Nimda To Strike Again
Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants. Update: 09/27 22:45 GMT by T : Temporal confusion -- that's 5:00 GMT, sorry :) Update: 09/28 00:14 GMT by T : Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.
I believe this Wired article applies in this case (as many machines are still left unpatched), as well as an idea of what some ISP's are considering/doing if their subscribers don't have a clue.
(Plain-text link):
http://www.wired.com/news/business/0,1367,47037,00.html
Check out my script! If you're running Apache, it'll monitor the logfile and send mail to the Administrator of the infected server!
I saw a sudden dropoff in Nimda infection attempts a while ago.
It's quite obvious if you look at the graph I have here.
One moment, the nimda hit count is heading straight up, the next, a sharp bend to the right as the rate of new hits drops to almost nothing...
To put it mildly, YES! While it's true that Microsoft products are no less secure than those of other vendors, Microsoft's position as market leader makes them a prime target for hackers, virus writers, and other internet terrorists. You really have no business running a web server until you learn something about security. You can start by reading up on Nimda here.
If you have a problem with my views, REPLY, don't moderate!
Then you're not vulnerable to either.
Good practice in this case means keeping your systems updated to the latest patches, not having open shares at all, and updating software to the latest version. It also includes not using software known to be not only a security risk, but basically an open door to "hackers". Note the quotes, please. They indicate sarcasm.
If you have patched Win2k to SP2, are running IE6 final, and do not use Outlook, you have protected yourself from every vector these worms use, except for the "Web Folder Traversal" issue. That's a minor quick fix, though it shouldn't have been necessary.
Why am I willing to specify not using Outlook and not specifying not using IIS? Because it became abundantly clear that Outlook was unsafe well over a year ago, whereas IIS could have been termed "more or less okay" until recently. Also, you just can't walk away from NT/IIS webservers and jump on the *[iu]x bandwagon right away, because there's all that ASP code lying around.
Until M$ rewrites outlook, outlook express, and IIS from the ground up, you should immediately (or as close to immediately as you can get) stop using them. Given that IIS sucks anyway, you might as well stop using it permanently. I understand the allure of outlook, and the interoperation between it and exchange, but consider a web-based scheduling/collaboration system. Exchange is pretty lousy anyway, for a whole bunch of reasons I won't bother going into here.
And finally, this is not anti-microsoft FUD, this is all based on reality. I'm not against microsoft on the desktop, or microsoft servers to serve microsoft clients. But we've seen time and time again how running microsoft windows of any flavor as a web server platform incurs a much higher cost than unix, because unix just doesn't tend to break as often -- Or be compromised. While this is not an OS-level bug, you really only have one choice as far as performance and support goes for a webserver on windows, and it's not a very good choice.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
While it's true that Microsoft products are no less secure than those of other vendors...
You're Trolling, right? It's been over 3 years since the last remote root exploit in Apache, and IIS has had several this year!
If you're not Trolling and you actually believe what you just said, you'd better do some research.
Sorry to be nitpicky: stockades aren't much of a punishment, really just a jail. I think you mean stocks or a pillory.
Take a look here: Stocks and Pillories
Heh, I work with a guy who isn't the brightest at times. He's been setting up a 2000 Server that's been hit twice with nimda in the last week. He reinstalled the server from scratch after each infection. His response?
"I put the computer on the network to install Norton, and it keeps getting infected before I can get the updates"
Ok, TWO THINGS:
1) If you're going to install IIS, do not plug it into the network until you've shut down IIS. Then go download the updates.
2) Norton isn't going to stop you from getting infected, it will only warn you about it during a routine check. If you want your machine to stay healthy, PATCH YOUR GODDAMN SYSTEM.
Seriously, Microsoft has a little utility called HFNetChk that will scan any local or remote system and will tell you what patches need to be applied. This includes system, IIS, SQL Server, and IE.
Not all updates are listed on the little automatic update website.
Sigh...
Because there are a million people that don't even know they're running a webserver.
When you log attempts on port 80 from infected boxes go and have a look with a browser.
The majority will show the default "this site is under construction" page, the rest show the Code Red defacement page.
Turn off (IIS/PWS) before you hook the machine up to the net.
Now reinstall and try again.;-)
It is VIRUSES.
(I am yelling you fucking filter!)
The sad truth is that patches to protect yourself from these worms were released well ahead of the worms themselves. Getting hit by it is irresponsible, but Microsoft's current patching procedures are such a mishmash that getting the right information ahead of time is a total bitch.
Those who are forced by circumstance to be responsible for administering IIS and other microsoft software should look at St. Bernard Software's UpdateExpert. It's a little pricey, but it doesn't cost nearly as much as even one full day of nimda / CodeRed / etc. infection.
It simply keeps a list of all patches released on the Microsoft support site, and lets you roll them out to machines on your network without the users knowing about it. It's saved my bacon a few times now.
Even Jesus hates listening to Creed.
but if you have a sysadmin on staff, it's not costing anything real
Maybe this isn't the case where you work, but where I work people use the computers to get useful work done rather than just to provide employement for a sysadmin. If a virus or worm causes down time, or the DDoS-equivalent of all those scans causes people to be unable to reach the internet to do their jobs, then everybody in the company sits there twiddling their thumbs doing nothing. That costs money. So do lost orders because people attempting to reach your web site get a defacement message and probably a copy of the worm instead of your orders page.
"Not meaning to flame you, I've missed my share of security bulletins too. I'm just honestly interested in where that figure comes from. I understand if you don't want to mention specifics due to corporate interest, but even a rough breakdown would be enlightening."
Well, I'm a bit busy at the moment :-(, but a rough breakdown goes like this:
We are in the middle of an ERP implementation. I (who serve as the IS Director, IT Manager, business analyst, and project manager) am six weeks behind on some critical tasks. Fixing the worm took 5 days of my time (about 100 hours, but I won't charge for the lost sleep). I had to bring in several temps to key data that couldn't be pulled from our reports server, bring in our networking consultant on short notice from out of town, pay overtime to the other members of my staff to assist in the cleanup, and buy two additional machines to use as recovery servers. We missed several customer shipments because part of the shipment processing system was down, for which we will probably have to pay penalties. We had to pay our EDI vendor to fax us transactions that should have come in via EDI, and pay Customer Service and Accounting people overtime to key them in manually. We may be charged penalties by the customer for not completing the EDI transactions. And so on.
There are real dollars involved when business processes fail. Normally I am not the most even-tempered person in the world, but this time, every time I started to get angry I thought to myself: "and how do the sysadmins on Wall Street feel?", making my problems not seem as critical. But it was a very ugly week.
sPh
I have been monitoring my logs, and most of the hits I get are from Cable/DSL users. I bet a lot of these people are unaware that they are even running IIS, let alone that they need to install a security patch.
I have not used W2K much (set up a test server at work, and reboot it now and then when it fails mysteriously), so I guess by default there is no automatic "Your software needs updating" dialog that pesters you. If MS had their software configured to do a weekly check and let users know that updates were available, it would help. I know that Mac OS 9 and Mac OS X do this and it is useful for making sure systems stay current, and I wrote a few scripts that run as cron jobs on my Debian box at home that do apt-get update weekly, and mail me if there is a security update.
Maybe something like this is already there in W2K (though if it is it would be surprising), and I just have never seen it. I apologize if I speak from ignorance, but if there is not, then MS needs to get on the ball. Their software is causing a lot of problems, and they need to be more active in making sure that their boxes get updated.
Hyperbole is the worst thing ever.
Well, I suggest that we go farther. We already block harmful and suspect viruses at our perimeter and throughout the enterprise. Why not instruct our routers, firewalls, and proxies to block any packets that indicate the content is coming from IIS, and block any M$ Internet Explorer browser? Just drop the packets?
OK, I'm speaking tongue in cheek, but I could actually make a justifiable argument that such use has PROVEN twice in a month that those tools are demonstrated security risks and should be defined as dangerous activity.
If you run Apache and hate looking at the hundreds of annoying attacks by the Code Red and Nimda worms, try adding these to your httpd.conf:

# For Code Red
SetEnvIf Request_URI "^/default\.ida" attacks
# For Nimda ... ditto all the way down
SetEnvIf Request_URI "^/scripts" attacks
SetEnvIf Request_URI "^/c/winnt" attacks
SetEnvIf Request_URI "^/_mem_bin" attacks
SetEnvIf Request_URI "^/_vti_bin" attacks
SetEnvIf Request_URI "^/MSADC" attacks
SetEnvIf Request_URI "^/msadc" attacks
SetEnvIf Request_URI "^/d/winnt" attacks
# Apache config comments must sit on their own line, never after a directive
CustomLog /var/log/access_log combined env=!attacks
CustomLog /var/log/attack_log combined env=attacks

This will dump all the "attacks" into a file called attack_log and leave your normal logfile clutter free.
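The same split the httpd.conf rules above perform, done offline over log lines, as an added example that is my code and not the poster's script or config. It parses Apache combined-format entries, classifies the request URI with the same path prefixes the SetEnvIf rules use, and counts attack requests per source address, which is the list a notification mail to the owner of the infected box (as in the monitoring script mentioned earlier in the thread) would be built from. The log lines are constructed for the example, not real traffic, and the names parse_line, classify, split_log and infected_hosts are mine.

```python
import re
from collections import Counter

# Constructed sample of Apache "combined" log lines (not captured traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2001:21:03:11 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 209 "-" "-"
10.0.0.5 - - [27/Sep/2001:21:03:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
10.0.0.7 - - [27/Sep/2001:21:04:02 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 211 "-" "-"
10.0.0.7 - - [27/Sep/2001:21:04:03 +0000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 215 "-" "-"
192.0.2.10 - - [27/Sep/2001:21:05:00 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.11 - - [27/Sep/2001:21:05:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 5512 "http://example.test/" "Mozilla/4.0"
"""

# Same path prefixes as the SetEnvIf rules, anchored at the start of the URI.
ATTACK_PATTERNS = {
    "codered": re.compile(r"^/default\.ida"),
    "nimda": re.compile(r"^/(scripts|c/winnt|d/winnt|_mem_bin|_vti_bin|MSADC|msadc)"),
}

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(uri):
    """Name of the worm whose probe this URI looks like, or None for ordinary traffic."""
    for name, pattern in ATTACK_PATTERNS.items():
        if pattern.match(uri):
            return name
    return None


def split_log(text):
    """Split log text into (attack_entries, normal_entries), mirroring env=attacks / env=!attacks."""
    attacks, normal = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format (e.g. truncated writes)
        rec["attack"] = classify(rec["uri"])
        (attacks if rec["attack"] else normal).append(rec)
    return attacks, normal


def infected_hosts(attacks, threshold=2):
    """Source addresses with at least `threshold` probes: the candidates to notify."""
    counts = Counter(rec["ip"] for rec in attacks)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    attack_entries, normal_entries = split_log(SAMPLE_LOG)
    for rec in attack_entries:
        print(f'{rec["ip"]:<12} {rec["attack"]:<8} {rec["uri"]}')
    print("probing hosts:", infected_hosts(attack_entries))
```

Matching on the decoded request path would be wrong here: the Nimda probes deliberately use `%255c` and `%c0%af` encodings, and Apache's Request_URI (like the raw line in the log) is the undecoded string, so the prefixes are tested against exactly what the worm sent.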
I am contracted to a mid-size steel and auto-parts company. They have contracted out the most complicated IT tasks. From my company, there are 5 consultants that had to drop every task to battle Nimda. We bill at $75 per hour. We put in a total of about 30 hours apiece on Nimda last week. 30 x 5 = 150 hours. 150 x 75 = $11,250 in pure wages. We have about 100 sales people that couldn't do their jobs for a good 6 hours. I happen to know the average salesperson at the company sells about $5,000 in steel and parts a day. So let's say a low number of $2,000 per person was lost that day. 100 x 2,000 = 200,000. I think that number speaks for itself. Just in case my numbers are inflated (they aren't), let's remove 1/2 of that. 100,000 is still one heck of a chunk of change. That figure is just for our main office. We have 10 smaller satellite offices. Was it our fault? Maybe. Is it our fault that Windows is the de facto OS in the company? Absolutely not. I am one of the biggest pushers of Linux. I probably send the IT manager 3 links a week on Linux. The problem is that those in charge don't know squat about security. In fact, the IT manager is an accountant and she wouldn't know a router from a washing machine, and if you mention a CSU/DSU she would probably mention what a great school it is. Bottom line is that techies from Macrosalt built an OS that isn't worth crap. They have sales people that couldn't grasp recursion trying to tell IT managers who wouldn't know a VPN appliance from a toaster what a great product Windows is. Until the managers start listening to those in the trenches, this cycle won't end soon. Just my 2 cents worth.
Apparently that's what M$ is working on right now...a system to "push" updates directly to .NET Server. They are also working on ways of applying the patches without the endless reboots between patches. Considering that companies have been doing this for years (Symantec "Live Update" anyone?) it's absolutely STOOPID that M$ hasn't done this before.
2. IIS admins are typically inexperienced and unknowledgeable about security and thus never get around to installing a patch even though it was released almost a year ago.
And as someone who has been through eight (count 'em!) Microsoft Official Courseware MCSE courses, including their "Designing Secure Windows 2000 Networks" course, I can tell you from experience they don't teach you SHIT about security. You NEVER get tested on how to lock down IIS against exploits. Firewalls get short shrift in favor of endless prattle about VPNs. MICROS~1 needs to talk about security from point zero on in their MOCs. There is no excuse.
3. IIS patches need to be on the Windows Update [microsoft.com] website.
Actually they are, if memory serves me right. However, when Code Red v.1 was at its apex, Windows Update itself got hosed by the worm. Hilarious. I laughed my ass off.
Be careful how much you rely on hfnetchk. It only verifies that a patch is installed but doesn't actually tell you if it is valid. If you are using NT there isn't an easy way to know the patches are valid (there is a utility out for Windows2000 that will check this).
We had an NT 4 IIS server that hfnetchk gave a clean bill of health and it was actually vulnerable to Nimda because one of the older unicode patches was somehow undone and no longer working.
Microsoft also released the URLScan utility that filters incoming requests for unicode, dots in the path, backslashes, etc. and blocks them before IIS can be affected.
This is much more pro-active since it might actually have a chance of blocking a future exploit simply because the requested URL is unusual and triggers the filters. It also can protect a server from some common attacks even if IIS is not fully patched.
-G
Praise "Bob"
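An added example of the request-filtering idea -G describes, written by me and not taken from URLScan or from anything on this page: percent-decode the request path until it stops changing (so `%255c` becomes a backslash), decode the result as strict UTF-8 so the overlong `%c0%af` sequence is rejected instead of being quietly turned into a slash, and only then test the canonical path for dot-dot segments, backslashes, non-ASCII characters and a small deny-list of extensions. The rule set, the deny-list and the names canonical_path, check_request and deny_ext are my assumptions, not URLScan's configuration.

```python
from urllib.parse import unquote_to_bytes


def canonical_path(raw_path, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding such as %255c), then decode
    as strict UTF-8. Raises UnicodeDecodeError for overlong or otherwise invalid
    sequences such as %c0%af, which is exactly the case the IIS unicode bug mishandled."""
    data = raw_path.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data.decode("utf-8")  # strict: no "surrogateescape", no "replace"


# Extensions an illustrative deny-list would refuse to serve (assumption, not URLScan's list).
DEFAULT_DENY_EXT = (".exe", ".dll", ".ida")


def check_request(raw_path, deny_ext=DEFAULT_DENY_EXT):
    """Return (allowed, reason) for a raw request-line path. Checks run on the
    canonical form, never on the raw string, so encoding tricks cannot bypass them."""
    try:
        path = canonical_path(raw_path)
    except UnicodeDecodeError:
        return False, "bad_utf8"
    if "\\" in path:
        return False, "backslash"
    if any(ord(ch) > 0x7F for ch in path):
        return False, "non_ascii"
    if any(segment == ".." for segment in path.split("/")):
        return False, "dotdot"
    base = path.split("?", 1)[0]
    if base.lower().endswith(deny_ext):
        return False, "denied_extension"
    return True, "ok"


def filter_requests(raw_paths):
    """Run check_request over several paths; handy for replaying a log of probes."""
    return [(p,) + check_request(p) for p in raw_paths]


if __name__ == "__main__":
    # Constructed probe paths modelled on the worm requests seen in this thread.
    probes = [
        "/index.html",
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
        "/_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir",
        "/default.ida?NNNNNNNN",
        "/caf%C3%A9.html",
        "/a/../b",
    ]
    for path, allowed, reason in filter_requests(probes):
        print(f'{"ALLOW" if allowed else "DENY ":5} {reason:<17} {path}')
```

The order matters: a filter that looked for `\` or `..` in the raw `%255c` string would see neither. Decoding to a canonical form first, and refusing anything that does not decode cleanly, is the same discipline any request filter in front of a file-serving process needs.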
I guess that would include me. I *intentionally* set up an IIS honeypot of sorts, collecting and running Code Red, Sircam, and Nimda, to show Microsoft that the biggest threat comes not from corporate servers, but from at-home enthusiasts who only partially know what they are doing.
Firewall? "What's that?" Security patches? "Too paranoid to use 'em." DoS/slashdot effect? "Aw, shucks - I'll just reimage my webserver. Hyuck, hyuck."
By perpetuating the spread of these tidbits of code, I hope to make at least a few companies wake up and realize that IIS is not a viable solution. For every one of me doing what I'm doing, there are hundreds of unwitting newbies doing the same thing, unknowingly. Yes, that includes PWS.
Psychotic? Vengeful? You'd be, too, if you spent hundreds of dollars for an MCSE(SD) and MCDBA, only to wake up one morning with a Mandrake distro in one hand and realize it was all for naught.
Okay, I'm ranting, but it's only natural to feel a burning desire to destroy the cult you just escaped from.
Skevin
"Twice half-assed makes an ass whole." --Solomon K. Chang
Strange, I could have sworn nimda only used a selection of old, well known exploits, the patches having been available for anywhere between 1 and 6 months...
That is what everyone says. However, I have a hard time believing it because I have seen it hit systems with those patches on it.
I even saw it hit an XP system with a read-only share (NTFS permissions denied write access) and IE6 (which is not supposed to be vulnerable). IIS was not involved in either case, nor, surprisingly, was Outlook, at least not directly...
LedgerSMB: Open source Accounting/ERP
Unlike 'Code Red', Nimda does not spread by pushing the worm binary in the HTTP request. The worm uses HTTP to find a vulnerable IIS server, then causes the IIS server to make a TFTP request out to the attacking host to retrieve the ~64K binary.
Most normal 'secure firewall' products aren't tuned to block outbound requests from the protected servers to internet hosts. Mine are, but that only gave me about 72 hours of lead time before it came in another way...
Even when firewalls block the IIS scanning, Nimda spreads by email, file shares, and by putting a copy of 'README.EXE' in the root of the IIS server and adding Javascript to all web pages on the server, pushing the worm at users of the infected web site server.
My firewalls block _all_ UDP packets, but my network still got hit hard, and probably incurred more like $60K in 'paper losses' -- lost productivity, bandwidth, overtime, etc.
We haven't found 'patient zero', but we have two good suspects, in both cases a user with a laptop that did not have updated anti-virus software and that got infected from one of these routes:
The common thread here is user error.
The best firewall is no protection against malicious, or just plain ignorant, users. Blame also falls on local admins for failing to push virus signature updates and keep up with system patches.
I've only ever seen around a dozen inside hosts from which the worm was actively scanning HTTP, but the worm traffic from those dozen machines alone was enough to severely degrade WAN and firewall performance.
I do not deploy Linux. Ever.
Ehh. You can't judge a book by its cover. "Windows Update" will not supply hot-fixes for security updates. These are combined with all the other new features, bug fixes, and security fixes in a SERVICE PACK. You can definitely get all your service packs from Windows Update, but you'll have to wait for them to actually come out. This is obviously unacceptable, which is why MS started releasing separate hot-fixes for any security flaws that simply had to be implemented immediately, and couldn't wait on any service packs.
You might also want to read the directions for the tool you are using before jumping to conclusions about what the "WARNING" means. Read the security bulletin, and try to figure out why they made it stand out from all the other patches.
So, in summary... MS used to release Service Packs for fixes/updates/additions/bloat/etc. Although this is adequate for non-life-threatening issues, it has quickly become inadequate for security. MS releases a free tool to be used AS A SUPPLEMENT to Windows Update, which will allow you to apply each new security hot-fix as they release them, instead of being forced to wait on the next Service Pack.
"CRITICAL UPDATES" are where Service Packs are placed. Those 8 hot-fixes are part of SP3, but you can download them now since they relate to security making your system vulnerable to certain viruses and trojans.
With the increasing awareness of security, I'm surprised that you assumed anything, when you could have taken 10-15 minutes on MS's site to find out how clueless you were.
Protector of Capitalist views,
Meorah
Isn't this what the concept "Total Cost of Ownership" is for? It totals *all* the costs you make (and the losses you incur) by using this software.
Toon Moene.
http://www.microsoft.com/downloads/release.asp?releaseid=31154
Enjoy!
liB
Agreed, HFNetChk essentially looks for Registry keys that state which patches are installed. If you use it, always use the '-z' switch, which tells it to not look for the registry entries. This makes it take a little longer, because it searches for actual files, but it's A LOT more accurate.
Also, eEye has a neat little Nimda scanner which will do up to a Class B net looking for exploitable machines. Sometimes finding a machine that COULD be infected is harder than finding the actual infected ones.
URLScan is nice, but you really need to know what you're doing to run it, as it's easy to mess up a webserver that's running fine.
But the most important thing to do is to get on those security lists, NTBugtraq, MS security lists, etc. As well as hitting the big security related sites out there before your morning cup of coffee to make sure nothing new has come up.
It's all basically common sense, but every now and then you need a nice reminder.
Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
A lot of companies have spent large amounts of money on IIS-based websites that can't just be moved over to Apache or another webserver. I think there has been too much hype about IIS being insecure; perhaps companies should just stop leaving the responsibilities of webserver security to clueless admins with Microsoft certs.
With a few easy steps, you can set up an IIS server so that it won't be vulnerable to a large number of new vulnerabilities and worms taking advantage of these vulnerabilities.
- Take the time to do a custom install of the option pack, and remove what you won't need (transaction server, FrontPage extensions etc.)
- Setup the webroot on another drive (not C:), and make the filesystem NTFS.
- Remove all sample directories
- Remove all associations to default ISAPI objects (webhits.dll, ism.dll) from the management console
- Apply the latest service pack
- Apply all the latest hot fixes since the latest Service Pack (only those that apply to your server).(http://www.microsoft.com/technet/securit
- Monitor Microsoft alerts and security mailing lists for latest bugs
- Turn off verbose error output from the server, and have a custom error (404) page; a custom 404 page still returns a 200 OK response and confuses a lot of scanners
- Install an IDS (snort has been ported to win32, http://www.snort.org)
All this shouldn't take too long, and will give you a much better chance of surviving a worm outbreak.
If you are talking about mail viruses, and if your workstations are picking up their mail from your Linux server, then you can install a mail scanning package on the server that scans all incoming and outgoing mail for viruses and can generically block certain file extensions (.vbs etc.)
Amavis (http://www.amavis.org/) works with most major virus scanning software and mail servers (sendmail, qmail, Postfix etc.) and I find that it works well.