Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
GayanWeerarathna
51 views
33 slides
Nov 15, 2022
Slide 1 of 33
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
About This Presentation
Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation
In this presentaion wwe are mainly focussing on the blow mentioned key topics related to NIMDA warm;
What is NIMDA ?
Propagation via Windows Shares, Web & Emails.
How NIMDA works via web browsers?
What can Attacker Do a...
Slide Content
Analysis on NIMDA Worm in Windows | Exploitation | Detection | Propagation Weerarathna P.G.G.G.
Hello! I am Gayan Weerarathna Lets get started with todays presentation… 😉😉 2
CONTENT 1). Introduction 2). Propagations 3). Exploitation 4). Detection 5). Eradication 6). Protection 7). Recommendations 8). References 3
Weekly Roadmap 4 1 3 5 6 4 2 Introduction Exploitation Protection Propagations Detection Conclusion
5
1 Introduction
What is NIMDA ? 1 NIMDA which is the backword spelling of word “ADMIN” It is a malicious file infection computer warm that got infected to Windows IIS servers and Internet Explorer and made them weak Occurred in 18 th of September 2001
What is NIMDA ? 1 Uses commands that trick the targeted program into granting access Worst case scenario – reformatting of affected disks + program reinstallation Mainly takes advantage of out-of-date MS applications on networked computers servers with vulnerable Internet Information Service (IIS) PCs running vulnerable Internet Explorer (IE)
2 Propagation
User may have read, write, connect, delete, and execute privileges on any file system It depends on configuration established by the sys admin A share with no password = successful infection Makes multiple MIME-encoded duplicates 10 1) Windows Shares
First, check for previous infections of "Code Red II" worm Second, check for Microsoft exploits that Nimda uses. User infection 11 2) Web
Use MAPI service to collect email addresses from infected machines Then send emails with attachment called “readme.exe” Any vulnerable IE user can be infected by that attachment Email Propagation characteristics: Variable mail subject Closely 57344 (bytes) size attachment 12 3) Email
3 Exploitation
3
What can Attacker Do after Compromising Your System? 3 Passwords can be stolen or changed Placing keystroke-logging software in your device Reconfiguration of Firewall rules Sending harmful content using victim`s e-mail address
CVEs related to Nimda 3 "Web Server Folder Traversal" vulnerability (CVE- -2000-0884) "Directory Traversal" vulnerability (CVE--2001- 0333) "MIME Attachment Execution" (CVE- 2001—0154) "Office 2000 dll Execution“ (CVE--2000-0854)
4 Detection
Signs of Infection 4 root.exe file string like: [/c+tftp percent 20- I percent 20x.x.x.x percent 20GET percent 20Admin.dll percent 20d:Admin.dll] inside the IIS logs Admin.dll file inside any root folders .nws / .eml files in multiple directories
Signatures 4 web server logs contain the following signatures
5 Eradication
5 All the identifies systems were entirely rebuilt or fixed Some infected servers kept sending infection techniques to others Systems were rebuilt using an Windows NT 4.0 SP3 image which seems to be much reliable in this case Immediately after the infection all the necessary systems were quarantined.
6 Protection
6 Awareness Scale up your network should be parallel with its security also On both servers and workstations, virus identification software all should be kept up to date Implement a mission critical backup process Approved and trusted virus protection for all the platforms and OS Make it a habit for everyone to follow security best practices
6 Operating Systems Microsoft Windows 95 Microsoft Windows ME Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 workstation Protocols HTTP ARP SMTP TFTP SMB TCP/IP Key Aspect Involved
6 Applications Internet Explorer Windows Explorer Outlook Services Microsoft IIS 4.0 MAPI Microsoft IIS 5.0 Net BIOS Key Aspect Involved
7 Recommendations
For Network Admins 7 Ingress filtering Must be used to prevent externally started inbound connection(s) to unauthorized services at the boundary. Only device that need the allow inbound connections are, severs. Port 80/TCP >> can stop copies of NIMDA Filtering ports 69/UDP >> can stop the worm from being downloaded to IIS using TFTP
For Network Admins 7 Egress filtering Outbound connections towards the Internet are required by machines offering public services Port 69/UDP >> can restrict certain components of the worm's spread
For End User Systems 7 Keep using a reliable Antivirus Product Disable Java Scripts Do NOT open suspicious attachments in e-mails Use the patch provided by your vendor
8 References C. M. University, “resources.sei.cmu.edu,” 12 2001. [Online]. Available: https://resources.sei.cmu.edu/library/assetview.cfm?assetID=496190 cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2000-0884 cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2001-0333 cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2001-0154 cve.mitre.org, “CVE,” [Online]. Available: http://cve.mitre.org/cgibin/cvename.cgi?name=CVE-2000-0854 R. Lemos, “ZDNET,” 19 09 2001. [Online]. Available: https://www.zdnet.com/article/helpand-howto-nimda/
9 Methodology The goal of this research is to understand more about the NIMDA Worm: Exploitation, Detection, and Propagation in Windows. The research for this topic was conducted using a Google survey, websites, books, academic studies, research papers and lectures. Using all of the aforementioned sources, I acquired the required data and analytics for my study.
10 Conclusion The core idea behind NIMDA's findings is that it will weaken the system's confidentiality, exposing it to future attacks by making it susceptible through file changes. Furthermore, this warm attack has resulted in a significant amount of unavailability in the target systems. NIMDA uses a variety of propagation techniques, including email propagation, Windows share propagation and Web propagation. Other than the major themes, this research report also covers subtopics such as NIMDA eradication, how to guard against NIMDA, and expert suggestions/recommendation om how to protect from NIMDA.
Thank You ! Stay Safe. 33
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 51
- Slides 33
- Age 1113 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
46 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
46 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
20 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
24 views