New (More) Annoying Microsoft Worm Hits Net 1163
Here are examples of the requests it's sending:
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../
..%c1%1c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
While writing this story I was hit a total of 4 times, 16 GET attempts per attack. In only 4 minutes. Also of interest, My desktop has now been hit about 500 times today, all from 208.x.x.x IPs. This might be really bad. I still haven't read anything about this anywhere else, so you heard it here first ;)
Update Web servers compromised by this worm apparently attach a "readme.eml" to all web pages served... and due to a bug in IE5, it will automatically execute the file! Yay Internet Explorer!
Is this just the old Unicode exploit? (Score:4, Interesting)
Looks like an exploit that's been around for a while (way before CR)
Worm roll-up? (Score:2, Interesting)
My money's on the Code Red worm being retrofit yet again to try and execute a few more tired old exploits. Which is to say hopefully Hotmail and Windows Update won't get rooted again.
Haven't heard anything about it on Bugtraq yet; haven't checked Incidents (securityfocus.com isn't chugging along so speedily).
It'll be interesting to see how many boxes this roots out in the light of increased press coverage of Code Red and MS's spate of security-minded tools out there. Or: how good do people feel about that leaky dam now that they've stuck their thumb in the hole labelled "Code Red"?
Re:Bleah...my firewall logs all of this... (Score:2, Interesting)
Re:Outlook Express 6.0 can prevent spread (Score:4, Interesting)
Actually, it is such a stupid check, it almost makes things worse instead.
Info FromRuss at BugTraq (Score:5, Interesting)
There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These "infected" machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS.
It appears that the attacks can come both from email and from the network.
A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of "audio/x-wav" together with some html parts. There appears to be no text in this message when it is displayed by Outlook when in Auto-Preview mode (always a good indication there's something not quite right with an email.)
The network attacks against IIS boxes are a wide variety of attacks. Amongst them appear to be several attacks that assume the machine is compromised by Code Red II (looking for ROOT.EXE in the
One thing to note is the attempt to execute TFTP.EXE to download a file called ADMIN.DLL from (presumably) some previously compromised box.
Anyone who discovers a compromised machine (a machine with ADMIN.DLL in the
Also, look for TFTP traffic (UDP69). As a safeguard, consider doing the following;
edit %systemroot/system32/drivers/etc/services.
change the line;
tftp 69/udp
to;
tftp 0/udp
thereby disabling the TFTP client. W2K has TFTP.EXE protected by Windows File Protection so can't be removed.
More information as it arises.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBO6dmcRBh2Kw/l7p5AQHJCgQA1JHwqF5RjJX+QVM
Tm8Ujms5+6ia0tcT1qmZWJV48eHYNzV3+AyyO6Gn8ds/NVY
iycY2qnARDJP6KNmHI0bAdBUBtsnVo5P9itElIoqKbAorQj
hSW7yN2lhJc=
=YAwc
-----END PGP SIGNATURE-----
Damn it! (Score:4, Interesting)
Just when I was hoping my cable company would unblock my HTTP port (which they said was "temporary"). Unfortunately, this will give them more fuel to make it permanent.
The HTTP port doesn't bug me as much as they have also blocked my mail port.
Question for sendmail experts out there, related to this: I'm currently using another system to tunnel my mail to my box on my cable modem. It works great, but a side effect is that it looks like all mail is coming from "localhost", which defeats the anti-Spam measures. Of course, it didn't take long for the cockroaches to find my mail server and use it for relaying. I've been fighting it by blocking specific subnets, but it's an annoying battle. Any suggestions?
much worse for me than CodeRed (Score:2, Interesting)
Yow.
Coordinated DDOS? (Score:3, Interesting)
The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks [nipc.gov] on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.
Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story...
Re:Bleah...my firewall logs all of this... (Score:2, Interesting)
There was probably a setting to disable such, but IE didn't install with that set to default, so most people are going to get hit.
Interesting Strings in readme.eml (Score:2, Interesting)
mime stuff
mapi stuff
winzip
http stuff
richtext dll stuff
hidden shares stuff
webserver sploits
net use stuff
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
internet traffic report (Score:2, Interesting)
Re:Why do stacks grow downwards? (Score:3, Interesting)
Most buffer overflows are due to code such as:
void BadFunction(void)
{
char badBuf[100];
strcpy(badBuf,longString);
So, your stack looks like:
--> increasing memory address
[badBuf 100 bytes][ebp][return addr]
Standard overflow attacks involve scribbling on the return addr.
Now, let's suppose your stack goes the other way... once the code enters the strcpy function, we'll have:
--> increasing memory address
[return addr][ebp][badBuf][retaddr#2][ebp#2]...
Where retaddr#2 and ebp#2 are the return address from strcpy back into BadFunction, and the corresponding stack frame ptr respectively.
Notice that we can now overflow badBuf to scribble on retaddr#2. Thus, when strcpy returns, we can still jump to arbitrary locations. Slightly different approach, same effect.
Again - this *seems* like it would work, but if anyone can see a flaw, please correct me.
Re:Is this just the old Unicode exploit? (Score:3, Interesting)
http://www.nipc.gov/warnings/advisories/2001/01
So what will ISP's do? (Score:2, Interesting)
Don't know about everyone else but if this keeps up (with this virus and the 100 just around the door) we won't see many ISP's allowing web servers to run at all, ever.
(As a subnote, my bosses cable modem company, NTL, specifically forbid running a server on your own machines - although, as yet, they don't activily police it)
Hackback? (Score:2, Interesting)
Before someone gets all uppity about the morality of hackbacks, we're talking harmless start default browser and get pointed at a page telling you how to fix it. This was extraordinarllily effective at getting people patched when code red went about: 5000 hits on day 1 to the patch page, 72 on day 2, and it stayed relatively static after that.
Re:unmap your EML file association (Score:2, Interesting)
if there is a <script&> tag in the message, ie seems to still execute it. Here is a test eml file.
---8<---
From me@you.org
Subject: test message
From: the devil <devil@evil.org>
To: you <you@yourcomputer.org>
Content-Type: text/html
<body>
<script>
window.open('http://www.microsoft.com');
</script>
This is a test eml file. tell me if you see it as plain text.
</body>
---8<---
Re:Info FromRuss at BugTraq (Score:2, Interesting)
Re:Yep - I'm being hit too. (Score:1, Interesting)
Got a copy of readme.eml from an infected box (Score:4, Interesting)
*DO NOT OPEN IT IN INTERNET EXPLORER.*
code red and now this and @Home does nothing (Score:1, Interesting)
Someone was testing this out way before September (Score:3, Interesting)
207.##.###.# - - [02/Apr/2001:03:15:00 -0700] "GET
cmd.exe?/c%20dir HTTP/1.0" 404 329
So it looks like someone was giving this one a dry run several months ago...
Jay (=