Nimda Worm Running Rampant on Web

 
 
By Jim Rapoza  |  Posted 2001-09-18 Email Print this article Print
 
 
 
 
 
 
 
The anticipated follow-up to the Code Red worm attacks got under way Tuesday with a far-reaching outbreak of W32.Nimda infestations. The aggressive worm, which seeks 16 vulnerabilities in Microsoft Corp.s IIS software, is thought to have infected thousands to tens of thousands of Web servers and slowed Internet traffic for many more, according to security experts. The massive spread of Nimda came as the FBI issued renewed warnings about cyber-terrorism in the wake of last weeks attacks on New York and Washington. Officials at the FBIs NPIC (National Infrastructure Protection Center) said Tuesday that a group of hackers calling themselves The Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. According to the FBI, The Dispatchers claimed to be targeting communications and finance.
"There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place," NPIC officials said in a statement. "The Dispatchers claim to have over 1,000 machines under their control for the attacks. It is likely that the attackers will mask their operations by using the IP addresses and pirated systems of uninvolved third parties."
An FBI spokesman declined to connect the Dispatchers warning with the Nimda outbreak. W32.Nimda. is a double-threat, operating as a hybrid between a virus and a worm. Like Code Red, it attempts to take over IIS systems by utilizing known security holes in the Web server. However, while Code Red used only one security hole, W32.Nimda makes over 16 attempts on a system trying different exploits and in one server log eWEEK Labs saw it appear to try over 20 GET attempts on a server it was attacking. The program is also spreading itself through e-mail through an attachment called readme.exe. If an Outlook client is not set to high security settings the virus can spread itself using the Outlook clients address book. Filtering out .exe files at the mail server should prevent the spread of W32.Nimda in this manner.
Probably the most unique way in which W32.Nimda spreads itself is through the Web server of an infected system. Once W32.Nimda infects an IIS system, it downloads a dll and gains administrative access. Compromised servers may then display a Web page prompting a visitor to download an Outlook file that contains the worm as an attachment, according to Eric Chien, program manager at Symantec Corp. in Cupertino, Calif. According to an alert on www.incidents.org, reports are that Internet Explorer 5.x will automatically execute the file, which is called readme.eml. Nimda also uses the traditional method of propagating through network shares. It looks for shares that allow access to the Guest account with no password required.
 
 
 
 
Jim Rapoza, Chief Technology Analyst, eWEEK.For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr Rapoza's current technology focus is on all categories of emerging information technology though he continues to focus on core technology areas that include: content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date
Rocket Fuel