Slashdot Mirror


Nimda To Strike Again

Seabass55 writes: "Researchers say Nimda is set to propagate again after rechecking Nimda's code. God help all the MS boxes ... again." Looks like the owners of unpatched IIS machines have until 9 p.m. GMT (1 a.m. ET) to get ready. I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants. Update: 09/27 22:45 GMT by T : Temporal confusion -- that's 5:00 GMT, sorry :) Update: 09/28 00:14 GMT by T : Carnage4Life contributes this link to a command-line tool from Microsoft to list patches already installed or still needed, if you think your Windows machine may be vulnerable.

20 of 523 comments

  1. Patch your damn servers! by jiheison · · Score: 5, Funny

    I'd like to see a nice double stockade for the writers of Sircam and Nimda, and maybe some fireants.

    Maybe just corn syrup and regular ants for the admins who still haven't patched their servers.

  2. Learn Internet Security Or Get Off The Web! by BIGJIMSLATE · · Score: 5, Informative

    I believe this Wired article applies in this case (as many machines are still left unpatched), as well as an idea of what some ISP's are considering/doing if their subscribers don't have a clue.

    (Plain-text link):
    http://www.wired.com/news/business/0,1367,47037,00.html

  3. sircam made me feel warm today though... by edrugtrader · · Score: 5, Funny

    a video game i wrote 10 years ago in Qbasic was just emailed to me today via sircam...

    that means that someone actually had it on their computer, and that made me feel all fuzzy.

    god bless sircam, and its glorious resurrection and distribution of great software titles.

    --
    MARIJUANA, SHROOMS, X: ONLINE?! - E
    1. Re:sircam made me feel warm today though... by BIGJIMSLATE · · Score: 5, Funny

      I had a similar case, but it involved some porn. Now naturally I'd be happy about that under normal circumstances, but not if it's my freaking SISTER!

      EWW.....

    2. Re:sircam made me feel warm today though... by ocie · · Score: 5, Funny

      Yeah, it's good to see that push technology is finally coming to the net :)

      --
      JET Program: see Japan, meet intere
    3. Re:sircam made me feel warm today though... by geekoid · · Score: 5, Funny

      isn't that the weirdest feeling?
      I went to someone's house to find out why their PC was running slow; they had a program I wrote 8 years ago, and they were still using it! I did ask him why he never sent the author the shareware money (10.00). He said "I'm sure he made so much money he won't miss my 10 bucks".
      then I told him it was me, and NO ONE sent me ANY money. boy did we laugh. Of course he still hasn't paid me my 10 bucks...rat bastard.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  4. Fight back by Anonymous Coward · · Score: 5, Informative

    Check out my script! If you're running Apache, it'll monitor the logfile and send mail to the Administrator of the infected server!

  5. Math? by sharkey · · Score: 5, Interesting

    9pm GMT -04:00 (EDT) is 5pm EDT.
    9pm GMT -05:00 (EST) is 4pm EST.

    However, the time mentioned in the article is 1am ET. Hazard a guess that it is really EDT they are citing, making 5am GMT zero hour. It will be 12:00am (Midnight) EST.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  6. Nimda cost me Microsoft. by standards · · Score: 5, Interesting

    My organization was hit hard by Nimda. Our poor Windows Administration staff ran around like crazy cleaning, patching, and upgrading hundreds of machines.

    Is this a Microsoft problem? You bet.

    Microsoft OSs do not have a complete, common set of system administration tools built in. This results in haphazard machine administration.

    Microsoft and other companies sell useful administration tools, but these are high priced tools that only do a piece of the job. And since they aren't included with the OS, very few sysadmins have expertise with them.

    So Microsoft, get on the ball. If you want to sell an OS, it should be ready for the enterprise.... including enterprise administration.

    In the meantime, we're porting our apps from IIS to Apache. Yay!

    1. Re:Nimda cost me Microsoft. by bad-badtz-maru · · Score: 5, Insightful

      Our organization didn't do squat because we spent five minutes researching commonly accepted practices for securing IIS and NT boxes before we ever put our first box on the net. We do the same for every piece of hardware and software; exploits are not an MS-exclusive thing. The simple act of unmapping unused extensions in IIS has saved us countless hours (or days) of agony on many occasions. I suspect your organization may not contain the level of security-consciousness necessary to properly maintain systems connected to the internet, since such security-awareness would have included remedial research into the securest method of presenting a piece of hardware or software to the internet. In other words, if your organization knew what they were doing, the issue you experienced would not have occurred. It's not an apache/IIS issue, it's a poor administration issue that will plague your organization, unless corrected, regardless of what OS and web server software they choose to deploy.

      Hope this helps,
      maru
      www.mp3.com/pixal

  7. Dangerous Viruses?? by dragons_flight · · Score: 5, Interesting

    Whatever happened to all the "3v1|_ h4x0r5"(TM)??

    We've seen a number of highly infectious viruses in the last year (Sircam, Code Red, Nimda, etc), but none of these were actually very destructive. Sure they are a pain to get rid of, and may spread a little information around, eat up bandwidth, or compel you to reformat just to be sure, but they aren't flattening people's systems.

    Whatever happened to the anarchists out to destroy the system? Now admittedly I don't want to encourage people to be more destructive, but it seems almost trivial to think of ways that viruses and worms could easily be made more destructive. For instance, upon infection, delete everything in the "My Documents" folder. Or, change default web page to a share of the whole computer. Or even wait a couple days and then wipe the person's hard drive.

    I haven't been vulnerable to anything to come along lately, and I'm glad, but I'm also glad to note that the truly skilled black hats out there seem to have moderated how much damage they actually intend to do. I wonder if they are scared what the law might do to them if their attack truly was evil.

  8. If you follow good practice... by drinkypoo · · Score: 5, Informative

    Then you're not vulnerable to either.

    Good practice in this case means keeping your systems updated to the latest patches, not having open shares at all, and updating software to the latest version. It also includes not using software known to be not only a security risk, but basically an open door to "hackers". Note the quotes, please. They indicate sarcasm.

    If you have patched Win2k to SP2, are running IE6 final, and do not use outlook, you have protected yourself from every vector of these worms, except for the "Web Folder Traversal" issue. That's a minor quick fix, though it shouldn't have been necessary.

    Why am I willing to specify not using outlook and not specifying not using IIS? Because it became abundantly clear that outlook was unsafe well over a year ago, whereas IIS could have been termed "more or less okay" until recently. Also, you just can't walk away from NT/IIS webservers and jump on the *[iu]x bandwagon right away, because there's all that ASP code lying around.

    Until M$ rewrites outlook, outlook express, and IIS from the ground up, you should immediately (or as close to immediately as you can get) stop using them. Given that IIS sucks anyway, you might as well stop using it permanently. I understand the allure of outlook, and the interoperation between it and exchange, but consider a web-based scheduling/collaboration system. Exchange is pretty lousy anyway, for a whole bunch of reasons I won't bother going into here.

    And finally, this is not anti-microsoft FUD, this is all based on reality. I'm not against microsoft on the desktop, or microsoft servers to serve microsoft clients. But we've seen time and time again how running microsoft windows of any flavor as a web server platform incurs a much higher cost than unix, because unix just doesn't tend to break as often -- Or be compromised. While this is not an OS-level bug, you really only have one choice as far as performance and support goes for a webserver on windows, and it's not a very good choice.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:If you follow good practice... by Spy+Hunter · · Score: 5, Funny
      WARNING to IE6 users or people without Outlook installed: You are not invulnerable! A virus file on your system can still easily be executed. I recently got infected, and it was the dumbest thing ever. Some time ago I had to reinstall Windows (gdi.exe was corrupted!?!), so I backed my files up to my friend's computer over the network. To get them back I made an open share on my computer (should have had a password) and sent them over. When I was done I noticed that some *.eml files had been inserted into my open share. "Hey, that's the virus I read about on Slashdot," I thought. So I went to delete it. I simply selected the file to delete it (I didn't run it) but Explorer, in its infinite stupidity, ran the file in the preview pane! Simply by the act of selecting the file I had run it inadvertently! This on a system running IE6 without Outlook installed!

      Fortunately I was able to boot into Linux and delete all those .eml files, then download a virus remover from McAfee or someplace. But let this be a warning: Before deleting a .eml file, TURN FILE PREVIEWS OFF!

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  9. I am so sick of this by ellem · · Score: 5, Insightful

    I administer Notes, NT, Win9x and a Linux box, plus firewalls yadda, yadda.

    I work in a Corporate Travel Agency in NYC, they just decimated my entire staff and I have me and one other guy who has been relegated to inputting ticket refunds.

    I DON'T HAVE TIME FOR THIS! My lone IIS server has been patched since the first day. Lotus Notes doesn't care about these dumb ass viruses (virii) and my Norton's are all up to date.

    My USERS got this crap from infected web pages!

    We're losing a machine a day in the field b/c these bozos can't figure out how to click on a button called VIRUS_FIX on the corporate intranet.

    I am ready to frigging quit and become an English Teacher, fuck the money! If the whole MS world can be brought to its knees every time some kid in Sweden has the day off then we're all fucked.

    CIOs who continue to use Outlook/IIS deserve whatever happens to them. (We HAD to use IIS for a 3rd party software app.) Microsoft SHOULD ABSOLUTELY BE PAYING ITS CUSTOMERS BACK FOR THIS! HOW DARE THEY GET READY TO RELEASE YET ANOTHER VIRUS RUNTIME OS.

    It is seriously time for the MCSE farms to be shut down and for corporate America to move to another OS. Fuck the users; guess what, they don't know all that much about the OS they are on; switching them now will have no lasting impact.

    --
    This .sig is fake but accurate.
  10. Re:Not Me by sphealey · · Score: 5, Interesting

    "Legislation shows that people have a hard time differentiating what's a serious offence and what isn't"

    Despite the fact that I thought we were patched and secured, the Nimda worm hit our servers. Oops - missed one of those MS security bulletins. My bad.

    The cost in real dollars (not "gartner dollars" or "TCO dollars") to clean it up was around $25,000. For one small manufacturing company.

    If a naughty kid threw a rock through our window and did $100 of damage, the police would yell at him and call his parents to pick him up. If he threw a bottle of gasoline through the window and did $25k of damage, he would be prosecuted for a felony.

    So exactly how is this Nimda bomb not a "serious offense"?

    sPh

  11. Re:SysAdmins....wake up by Roofus · · Score: 5, Informative

    Heh, I work with a guy who isn't the brightest at times. He's been setting up a 2000 Server that's been hit twice with nimda in the last week. He reinstalled the server from scratch after each infection. His response?

    "I put the computer on the network to install Norton, and it keeps getting infected before I can get the updates"

    Ok, TWO THINGS:

    1) If you're going to install IIS, do not plug it into the network until you've shut down IIS. Then go download the updates.

    2) Norton isn't going to stop you from getting infected, it will only warn you about it during a routine check. If you want your machine to stay healthy, PATCH YOUR GODDAMN SYSTEM.

    Seriously, Microsoft has a little utility called HFNetChk that will scan any local or remote system and tell you what patches need to be applied. This includes the system, IIS, SQL Server, and IE.

    Not all updates are listed on the little automatic update website.

    Sigh...

  12. Read between Gartner's lines by alienmole · · Score: 5, Insightful
    Did you read the Gartner report carefully? It said "enterprises hit by both Code Red and Nimda" should investigate alternatives. This implies that enterprises not hit by both worms don't need to switch.

    If a company wasn't hit by both, presumably their security policies and procedures are either already up to scratch, or capable of being improved sufficiently. But if a company was hit by both, their procedures are probably beyond repair, and they'd be better off with a server that's more secure by default.

    So I think Gartner was absolutely correct. Not only that, but people who didn't pick up that subtlety from the Gartner report are also more likely to need to switch servers, so the report works either way! :P

  13. Don't want the attacks clogging up your logs? by rayvd · · Score: 5, Informative

    If you run Apache and hate looking at the hundreds of annoying attacks by the Code Red and Nimda worms, try adding these to your httpd.conf:

    # Code Red probes /default.ida. Apache does not accept a "#" comment on
    # the same line as a directive, so the comments sit on their own lines.
    SetEnvIf Request_URI "^/default\.ida" attacks
    # Nimda probes the rest of these paths.
    SetEnvIf Request_URI "^/scripts" attacks
    SetEnvIf Request_URI "^/c/winnt" attacks
    SetEnvIf Request_URI "^/_mem_bin" attacks
    SetEnvIf Request_URI "^/_vti_bin" attacks
    SetEnvIf Request_URI "^/MSADC" attacks
    SetEnvIf Request_URI "^/msadc" attacks
    SetEnvIf Request_URI "^/d/winnt" attacks

    # Requests that set "attacks" go to attack_log, everything else to access_log.
    CustomLog /var/log/access_log combined env=!attacks
    CustomLog /var/log/attack_log combined env=attacks

    This will dump all the "attacks" into a file called attack_log and leave your normal logfile clutter-free.

  14. Here's how I'm getting them patched by DrSkwid · · Score: 5, Funny

    I've gone through my logs and found quite a few

    What I do is go connect to the offending box via smb

    Usually they have a printer attached to it so I print out a page of A4 with :
    "YOU ARE INFECTED WITH NIMDA, SORT IT OUT
    here's how : http://www.antivirus.com"

    on it in 72 point text

    it's working so far

    if they don't have a printer then they usually have an open share that's world writable so I leave text files called

    you are infected with nimda.txt

    and put the url inside them

    that's closed a couple too

    (I also found a keygen I'd been looking for so that was a bonus)

    I'm not sure if nimda resets the passwords but which might not lead to a surprise of how far you can go with

    un : adminsitrator
    pw :

    have fun

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  15. Re:Not Me by Rogerborg · · Score: 5, Insightful
    • If you're an NT admin, you have to stay on top of *EVERY* patch. You don't patch, your company loses money because of your negligence. If you don't patch, you deserve to lose your job

    You apply SP6 to NT4 the day it comes out. Your company's Lotus Notes system falls on its arse. You lose your job.

    Admins have a hard enough job keeping a known, stable system running without applying day-0 patches every time Microsoft figure they're screwed up again. Applying patches immediately and automatically isn't a black and white issue, and all your sound and fury won't make it so.

    --
    If you were blocking sigs, you wouldn't have to read this.