Mailing List Archive

plugin that will detect servers infected w/ Nimda worm
Hi,

Attached is a .nasl plugin that will check to see if the server has
been infected by the Nimda Worm.

This plugin will check the index page for readme.eml.

Please comment... I would like ideas on how to improve it.

Cheers,
Alan

-----------------------------------------------------
Alan Pitts | E-Mail: amp@uu.net
UUNet Technologies | Ph: 614.723.4954
-----------------------------------------------------
Re: plugin that will detect servers infected w/ Nimda worm
On Tue, Sep 18, 2001 at 06:24:18PM -0400, Alan Pitts wrote:
>
> Hi,
>
> Attached is a .nasl plugin that will check to see if the server has
> been infected by the Nimda Worm.
>
> This plugin will check the index page for readme.eml.
>
> Please comment... I would like ideas on how to improve it.

Hi,

Matt Moore sent me the same plugins a few minutes before you :(

I think that next time I'll give precedence to plugins sent to me via
the mailing list rather than sent to me directly.

Anyway, let's comment on the coding style (which is the purpose of this
mailing list after all).


> port = get_kb_item("Services/www");
> if(!port) port = 80;
>
> if ( get_port_state(port) ) {
> soc = open_sock_tcp(port);

If you were a purist (something I'm not), you'd use http_open_socket().
Today, http_open_socket() is exactly the same as open_sock_tcp(), but in
the future it /might/ open a socket to your selected proxy.
(I don't use it myself, not really knowing whether I'll add proxy
support in Nessus. But if you really want to think ahead, this is the
way to go).

> if (soc) {
>
> data = string("GET / HTTP/1.0\r\n\r\n");

You should prefer http_get(), as it forges a full HTTP/1.1 or 1.0
request. The syntax would be:

data = http_get(item:"/", port:port);

(the argument "port" is needed so that NASL can then look in the KB if
the remote server running on that port supports HTTP/1.0 or /1.1).

Which makes me think: maybe doing your request is the way to go, as
it'd return the remote web root (not the root of a virtual server).

Which file is modified when the worm hits? The web root or the root of
the current virtual server?


Thanks,

-- Renaud
RE: plugin that will detect servers infected w/ Nimda worm
>
> Which file is modified when the worm hits ? The web root or the root of
> the current virtual server ?

Probably both.

I've had conflicting reports on the infection method. Some have said the
worm inserts the JavaScript into *every* .htm, .html and .asp it finds,
whereas one of the AV vendors (Sophos) had a list of specific filenames that
it modified:

index.html
index.htm
index.asp
readme.html
readme.htm
readme.asp
main.html
main.htm
main.asp
default.html
default.htm
default.asp

http_get supplies a Host: header where a servername has been specified - is
it worth adding another request to the plugin which just uses the IP? (This
should view the web root in IIS?)

regards,

Matt
>
>
> Thanks,
>
> -- Renaud
RE: plugin that will detect servers infected w/ Nimda worm
hello List,

I've just seen one description of the worm which states:

'Virus code in stealth executable file with name tftp###, where ### is
any numeric string. File has no extension, but it is definitely a
Windows executable. This file is placed into \Program Files\Common
Files\System\MSADC, and in same directory, Admin.dll appears to be
hacked.'

Anyone confirm this behaviour, specifically that it puts a file called
'Admin.dll' in the MSADC folder (which is usually mapped to /msadc on the
web server)?

Obviously testing for the presence of the tftp file isn't feasible as it has
a random numeric string on the end of the filename, but the plugin could be
updated to also test for /msadc/Admin.dll if this is accurate...

regards,

Matt
Re: plugin that will detect servers infected w/ Nimda worm
Renaud Deraison writes:
> On Tue, Sep 18, 2001 at 06:24:18PM -0400, Alan Pitts wrote:
> >
> > Hi,
> >
> > Attached is a .nasl plugin that will check to see if the server has
> > been infected by the Nimda Worm.
> >
> > This plugin will check the index page for readme.eml.
> >
> > Please comment... I would like ideas on how to improve it.
>
> Hi,
>
> Matt Moore sent me the same plugins a few minutes before you :(

Glad to know that there are multiple people trying to get a plugin out
ASAP. :0)

>
> I think that next time I'll give precedence to plugins sent to me via
> the mailing list rather than sent to me directly.
>
> Anyway, let's comment the coding style (which is the purpose of this
> mailing list after all).
>
>

Thanks for the suggestions! I knew there had to be a better way to
code this.

I had considered using egrep to check for the presence of the longer
JavaScript string that is appended to the files. My thought is the
test would be more specific (maybe reduce false positives). However,
I could never really get a match using a regex that worked pretty well
w/ perl. Is it worth using egrep for the test?

> (the argument "port" is needed so that NASL can then look in the KB if
> the remote server running on that port supports HTTP/1.0 or /1.1).
>
> Which makes me think : maybe doing your request is the way to go, as
> it'd return the remote web root (not the root of a virtual server).
>
> Which file is modified when the worm hits ? The web root or the root of
> the current virtual server ?

One of the people I work w/ has a honeypot that was recently
infected. He (Jared Allison) says that the worm has changed more than
just the files mentioned by Sophos. It looks like all files
w/ .html, .htm, and .asp. That would mean that using http_get would
work just as well, yes?

Suggestion: Maybe putting a pointer to the cert advisory would be
helpful for the user. http://www.cert.org/advisories/CA-2001-26.html

Cheers,
Alan

--
-----------------------------------------------------
Alan Pitts | E-Mail: amp@uu.net
UUNet Technologies | Ph: 614.723.4954
-----------------------------------------------------
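The checks discussed across this thread (Renaud's point that a request without a Host: header lands on the web root rather than a virtual server, Matt's suggestions to also request the page by IP and to probe /msadc/Admin.dll, and Alan's idea of matching the full appended JavaScript instead of just "readme.eml"), pulled together as one added example. This is editor-written Python, not the NASL plugin posted to the list; everything in it is an assumption for illustration: the IP 192.0.2.10 and hostname www.example.com, the User-Agent string, the candidate path list (taken from the Sophos list quoted above), and the sample HTTP responses, which are constructed inline rather than captured from a real host. The strict signature is the window.open("readme.eml", ...) line described in the CERT advisory CA-2001-26 that Alan links; the loose check is the plugin's own "readme.eml" test, kept here to show why it can false-positive.

```python
"""Nimda web-infection checks (added example; not the list's NASL plugin).

Constructed data only: nothing is fetched from the network.
"""
import re

# Filenames Sophos listed as modified (quoted in the thread); "/" is the
# default document of the root, which the original plugin requested.
CANDIDATE_PATHS = ["/", "/index.html", "/index.htm", "/index.asp",
                   "/readme.html", "/readme.htm", "/readme.asp",
                   "/main.html", "/main.htm", "/main.asp",
                   "/default.html", "/default.htm", "/default.asp"]
ADMIN_DLL_PATH = "/msadc/Admin.dll"  # Matt's suggested extra probe

# Strict signature: the JavaScript CA-2001-26 reports the worm appends to
# pages. Whitespace and quote style are allowed to vary; case-insensitive.
STRICT_RE = re.compile(
    r'<script[^>]*>\s*window\.open\(\s*["\']readme\.eml["\']\s*,\s*null\s*,'
    r'\s*["\']resizable=no,top=6000,left=6000["\']\s*\)\s*</script>',
    re.IGNORECASE)
# Loose check: what the thread's plugin greps for.
LOOSE_RE = re.compile(r'readme\.eml', re.IGNORECASE)


def build_request(path, host=None, version="1.0"):
    """Return a raw HTTP request. With host=None no Host: header is sent, so
    a name-based virtual server cannot be selected (the 'just uses the IP'
    case). HTTP/1.1 requires Host, so that combination is refused."""
    if version == "1.1" and host is None:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    lines = [f"GET {path} HTTP/{version}"]
    if host is not None:
        lines.append(f"Host: {host}")
    lines += ["User-Agent: nimda-check/0.1", "Connection: close", ""]  # assumed UA
    return "\r\n".join(lines) + "\r\n"


def probe_plan(ip, hostname=None, paths=CANDIDATE_PATHS):
    """List of (label, raw_request): every candidate file at the IP-addressed
    root and, when a hostname is known, at the virtual server too; then
    Admin.dll once. 'ip' is only used for labelling here."""
    plan = [(f"ip:{p}", build_request(p, host=None)) for p in paths]
    if hostname:
        plan += [(f"vhost:{p}", build_request(p, host=hostname, version="1.1"))
                 for p in paths]
    plan.append((f"ip:{ADMIN_DLL_PATH}", build_request(ADMIN_DLL_PATH, host=None)))
    return plan


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"bad status line: {status_line!r}")
    return int(parts[1]), body


def classify_page(body):
    """'infected' on the strict signature, 'suspicious' on the loose token
    only (the original plugin's test), otherwise 'clean'."""
    if STRICT_RE.search(body):
        return "infected"
    if LOOSE_RE.search(body):
        return "suspicious"
    return "clean"


def admin_dll_present(raw_response):
    """True when the Admin.dll probe answers 200; any other status is absent."""
    status, _ = parse_response(raw_response)
    return status == 200


# --- constructed sample responses (not real captures) ---------------------
INFECTED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            "<html><body>Welcome</body></html>\n"
            '<html><script language="JavaScript">window.open("readme.eml", null, '
            '"resizable=no,top=6000,left=6000")</script></html>')
FALSE_POSITIVE = ("HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<html><body>Do not open attachments named readme.eml.</body></html>")
CLEAN = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>Hello</body></html>"
ADMIN_DLL_404 = "HTTP/1.0 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h1>Not found</h1>"
ADMIN_DLL_200 = "HTTP/1.0 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ..."


def run_samples():
    """Classify each constructed response; returns a dict of results."""
    pages = [("infected", INFECTED), ("false_positive", FALSE_POSITIVE), ("clean", CLEAN)]
    results = {name: classify_page(parse_response(raw)[1]) for name, raw in pages}
    results["admin_dll_404"] = admin_dll_present(ADMIN_DLL_404)
    results["admin_dll_200"] = admin_dll_present(ADMIN_DLL_200)
    return results


if __name__ == "__main__":
    for label, req in probe_plan("192.0.2.10", hostname="www.example.com")[:2]:
        print(label, req.splitlines()[:2])
    print(run_samples())
```

The FALSE_POSITIVE sample is why the loose check alone is weak: a page that merely mentions readme.eml trips it, while the strict regex only fires on the appended window.open() line. Two caveats for anyone turning this into a scanner: the Admin.dll probe trusts the status code, and a server configured to answer 200 with a custom error page would pass it, so check the Content-Type or body as well; and the IP-versus-Host split only helps against name-based virtual hosting, since IP-based virtual servers are selected by the address you connected to regardless of the header.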