ru.nethack

 
 - RU.NETHACK -------------------------------------------------------------------
 From : Anton Alabushev                      2:465/162.34   19 Sep 2010  13:39:00
 To : All
 Subject : Nimda ...
 -------------------------------------------------------------------------------- 
 
              Hello All!
 --------------------------------{
 
 Incident Analysis Alert
 Version 1
 September 18, 2001, 18:00 UDT
 
 Executive Summary
 -----------------
 
 A new worm named W32/Nimda-A (known aliases are Nimda, Minda, Concept
 Virus, Code Rainbow) began to proliferate the morning of September 18,
 2001 on an extremely large scale.  It utilizes multiple IIS
 vulnerabilities to propagate via the web, and Outlook and Outlook Express
 vulnerabilities to distribute itself through email.  It spreads through
 three different means; as an email attachment, a web defacement download,
 and by directly targeting machines by exploiting known IIS vulnerabilities
 such as the ones exploited by Code Red and Code Blue.  There has been one
 report thus far of an Apache Server crashing due to Nimda terminating
 httpd processes.  No further corroboration has been made that this worm
 may have the inadvertent effect of creating a denial of service
 condition on Apache Servers.  Multiple sources have confirmed that this
 worm consumes a large amount of bandwidth and impaired performance on web
 servers is a result.  It should be noted that this worm began to
 proliferate almost exactly a week since the terrorist activities began to
 take place in the United States.
 
 Currently, anti-virus software does not detect this worm due to the recent
 nature of its proliferation.
 
 The Nimda Worm exploits the following vulnerabilities:
 
 Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
 http://www.securityfocus.com/bid/1565
 
 Microsoft IIS/PWS Escaped Characters Decoding Command Execution
 Vulnerability
 http://www.securityfocus.com/bid/1806
 
 Microsoft IE MIME Header Attachment Execution Vulnerability
 http://www.securityfocus.com/bid/2524
 
 Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
 http://www.securityfocus.com/bid/2708
 
 Microsoft Index Server and Indexing Service ISAPI Extension Buffer
 Overflow Vulnerability
 http://www.securityfocus.com/bid/2880
 
 Action Items
 ------------
 Apply the appropriate patches listed in the 'Patches' section below.  In
 addition, any IIS servers still vulnerable to the Unicode hole, or that
 have the root.exe backdoor present should be taken off-line until they can
 be rebuilt.
 
 Associated Vulnerability:
 Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability
 Microsoft IIS/PWS Escaped Characters Decoding Command Execution
 Vulnerability
 Microsoft IE MIME Header Attachment Execution Vulnerability
 Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
 Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow
 Vulnerability
 
 Associated Bugtraq ID:  1565, 1806, 2524, 2708, 2880
 
 Urgency:        High
 
 Ease of Exploit:        Automatic
 
 Associated Operating Systems:   Microsoft Windows NT 4.0, Windows 2000
 
 Technical Overview
 ------------------
 This worm takes advantage of two vulnerabilities, and one backdoor.  The
 worm spreads via e-mail and the web.  For the e-mail vector, it arrives in
 the user's inbox as a message with a variable subject line.  In the
 e-mail, there is an attachment named readme.exe.  This worm formats the
 e-mail in such a way as to take advantage of a hole in older versions of
 Internet Explorer.  Outlook mail clients use the Internet Explorer
 libraries to display HTML e-mail, so by extension Outlook and Outlook
 Express are vulnerable as well, if Internet Explorer is vulnerable.  The
 hole allows the readme.exe program to execute automatically as soon as the
 e-mail is previewed or read.
 
 Once it has infected a new victim, it mails copies of itself to other
 potential victims, and begins scanning for vulnerable IIS Web servers.
 When scanning for vulnerable IIS servers, it uses both the Unicode hole as
 well as trying the root.exe backdoor left by Code Red II.  Once it finds a
 vulnerable IIS server, it installs itself in such a way that visitors to
 the now-infected web site will be sent a copy of a .eml file, which is a
 copy of the e-mail that gets sent.  If the victim is using Internet
 Explorer as their browser, and they are vulnerable to the hole, they will
 execute the readme.exe attachment in the same way as if they had viewed an
 infected e-mail message.
 
 Corroboration
 -------------
 Multiple Anti-Virus vendors have released an alert on this worm:
 
 McAfee
 http://vil.nai.com/vil/virusSummary.asp?virus_k=99209
 
 Sophos
 http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
 
 Symantec
 http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
 
 Patches
 -------
 IIS Lockdown Tool
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp
 
 Microsoft Security Bulletin MS01-020
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-020.asp
 
 Microsoft Security Bulletin MS01-026
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
 
 Microsoft Security Bulletin MS01-033
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
 
 Microsoft Security Bulletin MS00-057
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
 
 Microsoft Security Bulletin MS00-078
 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp
 
 Attack Data
 -----------
 Examination of the source of the worm reveals the following attack strings
 used to exploit IIS Web servers.
 
 '/scripts/..%255c..'
 '/_vti_bin/..%255c../..%255c../..%255c..'
 '/_mem_bin/..%255c../..%255c../..%255c..'
 '/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%'
 '/scripts/..%c1%1c..'
 '/scripts/..%c0%2f..'
 '/scripts/..%c0%af..'
 '/scripts/..%c1%9c..'
 '/scripts/..%%35%63..'
 '/scripts/..%%35c..'
 '/scripts/..%25%35%63..'
 '/scripts/..%252f..'
 
 To those strings are added /winnt/system32/cmd.exe?/c+dir
 
 Other attacks include:
 
 '/scripts/root.exe?/c+dir'
 '/MSADC/root.exe?/c+dir'
 
 --------------------------------------}
 
       Regards, Anton.
 
                   e-mail: snifer@tcc-online.com  icq: 2517334
 ---
  * Origin: There is no such thing as a good morning ... (2:465/162.34)
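An added example, not part of Anton's post or of the quoted advisory: a small Python log scanner that models how a vulnerable IIS canonicalised the attack strings listed under 'Attack Data' and flags the resulting requests. The decoder is an approximation (an assumption, not IIS code) of the two bugs the advisory cites: the double percent-decode (BID 1806), under which '%255c' and '%%35%63' only turn into a backslash on the second pass, and the lenient UTF-8 decode (BID 2708), under which overlong '%c0%af' / '%c1%9c' and even the malformed '%c1%1c' collapse to '/' or '\'. The log lines are constructed in CLF style for the demonstration; function names and the verdict strings are my own.

```python
"""Flag Nimda-style IIS probes in web-server access logs.

Added example. The decoder models the IIS bugs the advisory cites
(double percent-decoding, BID 1806; lenient decoding of overlong UTF-8,
BID 2708); it is an approximation of that behaviour, not IIS code.
The sample log below is constructed, not a real capture.
"""
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote_to_bytes


def lenient_utf8_decode(data: bytes) -> bytes:
    """Assumed model of BID 2708: a 0xC0/0xC1 lead byte followed by any
    byte is accepted as a two-byte sequence, so overlong %c0%af / %c1%9c
    (and malformed %c1%1c) decode to '/' or '\\' instead of being rejected."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize_like_vulnerable_iis(raw_path: str) -> str:
    """Model of BID 1806: percent-decode, lenient UTF-8 decode, then decode
    again. '%255c' and '%%35%63' only become '\\' on the second pass, which
    is why a filter that decoded once let these requests through."""
    data = raw_path.encode("latin-1")
    for _ in range(2):
        data = lenient_utf8_decode(unquote_to_bytes(data))
    return data.decode("latin-1").replace("\\", "/")


def escapes_web_root(path: str) -> bool:
    """True when '..' segments climb above the virtual root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


ROOT_EXE = re.compile(r"/root\.exe$", re.IGNORECASE)
CMD_EXE = re.compile(r"cmd\.exe$", re.IGNORECASE)
# CLF-style request line; the '/c+dir' argument rides in the query string.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target: str) -> Optional[str]:
    path = target.split("?", 1)[0]
    if ROOT_EXE.search(path):
        return "root.exe backdoor probe (Code Red II leftover)"
    canon = canonicalize_like_vulnerable_iis(path)
    if escapes_web_root(canon):
        if CMD_EXE.search(canon):
            return "directory traversal to cmd.exe"
        return "directory traversal"
    return None


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            verdict = classify_request(m.group("target"))
            if verdict:
                findings.append((m.group("target"), verdict))
    return findings


# Constructed sample; the targets follow the advisory's attack strings.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2001:09:12:41 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:09:12:41 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [18/Sep/2001:09:12:42 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [18/Sep/2001:09:12:42 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [18/Sep/2001:09:12:43 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [18/Sep/2001:09:12:43 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [18/Sep/2001:09:12:44 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.7 - - [18/Sep/2001:09:13:02 -0400] "GET /index.html HTTP/1.1" 200 1893
10.0.0.7 - - [18/Sep/2001:09:13:05 -0400] "GET /docs/../images/logo.gif HTTP/1.1" 200 4102
"""

if __name__ == "__main__":
    for target, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:45s} {target}")
```

The point of modelling the decode rather than grepping for the literal strings is that the advisory's list is one sample of an open-ended family: any encoding that the vulnerable decoder turns into '..\' or '../' above the root is caught, while an ordinary in-root '..' (the logo.gif line) is not. A 200 status on a cmd.exe traversal in real logs means the host was vulnerable and should be treated as compromised, as the advisory's action items say.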
 
 

 Subject:    Author:    Date:  
 Nimda ...   Anton Alabushev   19 Sep 2010 13:39:00 
 Nimda ...   Alexandr Oskolkov   19 Sep 2001 19:17:06 
Archive: /ru.nethack/33393ba84b36.html