[Snort-sigs] Sigs DB info for SID 1290

David Wilburn bug at ...270...
Sat Jun 22 08:44:03 EDT 2002


See attached.  Here's hoping the online signature DB gets fixed soon.

-Dave Wilburn
Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flow:to_client,established; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; reference:url,www.cert.org/advisories/CA-2001-26.html; rev:7;)
--

Sid:
1284

--

Summary:
The source web server may have sent a web page to the destination web client
with malicious mobile code.  This malicious mobile code instructs the
web client to download and execute a Nimda-infected .EML attachment.
The destination web client may have been duped into downloading a
Nimda-infected attachment from the source web server.

--
Impact:
A Nimda-infected web server may have spread the Nimda worm to the web
client.

--
Detailed Information:
One of the methods the Nimda worm uses to propagate is by passing malicious
mobile code from an infected web server to a web client.  The Nimda-infected
mobile code often uses the filename extension ".EML".

--
Attack Scenarios:
The fully automated Nimda worm that has already infected an IIS web server
searches through and infects the local web pages with malicious JavaScript.
When a vulnerable web client attempts to load a web page from this server,
the JavaScript will cause the web client to download and execute the
Nimda-infected readme.eml file, causing the web client to become
Nimda-infected.

--
Ease of Attack:
The Nimda worm is fully automated and spreads rapidly.

--
False Positives:
This signature may generate false alarms on web pages that describe the Nimda worm.

--
False Negatives:
The Nimda worm may spread via any file with the .EML or .NWS extension, not
just readme.eml.  This rule will not catch other .EML or .NWS files.
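The following is an added example (not part of the original post or the Snort distribution) that emulates the rule's case-insensitive content match over constructed HTTP response bodies, so the False Positives and False Negatives cases above can be seen side by side. The sample bodies and the broader .eml/.nws regex are assumptions for illustration, not something the rule itself does.

```python
import re

# The literal content match from SID 1290 as given in the rule above
# (content:"window.open(\"readme.eml\""; nocase;).
RULE_CONTENT = 'window.open("readme.eml"'

# Constructed sample HTTP response bodies (not real captures).
SAMPLES = {
    # Injected script that autoloads readme.eml in an off-screen window.
    "infected_page": (
        '<html><script language="JavaScript">'
        'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
        '</script></html>'
    ),
    # Security write-up quoting the same snippet: the False Positives case.
    "advisory_page": (
        "<p>Nimda appends <code>window.open(\"readme.eml\", null, ...)</code> "
        "to every HTML file it can reach.</p>"
    ),
    # Same technique with a different .eml name: the False Negatives case.
    "renamed_eml_page": (
        '<script>window.open("sample.eml", null, "top=6000,left=6000")</script>'
    ),
    # Upper-case variant: still caught because the rule sets nocase.
    "uppercase_page": 'WINDOW.OPEN("README.EML", null)',
}

def sid1290_matches(body: str) -> bool:
    """Emulate the rule's content match: a case-insensitive substring test."""
    return RULE_CONTENT.lower() in body.lower()

# Assumed broader check (not from the rule) for any .eml or .nws autoload,
# covering what the False Negatives section says SID 1290 misses.
EML_AUTOLOAD = re.compile(r'window\.open\(\s*"[^"]+\.(eml|nws)"', re.IGNORECASE)

def generic_eml_autoload(body: str) -> bool:
    """True when any quoted .eml/.nws filename is passed to window.open()."""
    return EML_AUTOLOAD.search(body) is not None

def classify(samples=SAMPLES):
    """Return {sample name: (SID 1290 hit, broader .eml/.nws hit)}."""
    return {name: (sid1290_matches(b), generic_eml_autoload(b))
            for name, b in samples.items()}

if __name__ == "__main__":
    for name, (narrow, broad) in classify().items():
        print(f"{name:18} SID1290={narrow!s:5} any_eml_nws={broad}")
```

Note that the advisory page fires SID 1290 exactly as the False Positives section warns, while the renamed .eml page does not, which is why the Corrective Action step of inspecting the captured packet matters.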

--
Corrective Action:
Examine the captured packet to determine whether the traffic was from a
Nimda-infected web server or just security web pages describing how the Nimda
worm works.
Examine both the web server and the web client to determine whether they
are Nimda-infected.

--
Contributors:

--
References:
http://www.incidents.org/react/nimda.pdf
http://www.cert.org/advisories/CA-2001-26.html
