attacks can come both from email and from the network.

A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)

The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the /scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.

One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.

Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the /scripts directory), please forward me a copy of that .dll ASAP.

Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;

edit %systemroot/system32/drivers/etc/services.

change the line;

tftp 69/udp

to;

tftp 0/udp

thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.

More information as it arises.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVMM DU ChVqn6yReQXqEH
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVYJ Uu pDHB1Yy1DY/po6
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQja mK I2eqd4TdE0yfIO
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----

Damn it!

[Reality+Master+101]

Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.

The HTTP port doesn't bug me as much as they have also blocked my mail port.

Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?

Coordinated DDOS?

[dschuetz]

If we really are seeing a marked increase in worm traffic (and it's not just everyone suddenly noticing, now that others have brought it up -- just being cautious, eh?), then could it be possible that this might be part of, or a prelude to, a DDOS attack?

The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.

Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story...

Re:Why do stacks grow downwards?

[strags]

Sadly, I don't think it would help. I thought about this for a moment, and came up with the following... someone please feel free to correct me if I'm mistaken.

Most buffer overflows are due to code such as:

void BadFunction(void)
{
char badBuf[100];
strcpy(badBuf,longString);
...

So, your stack looks like:

--> increasing memory address
[badBuf 100 bytes][ebp][return addr]

Standard overflow attacks involve scribbling on the return addr.

Now, let's suppose your stack goes the other way... once the code enters the strcpy function, we'll have:

--> increasing memory address
[return addr][ebp][badBuf][retaddr#2][ebp#2]...

Where retaddr#2 and ebp#2 are the return address from strcpy back into BadFunction, and the corresponding stack frame ptr respectively.

Notice that we can now overflow badBuf to scribble on retaddr#2. Thus, when strcpy returns, we can still jump to arbitrary locations. Slightly different approach, same effect.

Again - this *seems* like it would work, but if anyone can see a flaw, please correct me.

Got a copy of readme.eml from an infected box

[Scoria]

It's sitting at http://www.initialized.org/virus/readme.eml if anyone wants to take a peak at it...

*DO NOT OPEN IT IN INTERNET EXPLORER.*

Someone was testing this out way before September

[TrentC]

I was digging thru my logs when I found this entry (note the date)...

207.##.###.# - - [02/Apr/2001:03:15:00 -0700] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af. .%c0%af..%c0%af..%c0%af/winnt/system32/
cmd.exe?/c%20dir HTTP/1.0" 404 329

So it looks like someone was giving this one a dry run several months ago...

Jay (=