Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
In this presentation we are mainly focusing on the key topics listed below related to the NIMDA worm:
What is NIMDA ?
Propagation via Windows Shares, Web & Emails.
How NIMDA works via web browsers?
What can Attacker Do after Compromising Your System?
CVEs related to Nimda.
Signs of Infection.
NIMDA Signatures.
Key aspects involved like OS, protocols, Applications & Services.
Recommendations for Network Admins & for End User Systems.
7. What is NIMDA ?
NIMDA is the word “ADMIN” spelled backwards.
It is a malicious file-infecting computer worm that infected Windows IIS servers and Internet Explorer and weakened them.
Occurred on 18th of September 2001.
8. What is NIMDA ?
1. Uses commands that trick the targeted program into granting access
2. Worst case scenario – reformatting of affected disks + program reinstallation
3. Mainly takes advantage of
• out-of-date MS applications on networked computers
• servers with vulnerable Internet Information Service (IIS)
• PCs running vulnerable Internet Explorer (IE)
10. 1) Windows Shares
1. A user may have read, write, connect, delete, and execute privileges on any file system
2. It depends on the configuration established by the sys admin
3. A share with no password = successful infection
4. Makes multiple MIME-encoded duplicates of itself
11. 2) Web
1. First, it checks for previous infections by the "Code Red II" worm (the root.exe backdoor it leaves behind)
2. Second, it checks for the Microsoft exploits that Nimda uses
3. User infection
12. 3) Email
Uses the MAPI service to collect email addresses from infected machines
Then sends emails with an attachment called “readme.exe”
Any vulnerable IE user can be infected by that attachment
Email propagation characteristics:
◇ Variable mail subject
◇ Attachment size close to 57344 bytes
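As an added detection example (not part of the original presentation), the following Python inspects a MIME message for the attachment traits this slide lists: an attachment named readme.exe with a size close to 57344 bytes. The 2048-byte size tolerance and the sample messages are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Traits from the slide; the tolerance is an assumption made for this example.
SUSPECT_NAME = "readme.exe"
SUSPECT_SIZE = 57344
SIZE_TOLERANCE = 2048


def build_sample_mail(subject: str, filename: str, payload_size: int) -> bytes:
    """Construct a sample message with one attachment (test fixture, not real worm traffic)."""
    msg = EmailMessage()
    msg["From"] = "user@example.test"
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content("see attachment")
    msg.add_attachment(b"\x00" * payload_size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def inspect_message(raw: bytes) -> list:
    """Return one finding per attachment that matches any of the slide's traits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        size = len(part.get_payload(decode=True) or b"")
        reasons = []
        if name == SUSPECT_NAME:
            reasons.append("attachment named readme.exe")
        if abs(size - SUSPECT_SIZE) <= SIZE_TOLERANCE:
            reasons.append(f"size {size} within {SIZE_TOLERANCE} bytes of {SUSPECT_SIZE}")
        if name.endswith((".exe", ".eml", ".nws")):
            reasons.append(f"executable or message-type attachment: {name}")
        if reasons:
            findings.append({"filename": name, "size": size, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for subj, fname, n in [("hi", "readme.exe", 57344), ("report", "notes.txt", 1200)]:
        print(subj, fname, inspect_message(build_sample_mail(subj, fname, n)))
```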
15. What can Attacker Do after Compromising Your System?
1. Passwords can be stolen or changed
2. Placing keystroke-logging software on your device
3. Reconfiguration of firewall rules
4. Sending harmful content using the victim's e-mail address
21.
1. All the identified systems were entirely rebuilt or fixed
2. Some infected servers kept trying to infect others
3. Systems were rebuilt using a Windows NT 4.0 SP3 image, which seems to be much more reliable in this case
4. Immediately after the infection all the necessary systems were quarantined.
23.
1. Awareness
2. Scaling up your network should go hand in hand with scaling up its security
3. On both servers and workstations, virus identification software should all be kept up to date
4. Implement a mission-critical backup process
5. Approved and trusted virus protection for all platforms and OSes
6. Make it a habit for everyone to follow security best practices
24. Key Aspects Involved
Operating Systems
Microsoft Windows 95
Microsoft Windows ME
Microsoft Windows 98
Microsoft Windows NT
Microsoft Windows 2000 workstation
Protocols
HTTP
ARP
SMTP
TFTP
SMB
TCP/IP
27. For Network Admins
Ingress filtering
• Must be used to prevent externally initiated inbound connection(s) to unauthorized services at the boundary.
• The only devices that need to allow inbound connections are servers.
• Filtering port 80/TCP >> can stop copies of NIMDA
• Filtering port 69/UDP >> can stop the worm from being downloaded to IIS using TFTP
28. For Network Admins
Egress filtering
• Outbound connections towards the Internet are required by machines offering public services
• Filtering port 69/UDP >> can restrict certain components of the worm's spread
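The ingress and egress rules from the two slides above, expressed as a boundary policy check that can be run over flow records; this is an added example, not the presentation's own material. The site network 192.0.2.0/24, the single public web server 192.0.2.80 and the sample flows are all constructed for the example.

```python
import ipaddress

# Assumptions for this example: the site network and the hosts allowed to accept inbound
# connections (the slides say only servers should).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
PUBLIC_SERVERS = {ipaddress.ip_address("192.0.2.80")}


def evaluate_flow(src: str, dst: str, proto: str, dport: int) -> tuple:
    """Return (verdict, matched rule) for one flow crossing the boundary.

    Ingress: drop 69/UDP (TFTP download of the worm to IIS) and drop 80/TCP unless the
    destination is a designated server; also drop any other externally initiated
    connection to a non-server host. Egress: drop 69/UDP (TFTP component of the spread).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    inbound = s not in INTERNAL and d in INTERNAL
    outbound = s in INTERNAL and d not in INTERNAL
    if not (inbound or outbound):
        return ("n/a", "not a boundary flow")
    if proto == "udp" and dport == 69:
        return ("drop", "ingress 69/UDP: TFTP download of the worm" if inbound
                else "egress 69/UDP: TFTP component of the worm's spread")
    if inbound and proto == "tcp" and dport == 80 and d not in PUBLIC_SERVERS:
        return ("drop", "ingress 80/TCP to a non-server host")
    if inbound and d not in PUBLIC_SERVERS:
        return ("drop", "externally initiated connection to an unauthorized service")
    return ("allow", "default")


# Constructed flow records: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.80", "tcp", 80),   # inbound HTTP to the web server
    ("198.51.100.7", "192.0.2.15", "tcp", 80),   # inbound HTTP to a workstation
    ("198.51.100.7", "192.0.2.15", "udp", 69),   # inbound TFTP
    ("192.0.2.15", "198.51.100.7", "udp", 69),   # outbound TFTP
    ("192.0.2.15", "198.51.100.7", "tcp", 80),   # ordinary outbound browsing
]


def summarize(flows) -> dict:
    """Map each flow tuple to its verdict and rule."""
    return {f: evaluate_flow(*f) for f in flows}


if __name__ == "__main__":
    for flow, verdict in summarize(SAMPLE_FLOWS).items():
        print(flow, "->", verdict)
```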
29. For End User Systems
1. Keep using a reliable antivirus product
2. Disable JavaScript
3. Do NOT open suspicious attachments in e-mails
4. Use the patch provided by your vendor
31. Methodology
The goal of this research is to understand more about the NIMDA worm: exploitation, detection, and propagation in Windows. The research for this topic was conducted using a Google survey, websites, books, academic studies, research papers and lectures. Using all of the aforementioned sources, I acquired the required data and analytics for my study.
32. Conclusion
The core idea behind the findings on NIMDA is that it weakens the system's confidentiality, exposing it to future attacks by making it susceptible through file changes. Furthermore, this worm attack has resulted in a significant amount of unavailability in the target systems. NIMDA uses a variety of propagation techniques, including email propagation, Windows share propagation and Web propagation. Other than the major themes, this research report also covers subtopics such as NIMDA eradication, how to guard against NIMDA, and expert suggestions/recommendations on how to protect against NIMDA.
Greetings everyone and welcome to my presentation. First of all, let me thank you all for attending here today.
Let me start by saying a few words about my own background.
Here is how I achieved this final output.
The main purpose of this research is to evaluate and provide a proper and comprehensive understanding of the exploitation, detection, propagation and prevention of the NIMDA worm, which has been identified as a parasitic software worm or self-contained "network worm".
IIS: Internet Information Service
By changing registry records and operating system files, it also causes harm to the infected host.
Computers configured with insecure “shares,” and devices that have not been cleaned to remove the "root.exe" left behind after the "Code Red II" or “Sadmind” worms, are all easy targets for Nimda.
If Nimda infects one computer on a network, it will search for vulnerable "shares" on other machines. If it encounters a share with no password, it copies itself to and infects the new machine; afterwards, the newly infected machine becomes the worm's host for future attacks within the new network.
extensions like .eml or .nws, in every writable folder
2. When a vulnerable user accesses web pages served by the infected server, Nimda will infect the user's computer. This occurs because of the victim machine's insecure Internet Explorer.
MAPI: Messaging Application Programming Interface
2. which include the malicious code, to all the acquired email addresses
The infection even includes malicious code which tries to resend the compromised emails every 10 days.
It originated when a user visited a website hosted on a compromised intranet server. As illustrated in the figure above, the user on the right-hand side uses a vulnerable Internet Explorer and navigates to a Nimda-infected website on the left-hand side.
Since this firewall rule "allows" outbound HTTP requests across the firewall on port 80, the user is permitted to do this.
In this case, (http:// GET /home.asp) is a user's outbound HTTP request, where the GET request asks the web site for "home.asp".
This is an abbreviated version of an HTTP request, not the full version. The worm then launches a new window in the visitor's browser and hides it from the user's view.
When it connects to a web server, Nimda searches all local drives for files named DEFAULT, INDEX, or MAIN with the extensions .HTML, .ASP, or .HTM.
When a user visits a site's home page, the very first pages they see are typically the .ASP or .INDEX ones. By encoding such files with a multivolume MIME encoding technique, the worm creates copies of itself.
It adds a bit of JS (JavaScript) to all of these files that controls the web browser pop-up windows in such a manner that they are hidden from the view of the IE (Internet Explorer) user.
This weakness is associated with IE version 5.1 and the vulnerability is called "Automatic Execution of Embedded MIME Types".
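As an added example (not the presentation's own material), the following Python scans a web root for the two artifacts just described: landing pages (DEFAULT/INDEX/MAIN with .htm/.html/.asp) carrying an injected script that opens a pop-up pointing at an .eml/.nws file, and the .eml/.nws files dropped into writable folders. The regular expression and the sample web root are constructed for this example and are not a published signature.

```python
import os
import re
import tempfile

# Landing-page names and extensions the notes say the worm targets.
TARGET_NAMES = {"default", "index", "main"}
TARGET_EXTS = {".htm", ".html", ".asp"}
DROP_EXTS = {".eml", ".nws"}
# Assumption for this example: the injected pop-up is detected as a window.open() call
# whose first argument names an .eml or .nws file.
INJECT_RE = re.compile(r"window\.open\s*\(\s*['\"][^'\"]*\.(?:eml|nws)['\"]", re.IGNORECASE)


def scan_webroot(root: str) -> dict:
    """Walk root and report tampered landing pages and dropped message files."""
    infected_pages, dropped_files = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            stem, ext = os.path.splitext(fn.lower())
            path = os.path.join(dirpath, fn)
            if ext in DROP_EXTS:
                dropped_files.append(path)
                continue
            if stem in TARGET_NAMES and ext in TARGET_EXTS:
                with open(path, "r", errors="replace") as fh:
                    if INJECT_RE.search(fh.read()):
                        infected_pages.append(path)
    return {"infected_pages": sorted(infected_pages), "dropped_files": sorted(dropped_files)}


def build_sample_webroot() -> str:
    """Constructed fixture: one tampered landing page, one clean page, one dropped .eml."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "default.asp"), "w") as fh:
        fh.write("<html><script>window.open('readme.eml', null, "
                 "'resizable=no,top=6000,left=6000')</script><body>Welcome</body></html>")
    with open(os.path.join(root, "docs", "index.htm"), "w") as fh:
        fh.write("<html><body>Clean page</body></html>")
    with open(os.path.join(root, "docs", "readme.eml"), "w") as fh:
        fh.write("MIME-Version: 1.0\n")
    return root


def demo() -> dict:
    """Scan the constructed web root and return the report."""
    return scan_webroot(build_sample_webroot())


if __name__ == "__main__":
    print(demo())
```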
Deleting log data in order to cover up such acts.
In addition to that >>
Credit/debit card numbers, banking details, and personal details could be compromised
File removal/destruction or modification could be expected
The "Web Server Directory Traversal" vulnerability in Microsoft IIS 4.0 and 5.0 allows remote attackers to read files outside the web root and potentially execute arbitrary commands by using malformed URLs that contain Unicode-encoded characters.
It allows attackers to execute arbitrary commands by encoding the characters ".." (two dots) and "\" (backslash) twice.
The HTML e-mail functionality in IE web browsers 5.5 and earlier permits attackers to run attachments by supplying an uncommon MIME type for the attachment that Internet Explorer does not handle correctly.
When the user opens a Microsoft Office 2000 file/document, the folder of that file/document is searched first to locate DLL files such as 'riched20.dll' and 'msi.dll', which could enable a remote attacker to execute commands by placing a Trojan-horse DLL in the same folder as the document.
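As an added detection example (not the author's code), this Python checks IIS-style log lines for the two traversal patterns described above, overlong Unicode path separators and double URL encoding, and also flags requests for the root.exe backdoor mentioned earlier in the notes. The log lines and their W3C-style field layout are constructed for the example; the two overlong byte sequences are the widely documented encodings of "/" and "\" that the flawed decoder accepted, listed here only so a defender can match them.

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 encodings of "/" and "\" accepted by the flawed IIS decoder (detection use only).
OVERLONG = ("%c0%af", "%c1%9c")


def normalize(stem: str) -> str:
    """Fold overlong separators, decode twice (mirrors the double-decode flaw), unify slashes."""
    low = stem.lower()
    for seq in OVERLONG:
        low = low.replace(seq, "/")
    return unquote(unquote(low)).replace("\\", "/")


def classify_request(stem: str) -> list:
    """Return the reasons a URI stem looks like a traversal attempt (empty list if clean)."""
    reasons = []
    if any(seq in stem.lower() for seq in OVERLONG):
        reasons.append("overlong UTF-8 path separator")
    once = unquote(stem)
    if "%" in once and unquote(once) != once:
        reasons.append("double URL encoding")
    if ".." in normalize(stem).split("/"):
        reasons.append("dot-dot traversal after normalization")
    return reasons


# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 10:01:02 192.0.2.10 GET /home.asp - 200
2001-09-18 10:01:05 192.0.2.55 GET /scripts/..%c0%af../winnt/win.ini - 200
2001-09-18 10:01:07 192.0.2.56 GET /msadc/..%255c../winnt/win.ini - 404
2001-09-18 10:01:09 192.0.2.57 GET /scripts/root.exe - 200
"""
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def scan_log(text: str) -> list:
    """Return one finding per suspicious log line, with the client and the reasons."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, stem, _query, _status = m.groups()
        reasons = classify_request(stem)
        if stem.lower().endswith("/root.exe"):
            reasons.append("request for root.exe backdoor left by Code Red II / sadmind")
        if reasons:
            hits.append({"client": client, "stem": stem, "reasons": reasons})
    return hits
```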
1. which is left behind by the sadmind or Code Red II worms
Noticeable file size increases on the hard drive / noticeable slowdown of the computer / limited free space on disk drives/HDD
There was a unique signature detected in each and every data packet transmitted from a compromised device, and here are some of them which have been provided by the relevant authorities.
But luckily the traffic related to those infection techniques was blocked at the sub-network router in order to prevent any further infections.
Windows NT 4.0 was linked to the network to allow the sys admins to fetch and install the current fixes. In concept, this is a good practice, but in the real world the boxes had been placed on a sub-network along with a Nimda-infected server, causing all of them to be infected at the same time.
1. If you find out something new, no matter the scenario, you need to share that knowledge. The higher the awareness, the lower the risk.
For example: imagine you have one email server with security mechanisms implemented correctly, but according to the constantly growing business needs of your organization you have installed a new email server, and then you just leave the new email server as it is without any security. No, gentlemen, you can use network virus scanning software to secure it.
Show your supervisor how much a serious virus attack on your network could cost. This is a good reason to initiate or upgrade to necessary virus security precautions.
Join a protection email list to stay up to date. You will be notified on how to act upon a worm infection.
ARP - Address Resolution Protocol (ARP is used to dynamically map layer-3 network addresses to data-link addresses.)
SMTP - Simple Mail Transfer Protocol
TFTP - Trivial File Transfer Protocol (a simple protocol for exchanging files between two TCP/IP machines; TFTP servers accept connections from a TFTP client for sending and receiving files)
SMB - Server Message Block (a network file sharing protocol providing shared access to files, printers, and serial ports between nodes on a network; it also provides an authenticated inter-process communication mechanism)
MAPI (Messaging Application Program Interface) is a Microsoft Windows program interface that enables you to send E-mail from within a Windows application and attach the document you are working on to the e-mail note.
NetBIOS (Network Basic Input/Output System) is a network service that enables applications on different computers to communicate with each other across a local area network (LAN).
Ingress filtering manages the traffic flow as it enters a network under your administrative control.
Egress filtering manages the traffic flow as it exits a network under your administrative control.
When automatic updates are available, users need to use those features.
To be successful, NIMDA requires JavaScript to run. As a result, the CERT/CC advises end-user systems to disable JS until all necessary updates are installed and anti-virus software is updated.
4. Users of Internet Explorer 5.0 and later are advised to install the Microsoft fix for the "Automatic Execution of Embedded MIME Types" vulnerability.
NIMDA was first identified in September 2001. It was mostly IIS servers that were affected by this worm.
Also, there are several CVE vulnerabilities associated with the NIMDA worm, and those vulnerabilities have also been described in this research paper.
Apart from the main topics, some other sub-topics like the eradication of NIMDA, how to protect against NIMDA and the recommendations of the experts have also been described in depth in this research paper.
I am truly grateful for your time and concern in this regard.
Stay home, stay safe.
Peace and love everyone.