Thursday, February 11, 2010

defend your computer

New Internet worm on loose. US Attorney General John Ashcroft held a press conference 9/18/01 to announce the most dangerous Internet worm yet, dubbed variously Code Blue and Nimda. It attacks through an email attachment (the attachment is "readme.exe"), by infecting Explorer browsers, propagating through netbios shares, and by directly attacking web servers.

From:

Colleagues,

We and many other Internet sites are presently experiencing two types of attacks:

1. Infected email. The subject line on email sent to you is variable. The attachment is "readme.exe" and has a MIME type of "Content-Type: audio/x-wav;". This virus is "network aware", which means it spreads through open, unpassworded NetBIOS shares. This is called the W32/Nimda.a@mm.

2. A browser-based attack that seeks to infect the target's web server. This attack is now termed Code Blue.

From: Davis, Matt [mailto:matt.davis@countryfinancial.com]
Sent: Tuesday, September 18, 2001 11:44 AM
To: Davis, Matt
Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; incidents@securityfocus.com; unisog@sans.org
Subject: Some more details on the worm

When pages are served up by an infected server, it looks as though readme.eml is 'attached' to them. The server attempts to get the client to open them through the following bit of code (from the .dll file):

According to Slashdot, this causes the file to be automatically opened and executed by the client. I haven't been able to confirm or deny that (but if someone can, please do).

Regards,
Matt

--
Matt Davis, MCP
Intermediate Client Server Business Support Analyst
COUNTRY(SM) Insurance & Financial Services
309-821-6288
mailto:matt.davis@countryfinancial.com

How your web browser can get infected by Nimda.

From: Russ
Subject: Alert: Check your IIS boxes now!
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Numerous people have reported that on IIS servers infected with
w32.nimda.amm, when visitors browse to their website the visitor is
offered up README.EML, which in turn downloads README.EXE to the
visitor.

Please, check your IIS boxes now to see if you are infected. I've had
reports of IIS servers with more than 10,000 .eml files present
(mostly as a result of nimda).

While we don't have any conclusive disinfecting procedures yet, any
IIS box that has been infected definitely shouldn't be available to
clients until we do.

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
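Two of the indicators above lend themselves to a quick defensive check: the mail-side mismatch between an executable attachment name ("readme.exe") and its declared "audio/x-wav" content type, and Russ's observation that infected IIS servers accumulate large numbers of .eml files under the web root. The following is an added example written for this page, not code from NTBugtraq, Happy Hacker or any of the quoted authors; the sample message and the stand-in web root are constructed inline with inert placeholder content, and the function names are my own.

```python
import email
import os
import tempfile
from email import policy
from email.message import EmailMessage

# Executable extensions that should never arrive declared as an audio/* (or other non-application) part
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}

def suspicious_attachments(raw_message: bytes) -> list:
    """Return (filename, declared content type) for parts whose executable extension contradicts the MIME type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # body parts without a filename are not attachments
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()  # lower-cased, e.g. "audio/x-wav"
        if ext in EXECUTABLE_EXTS and not ctype.startswith("application/"):
            hits.append((name, ctype))
    return hits

def count_eml_files(webroot: str) -> int:
    """Count .eml files under a web root; a large count is the infection indicator Russ describes."""
    total = 0
    for _dirpath, _dirnames, filenames in os.walk(webroot):
        total += sum(1 for f in filenames if f.lower().endswith(".eml"))
    return total

def build_sample_message() -> bytes:
    """Constructed sample shaped like the reported mail: readme.exe labelled audio/x-wav, inert text payload."""
    msg = EmailMessage()
    msg["Subject"] = "(subject varies)"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg.set_content("See attachment.")
    msg.add_attachment(b"inert placeholder bytes", maintype="audio", subtype="x-wav", filename="readme.exe")
    return bytes(msg)

def make_demo_webroot() -> str:
    """Constructed stand-in for an IIS web root: two .eml files plus one ordinary page (hypothetical layout)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "scripts"))
    for rel in ("readme.eml", os.path.join("scripts", "ABCDE.eml"), "default.htm"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    return root
```

Running `suspicious_attachments(build_sample_message())` flags the readme.exe/audio/x-wav pair, and `count_eml_files(make_demo_webroot())` reports the two planted .eml files; point the second function at a real web root to get the count Russ asks administrators to check.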

Is hacktivism the answer? In the aftermath of the terrorist attacks of Sept. 11, some hackers are trying to organize strikes against Middle Eastern nations. This is a very bad idea. Almost all Middle Eastern nations hate terrorist leader Osama bin Laden and are our allies in bringing him to justice. The only government on the side of the terrorists is Afghanistan. Most of the people of Afghanistan also hate bin Laden and their Taliban oppressors. We need to leave Afghanistan's Internet access up so US cyberwarfare experts can use it for their own rather, ahem, interesting uses.

NIPC (US National Infrastructure Protection Center) has "already received reports of individuals encouraging vigilante hacking activity. Those individuals who believe they are doing a service to this nation by engaging in acts of vigilantism should know that they are actually doing a disservice to the country," their advisory stated. See "It sucks to be me" for details on how these hacktivists are actually harming the war against terrorism.

We at Happy Hacker wish to thank those hackers who have helped quiet down over-eager volunteers. Responding to the attacks on America is an extremely delicate operation. If you want to play a role in defending us in time of cyberwar, here are some concrete steps you can take.

First, President Bush will let you know if he needs hacker vigilantes to help. Right now he does NOT WANT VIGILANTE HELP. He probably NEVER will want vigilante help. The kind of baloney that went on with the US/China hacker war of April-May 2001 was an unfortunate holdover from Clinton Administration policies. The Oct. issue of Scientific American carries Carolyn Meinel's analysis of this unfortunate fubar of foreign policy.
