12.07.2015

Symantec™ Security Gateways Reference Guide - Sawmill

330 IDS events
Intrusion attempts

Nimda Worm E

Base Event: W32_NIMDA_E_MM

Details:

The worm takes advantage of a vulnerability in Microsoft IIS that could enable a remote user to execute arbitrary commands. The flaw lies in the way IIS handles CGI filename requests.

By default, IIS performs two separate actions on a CGI request. The first action decodes the filename to determine the file type (for example, .exe, .com, and so forth) and the legitimacy of the file; IIS then carries out its security check on that decoded name. The second action decodes the CGI parameters, which determine whether the file will be processed or not.

The second action includes an undocumented third step: not only does IIS decode the supplied CGI parameters, it also decodes the CGI filename a second time, after the security check has already approved it. Therefore, if a filename composed of escaped characters passes the security check, the second decoding pass unescapes the escaped characters that remain in the filename, revealing the intended path. Depending on what the escaped characters represent, varying actions may be performed. For example, '..%255c' decodes to '..%5c' on the first pass, which passes the check because it contains no '..\', and then to '..\' on the second pass, so a request built from '..%255c' sequences can be used for directory traversal outside the published Web root.

The method by which this vulnerability is exploited could allow the execution of arbitrary commands. Note that these requests are fulfilled in the context of the IUSR_machinename account, so an attacker exploiting this vulnerability gains access to the host with the privileges of that account. It may be possible to gain further privileges from this point and completely compromise the system.

It has been reported that various encoding combinations under Microsoft Windows 2000 Server and Professional may yield different outcomes. In addition, Microsoft Personal Web Server 1.0 and 3.0 have been reported to be vulnerable to this issue.

The worm Nimda (and its variants) actively exploits this vulnerability.

Nimda sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already vulnerable Microsoft IIS Web servers, and is also a virus that infects both local files and files on remote network shares. The worm uses the Unicode Web Traversal exploit against IIS servers and then spreads from an infected Web server to the clients that browse it: if you visit a compromised Web server, you are prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. When the worm arrives by email, it uses a MIME exploit that allows the virus to be executed simply by reading or previewing the message.

Please refer to the following link for more information about the worm itself and possible fix tools against it:
Symantec Write-up for W32.Nimda.E@mm

Response:

After resolving the issue, try:
■ Not accepting communications from unknown hosts.
■ Dedicating a separate drive or volume for published content.
■ Not running certain services on critical systems, especially those that accept untrusted input.
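The decode-check-decode sequence described under Details, as an added example that is not code from the Symantec guide, from Microsoft, or from the Sawmill product: a Python emulation of the vulnerable IIS order (decode once, run the security check, decode again while building the CGI filename) beside the corrected order (canonicalise fully, then check once), run over a few constructed IIS W3C-style log lines. The lenient UTF-8 folding in lenient_utf8, the log format in SAMPLE_LOG and the request strings are assumptions modelled on the behaviour the text describes, not captured data.

```python
"""Emulation of the IIS double-decode flaw that Nimda exploits (added example).

Assumptions: the filename check is modelled as a search for a ".." path
component; IIS's permissive Unicode handling is reduced to the 2-byte case;
SAMPLE_LOG is constructed, not captured.
"""
import re
from urllib.parse import unquote_to_bytes

# A ".." path component delimited by "/" or "\" (what the security check looks for).
_DOTDOT = re.compile(rb"(?:^|[\\/])\.\.(?:[\\/]|$)")


def lenient_utf8(data: bytes) -> bytes:
    """Emulate IIS's over-permissive 2-byte UTF-8 decoding (the 'Unicode Web
    Traversal' flaw). Simplification: a lead byte 0xC0..0xDF is folded with the
    next byte as ((lead & 0x1F) << 6) | (next & 0x3F) without validating the
    continuation byte, so %c0%af -> '/', %c1%9c and %c1%1c -> '\\'. A strict
    decoder rejects all of these as overlong or malformed."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data):
            cp = ((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:          # overlong encoding of an ASCII byte
                out.append(cp)
                i += 2
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def has_traversal(path: bytes) -> bool:
    return _DOTDOT.search(path) is not None


def vulnerable_iis(uri_stem: str) -> tuple[bool, bytes]:
    """Flawed order: decode %XX once, check that result, then decode AGAIN
    (and fold Unicode) while building the CGI filename.
    Returns (passed_check, filename_actually_opened)."""
    checked = unquote_to_bytes(uri_stem)              # first decode
    if has_traversal(checked):
        return False, checked                          # caught, request refused
    opened = lenient_utf8(unquote_to_bytes(checked))  # undocumented second decode
    return True, opened


def hardened_iis(uri_stem: str) -> tuple[bool, bytes]:
    """Fixed order: canonicalise completely, then check once. A path whose
    decoding is not idempotent (a %25 hiding another escape) or that is not
    strict UTF-8 is rejected outright instead of being interpreted."""
    canonical = unquote_to_bytes(uri_stem)
    if unquote_to_bytes(canonical) != canonical:
        return False, canonical                        # double-encoded
    try:
        canonical.decode("utf-8")                      # strict: overlongs raise
    except UnicodeDecodeError:
        return False, canonical
    return not has_traversal(canonical), canonical


def classify(uri_stem: str) -> str:
    """'refused'  : traversal visible to the vulnerable check, request denied
       'evasion'  : check passed, but the second decode opens a traversal path
       'clean'    : no traversal either way"""
    passed, opened = vulnerable_iis(uri_stem)
    if not passed:
        return "refused"
    return "evasion" if has_traversal(opened) else "clean"


# Constructed W3C extended log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 13:07:21 192.0.2.10 GET /default.htm - 200
2001-09-18 13:07:22 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:07:23 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:07:24 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:07:25 192.0.2.10 GET /scripts/..%%35%63../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:07:26 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe /c+dir 403
2001-09-18 13:07:27 192.0.2.11 GET /reports/100%25.exe - 200
"""


def scan_log(text: str) -> list[tuple[str, str]]:
    """Classify the cs-uri-stem field of each non-comment log line."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        stem = fields[4]
        findings.append((stem, classify(stem)))
    return findings


if __name__ == "__main__":
    for stem, verdict in scan_log(SAMPLE_LOG):
        _, opened = vulnerable_iis(stem)
        print(f"{verdict:8} {stem:48} -> {opened.decode('latin-1')}")
```

The "evasion" verdicts are the requests this IDS event is about: the name the security check approved contains no '..\' or '../', yet the filename the CGI layer finally opens does. The hardened order rejects every one of them, including the '%%35%63' and '%25%35%63' spellings, because a second decode changes the string; the literal '100%25.exe' case stays clean, showing that the idempotence rule does not break legitimate single-encoded percent signs.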
