Update: Nimda worm spreads three ways; seen as major threat
A new type of fast-spreading, complex computer worm dubbed Nimda presents such a serious security threat that some antivirus experts are urging organizations and individuals to temporarily disconnect from the Internet, especially if the organization is also infected, until the nature of Nimda is more completely known.

Nimda - "admin" spelled backwards - is a complicated computer worm still under study by antivirus experts, who believe it is a distributed denial-of-service attack tool like Code Red. Nimda is not so far known to deliberately destroy the files of Microsoft Internet Information Server or of the PCs it infects. But because it propagates at least three ways - as an e-mail virus, through network shares and via IIS Web pages - security experts say corporations should take maximum precautions at this time.

"We don't know completely how Nimda works yet," said Russ Cooper, antivirus expert at TruSecure. "But it is spreading extremely rapidly. As a preventative measure, you should disconnect from the Internet temporarily."

While other security vendors, including Computer Associates and McAfee, didn't issue warnings to disconnect from the Internet, they agreed that experts are still sorting out what the worm can and can't do.

"It is employing several techniques to propagate," said Ian Hameroff, business manager for security solutions at Computer Associates. "We may need to treat these kinds of viruses by quarantining them."

McAfee Senior Vice President Arvind Navrain said, "We are advising people to show extreme caution," adding, "this is a cocktail of a worm plus a virus."

A Microsoft spokesperson said the company is investigating the worm but has little information at this time. The spokesperson confirmed that the worm is affecting many customers.

Sharon Rucman, senior director of Symantec's security response group, said it would be prudent for corporations to disconnect from the Internet if their systems have become infected.
"There's still a lot unknown about it," she noted.

How it works

What they do know is that Nimda spreads by e-mail similarly to the recent Sircam virus. Symantec says Sircam propagates by worming its way into a victim's PC and responding to all e-mail that comes to the victim from then on.

Nimda arrives with a README.exe executable file attached to the e-mail. Variants on the loose may include other attachments as well. If a victim clicks on the file, which poses as an Audio Wave file, the Nimda worm will install itself on the victim's machine. But the victim doesn't necessarily have to click on the file to open it: a flaw in Internet Explorer versions 5.0 and 5.01, exploited by the Nimda worm, will open the attachment anyway. That flaw was corrected by Microsoft on March 29 with a security patch detailed in Microsoft bulletin MS01-020. Microsoft says customers that have installed the Outlook E-mail Security Update for Outlook 98, 2000 and 2001 cannot be infected. Users running the security update or Outlook 2001 cannot spread the virus even if infected.

In any event, once Nimda worms its way into the victim's computer, it begins scanning across intranets or the Internet on Port 80 to find IIS servers against which to launch denial-of-service attacks, according to TruSecure's Cooper, who also edits the NTBugtraq security mailing list. He said the virus downloads a 56K-byte program called admin.dll to the victim's machine. Legitimate admin.dll files are usually 20K bytes, Cooper added.

The Computer Emergency Response Team Coordination Center says it saw an increase in scanning for Port 80 on Tuesday. At this point, TruSecure suspects the Nimda worm may have originated in the People's Republic of China. According to Symantec's Rucman, Nimda is "a denial-of-service attack tool like Code Red II, scanning for corporate subnets."
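The e-mail vector described above (an executable attachment that poses as an audio file and is opened automatically by an unpatched browser) is the one that gateway filtering of executable attachments, one of the defenses recommended at the end of this article, is meant to stop. The Python script below is an added example and is not code from the article or from any vendor quoted in it. The two MIME messages it scans are constructed for the demonstration, the list of blocked extensions is an assumed local policy, and the second check flags an attachment whose declared Content-Type (audio, image, video or text) disagrees with its executable filename extension, which is the disguise the article describes.

```python
import email
import os
from email import policy

# Assumed gateway policy: attachment extensions to block outright. This list is an
# example choice for the demonstration, not something the article specifies.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Top-level media types an executable should never be declared as. An attachment whose
# filename says .exe but whose Content-Type says audio/x-wav is the "executable posing as
# an Audio Wave file" pattern the article describes.
NON_EXECUTABLE_MEDIA = ("audio/", "image/", "video/", "text/")


def attachment_findings(raw_message: bytes) -> list:
    """Return one finding per attachment the gateway should block.

    Each finding is a dict with the attachment's filename, its declared
    Content-Type and the list of reasons it was flagged.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        ext = os.path.splitext(filename)[1].lower()
        ctype = part.get_content_type()
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable attachment extension " + ext)
            if ctype.startswith(NON_EXECUTABLE_MEDIA):
                reasons.append("declared Content-Type " + ctype + " disguises an executable")
        if reasons:
            findings.append({"filename": filename, "content_type": ctype, "reasons": reasons})
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold the whole message if any attachment is flagged."""
    return bool(attachment_findings(raw_message))


# Constructed sample messages for the demonstration (not captured worm traffic).
# The attachment bodies are placeholder text, not real binaries.
SUSPICIOUS_MESSAGE = b"""\
From: sender@example.test
To: recipient@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see the attached file.
--BOUNDARY
Content-Type: audio/x-wav; name="README.exe"
Content-Disposition: attachment; filename="README.exe"

placeholder-bytes-not-a-real-program
--BOUNDARY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

placeholder-pdf-content
--BOUNDARY--
"""

CLEAN_MESSAGE = b"""\
From: sender@example.test
To: recipient@example.test
Subject: constructed clean sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Quarterly numbers attached.
--BOUNDARY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

placeholder-pdf-content
--BOUNDARY--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "-> quarantine:", should_quarantine(raw))
        for finding in attachment_findings(raw):
            print("  ", finding["filename"], finding["content_type"], finding["reasons"])
```

Run stand-alone, the script quarantines the first message on two grounds (an .exe attachment, declared as audio/x-wav) and passes the second. Matching on the filename extension and on the declared media type together matters because a client that trusts the Content-Type, as the unpatched Internet Explorer versions named in the article did, sees a harmless audio file where the gateway sees an executable.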
In the past two months, Code Red invaded thousands of Microsoft IIS servers, and its denial-of-service attacks caused considerable congestion in cable-modem networks in particular, as well as peripherally knocking out some DSL modems and other equipment. Microsoft had long ago made a software patch available for the buffer-overflow vulnerability exploited by the Code Red worm, but it became clear that many organizations hadn't installed it. Any type of equipment using Microsoft IIS as its Web management interface might require the security patch. According to Microsoft, the vulnerabilities exploited by the worm in IIS 4.0 and 5.0 can be patched with the most recent IIS patch, available through Security Bulletin MS01-044.

The Nimda worm also seeks to invade IIS servers by exploiting not just the known buffer-overflow vulnerability that Code Red and its variants use, but perhaps as many as 16 other vulnerabilities as well. "That's what we're trying to pinpoint right now," Rucman added.

Once Nimda invades an IIS Web server, it causes IIS to try to alter Web pages with a particular JavaScript addition. When a visitor with a Web browser downloads the page, the Nimda JavaScript addition presents a prompt asking the user to accept the page. If the user does, the cycle of infection continues. There is some concern that Nimda may not require the prompt at all, and may infect simply through the Web browser.

Nimda also spreads through the file-sharing process known as network share. Corporations typically use network shares to allow users at PCs within the company to send files directly to each other without having to go through a server, said Symantec's Rucman. Microsoft's spokesperson said file sharing is not turned on by default in any Windows system, so unless that feature has been specifically activated, systems are not vulnerable.
Given that Nimda does a lot of things at once in order to launch a denial-of-service attack like Code Red II, security experts are advising organizations to fight it through multiple defenses, including antivirus software, filtering out executable attachments at the gateway and even cutting off access to the Internet.

Contact Senior Editor Ellen Messmer