From: Greg Francis (francisGONZAGA.EDU)
Date: Sat Sep 22 2001 - 18:20:05 CDT


    What you've indicated is certainly a significant danger of this worm. Once a
    system has been compromised by the worm, you essentially have lost integrity
    on that system, even after you've removed the worm. The CERT advisory on the
    NIMDA worm (http://www.cert.org/advisories/CA-2001-26.html) says that the
    only safe way to recover is to reinstall the server. However, what if that
    server happened to be the PDC or a BDC or an Active Directory DC? In that
    case, the SAM/AD is potentially compromised for the domain. Of course, it's
    not good practice to have IIS running on a DC but that doesn't stop it from
    happening. The fact that an infected server is broadcasting its IP around
    the world doesn't help since it merely advertises compromised systems. A
    wily hacker could use that information to infect a system (or many) and then
    go in later at their leisure to probe what's on that system.

    The point is, the procedures that are being documented to remove NIMDA (and
    Code Red II) often don't discuss the potential side effects of the infection
    other than the direct impact of the infection itself. I'd say that whole
    networks have been compromised and won't be fixed because people aren't
    looking beyond the obvious.

    Greg

    on 9/20/2001 8:26 PM, Poomba1 at poomba1.geoYAHOO.COM wrote:

    > One thing puzzles me with respect to all this "nimda" clean up
    > documentation. From articles I've read here in this group and others,
    > most couldn't resist but to map a default admin share from a system that
    > was banging away at their network. I myself used a "shutdown" utility to
    > stop a machine on a neighboring subnet. There seems to be no concern or
    > mention that a compromised machine could very well have its entire SAM
    > compromised.
    > My theory is simple, what is to say a compromised system hasn't had its
    > "config" folder looked into? Maybe some alternate script used the intense
    > scanning of its own network to determine infected machines. Then went out
    > and captured the SAM and has legitimate username/password info (from using
    > a variety of utilities freely available) of some 100,000 machines. So 9/10
    > machines have people who do reset and change all passwords, that would
    > still leave a possible 10,000 machine "zombie" force that one could have
    > legitimate logon credentials for. Do people feel it is too far fetched? If
    > your web server on the wire was compromised, would you be willing to take
    > the chance? Everyone talks about how these cleanup utilities will get you
    > back on track. Great, now someone can return in a couple weeks to take
    > control without having to break in.
    >

    --
    Greg Francis
    Sr. System Administrator
    Gonzaga University
    francisgonzaga.edu
    509-323-6896
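As an added example (not part of Greg's or Poomba1's messages), the Python script below makes Greg's point concrete: it pulls the worm's probe traffic out of IIS W3C extended log lines and reports two things. First, every remote host that sent a probe, which is exactly the list of self-advertised infected machines that anyone watching a web server's logs can collect. Second, any probe this server answered with HTTP 200, which means the requested command interpreter was reachable and the host itself has to be treated as compromised rather than merely "scanned". The probe URIs are the ones listed in CERT CA-2001-26; the log field order, the sample log lines (constructed for this example, using documentation address ranges) and the decision to treat status 200 as a successful probe are assumptions made here.

```python
"""Pull Nimda/Code Red II probe traffic out of IIS W3C extended log lines.

Probe URIs follow CERT CA-2001-26. The field order, sample log and the
'200 means success' rule are assumptions made for this example.
"""
import re
from collections import Counter

# Once the traversal is decoded, every worm probe asks for one of these.
PROBE_TARGETS = ("/scripts/root.exe", "/msadc/root.exe", "/winnt/system32/cmd.exe")

# Encodings the worm uses in its traversal probes (CA-2001-26), mapped to the
# separator they decode to. %35c is a double-encoded %5c, so it goes first.
_ENCODINGS = (
    ("%35c", "%5c"),
    ("%c0%af", "/"), ("%c1%1c", "\\"), ("%c1%9c", "\\"), ("%c0/", "/"),
    ("%5c", "\\"), ("%2f", "/"),
)

# Used only when the log carries no '#Fields:' directive (assumption).
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method",
                  "cs-uri-stem", "cs-uri-query", "sc-status"]


def normalise_uri(stem):
    """Decode the worm's traversal encodings and collapse '..' segments.

    Assumes the log records cs-uri-stem as received (undecoded). Over-decoding
    a benign URI can only produce a false positive, which is acceptable here.
    """
    u = stem
    for enc, plain in _ENCODINGS:
        u = re.sub(re.escape(enc), lambda _m, p=plain: p, u, flags=re.IGNORECASE)
    segments = []
    for seg in u.replace("\\", "/").split("/"):
        if seg == "..":
            if segments:
                segments.pop()      # traversal above the root just stops at '/'
        elif seg:
            segments.append(seg)
    return "/" + "/".join(segments)


def is_probe(stem):
    return normalise_uri(stem).lower() in PROBE_TARGETS


def parse_w3c(lines):
    """Yield one dict per data line, honouring a '#Fields:' directive if present."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) < len(fields):
            continue                # truncated line, skip it
        yield dict(zip(fields, values))


def analyse(lines):
    """Return (probe count per source IP, probes this server answered with 200)."""
    probers = Counter()
    successes = []
    for rec in parse_w3c(lines):
        if rec["cs-method"].upper() != "GET" or not is_probe(rec["cs-uri-stem"]):
            continue
        probers[rec["c-ip"]] += 1
        if rec["sc-status"] == "200":   # assumption: 200 == the interpreter ran
            successes.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                              normalise_uri(rec["cs-uri-stem"]), rec["cs-uri-query"]))
    return probers, successes


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 14:02:11 192.0.2.10 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:11 192.0.2.10 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:12 192.0.2.10 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:12 192.0.2.10 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:03:40 198.51.100.7 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:03:40 198.51.100.7 GET /scripts/..%35c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:05:02 203.0.113.4 GET /index.htm - 200
2001-09-18 14:05:03 203.0.113.4 GET /images/logo.gif - 200
2001-09-18 14:06:10 192.0.2.10 GET /scripts/root.exe /c+dir 200
"""

if __name__ == "__main__":
    probers, hits = analyse(SAMPLE_LOG.splitlines())
    print("Hosts advertising themselves as infected (probe count):")
    for ip, n in probers.most_common():
        print(f"  {ip:16} {n}")
    if hits:
        print("Probes this server answered with 200; treat the host as compromised:")
        for when, ip, uri, query in hits:
            print(f"  {when} {ip} {uri} {query}")
```

Run it against a real ex*.log with `analyse(open(path).read().splitlines())`. A host that only appears in the first list was scanned by the worm; a host with anything in the second list has the same integrity problem Greg describes, and its local SAM (or, if it is a domain controller, the domain's account database) should be assumed copied, whatever the cleanup utility reports afterwards.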
    
