Slashdot Mirror


Nimda To Strike Again

Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants. Update: 09/27 22:45 GMT by T : Temporal confusion -- that's 5:00 GMT, sorry :) Update: 09/28 00:14 GMT by T : Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.

9 of 523 comments

  1. Learn Internet Security Or Get Off The Web! by BIGJIMSLATE · · Score: 5, Informative

    I believe this Wired article applies in this case (as many machines are still left unpatched), as well as an idea of what some ISPs are considering/doing if their subscribers don't have a clue.

    (Plain-text link):
    http://www.wired.com/news/business/0,1367,47037,00.html

  2. Fight back by Anonymous Coward · · Score: 5, Informative

    Check out my script! If you're running Apache, it'll monitor the logfile and send mail to the Administrator of the infected server!

  3. If you follow good practice... by drinkypoo · · Score: 5, Informative

    Then you're not vulnerable to either.

    Good practice in this case means keeping your systems updated to the latest patches, not having open shares at all, and updating software to the latest version. It also includes not using software known to be not only a security risk, but basically an open door to "hackers". Note the quotes, please. They indicate sarcasm.

    If you have patched Win2k to SP2, are running IE6 final, and do not use Outlook, you have protected yourself from every vector of these worms, except for the "Web Folder Traversal" issue. That's a minor quick fix, though it shouldn't have been necessary.

    Why am I willing to specify not using Outlook and not specify not using IIS? Because it became abundantly clear that Outlook was unsafe well over a year ago, whereas IIS could have been termed "more or less okay" until recently. Also, you just can't walk away from NT/IIS webservers and jump on the *[iu]x bandwagon right away, because there's all that ASP code lying around.

    Until M$ rewrites outlook, outlook express, and IIS from the ground up, you should immediately (or as close to immediately as you can get) stop using them. Given that IIS sucks anyway, you might as well stop using it permanently. I understand the allure of outlook, and the interoperation between it and exchange, but consider a web-based scheduling/collaboration system. Exchange is pretty lousy anyway, for a whole bunch of reasons I won't bother going into here.

    And finally, this is not anti-microsoft FUD, this is all based on reality. I'm not against microsoft on the desktop, or microsoft servers to serve microsoft clients. But we've seen time and time again how running microsoft windows of any flavor as a web server platform incurs a much higher cost than unix, because unix just doesn't tend to break as often -- Or be compromised. While this is not an OS-level bug, you really only have one choice as far as performance and support goes for a webserver on windows, and it's not a very good choice.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Re:SysAdmins....wake up by Roofus · · Score: 5, Informative

    Heh, I work with a guy who isn't the brightest at times. He's been setting up a 2000 Server that's been hit twice with nimda in the last week. He reinstalled the server from scratch after each infection. His response?

    "I put the computer on the network to install Norton, and it keeps getting infected before I can get the updates"

    Ok, TWO THINGS:

    1) If you're going to install IIS, do not plug it into the network until you've shut down IIS. Then go download the updates.

    2) Norton isn't going to stop you from getting infected, it will only warn you about it during a routine check. If you want your machine to stay healthy, PATCH YOUR GODDAMN SYSTEM.

    Seriously, Microsoft has a little utility called HFNetChk that will scan any local or remote system and tell you what patches need to be applied. This includes the system, IIS, SQL Server, and IE.

    Not all updates are listed on the little automatic update website.

    Sigh...

  5. Re:Not Me by ptomblin · · Score: 4, Informative

    but if you have a sysadmin on staff, it's not costing anything real

    Maybe this isn't the case where you work, but where I work people use the computers to get useful work done rather than just to provide employment for a sysadmin. If a virus or worm causes down time, or the DDoS-equivalent of all those scans causes people to be unable to reach the internet to do their jobs, then everybody in the company sits there twiddling their thumbs doing nothing. That costs money. So do lost orders because people attempting to reach your web site get a defacement message and probably a copy of the worm instead of your orders page.

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  6. Don't want the attacks clogging up your logs? by rayvd · · Score: 5, Informative

    If you run Apache and hate looking at the hundreds of annoying attacks by the Code Red and Nimda worms, try adding these to your httpd.conf:

    # Apache does not accept a comment after a directive on the same line,
    # so the comments sit on their own lines.
    # For Code Red (the dot is escaped so it matches literally):
    SetEnvIf Request_URI "^/default\.ida" attacks
    # For Nimda; NoCase because the worm mixes cases (/MSADC and /msadc):
    SetEnvIfNoCase Request_URI "^/scripts" attacks
    SetEnvIfNoCase Request_URI "^/c/winnt" attacks
    SetEnvIfNoCase Request_URI "^/d/winnt" attacks
    SetEnvIfNoCase Request_URI "^/_mem_bin" attacks
    SetEnvIfNoCase Request_URI "^/_vti_bin" attacks
    SetEnvIfNoCase Request_URI "^/msadc" attacks

    # Requests that set "attacks" go to attack_log, everything else to access_log.
    CustomLog /var/log/access_log combined env=!attacks
    CustomLog /var/log/attack_log combined env=attacks

    This will dump all the "attacks" into a file called attack_log and leave your normal logfile clutter free.

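The httpd.conf rules above only separate the worm probes out of the log; the "Fight back" idea in comment 2 is to go one step further and work out which hosts are scanning you so their administrators can be told. The script below is an added example (not the poster's script and not part of the original page): it parses Apache "combined" log lines, classifies each request as a Code Red or Nimda probe using the same path prefixes as the config above (anchored to a full path segment so that a legitimate page such as /scriptsandtips.html is not flagged), and tallies hits per source host into a report you could mail out. The log lines and IP addresses are constructed for the example; the mail sending itself is left to the reader.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format:
#   host ident user [time] "method path proto" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefixes from the httpd.conf snippet above, anchored to a path segment.
# Nimda mixes cases (/MSADC vs /msadc), so matching is case-insensitive.
WORM_SIGNATURES = {
    "code-red": [r"^/default\.ida(?:[?/]|$)"],
    "nimda": [
        r"^/scripts/", r"^/c/winnt/", r"^/d/winnt/",
        r"^/_mem_bin/", r"^/_vti_bin/", r"^/msadc/",
    ],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in WORM_SIGNATURES.items()}

# Constructed sample log; the addresses are private and not real attackers.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2001:12:00:01 +0000] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
10.0.0.9 - - [27/Sep/2001:12:00:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [27/Sep/2001:12:00:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [27/Sep/2001:12:00:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
10.0.0.23 - - [27/Sep/2001:12:00:04 +0000] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 276 "-" "-"
10.0.0.5 - - [27/Sep/2001:12:00:05 +0000] "GET /scriptsandtips.html HTTP/1.0" 200 900 "-" "Mozilla/4.0"
this line is not in combined format and is skipped
"""


def classify_request(path):
    """Return 'code-red', 'nimda' or None for one request path."""
    for worm, patterns in COMPILED.items():
        if any(p.search(path) for p in patterns):
            return worm
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Tally worm probes by source host: {host: Counter({worm: count})}."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or foreign line: ignore rather than crash
        worm = classify_request(rec["path"])
        if worm:
            hits[rec["host"]][worm] += 1
    return hits


def report(hits):
    """Plain-text summary, one paragraph per scanning host, suitable for mailing."""
    out = []
    for host in sorted(hits):
        out.append(f"Host {host} sent worm probe requests to this web server:")
        for worm, n in sorted(hits[host].items()):
            out.append(f"  {worm}: {n} request(s)")
        out.append("Please check this machine for a Code Red/Nimda infection and patch it.")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(scan_log(SAMPLE_LOG.splitlines())))
```

To run it against a live server, replace SAMPLE_LOG with the lines of attack_log (or access_log) and look up the abuse contact for each reported host yourself; the script deliberately does not send mail, since automated complaints to forged or NATed addresses cause more noise than help.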
  7. Nimda is a tough worm to keep out of a network! by Nonesuch · · Score: 4, Informative
    Nimda is complicated beast.

    Unlike 'Code Red', Nimda does not spread by pushing the worm binary in the HTTP request. The worm uses HTTP to find a vulnerable IIS server, then causes the IIS server to make a TFTP request out to the attacking host to retrieve the ~64K binary.

    Most normal 'secure firewall' products aren't tuned to block outbound requests from the protected servers to internet hosts. Mine are, but that only gave me about 72 hours of lead time before it came in another way...

    Even when firewalls block the IIS scanning, Nimda spreads by email, file shares, and by putting a copy of 'README.EXE' in the root of the IIS server and adding Javascript to all web pages on the server, pushing the worm at users of the infected web site server.

    My firewalls block _all_ UDP packets, but my network still got hit hard, and probably incurred more like $60K in 'paper losses' -- lost productivity, bandwidth, overtime, etc.

    We haven't found 'patient zero', but we have two good suspects, in both cases a user with a laptop that did not have updated anti-virus software and that got infected from one of these routes:

    1. User took the laptop home and connected to an infected network/file shares.
    2. User accessed 'hotmail' or a similar site and downloaded an attachment.
    3. User visited an infected web site (probably at home) and ran README.EXE when prompted.

    The common thread here is user error.

    The best firewall is no protection against malicious, or just plain ignorant, users. Blame also falls on local admins for failing to push virus signature updates and keep up with system patches.

    I've only ever seen around a dozen inside hosts from which the worm was actively scanning HTTP, but the worm traffic from those dozen machines alone was enough to severely degrade WAN and firewall performance.

  8. Re:Windows Update?! by Meorah · · Score: 4, Informative

    Ehh. You can't judge a book by its cover. "Windows Update" will not supply hot-fixes for security updates. These are combined with all the other new features, bug fixes, and security fixes in a SERVICE PACK. You can definitely get all your service packs from Windows Update, but you'll have to wait for them to actually come out. This is obviously unacceptable, which is why MS started releasing separate hot-fixes for any security flaws that simply had to be implemented immediately, and couldn't wait on any service packs.

    You might also want to read the directions for the tool you are using before jumping to conclusions about what the "WARNING" means. Read the security bulletin, and try to figure out why they made it stand out from all the other patches.

    So, in summary... MS used to release Service Packs for fixes/updates/additions/bloat/etc. Although this is adequate for non-life-threatening issues, it has quickly become inadequate for security. MS releases a free tool to be used AS A SUPPLEMENT to Windows Update, which will allow you to apply each new security hot-fix as they release them, instead of being forced to wait on the next Service Pack.

    "CRITICAL UPDATES" are where Service Packs are placed. Those 8 hot-fixes are part of SP3, but you can download them now since they relate to security making your system vulnerable to certain viruses and trojans.

    With the increasing awareness of security, I'm surprised that you assumed anything, when you could have taken 10-15 minutes on MS's site to find out how clueless you were.

    --
    Protector of Capitalist views,
    Meorah
  9. Re:SysAdmins....wake up by Judg3 · · Score: 4, Informative

    Agreed, HFNetChk essentially looks for Registry keys that state which patches are installed. If you use it, always use the '-z' switch, which tells it to not look for the registry entries. This makes it take a little longer, because it searches for actual files, but it's a lot more accurate.
    Also, eEye has a neat little NIMDA Scanner which will do up to a Class B net looking for exploitable machines. Sometimes finding a machine that COULD be infected is harder than finding the actual infected ones.
    URLScan is nice, but you really need to know what you're doing to run it, as it's easy to mess up a webserver that's running fine.
    But the most important thing to do is to get on those security lists, NTBugtraq, MS security lists, etc. As well as hitting the big security related sites out there before your morning cup of coffee to make sure nothing new has come up.

    It's all basically common sense, but every now and then you need a nice reminder.

    --
    Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!