Introduction
This practical was written by picking a top 10 port that
appeared on the CID graph at the time of writing. I chose a graph from
Figure 1:CID Graph
Targeted Port: Port 80
- Port 80 is a reserved port number for HTTP Hypertext Transfer Protocol). A Request for Comments (RFC) for this can be found at: http://www.w3.org/Protocols/rfc2616/rfc2616.html
- The most commonly associated service with port 80 is web services.
- Port 80 typically uses the protocol HTTP – The Hypertext Transfer Protocol. It is an application level protocol. This protocol is used in distribution, collaborative, hypermedia information systems. HTTP is a connectionless, stateless protocol that can be used for a number of different purposes such as name servers and distributed object management systems. It achieves this through extensions of its request methods, error codes and headers. A prominent feature of HTTP is the typing and negotiation of data representation, allowing systems to be built independently of the data being transferred.
HTTP is also used as a generic protocol for communication between client applications and proxies/gateways to other internet systems. This includes those supporting the following:
- SMTP – Simple Mail Trasfere Protocol
(http://www.faqs.org/rfcs/rfc821.html)
- NNTP – Network News Transfer Protocol
(http://www.faqs.org/rfcs/rfc977.html)
- FTP – File Transfer Protocol (http://www.faqs.org/rfcs/std/std9.html)
- GOPHER - (http://tangible.media.mit.edu/~ullmer/papers/pgopher/node2.html)
- WAIS - Wide Area Information System (http://psrg.lcs.mit.edu/publications/Papers/icdcsabs.htm)
Because of this, HTTP allows a basic hypermedia access to other resources available from other applications.
The above information was gathered from RFC 2616 and that can be referenced at: http://www.w3.org/Protocols/rfc2616/rfc2616.html.
Exploit Details
Name: Directory Traversal Vulnerability
Operating System: IIS 5
IIS 4
Microsoft NT 4 Server with IIS
Microsoft NT 4 Workstation with IIS
Microsoft NT 4 Server and Workstation SP1 with IIS
Microsoft NT 4 Server and Workstation SP2 with IIS
Microsoft NT 4 Server and Workstation SP3 with IIS
Microsoft NT 4 Server and Workstation SP4 with IIS
Microsoft NT 4 Server and Workstation SP5 with IIS
Microsoft NT 4 Server and Workstation SP6 with IIS
Microsoft NT 4 Server and Workstation SP6a with IIS
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP 1
Microsoft Windows 2000 Professional SP 2
Microsoft Windows 2000
Microsoft Windows 2000 SP 1
Microsoft Windows 2000 SP 2
Microsoft Server 2000
Microsoft Server 2000 SP 1
Microsoft Server 2000 SP 2
Microsoft Advanced Server 2000
Microsoft Advanced Server 2000 SP 1
Microsoft Advanced Server 2000 SP 2
Microsoft Datacenter Server 2000
Microsoft Datacenter Server 2000 SP 1
Microsoft Datacenter Server 2000 SP 2
Microsoft Windows 98 w/personal web server 4
Protocols/Services: This vulnerability affects all versions of Windows with IIS 5 installed and running and the Personal Web Server 4 on Windows 98. It is also commented that this will work on NT 4. For the purpose of this Practical, all my tests were done against Microsoft Windows 2000 with IIS 5 running. The Directory Traversal vulnerability focuses on the Web service within IIS.
Brief Description: In November of 2000, NSFOCUS reported that vulnerability exists with regards to the way IIS handles a request for an executable file. In addition to the mishandling of the executable request, an attacker could also follow the request with some commands for the executable.
Description of Variants
The Unicode exploit was discovered in October 2000. Since its initial conception, which is covered in the Advanced Incident Handling and Hacker Exploit class taught by SANS, there have been updates to this vulnerability. In addition to these updates, attackers have also learned how to better use this exploit to manipulate systems. This practical will cover the more popular to date. Listed below you will find the Microsoft updates as they were announced:
- MS00-057, posted in August 2000, is a security Bulletin that discusses the “File Permission Canonicalization” Vulnerability. This Vulnerability is unrelated to the Directory Traversal Vulnerability outlined in this practical. However, the patch to fix the File Permission Canonicalization Vulnerability fixed the Directory Traversal Vulnerability as well. Please note that this was a coincidence since the Directory Traversal Vulnerability was not discovered yet. For more information on the File Permission Canonicalization Vulnerability see Microsoft’s MS00-0057 Security Bulletin at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
- MS00-078,
posted
- To inform its customers of the new vulnerability and the increased risk it poses.
- To urge customers who haven’t already applied the patch to do so immediately.
This bulletin can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp
- MS00-086,
posted on
- The
final edit came on
How does it work?
Overview
This exploit works by an attacker constructing a URL that would cause IIS to navigate to any desired folder in the same logical drive and access the files in it. This can be achieved by using the Unicode character representations of “/” and “\”. This allows a user to traverse the server to any directory on the same logical drive as the web application. In addition to this, unauthenticated users can perform the following: delete, modify or execute in these directories. This is possible because by default, an attacker will use the IUSR_machinename account. This account is, by default, a member of the Everyone and Users group. By using this method, a remote user with no credentials the same rights as a user who could successfully log on. Therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups, can be manipulated.
Unicode
What is it
To get a better understanding of the Directory Traversal Vulnerability, let’s take a look at Unicode. Unicode provides a unique number for every character. Unicode is completely independent and does not rely on the following in any way:
- Platform
- Program
- Language
The Unicode standard has been adopted by such industry leaders as Apple, HP, IBM, JustSystem, Microsoft, Oracle, SAP, Sun, Sybase, Unisys and many others and is implemented in many Operating Systems and Internet Browsers. Unicode is incorporated into programming languages such as Java, Corba, XML, WML and so on.
Unicode attempts to provide a solution to electronically map every character of every language to a number equivalent. This would create over 65,000 characters that must be broken down into a 16 bit character definition.
For this specific Vulnerability, we will be focusing on the following:
%c0%af = /
%c1%9c = \
The purpose of this practical is to focus on the Vulnerability, therefore, I have decided to supply links to sites and information regarding Unicode versus going into detail on Unicode and how it works.
For more specific information on this, Lucent has written a white paper on it and can be located at: http://www.lucent.com/livelink/197020_Whitepaper.pdf
A good site for reference on the Unicode and UTF-8 can be found at: http://www.unicode.org.
Steven Shields wrote a practical for SANS that goes into details about how Unicode works. This paper will provide details of the method used to transform common characters into Unicode formatted characters. This paper can be referenced at:
http://www.sans.org/infosecFAQ/threats/traversal.htm.
Examples
CERT Example
To take this a step further. IIS restricts files on the server to access only those files located in the web folders. The example below was taken from the Cert Vulnerability Note VU#111677, which can be referenced at http://www.kb.cert.org/vuls/id/111677. Therefore, if a user tries to access a file like this, it will fail because IIS restricts access by default to files outside the web folders:
http://www.target.com/data/winnt/file.dat
In addition, an attempt to execute a file not in a ‘marked as executable’ directory will fail:
http://www.target.com/data/program.exe
This would attempt to download the file instead of execute it.
Now let’s say an administrator wants an executable to be run by the viewer. The administrator can do so by marking the directory in which the executable lies “executable”. Certain folders are already assigned as executable folders by default in an IIS server, ‘Scripts’ is an example of such a folder. So if we take the following and try it again with this knowledge:
http://www.target.com/scripts/program.exe
It would launch. Program.exe would also have to lie in the scripts directory for this to be true. Now, how would you launch a file not in the Scripts folder, in a non-executable privileged folder? Let’s add a twist to this, let’s trick IIS to use the scripts executable settings on a different folder that doesn’t have the right. This is where you will see the Directory Traversal vulnerability:
http:www.target.com/scripts/..%c1%9c.../winnt/system32/cmd.exe?/c+dir
This will work because we use Unicode to bypass IIS checks and reference the Scripts folder where the Scripts folder has executable rights, and direct the privileges to the winnt/system32/cmd.exe file. In other words, launch cmd.exe in the scripts folder.
NET USE Example
If NetBIOS is installed on the target machine, and there are no filtering devices between you and the target (e.g. firewall, router) that deny or drop NetBIOS connection attempts, this is another possible attack using the Directory Traversal Vulnerability.
http:www.target.com/scripts/..%c1%9c.../winnt/system32/cmd.exe?/c+net+use+\\servername\sharename
As you can see, we use the same technique as described in the example above, with the addition of c+net+use+\\servername\sharename.
c+net+use is the input we want in the cmd.exe that we launched. In other words, launch cmd.exe and input into that the command net use. When we use the command net use, we must specify the name of the server we want to attach to and the share we want to use. This information can be gathered multiple ways, which I will not go into. With this command, we have mounted a share on the target system. Now files can be copied, uploaded and downloaded by the attacker. An attacker could upload files or programs by using the Unicode exploit and is important to note since the attacker could upload a Trojan, some kind of remote control software, or even a key logger that will capture all your keystrokes, and your passwords that you use to enter sites like yahoo, hotmail or even online banking.
Breakdown
If we look at a sample, we see the following:
Http://www.target.com/scripts/..%c1%1c.../winnt/system32/cmd.exe?/c+dir
Http://www.target.com/scripts/..%c0%2f.../winnt/system32/cmd.exe?/c+dir
Http://www.target.com/scripts/..%c0%af.../winnt/system32/cmd.exe?/c+dir
Http://www.target.com/scripts/..%c1%9c.../winnt/system32/cmd.exe?/c+dir
Chinese Language Unicode, %c1%1c and %c0%2f, where this exploit was first discovered, is illustrated by the first two listed above. If you try the Chinese Language Unicode on an English Language IIS server, it will fail. The last two, %c0%af and %c1%9c, are the English Unicode translations and will fail to exploit the Chinese Language IIS servers.
To get a good grasp at how this works, let us take a closer look. For this walk through we will examine:
Http://www.target.com/scripts/..%c1%9c.../winnt/system32/cmd.exe?/c+dir
This is the address of our target machine. It can consist of an IP or domain name.
/scripts/
Next we see the directory that has executable rights, the Scripts folder. Now that we have referenced this, we will use the Unicode to take us back to root, where we will traverse to the actual executable we want to run.
%c1%9c
%c1%9c is Unicode for “\”. In essence this takes us back to the root, or the beginning of the drive (e.g. C: or D:).
/winnt/system32/
Here we direct it to the folder where the executable lies. In this case, the command shell executable, or CMD.exe, is located in the winnt/system 32 folder.
cmd.exe?c+dir
Finally, we see our request for the system to launch the cmd.exe executable. The ?c+dir is the command that we want our executable to perform. Here, we ask the CMD.exe to do a directory listing of its scripts directory. Why did it show us the scripts directory? Because winnt/system 32 is the directory where cmd.exe is located, but we ran it from the inetpub/scripts directory.
Example of Exploit
For further illustration, let’s see what this would actually look like. Figure 2 has a screen shot of the results of the command in an Internet Explorer browser.
Figure 2:Sample Output
In Figure 2, we can see how easy it is to view files on a vulnerable system.
Utilization of Exploit
EyeIS
There are many programs out there that exploit this vulnerability. One particular one that comes with an easy to use GUI is eyeIS by parsec. They developed this tool so that they could check their IIS servers quickly. To use this tool, you can download it at http://www.parsec.de.tf/. Once you have downloaded it, install it and launch the executable. I would like to make a note on the opening banner.
Figure 3:Legal Banner
In Figure 3, the banner very clearly states that the author of eyeIS “may log your IP address while using eyeIS.” This program will send out, over the internet, information about you and the system you scan. Therefore, I would not recommend you scanning systems that you do not have permission to scan or that are critical to you or your organization. Click the “Accept” button, and you will see the main GUI as shown in Figure 4.
Figure 4:ParSec Gui
The first step is to tell eyeIS the TFTP client you wish to use. Almost all Operating Systems have this built in, so click the “TFTP Settings” button and input the IP address of the machine you are using eyeIS from. Then, in the space where it says www.yourserver.com, put in a target IP address or a URL that you wish to scan and click the “Connect” button. If it is vulnerable, you will see a screen like the one shown in Figure 5.
Figure 5:ParSec Sample
EyeIS has added functionality beyond what I have described here. It also has the ability to view text documents, upload netcat and then have obtained a limited command shell with your target machine, and so on.
NIMDA
Another attack that will try and use this vulnerability is the NIMDA worm. The NIMDA worm tries several different methods to try and exploit a system, and one way is the IIS/PWS Extended Unicode Directory Traversal Vulnerability. Let’s examine a screen shot of a W3SVC1 log on an IIS 5 server.
Figure 6:IIS Log
The key focus is shown in the last four lines of Figure 6. This is the NIMDA worm trying to exploit this vulnerability on an IIS web server.
As you can see as illustrated above, this exploit can be used
in many different aspects. Everyone from
System Administrators making tools to help you to people writing
Signatures
IIS Logs
The best place will be your IIS logs. They are located in your WINNT/SYSTEM32/LogFiles/ directory in Windows 2000. However, before you look in your logs, you should ensure you are logging the right information so that your log files provide you with the most useful of information. I recommend the following:
- Client IP Address
- User Name
- Service name
- Server IP Address
- Server Port
- Method
- URI stem
- URI Query
- Protocol Status
After you have ensured that your logging is correct, you can open your logs. Figure 7 will show an actual portion of an IIS server on a windows 2000 machine. In Figure 7, please pay note to the last four lines.
Figure 7:IIS Log
These four lines show the NIMDA worm trying to exploit the Directory Traversal vulnerability so that it can infect your machine. In short, if you see any form of:
- %c1%1c
- %c0%2f
- %c0%af
- %c1%9c
In your logs, someone is trying this vulnerability on your system.
Honeynet Project
Lance Spitzner, along with a group of security experts, run a project called “The Honeynet Project.” This project is designed to learn from hackers and crackers. It is a network setup, to simulate a regular, real working environment. The only difference is, that’s it is heavily monitored and logged and it’s not a real company’s network. The project is documented well at their web site http://project.honeynet.org.
One of the key pieces of this project is a part they call “Scan of the Month.” What they do is give you vital pieces of information, log files, and etc, and ask you to figure out what has happened, how a system was exploited, what exploit was used and so on. In February, 2001, they did a piece on the Unicode Directory Traversal Attack. The reason I wish to mention it, is that there are several papers written by people on it. They also include screen shots and very specific definitions on this attack. In addition to this, the Honeynet Team highlighted this attack on their networks in their book entitled “Know Your Enemy”. Let’s take a look at Figure 8. Here we see a specific packet in a binary log format.
Figure 8:Unicode Binary
In this example, we do not see a specific request to the %c0%af
Unicode in the ASCII text portion.
This is because it has already been decoded for us. We must look into the HEX code to see
it. If you examine the first 2 lines as
illustrated in Figure 9, we see reference to the %c0%af three separate times (CO AF as underlined
in Figure 9). Remember, that is because
it was already decoded and is a good reason to always examine everything in
your logs!
Figure 9:Unicode 2
How do I protect My Systems
Windows 2000(All Versions) and NT 4(All Versions)
There are a number of steps you can take to protecting your systems from the IIS/PWS Unicode Directory Traversal Vulnerability. This patch will eliminate the Directory Traversal Vulnerability. Microsoft makes suggestions in addition to this patch to help secure your server:
- Configure IIS so that the web folder is on different logical drive than your system. For example, put your web data on the D: drive and everything else on the C: drive.
- Eliminate all unneeded files and folders from your site. For example, remove the samples folder if you aren’t using them.
- Change the permissions of the IUSR_machinename so that it does not have write permissions anywhere on your system.
The Microsoft Bulletin # MS00-078 that addresses this specific vulnerability can be referenced at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-078.asp
Microsoft has released a Security patch for IIS. This patch contains a collection of hotfixes for this and other known vulnerabilities. This patch can be referenced and downloaded from:
http://www.microsoft.com/windows2000/downloads/critical/q277873/default.asp
Microsoft has created a checklist of steps to follow when building a checklist. Some key points include:
- Setting appropriate ACL settings on Virtual Directories – Microsoft provides suggestions concerning user rights to CGI, Script and other file types associated with IIS and Web Services.
- Logging setup – Recommendations include using W3C logging and enabling the following: Client IP, User Name, Method, URI Stream, HTTP Status, Win32 Status, and User Agent.
- Disable or remove all sample applications located in the IIS samples virtual directory, IIS Documentation virtual directory and the Data Access virtual directory.
- Disable Parent Paths which allows someone to use the “..” in calls to functions such as MapPath. This option is a default and this Microsoft document will help you disable it.
For more information on this Security checklist or to download the checklist, go to:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
Microsoft has released an IIS lockdown tool. This is a program they have developed to help secure your IIS server from many of the recently discovered exploits. This tool has two modes of installation. It has an Express Lockdown, which will secure it with a single click of a button and an Advanced Lockdown mode which gives you the choice of what services and options you want active on the server. This tool offers an Undo option, in case you want to activate a service or option later on or made a mistake during the initial lockdown, and a comprehensive help system that give you information on the options it allows you to manipulate. For further information or to download this tool, please go to:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
SANS is now teaching IIS security in their Advanced Incident Handling and Hacker Tools course. The new section in the GCIH was developed to cover the security concerns with the implementation of IIS 5.0 and Windows 2000 SP1. It covers such topics as:
- Protocol Configuration of specifying DNS servers and the addition of domain suffixes.
- Configuring services on the server – which ones to leave active and which ones should be disabled.
- Configuring Terminal Services – settings and rights are just two of the many topics they cover for this category.
Please note, however, that it was not developed as a step by step procedure of hardening IIS. For further information about the SANS GCIH course, please go to:
Personal Web Server 4 (Windows 98)
This patch was created privately and advertised by Security Focus as a fix to the Personal Web Server 4 package that many people installed on Windows 98. This patch includes fixes for the MS99-010 (File Access Vulnerability in Personal Web Server - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-010.asp), MS00-078 (Patch for Web Server Folder Traversal Vulnerability - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp), MS00-86 (Web Server File Request Parsing Vulnerability - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-086.asp) and MS01-026 (A cumulative patch for IIS containing the above mentioned security patches - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-026.asp) bulletins. This patch is a combination of the Microsoft File Access Vulnerability patch for Personal Web Server and Dynamic Link Libraries from the Superfluous Decoding Operation that could Allow Command Execution via IIS. The patch can be downloaded here:
http://www.geocities.com/p_w_server/pws_patch/index.htm
Detection
Most Intrusion Detection Systems identify the Unicode Directory Traversal attack today. The following have rules specific for Directory Traversal Exploits:
- ISS - Internet Security Scanner
- NFR – Network Flight Recorder
- Snort – www.snort.org
Source Code
There is no exploit code required to manipulate this vulnerability. That is what makes it very effective, quick and easy. But these facts make it a very dangerous vulnerability. Anyone could type these lines into a URL of a browser and start to do damage to your systems if you do not properly secure and patch them. I would go so far as to say that the actual exploit source code would be the Microsoft Operating System itself.
Vulnerability in the News
This vulnerability is interesting because I think it said a lot about system administrators and their outlook on security. Even though this vulnerability was discovered around November 2000, it was not until the following year that it actually started making headlines that showed that many administrators did not patch their systems. In addition to this, this vulnerability made news in many different ways. From scriptors making scripts for attackers to use to Worm creators implementing the exploit in their creation, as I outlined earlier.
On February 14 and 15, 2001, Arttrition.org posted the following sites that were defaced using this vulnerability:
- New York Times http://www.attrition.org/mirror/attrition/2001/02/15/business.nytimes.com/
- Compaq http://www.attrition.org/mirror/attrition/2001/02/15/business.nytimes.com/
- Intel
http://www.attrition.org/mirror/attrition/2001/02/15/talisman3.cps.intel.com/
- Alta Vista http://www.attrition.org/mirror/attrition/2001/02/14/merchant.shopping.altavista.com/
- Hewlett Packard http://www.attrition.org/mirror/attrition/2001/02/14/e-learning.hp.com/
F-Secure released an article that outlined the entire NIMDA worm. In the beginning, they make reference to this vulnerability, even though it is only part of the worm, it is a significant part. You may find this article here:
http://www.europe.f-secure.com/v-descs/nimda.shtml
Cert put out an advisory on
http://www.kb.cert.org/vuls/id/111677
Security Focus put out an advisory as well. Their advisory includes information about the vulnerability, how it works, and how to protect you. It can be found at:
http://www.securityfocus.com/bid/1806
The ‘Sadmind’ worm was one of the
more popular
http://www.theregister.co.uk/content/8/18811.html
http://www.cert.org/advisories/CA-2001-11.html
http://www.zdnet.com/products/stories/reviews/0,4161,2716653,00.html
References and Citations
Websites
Gettys, J.; Mogul, J.; Frystyk, H.; Leach, P.; Masinter, L.; Berners-Lee, T.
“Request For Comments: 2616.” June 1999
URL: http://www.w3.org/Protocols/rfc2616/rfc2616.html
Postel, Jonathon
“Simple Mail Transfer Protocol” August 1982
URL: http://www.faqs.org/rfcs/rfc821.html
Kantor, Brian;
Lapsley, Phil
”Network News
Transfer Protocol” February 1986
URL: http://www.faqs.org/rfcs/rfc977.html
Postel, J.;
Reynolds, J.
”File Transfer
Protocol” October 1985
URL: http://www.faqs.org/rfcs/std/std9.html
Attrition.org,
URL: http://www.attrition.org/mirror/attrition/2001/02/15/business.nytimes.com/
Attrition.org,
URL: http://www.attrition.org/mirror/attrition/2001/02/15/business.nytimes.com/
Attrition.org,
URL: http://www.attrition.org/mirror/attrition/2001/02/15/talisman3.cps.intel.com/
Attrition.org,
URL: http://www.attrition.org/mirror/attrition/2001/02/14/merchant.shopping.altavista.com/
Raitzer, David
“Microsoft Personal
Web Server 4.0 Extended UNICODE Directory Traversal and File Access
Vulnerability Patch for Windows 95/98”
URL: http://www.geocities.com/p_w_server/pws_patch/index.htm
Microsoft TechNet,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS99-010.asp
Microsoft TechNet,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
Microsoft TechNet,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-086.asp
Microsoft TechNet,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-026.asp
Microsoft TechNet,
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
Microsoft TechNet, 2001
URL:http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp
Microsoft Corporation,
URL: http://www.microsoft.com/windows2000/downloads/critical/q277873/default.asp
Paranoid Security 2001, ya_weakness, No|d, Version 0.99
URL: http://www.kb.cert.org/vuls/id/111677
Microsoft TechNet,
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-057.asp
Miller, Nate “Microsoft IIS Unicode Exploit” August 2001
URL: http://www.lucent.com/livelink/197020_Whitepaper.pdf
Ullmer, Brygg
“Gopher”
URL: http://tangible.media.mit.edu/~ullmer/papers/pgopher/node2.html
Duda, Andrzej; Sheldon, Mark
“Content Routing in Networks of WAIS Servers” June 1994
URL: http://psrg.lcs.mit.edu/publications/Papers/icdcsabs.htm
Attrition.org,
URL: http://www.attrition.org/mirror/attrition/2001/02/14/e-learning.hp.com/
Tocheva, K; Erdelyi, G; Podrezov, S; Rautiainen, S.; Hypponen, M.
“NIMDA”
URL: http://www.europe.f-secure.com/v-descs/nimda.shtml
Internet Security Systems
“Code Blue Worm”
URL: http://xforce.iss.net/alerts/advise96.php
Reuters
“’Code Blue’ Sighted in
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2811110,00.html
Delio, Michelle
“Code Blue Targets
URL: http://www.wired.com/news/technology/0,1282,46624,00.html
Security Focus
“Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability”
URL: http://www.securityfocus.com/bid/1806
Greene, Thomas, “Worm puts old IIS attack in full-auto
mode”.
URL: http://www.theregister.co.uk/content/8/18811.html
URL: http://www.cert.org/advisories/CA-2001-11.html
Knight, Will. “Worm exploits Solaris to attack IIS sites”
URL: http://www.zdnet.com/products/stories/reviews/0,4161,2716653,00.html
Books
The Honey Project Team. Know Your Enemy.