Slashdot Mirror
New (More) Annoying Microsoft Worm Hits Net
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
I'm seeing massive numbers of timed out requests on my sytems this morning. It started at exactly 9:06 eastern time.
I checked one of the IPs and it said 'Fuck USA Government, Fuck PoisonBOx' and opened a second window with what looked like a MIME buffer overflow attempt. I run Opera on Linux so it didn't effect me. It looks like we may be getting hit in a shotgun approach. My systems are in the 207.227 range and 208.
Brian
Remember Lexington Green!
Why won't someone port these to linux? Microsoft Operating Systems seem to have a monopoly in this field. For now, if you read this in a *nix, just portscan your netmask and a few others and try a few old wu-ftp exploits.
"You have new mail, you open it. Your server begins port scanning every box on the internet. Do the server's mind? Of course not, they have nothing better to do." - New Microsoft Ad?
Chaos, Mayhem, and Destruction: Not
Here is how it is done:
Tools>Options>Security>check "Do not allow attchments to be saved or opened that could potentially be a virus"
Evidence from compromised boxes elsewhere on campus seems to indicate that this bug will create a ton of *.eml files on the computer and they are all about 78k. Wehaven't received an .eml file in hand yet, to view the contents. A variety of .eml files are created, including "desktop.eml",
"readme.eml", etc.
A compromised system will attach a readme.eml file to the bottom of all web pages served. This is because there is currently a bug out for IE5 that will auto execute any given .eml file.
Need a UNIX/Linux/network guru in the Boulde
When the dir command succeeds (or rather, when the worm believes it has succeeded), the next request has a tftp command embedded in it which attempts to install a file called Admin.dll. Following that, there is a request for the dll itself, which presumably kick starts the worm.
I'll take a look at Admin.dll later today.
I like to play children's songs in minor keys.
"We're all sons of bitches now." --J. Robert Oppenheimer
it originally started in just the 63.174 for me. Now it is hitting me from all over the place. It is really nasty b/c of the number of requests that each machine sends out.
I was surfing some porn sites this morning and they seemed horribly affected (none of the images would load and they were slow as hell).
ugh. Just when you thought it was safe to disable "assholes_log".
If you try to access a vulnerable server it attempts to send you a 'readme.eml' file with a
From NTBugTraq
w32.nimda.amm
Just wait till some crappy band steals your nic.
-----BEGIN PGP SIGNED MESSAGE-----
/scripts and /msadc directory, as well as an attempt to use the /c and /d virtual roots to get to CMD.EXE). Further, it attempts to exploit numerous other known IIS vulnerabilities.
/scripts directory), please forward me a copy of that .dll ASAP.
M DU ChVqn6yReQXqEH
J Uu pDHB1Yy1DY/po6
a mK I2eqd4TdE0yfIO
There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the network.
A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)
The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the
One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.
Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the
Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;
edit %systemroot/system32/drivers/etc/services.
change the line;
tftp 69/udp
to;
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.
More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVM
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVY
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQj
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----
That's it! i'm sick of all these worms trying to get cmd.exe when i'm running linux! I'm gonna collect their IPs and flood them with requests for /etc/passwd!!!! If you want to contribute IPs or bandwidth, join the Passwd Flood Network (PFN)!! :)
They that quote Benjamin Franklin on liberty and safety deserve neither.
The best site to track this incident IMO (incidents.org) now has a pretty good picture of what's going on from a technical perspective.
A short summary:
The Nimda worm is now known to propogate four ways:
(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.
(2) Email propogation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the receipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.
(3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.
(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.
See: www.incidents.org/react/nimda.php for the full details.
- YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization.
---------
There is no try at jedinite.com
Anyone know if something like this exists for Apache? A tool like this, if widespread, could effectively contain future buffer-overrun type attacks.
No, Thursday's out. How about never - is never good for you?