Nimda defense using *nix + Apache
Ok, I know you all are going to think I am crazy for posting this idea, but I don't really care :flip:
What I am proposing is to use Apache + *nix as a tool in the defense from the Nimda virus.
First let's look at the attack sequence from Nimda:
xxx.xxx.xxx.xxx -- [date] "GET /scripts/root.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /MSADC/root.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
And so on, using different hex values to obtain and execute cmd.exe.
Now we can do one of a few different things.
One would be to create the directory structure that Nimda is looking for and add it into httpd.conf as an alias.
(we need this to be an executable directory)
Or create a winnt file structure in a file and mount it using the loopback device (not sure about this one).
Now what we would do is build a script (perl anyone?) and name it cmd.exe, then place it in the newly created file structure. (someone in antichat stated that cmd.exe is a Windows executable, and this wouldn't be possible to "execute" in *nix) Yes I know this, but so what, *nix really doesn't care about file extensions, all we want is to have Nimda "trigger" the script.
Once the script has been "triggered" we could possibly do a couple of different things here.
One would be to have "cmd.exe" scan the infected system for some form of a mail service and have it send a mail to the infected user notifying them of their Nimda problem.
Or we can have "cmd.exe" do a reverse DNS lookup and split the hostname to obtain the "somehost.com", which will more than likely be an ISP, and send a mail to email@example.com asking them to forward or notify the infected user.
Well this is all just a thought I had in my caffeine-induced rants
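The detection and reverse-DNS-notification idea from the post, as an added example that is not part of the original thread: a Python script that recognises the Nimda request patterns shown above in Apache access-log lines (undoing the double URL encoding such as %255c), takes the source IP, and derives a hypothetical abuse@<domain> contact from its reverse DNS name. The log lines, the resolver injection and the abuse@ address format are constructed assumptions, not anything the post specifies.

```python
"""Nimda-style request detector and abuse-contact helper (added example)."""
import re
import socket
import urllib.parse

# Constructed sample log lines modelled on the request patterns quoted in the post.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:10:01:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.10 - - [18/Sep/2001:10:01:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
198.51.100.7 - - [18/Sep/2001:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1234
"""

# Common log format: client IP, ident, user, [timestamp], "METHOD PATH PROTOCOL"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

def decode_path(path):
    """Undo the double URL encoding Nimda uses (%255c -> %5c -> '\\'), normalise slashes and case."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(path))
    return decoded.replace("\\", "/").lower()

def is_nimda_request(path):
    """True for the root.exe and cmd.exe-via-traversal requests seen in the worm's scan sequence."""
    p = decode_path(path)
    return ("root.exe" in p) or ("cmd.exe" in p and ("winnt/system32" in p or "../" in p))

def parse_nimda_hits(log_text):
    """Return (ip, raw_path) for every log line that matches a Nimda request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_nimda_request(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits

def registrable_domain(hostname):
    """The post's 'split the hostname' step: keep the last two labels of the PTR name.
    This is a heuristic; it ignores multi-label suffixes such as .co.uk."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname

def abuse_contacts(hits, resolver=socket.gethostbyaddr):
    """Map each offending IP to an assumed abuse@<domain> address, or None if no PTR record exists.
    The resolver is injectable so the lookup can be replaced offline."""
    contacts = {}
    for ip, _ in hits:
        if ip in contacts:
            continue
        try:
            host = resolver(ip)[0]
        except OSError:  # socket.herror / gaierror are OSError subclasses
            contacts[ip] = None
            continue
        contacts[ip] = "abuse@" + registrable_domain(host)
    return contacts
```

Run it against a real access log by passing the file contents to parse_nimda_hits and the result to abuse_contacts; the mail sending itself is left to the operator's mail setup.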