Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
Download as PPTX, PDF0 likes62 views
The document presents an extensive overview of the Nimda worm, detailing its introduction, propagation methods, exploitation, detection, eradication, protection measures, and recommendations for network admins. Nimda, which infected Windows IIS servers and Internet Explorer in September 2001, leverages vulnerabilities in outdated Microsoft applications, allowing for serious system compromises. The conclusion emphasizes the importance of system integrity and proactive measures against potential infections.
![Signs of Infection
4
1. root.exe file
2. string like: [/c+tftp percent 20- I percent
20x.x.x.x percent 20GET percent 20Admin.dll
percent 20d:Admin.dll] inside the IIS logs
3. Admin.dll file inside any root folders
4. .nws / .eml files in multiple directories](https://image.slidesharecdn.com/nimdaworm-221115092811-8dd72652/85/Analysis-on-NIMDA-Worm-in-Windows-Exploitation-Detection-Propagation-18-320.jpg)
![8
References
1. C. M. University, “resources.sei.cmu.edu,” 12 2001. [Online].
Available:
https://resources.sei.cmu.edu/library/assetview.cfm?assetID=49
6190
2. cve.mitre.org, “CVE,” [Online]. Available:
http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2000-0884
3. cve.mitre.org, “CVE,” [Online]. Available:
http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2001-0333
4. cve.mitre.org, “CVE,” [Online]. Available:
http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2001-0154
5. cve.mitre.org, “CVE,” [Online]. Available:
http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2000-0854
6. R. Lemos, “ZDNET,” 19 09 2001. [Online]. Available:
https://www.zdnet.com/article/helpand-howto-nimda/](https://image.slidesharecdn.com/nimdaworm-221115092811-8dd72652/85/Analysis-on-NIMDA-Worm-in-Windows-Exploitation-Detection-Propagation-30-320.jpg)
Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
- 2. Hello! I am Gayan Weerarathna Lets get started with todays presentation… 😉😉 2
- 3. CONTENT 1). Introduction 2). Propagations 3). Exploitation 4). Detection 5). Eradication 6). Protection 7). Recommendations 8). References 3
- 4. Weekly Roadmap 4 1 3 5 6 4 2 Introduction Exploitation Protection Propagations Detection Conclusion
- 5. 5
- 7. What is NIMDA ? 1 NIMDA which is the backword spelling of word “ADMIN” It is a malicious file infection computer warm that got infected to Windows IIS servers and Internet Explorer and made them weak Occurred in 18th of September 2001
- 8. What is NIMDA ? 1 1. Uses commands that trick the targeted program into granting access 2. Worst case scenario – reformatting of affected disks + program reinstallation 3. Mainly takes advantage of • out-of-date MS applications on networked computers • servers with vulnerable Internet Information Service (IIS) • PCs running vulnerable Internet Explorer (IE)
- 10. 1. User may have read, write, connect, delete, and execute privileges on any file system 2. It depends on configuration established by the sys admin 3. A share with no password = successful infection 4. Makes multiple MIME-encoded duplicates 10 1) Windows Shares
- 11. 1. First, check for previous infections of "Code Red II" worm 2. Second, check for Microsoft exploits that Nimda uses. 3. User infection 11 2) Web
- 12. Use MAPI service to collect email addresses from infected machines Then send emails with attachment called “readme.exe” Any vulnerable IE user can be infected by that attachment Email Propagation characteristics: ◇ Variable mail subject ◇ Closely 57344 (bytes) size attachment 12 3) Email
- 13. 3 Exploitation
- 14. 3
- 15. What can Attacker Do after Compromising Your System? 3 1. Passwords can be stolen or changed 2. Placing keystroke-logging software in your device 3. Reconfiguration of Firewall rules 4. Sending harmful content using victim`s e-mail address
- 16. CVEs related to Nimda 3 1. "Web Server Folder Traversal" vulnerability (CVE- -2000-0884) 2. "Directory Traversal" vulnerability (CVE-- 2001- 0333) 3. "MIME Attachment Execution" (CVE- 2001— 0154) 4. "Office 2000 dll Execution“ (CVE--2000- 0854)
- 17. 4 Detection
- 18. Signs of Infection 4 1. root.exe file 2. string like: [/c+tftp percent 20- I percent 20x.x.x.x percent 20GET percent 20Admin.dll percent 20d:Admin.dll] inside the IIS logs 3. Admin.dll file inside any root folders 4. .nws / .eml files in multiple directories
- 19. Signatures 4 web server logs contain the following signatures
- 20. 5 Eradication
- 21. 5 1. All the identifies systems were entirely rebuilt or fixed 2. Some infected servers kept sending infection techniques to others 3. Systems were rebuilt using an Windows NT 4.0 SP3 image which seems to be much reliable in this case 4. Immediately after the infection all the necessary systems were quarantined.
- 22. 6 Protection
- 23. 6 1. Awareness 2. Scale up your network should be parallel with its security also 3. On both servers and workstations, virus identification software all should be kept up to date 4. Implement a mission critical backup process 5. Approved and trusted virus protection for all the platforms and OS 6. Make it a habit for everyone to follow security best practices
- 24. 6 Operating Systems Microsoft Windows 95 Microsoft Windows ME Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 workstation Protocols HTTP ARP SMTP TFTP SMB TCP/IP Key Aspect Involved
- 25. 6 Applications Internet Explorer Windows Explorer Outlook Services Microsoft IIS 4.0 MAPI Microsoft IIS 5.0 Net BIOS Key Aspect Involved
- 27. For Network Admins 7 Ingress filtering • Must be used to prevent externally started inbound connection(s) to unauthorized services at the boundary. • Only device that need the allow inbound connections are, severs. • Port 80/TCP >> can stop copies of NIMDA • Filtering ports 69/UDP >> can stop the worm from being downloaded to IIS using TFTP
- 28. For Network Admins 7 Egress filtering • Outbound connections towards the Internet are required by machines offering public services • Port 69/UDP >> can restrict certain components of the worm's spread
- 29. For End User Systems 7 1. Keep using a reliable Antivirus Product 2. Disable Java Scripts 3. Do NOT open suspicious attachments in e- mails 4. Use the patch provided by your vendor
- 30. 8 References 1. C. M. University, “resources.sei.cmu.edu,” 12 2001. [Online]. Available: https://resources.sei.cmu.edu/library/assetview.cfm?assetID=49 6190 2. cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2000-0884 3. cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2001-0333 4. cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2001-0154 5. cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2000-0854 6. R. Lemos, “ZDNET,” 19 09 2001. [Online]. Available: https://www.zdnet.com/article/helpand-howto-nimda/
- 31. 9 Methodology The goal of this research is to understand more about the NIMDA Worm: Exploitation, Detection, and Propagation in Windows. The research for this topic was conducted using a Google survey, websites, books, academic studies, research papers and lectures. Using all of the aforementioned sources, I acquired the required data and analytics for my study.
- 32. 10 Conclusion The core idea behind NIMDA's findings is that it will weaken the system's confidentiality, exposing it to future attacks by making it susceptible through file changes. Furthermore, this warm attack has resulted in a significant amount of unavailability in the target systems. NIMDA uses a variety of propagation techniques, including email propagation, Windows share propagation and Web propagation. Other than the major themes, this research report also covers subtopics such as NIMDA eradication, how to guard against NIMDA, and expert suggestions/recommendation om how to protect from NIMDA.
- 33. Thank You ! Stay Safe. 33
Editor's Notes
- #2: Greetings everyone and welcome to my presentation. First of all, let me thank you all for attending here today. Let me start by saying a few words about my own background.
- #5: Here is how I archived this final output
- #6: The main purpose of this Research is to evaluate and provide a proper and comprehensive understanding about the Exploitation Detection Propagation Prevention of the NIMDA Worm. Which has been Identified as parasitic software worm or self-contained "network worm“.
- #8: (IIS) Internet Information Service
- #9: By changing registry, records, and operating system files, it also causes harm to the infected host computers configured with insecure “shares,” and devices that have not been cleaned to remove "root.exe" left behind after the "Code Red II" or “Sadmind” worms are all easy targets for Nimda.
- #11: If Nimda infects one computer on a network, it will search for vulnerable "shares" on other machines. if it encounters a share with no password, it copies itself to and infects the new machine, and afterwards, the newly infected machine then becomes worm's host for future attacks within the new network. extensions like .eml or.nws / in every writable folder
- #12: 2. When a vulnerable user accesses the Web pages served by the infected server, Nimda will infect the user's computer. This is occurring due to victim's machine's insecure Internet Explorer
- #13: (MAPI) Messaging Application Programming Interface 2. which include the malicious code for all the acquired email addresses The infection even has a malicious code which tries to resend compromised emails every 10 days
- #15: It originated when a user visited a website hosted on a compromised Intranet server. As illustrated in the above figure, user on right-side, uses a vulnerable Internet Explorer and navigates to a Nimda-infected website on the left-side. Since this Firewall rule "allows" outbound/outgoing HTTP requests across the Firewall on Port 80, the user is permitted to do this activity. In this case, (http:// GET /home.asp) is actually a user outbound HTTP request, where GET request is the request for the web site for "home.asp." This is an abbreviated version of an HTTP request, not the full version. Then the worm launches a new window in the visitor's browser and hides it from user view. Nimda searches all the local drives for the files with file extensions DEFAULT, INDEX, and MAIN. HTML, .ASP, or .HTM when it connects to a Web server. When a user visits a site's home-page, the very first pages they see are typically the .ASP orelse .INDEX. By encoding such files with a multivolume MIME encoding technique, the Worm creates copies of its own. It adds a bit of JS (JavaScript) to all of these files that control the web browser pop-up windows in such a manner that it is hidden from the view of the IE (Internet Explorer) user. This weakness is associated with the IE version 5.1 and the vulnerability is called as "Automatic Execution of Embedded MIME Types.
- #16: Deleting log data in order to cover up such acts. In addition to that >> Credit/debit card numbers, banking details, and personal details could be compromised File removal/destruction or modification could be expected
- #17: The "Web Server Directory Traversal" vulnerability in Microsoft IIS 4.0 and 5.0 provides remote hackers to read things outside of web root & potentially execute arbitrary instructions/commands by using incorrect URLs that include UNICODE encoded characters/symbols. Allows hackers to access arbitrary instructions/commands by encoding the characters ".." (two dots) and "" twice. It’s a HTML e-mail functionality in IE Web Browsers 5.5 and earlier permits hackers to run attachments by providing an uncommon MIME format for the attachment that Internet Explorer browser does not handle correctly. When the user has opened Microsoft Office 2000 file/document, the folder of that file/document will be first of all used to locate DLLs files such as 'riched20.dll' &'msi.dll', that could enable a remote attacker to execute instructions/commands by embedding a Trojan-Horse DLL into same folder as the document.
- #19: 1. which is left behind by sadmind or Code Red II worms Noticeable file size increments in hard drive / Noticeable slowdown in the computer / Limited free space in disk drives/HDD
- #20: There was a unique signature detected with each and every data packet transmitted out from a compromised device and here are some of ‘em which have been provided by relevant authorities
- #22: But luckily those traffic related to infection techniques were banned and avoided in the sub network router in orders to prevent any further infections. Windows NT 4.0 was linked to network for allowing the Sys admins to get and install the current fixes. In concept, this is a good practice, but in exercise of real world, the boxes have been locked onto a sub-network along with a Nimda infected server, causing all of them to be infected at the same time.
- #24: 1. If u find out sth new, nonmatter the scenario u need to share that knowledge. Higher the awareness lesser the risk For an example : imagine u hv one email server with security mechanism implemented correctly , but according to constantly growing business needs of ur org u hv installed new email server, so then u just leave the new email server as it is without any security . NO gentlemen you can use network virus scanning software to secure it. Show your supervisor how much a serious virus attack on your network could cost. This is a good reason to initiate or upgrade to necessary virus security precautions. Join a protection email list to stay up to date. You will be notified on how to act upon a worm infection.
- #25: ARP - Address Resolution Protocol (Address Resolution Protocol(ARP) is used to dynamically map layer-3 network addresses to data-link addresses. ) SMTP - Simple Mail Transfer Protocol TFTP - Trivial File Transfer Protocol ( is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files ) SMB - Server Message Block ( is a network file sharing protocol, for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism )
- #26: MAPI (Messaging Application Program Interface) is a Microsoft Windows program interface that enables you to send E-mail from within a Windows application and attach the document you are working on to the e-mail note. NetBIOS (Network Basic Input/Output System) is a network service that enables applications on different computers to communicate with each other across a local area network (LAN).
- #28: The traffic flow when it enters to a network under your administrative control is managed by ingress filtering **TFTP >> Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files.
- #29: The traffic flow when it exits a network under your administrative control is managed by Egress filtering
- #30: When the automatic updates are available users, need to use those features. To be successful, NIMDA require the use of a successful JavaScript. As a result, the CERT/CC advises that end users systems to disable JS until all necessary updates are installed and anti-virus software/app is updated. 4. Users of Internet Explorer 5.0 and later are advised to install the Microsoft fix for the "Automatic Execution of Embedded MIME Types"
- #32: IEEE, ZDnet, ResearchGate, Wikipedia, techtarget, f-secure
- #33: NIMDA was first identified in September 2001. Mostly the IIS servers that got affected by this worm. And also, there are several CVE vulnerabilities that are associated with NIMDA Worm and those vulnerabilities also been described in this research paper. Apart from the main topics some other sub topics like Eradication of NIMDA, how to protect against NIMDA and what are the recommendations of the experts are also been deeply described in this research paper
- #34: I am truly grateful for ur time and concern in this regard. Stay home stay safe Peace n love everyone.