Re: Your focus-ms / focus-ids posting...

From: Naseer Bhatti (naseer@fibre.net.pk)
Date: 09/19/01
Message-ID: <001e01c140e5$57a67620$ec3487cb@z2m8v2>
From: "Naseer Bhatti" <naseer@fibre.net.pk>
To: <root@charliefox.com>, <focus-ids@securityfocus.com>, <focus-ms@securityfocus.com>
Subject: Re: Your focus-ms / focus-ids posting...
Date: Wed, 19 Sep 2001 13:30:10 +0500
> I am a security researcher looking into the Nimda worm. I am currently
> evaluating the binary file of the virus for clues on how it works. I was
> wondering how you arrived at the list of SMTP servers you posted. I cannot
> find any references to the names or IP's in files after disassembly. Did
> you sniff the traffic from a compromised system or find the names / IP's
> somehow embedded in the binary. Any leads you can provide would be greatly
> appreciated.

This is due to the beautiful coding of the code. It won't give you the
real info even after you disassemble it. It always gives you false info even
if you disassemble it. There is also no such reference in the file which
leads you to any info regarding its workings, i.e. outbound connections.
However, you can always check the behaviour of the worm live. I checked it on
my newly made virtual OS. It gives the worm full room to run in. All the
inbound and outbound traffic is monitored and checked piece by piece.

I got the SMTP info from the outbound traffic. I also got some strange info
out of that. The worm also sends info to 2 of the IPs which are not supposed
to be on the internet. I mean, they are multicast addresses:
227.1.116.127 and 239.119.219.117. The alarming one is server1.sans.org
(167.216.133.33).

If the worm does send some of the info to remote machines (SMTP), it can be a
great threat. It means the worm is setting some sort of info for its master.
I have also gathered two possibilities for the working of the worm. First, they
might be random addresses to which the worm is trying to send E-mail. It
collects all the address book entries and tries to send the mail as
replication to all of those IPs. This is less possible because I searched
the address book of the infected system. It doesn't contain any link to the
IPs the worm is sending info to, or the worm is using these servers as its SMTP
relay. Second, as I have discussed earlier, some sort of info to its master.
I was unable to gather that info. However, I am still trying to get that and
hopefully will be able to do so.

If you have or need any further info, please don't hesitate to hook me up
with an E-mail.

Thanks,

Naseer
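The triage the message describes (monitoring a sandboxed host's outbound traffic and noticing SMTP attempts to multicast addresses) can be done mechanically. The following is an added example, not code from this thread or from any of its participants: it takes a constructed list of outbound connection records (destination IP, destination port), classifies each destination as multicast, private or external, and flags SMTP attempts to multicast or external hosts. The sample records reuse the addresses quoted in the message; the `triage` and `classify_destination` names are the example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of outbound connections observed from a sandboxed host,
# as (destination IP, destination port). Not a real capture.
SAMPLE_CONNECTIONS = [
    ("10.0.0.25", 25),          # local mail relay inside the lab
    ("227.1.116.127", 25),      # class D address quoted in the message
    ("239.119.219.117", 25),    # class D address quoted in the message
    ("167.216.133.33", 25),     # external host quoted in the message
    ("192.168.1.40", 80),       # ordinary HTTP to a lab web server
]

SMTP_PORT = 25


def classify_destination(ip_str):
    """Return 'multicast' (224.0.0.0/4), 'private' (RFC 1918 etc.) or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        return "private"
    return "external"


def triage(connections):
    """Group connections by destination class and flag suspicious SMTP attempts.

    A TCP session cannot be established to a multicast group, so SMTP to a
    class D address is a sign of garbage or decoy destinations rather than
    real mail delivery; SMTP to an external host is worth a closer look.
    Returns (grouped, flagged) where flagged is a list of (ip, class).
    """
    grouped = defaultdict(list)
    flagged = []
    for ip, port in connections:
        cls = classify_destination(ip)
        grouped[cls].append((ip, port))
        if port == SMTP_PORT and cls in ("multicast", "external"):
            flagged.append((ip, cls))
    return dict(grouped), flagged


if __name__ == "__main__":
    grouped, flagged = triage(SAMPLE_CONNECTIONS)
    for cls, dests in grouped.items():
        print(cls, dests)
    print("flagged SMTP destinations:", flagged)
```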