Security Advisory:
Nimda Worm attacks Web Servers
Nimda Introduction

Nimda ("admin" spelled backwards) is a new and powerful worm that is spreading aggressively over the Internet. This Trojan worm uses three modes of propagation: it spreads via e-mail, via network shares, and via web servers running IIS, using the IIS Web Directory Traversal exploit.

Simply visiting an infected Web page can infect Internet users. One aspect of Nimda's versatility is its ability to modify Web sites so that they carry files that spread via downloads.

Unlike Code Red, the worm can infiltrate a corporate network and create a user account with unlimited access to files and e-mail. Nimda can corrupt servers and e-mail systems, and has forced many companies around the world to shut down their systems entirely.

Result

  • Corrupted files and access to sensitive data: the readme.exe file executes a program that opens up the computer's hard drive for outside access
  • Illegal access to backend systems via the Internet: opens up your internal files to other hackers via the Internet
  • Once it gains control, it scans web servers for other known vulnerabilities and attacks those servers
  • Spreads by e-mailing itself to everyone in the user's address book, thus overloading the network
  • Forces companies to shut down networks, including all web servers, to stop the spread
Method of Attack

This worm can be activated in many different ways. Nimda can be triggered through common actions such as clicking on an e-mail attachment or running an executable program. The Nimda worm spreads by sending infected e-mails that carry an attachment labeled "readme.exe." It also propagates by infiltrating unsecured Web sites and attaching itself to an unsuspecting user's Web browser. "Nimda" may show up as a sound or .wav file. When a user opens the underlying file, called "readme.exe," the program opens the computer's hard drive, allowing the computer to be accessed by third parties via the Internet. The worm can also e-mail itself to everyone in the user's computer-based address book. Like Code Red, the worm attempts to infect its local subnet first, then spreads beyond the local address space.

Nimda has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers.

When Nimda strikes a web server, requests like the following will appear in your IIS log file:

GET /scripts/root.exe?/c+dir
GET /MSADC/root.exe?/c+dir
GET /c/winnt/system32/cmd.exe?/c+dir
GET /d/winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
GET /msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir
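The log entries above only betray a traversal once the path is decoded the way the unpatched IIS decoder did (lenient UTF-8 for the \xc0\xaf and \xc1\x1c forms, and a second percent-decoding pass). The following is an added example, not code from the Sanctum advisory: it canonicalizes logged request paths and flags both the traversal and the cmd.exe/root.exe target over a constructed sample log. The sample lines, the %255c double-encoded variant and all function names are my assumptions, not taken from the page.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS-style request lines (not a real log): one benign hit, then probes in the
# encodings the advisory lists plus a %255c double-encoded variant, all aimed at cmd.exe/root.exe.
SAMPLE_LOG = r"""
GET /default.htm
GET /scripts/root.exe?/c+dir
GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
GET /scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
""".strip().splitlines()

_HEX_TEXT = re.compile(rb"\\x([0-9a-fA-F]{2})")  # raw high-bit bytes printed as \xHH text

def _lenient_utf8(data: bytes) -> bytes:
    # Mimic the unpatched IIS decoder: lead byte 0xC0-0xDF plus ANY next byte gives
    # ((lead & 0x1F) << 6) | (next & 0x3F), so overlong C0 AF -> '/', C1 9C and C1 1C -> '\'.
    out, i = bytearray(), 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data):
            code = ((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if code < 0x80:            # overlong form of an ASCII byte: the abused case
                out.append(code)
                i += 2
                continue
        out.append(lead)               # valid non-ASCII or plain byte: keep as is
        i += 1
    return bytes(out)

def canonicalize(uri_path: str) -> str:
    # Reduce a logged path to what IIS would actually have opened.
    data = _HEX_TEXT.sub(lambda m: bytes([int(m.group(1), 16)]), uri_path.encode("latin-1"))
    for _ in range(2):                 # two rounds: %255c -> %5c -> '\' (the double-decode flaw)
        data = _lenient_utf8(unquote_to_bytes(data))
    return data.decode("latin-1").replace("\\", "/").lower()

def classify(request_line: str) -> list:
    # Reasons a request looks like a Nimda probe; [] when it looks clean.
    _method, _, target = request_line.strip().partition(" ")
    path = canonicalize(target.split("?", 1)[0])
    reasons = ["traversal"] if "/../" in path else []   # climbs out of the vdir after decoding
    if path.endswith(("cmd.exe", "root.exe")):          # shell reached even without traversal
        reasons.append("target:" + path.rsplit("/", 1)[-1])
    return reasons

def scan_log(lines):
    # (line, reasons) for every line that trips at least one check.
    return [(line, r) for line in lines if (r := classify(line))]
```

Matching on the decoded path rather than on literal "../" is what keeps the %255c and overlong UTF-8 variants from slipping past the check.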

Sanctum Stops the Nimda Worm

AppShield

Nimda opens any and all files on your hard drive including internal directories and root files (root.exe) exposing all your mission critical information. This is recognized by AppShield as forceful browsing or a backdoor/debug vulnerability and therefore unauthorized behavior. AppShield will block this behavior from occurring and therefore prevent any manipulation of the business logic on your hard drive as a result of this attack.

Similarly, Nimda also tries to execute commands via the web server (Stealth Commanding), and AppShield will stop this malicious behavior as well, before your server corrupts others in the line of fire. AppShield automatically blocks all attacks against unpatched IIS systems. AppShield blocks requests for pages that are not linked from a valid, authorized web page.

Therefore, any request for the following pages would be disallowed, as none of them is a valid page that would be called directly by another web page:

  • get_mem_bin
  • vti_bin
  • owssvr.dll
  • Root.exe
  • CMD.EXE
  • ../ (Unicode)
  • Getadmin.dll
  • Default.IDA
  • /Msoffice/
  • cltreq.asp

Finally, AppShield blocks all requests containing non-safe characters. For instance, all high-bit Unicode characters are by default non-safe.

AppScan

The worm is injected through the use of known IIS vulnerabilities. AppScan can scan for those vulnerabilities and provide the detailed application risk assessment required to alert users to the severity of their application vulnerability, with a link to the patch or coding technique required to avoid further destruction.

Contacts:

Izhar Bar-Gad
Sanctum, Inc.
Phone: (408) 352-2000
EMail: [email protected]

Additional Information:

 


© 2002 Sanctum, Inc.


