March 1, 2002
Intruder Alert 3.6 Microsoft IIS Log Monitoring Policies

There are distinct attack patterns delivered to the Microsoft IIS web server by different versions of the Code Red and Nimda worms. The IIS - Code Red Worm Policy and IIS - Nimda Worm Policy monitor incoming HTTP traffic to the web server for these attack patterns. This update also includes the Vulnerable CGI Script Policy, to which we added 32 rules that check for IIS-specific CGIs, and the Delete ITA Filter Log Policy, which manages the size of the ITA Filter Log (this is a 'Configure to Detect' policy; see below for configuration instructions). These policies only work if the ITAFilter.dll has been installed and configured on the appropriate host according to the instructions below. The .dll and additional information can be found here:

Download Intruder Alert Policies


Download ITA ISAPI Filter

Affected Platforms

Windows 2000, Windows NT Agents

Microsoft IIS - Code Red Worm Policy

The Code Red worm is malicious code sent as an HTTP request (Code Red Write-Up). The worm's HTTP request exploits a known buffer-overflow vulnerability in Microsoft's IIS web servers (Symantec Security Response Advisory). This vulnerability was publicly acknowledged, and a patch protecting against it has been available since 18 June 2001 (Microsoft Security Bulletin MS01-033). This policy detects multiple attack patterns matching the different Code Red worms. These patterns are configured in one rule for efficiency. This policy is a 'Drop and Detect' policy when used with the ITA ISAPI Filter provided in this update.

The policy is available here.

Policy rules include:

  • Code Red Detected:
    This policy detects multiple versions of the Code Red worm. This worm attempts to overflow a buffer in the ISAPI extensions of the IIS server.

Microsoft IIS - Nimda Worm Policy

The name of this virus came from the reversed spelling of "admin". The worm sends itself out by email, searches for open network shares, attempts to copy itself to unpatched or already compromised Microsoft IIS web servers, and is a virus infecting both local files and files on remote network shares.

The worm uses the Unicode Web Traversal exploit. A patch for computers running Windows NT 4.0 Service Packs 5 and 6a or Windows 2000 Gold or Service Pack 1, and information regarding this exploit, can be found at Microsoft's TechNet website.

When the worm arrives by email, the worm uses a MIME exploit allowing the virus to be executed just by reading or previewing the file. Information and a patch for this exploit can be found at Microsoft's TechNet website.

If you visit a compromised Web server, you will be prompted to download an .eml (Outlook Express) email file, which contains the worm as an attachment. You can disable "File Download" in your Internet Explorer internet security zones to prevent this compromise.

Also, the worm will create open network shares on the infected computer, allowing access to the system. During this process the worm creates the guest account with Administrator privileges.

This policy is a 'Drop and Detect' policy when used with the ITA ISAPI Filter provided in this update.

The policy is available here.

Policy rules include:

  • Nimda Detected
    This policy detects multiple versions of the Nimda worm propagating via vulnerable versions of Microsoft IIS.

Vulnerable CGI Scripts Policy

Most web servers, including Microsoft's IIS, support Common Gateway Interface (CGI) programs to provide interactivity in web pages, enabling functions such as data collection and verification. Default installations of most web servers come with sample CGI scripts; in many cases these sample scripts, and other frequently used scripts, contain vulnerabilities that allow a user to execute code on the local system. Below is a list of vulnerable CGI scripts specific to Microsoft's IIS. This policy is a 'Drop and Detect' policy when used with the ITA ISAPI Filter provided in this update. This policy detects attempts to access any one of the files below.

The policy is available here.

Policy rules include:

  • Agora.cgi Access
    Reference: BugTraq ID: 3976; It is possible for a remote attacker to learn the absolute path of the location of this script thus providing information to be used in future attacks.
  • Anaconda Directory Access
    Reference: CVE-2000-0975; This CGI script contains a bug that would allow an attacker to read arbitrary files via a '..' (dot dot) Directory Traversal attack.
  • Anyform2 CGI Access
    Reference: CVE-1999-0066; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • BNBForm CGI Access
    Reference: CVE-1999-0937; This CGI script contains a bug that would allow an attacker to read arbitrary files on the web server.
  • BNBSurvey CGI Access
    Reference: CVE-1999-0936; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Classifieds.cgi Access
    Reference: CVE-1999-0934; This CGI script contains a bug that would allow an attacker to read arbitrary files on the web server.
  • DCForum.cgi Access
    Reference: CAN-2000-1132; This CGI script contains a bug that would allow an attacker to read arbitrary files on the web server.
  • Extropia Webstore CGI Access
    Reference: CVE-2000-1005; This CGI script contains a bug that would allow an attacker to read arbitrary files via a '..' (dot dot) Directory Traversal attack.
  • GBook.cgi Access
    Reference: CAN-2000-1131; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Info2www Access
    Reference: CVE-1999-0266; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Mailfile.cgi Access
    Reference: CVE-2000-0977; This CGI script contains a bug that would allow an attacker to read arbitrary files on the web server.
  • MultiHTML CGI Access
    Reference: CAN-2000-0912; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Net.Data db2www CGI Access
    Reference: CVE-2000-0677; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • News.cgi Access
    Reference: CVE-2000-0720; This CGI script contains a bug that would allow an attacker to modify the authoring privileges in the program.
  • OpenView5 CGI Access
    Reference: CVE-2000-1058; This CGI script contains a buffer overflow allowing an attacker to execute arbitrary code on the web server.
  • Pollit.cgi Access
    Reference: CVE-2000-1068, CVE-2000-1069, CVE-2000-1070; This CGI program contains multiple bugs allowing an attacker to perform virtually any function on the web server, including arbitrary code execution, administrative changes, and local file reading.
  • Sambar cgitest.exe Access
    Reference: CVE-1999-0070; This CGI script contains a bug that would allow an attacker to list files on the web server.
  • Shop.cgi Access
    Reference: CVE-2000-0921; This CGI script contains a bug that would allow an attacker to read arbitrary files via a '..' (dot dot) Directory Traversal attack.
  • Simplestguest.cgi Access
    Reference: CAN-2001-0022; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Simplestmail.cgi Access
    Reference: CAN-2001-0024; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Status.cgi Access
    Reference: CVE-2000-0056; This CGI script contains a bug that would allow an attacker to cause a Denial of Service to the web server.
  • Textcounter CGI Access
    Reference: CAN-1999-1479; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Viewsrc.cgi Access
    Reference: CVE-1999-0174; This CGI script contains a bug that would allow an attacker to read arbitrary files via a '..' (dot dot) Directory Traversal attack.
  • WEBGais CGI Access
    Reference: CVE-1999-0176; This CGI script contains a bug that would allow an attacker to execute arbitrary commands on the web server.
  • WWWBoard Access
    Reference: CVE-1999-0953; This CGI script contains a bug that would allow an attacker to read encrypted passwords on the web server.
  • Way-Board CGI Access
    Reference: CAN-2001-0214; This CGI script contains a bug that would allow an attacker to read arbitrary files on the web server.
  • WebPALS CGI Access
    Reference: CAN-2001-0217; This CGI script contains a bug that would allow an attacker to read arbitrary files via a '..' (dot dot) Directory Traversal attack.
  • WebSite Uploader.exe
    Reference: CVE-1999-0177; This CGI script contains a bug that would allow an attacker to execute arbitrary code on the web server.
  • Websendmail Access
    Reference: CVE-1999-0196; This CGI script contains a bug that would allow an attacker to access arbitrary files on the web server.
  • Wguest/Rguest Access
    Reference: CAN-1999-0467; This CGI script contains a bug that would allow an attacker to read arbitrary files on the web server.
  • Win-C-Sample Access
    Reference: CVE-1999-0178; This CGI script contains a buffer overflow that would allow an attacker to execute arbitrary commands on the web server.
  • Zml.cgi Access
    Reference: BugTraq ID: 3759; This CGI script contains a bug that would allow an attacker to read arbitrary files via a '..' (dot dot) Directory Traversal attack.
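The three policies above (Code Red, Nimda, and Vulnerable CGI Scripts) all work by matching request patterns in the web server's traffic. The scanner below, an added example that is not Symantec's policy or ITAFilter.dll code, applies the same three checks to constructed IIS W3C extended log lines: an oversized query to the .ida/.idq Index Server ISAPI extension (the Code Red overflow), a directory-traversal path reaching a command shell (the Nimda Unicode traversal), and a request for any script on the CGI watchlist. The 200-byte query threshold and the watchlist subset are assumptions of this example.

```python
"""Scan IIS W3C extended log records for the three attack classes the
Code Red, Nimda and Vulnerable CGI Scripts policies watch for.
Added example; not Symantec's ITA policy or ITAFilter.dll code."""
import re
from urllib.parse import unquote

# Subset of the script names listed in the Vulnerable CGI Scripts policy.
VULNERABLE_CGI = {"agora.cgi", "shop.cgi", "news.cgi", "zml.cgi",
                  "cgitest.exe", "uploader.exe", "db2www"}
# '..' followed by a separator in raw, overlong-UTF-8 (%c0%af, %c1%9c)
# or double-encoded (%255c, %252f) form, as Nimda's traversal used.
TRAVERSAL = re.compile(r"\.\.(?:[/\\]|%2f|%5c|%c[01]%[0-9a-f]{2}|%25(?:2f|5c))", re.I)
SHELL = re.compile(r"(?:cmd|root)\.exe$", re.I)
IDA_QUERY_LIMIT = 200  # assumed threshold; Code Red's .ida query ran to hundreds of bytes


def parse_w3c(text):
    """Yield one dict per record; '#Fields:' names the columns, other '#' lines are directives."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def classify(rec):
    """Return the policy rule name a record trips, or None if it looks benign."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    if stem.lower().endswith((".ida", ".idq")) and len(query) > IDA_QUERY_LIMIT:
        return "Code Red Detected"        # oversized request to the Index Server ISAPI extension
    if SHELL.search(stem) and (TRAVERSAL.search(stem) or TRAVERSAL.search(unquote(stem))
                               or stem.lower().endswith("root.exe")):
        return "Nimda Detected"           # traversal out of /scripts to a shell, or a root.exe probe
    name = unquote(stem).rsplit("/", 1)[-1].lower()
    if name in VULNERABLE_CGI:
        return "Vulnerable CGI Access: " + name
    return None


def scan(text):
    """Return (client ip, uri stem, rule) for every record that trips a rule, in log order."""
    return [(r.get("c-ip"), r["cs-uri-stem"], classify(r)) for r in parse_w3c(text) if classify(r)]


# Constructed sample log: one hit per rule class, plus a benign request.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.10 GET /default.ida {n}%u9090%u6858%ucbd3%u7801%u9090=a 200
2001-09-18 09:15:42 192.0.2.11 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 09:15:43 192.0.2.11 GET /scripts/root.exe /c+dir 404
2002-02-20 11:30:05 192.0.2.12 GET /cgi-bin/shop.cgi page=../../../../winnt/win.ini 200
2002-02-20 11:31:00 192.0.2.13 GET /index.html - 200
""".format(n="N" * 224)
```

Running `scan(SAMPLE_LOG)` yields four hits, one per attack line, and nothing for the /index.html request; feed it the real log once the fields directive matches your IIS logging format.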

Delete ITA Filter Log Policy

This policy manages the size of the ITAFilter.log generated by the ITA ISAPI Filter. When this policy is applied to an agent, an event is appended to the ITAFilter.log file every 20 seconds. When the ITA ISAPI Filter notices that the file has been written to by Intruder Alert, the file is deleted and recreated to manage its size. This is a 'Configure to Detect' policy and works directly with the ITA ISAPI Filter provided. To configure this policy, do the following:

  1. Install the ITA ISAPI Filter and configure the agent monitoring the web server to monitor an external audit log. See section 5.15 in ITA 3.6 User's Guide.
  2. Change the ITA web agent select clause in the Start Timer rule to reflect the name of the agent on the web server.
  3. Ensure the ITAFilter.log is located in the path specified by the Action clause, Append to File, in the Delete ITAFilter.log rule.
  4. Save the Delete ITA Filter Log policy and restart the agent on the web server being monitored.

The policy is available here.

Policy rules include:
  • Start Timer
    This rule detects agent startup and starts a timer that raises a flag every 20 seconds.
  • Raise Flag
    This rule raises a flag every time the timer goes off.
  • Delete ITAFilter.log
    This rule detects the raised flag and appends an entry to the ITAFilter.log marking it for deletion by the ITA ISAPI Filter.

ITA ISAPI Installation Instructions

In order to use the policies associated with IIS the ITA ISAPI Filter needs to be installed on the web server being monitored by an Intruder Alert agent.

Installation Instructions

Download the ISAPI filter from the Symantec Security Response Web site, unzip the itafilter.dll file, and copy it to the %SYSTEMROOT%\system32\inetsrv folder. Then open the Internet Services Manager and select the Server Icon.

  1. Right-Click the selected icon and scroll down until Properties has been selected. Click the Properties Menu item.
  2. Click the Edit button that is next to the Master Properties of the WWW Service.
  3. Click the ISAPI Filters Tab
  4. Click Add. Type a name for the ISAPI filter. Click Browse and select the ISAPI filter that you copied (%systemroot%\system32\inetsrv\ITAFilter.dll).
  5. Click Ok.
  6. Restart the IIS Service. To do this, return to (1) above and select Restart IIS..., or use the Services applet that is located in Control Panel (in Windows NT 4.0).
  7. Browse back to the ISAPI Filters tab (by following steps 1-5) and verify that the filter is loaded properly. You should see a green arrow pointing up under the Status column.

NOTE: The destination folder chosen for the ISAPI filter to reside in should be accessible only by Administrators of the local machine. This will help to ensure that only authorized individuals can modify, replace or move the filter.

NOTE: It is assumed that all the latest applicable security updates, service packs and patches have been installed for each respective version of IIS.

Configuring External Audit Log Monitoring

To configure Intruder Alert to monitor an external audit log, follow the steps below.

  1. In the Registered Agents branch, select the Agent on the web server.
  2. Click NEW. The Audit Log dialog box appears.
  3. In the Description box, type a description of the log file.
  4. In the File Name box, type the path and the filename to monitor. In this case the ITAFilter.log file will be found in the system folder where Intruder Alert was installed (i.e. C:\Program Files\Symantec\ITA\system\ITAFilter.log).
  5. Select Single Line for the single line log file.
  6. Select OK.
  7. Select Save from the Agent Configuration view.


Last modified on: Saturday, 06-Dec-03 12:33:02