February 1st, 2002, 12:06 AM
Nimda defense using *nix+apache
Ok, I know you all are going to think I am crazy for posting this idea, but I don't really care
What I am proposing is to use apache + *nix as a tool in the defense from the Nimda virus.
First let's look at the attack sequence from Nimda:
xxx.xxx.xxx.xxx -- [date] "GET /scripts/root.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /MSADC/root.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
xxx.xxx.xxx.xxx -- [date] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"
And so on, using different hex values to obtain and execute cmd.exe.
Now we can do one of a few different things possible.
One would be to create the directory structure that Nimda is looking for and add it into httpd.conf as an alias.
(we need this to be an executable directory)
Or create a winnt file structure in a file and mount it using the loopback device (not sure about this one).
Now what we would do is build a script (perl anyone?) and name it cmd.exe, then place it in the newly created file structure. (Someone in antichat stated that cmd.exe is a Windows executable, and this wouldn't be possible to "execute" in *nix.) Yes, I know this, but so what? *nix really doesn't care about file extensions; all we want is to have Nimda "trigger" the script.
Once the script has been "triggered" we could possibly do a couple of different things here.
One would be to have "cmd.exe" scan the infected system for some form of a mail service and have it send a mail to the infected user notifying them of their Nimda problem.
Or we can have "cmd.exe" do a reverse DNS lookup and split the hostname to obtain the "somehost.com", which will more than likely be an ISP, and send a mail to firstname.lastname@example.org asking them to forward or notify the infected user.
Well, this is all just a thought I had in my caffeine-induced rants.
"UNIX is basically a simple operating system, but you have to be a genius to understand the simplicity."
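The detection side of the idea above, as an added example that is not part of the original post: rather than planting a fake cmd.exe, this script reads Apache access-log lines, undoes the double URL-encoding the worm uses (`..%255c..` becomes `..\..` only after two decoding passes), flags requests for root.exe or cmd.exe, and counts them per source address. The `abuse_contact` helper does the "split the hostname" step on a reverse-DNS name that you have already looked up; the `abuse@` mailbox convention and the sample log lines are assumptions I constructed for the example, not values from the page.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample Apache access-log lines (common log format), not real traffic.
# The first five mirror the probe sequence quoted in the post; the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2002:00:06:12 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [01/Feb/2002:00:06:12 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [01/Feb/2002:00:06:13 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [01/Feb/2002:00:06:13 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
10.0.0.5 - - [01/Feb/2002:00:06:14 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276
192.0.2.44 - - [01/Feb/2002:00:07:01 -0500] "GET /index.html HTTP/1.0" 200 1432
192.0.2.44 - - [01/Feb/2002:00:07:02 -0500] "GET /images/logo.gif HTTP/1.0" 200 8120
"""

# Fields of a common-log-format line that we care about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The two binaries every Nimda probe in the post tries to reach.
PROBE_RE = re.compile(r'/(?:root|cmd)\.exe', re.IGNORECASE)


def decode_path(path):
    """Apply URL decoding repeatedly so double-encoded traversal is visible.

    '/scripts/..%255c../' -> '/scripts/..%5c../' -> '/scripts/..\\../'
    The loop is bounded so a hostile path cannot keep us decoding forever.
    """
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, urllib.parse.unquote(cur)
    return cur


def is_nimda_probe(path):
    """True when the fully decoded request path asks for root.exe or cmd.exe."""
    return bool(PROBE_RE.search(decode_path(path)))


def scan_log(text):
    """Return {source_ip: probe_count} for every address that sent a probe."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_nimda_probe(m.group('path')):
            hits[m.group('ip')] += 1
    return dict(hits)


def abuse_contact(hostname):
    """Reduce a reverse-DNS name such as 'dsl-12-34.pool.somehost.com' to the
    registrable domain and build an abuse mailbox for it (assumed convention).

    Returns None for single-label names (e.g. 'localhost') that carry no domain.
    Caveat: taking the last two labels is what the post proposes, but it is
    wrong for country-code registries like 'example.co.uk'.
    """
    labels = hostname.rstrip('.').lower().split('.')
    if len(labels) < 2:
        return None
    return 'abuse@' + '.'.join(labels[-2:])


if __name__ == '__main__':
    for ip, count in sorted(scan_log(SAMPLE_LOG).items()):
        print(f'{ip}: {count} Nimda probe(s)')
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file contents. Everything here is offline and read-only: it only identifies the probing hosts, leaving the reverse lookup and any notification to a separate step a human reviews, which is the safer shape for the "notify the ISP" half of the idea.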
February 1st, 2002, 04:31 PM
This same thing has been discussed quite thoroughly on both SecurityFocus' Bugtraq and Focus-MS mailing lists lately. I'd recommend signing up if you really want to keep on the up and up about what vulnerabilities have been discovered.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?