Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Latest Worm Nimda Spreads Via Many Paths



 By: Chris Gonsalves
2001-09-24
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
An aggressive hybrid of virus and worm ran rampant across the Internet last week, slowing traffic and causing site shutdowns. But the real damage from W32.Nimda may end up being the cost to eradicate it.

An aggressive hybrid of virus and worm ran rampant across the Internet last week, slowing traffic and causing site shutdowns. But the real damage from W32.Nimda may end up being the cost to eradicate it.

In what is already a tense period—with numerous government warnings of hacking threats in the wake of the terrorist attacks in New York and Washington—the Nimda outbreak shook security experts and users alike and sparked calls for increased vigilance from network administrators and software vendors.

When Nimda first struck, many observers thought that a separate e-mail virus and a Code Red-like IIS (Internet Information Services)- based worm were striking at the same time. It turned out that Nimda— with the most aggressively virulent propagation mechanisms ever seen—was using four separate mechanisms to spread itself.

Roman Danyliw, Internet security analyst at the CERT Coordination Center at Carnegie Mellon University, in Pittsburgh, said Nimdas attack is representative of the new breed of cyber-threat. "This is certainly not the first worm weve seen that exploits [multiple weaknesses]," Danyliw said. "These types of attacks ... are becoming the weapon of choice."

Resource Library:

Nimda spreads through e-mail using an attachment called readme.exe. Nimda also spreads as a worm using multiple known holes in Microsoft Corp.s IIS Web server, making it much more aggressive than Code Red, which used just one propagation method. The worm also spreads by accessing network shares that allow access to the guest account.

Nimdas most unique and dangerous propagation method, however, is through a users Web browser. Once Nimda gets control of an IIS system, it adds to all .html and .asp files a piece of JavaScript that tries to download a file called readme.eml. Versions of Internet Explorer prior to 5.5 Service Pack 2 will automatically download and execute this file.

Once on a system, Nimda makes changes to the registry, adds files, and infects binaries and documents. If any of these files are opened, Nimda will again begin to spread. As a result, the only way to eradicate Nimda from a PC or server is to scrap all installed software and start from scratch.

By late last week, security experts at Trend Micro Inc., in Cupertino, Calif., said some 180,000 machines—most in the United States—had been infected. Most security vendors contacted said the spread of Nimda seemed to have leveled off.

In tests of an infected system, eWeek Labs saw all of the reported signs of infection. An updated version of Symantec Corp.s Norton AntiVirus detected and removed a large number of infected files, and almost all anti-virus vendors now have versions that detect Nimda. However, most vendors concede that, due to the virulent nature of Nimda, users need to reformat their drives to be 100 percent sure of its eradication.

Officials at security vendor Network Associates Inc., in Santa Clara, Calif., last week estimated some 2 million machines could ultimately be infected and cleanup costs could top $500 million.

CERTs Danyliw said the ability of worms such as Nimda to propagate quickly puts the onus on IT administrators and security services "to patch faster ... [and] to get information about vulnerabilities out faster."

He stopped short of blaming weaknesses in Microsoft IIS outright but said the real solution "is for the software industry to implement better processes that eliminate the holes in software in the first place."

Patches for the weaknesses exploited by Nimda have been available for months, experts said.

"A distinction needs to be made between vendors who exert a good-faith effort to make a product secure and vendors who demonstrate a reckless disregard for security," said Markus De Shon, security analyst at SecureWorks Inc., in Atlanta.

Others in the industry put the responsibility squarely on the users, however.

"Failure to properly apply [available patches] would be the fault of administrators. A software vendor is not going to administer your servers for you," said Craig Rodenberg, information security manager at Data Return Corp., in Irving, Texas. "Three worms have hit in the past six months, all using the same exploits. Now theres a new worm, and people are again surprised that their servers are still not patched and are vulnerable."





  Reader Comments: Latest Worm Nimda Spreads Via Many Paths
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Chris Gonsalves
 


xr۸0{\5|kmY7;ҔlɱVlR╩SHH"HʶfzgyoP/If8E@ht7F?{{~$rȥklJ'{>D{{?.`So92p=z#m)>M3ȩ #<;m^~d .prLQm5xuO`nZN<QǢv)pGgEQ6}$k[1 tfN T| p'DFþa>"J4يᐨqC/g^/ԡo;U'liS[wS!+629zPo+/ @Zj#\DȁYy{w4Tݑ}:[R'-XldUZL 6S!1kkJT>lhY}@|ݑ|YCXw:QtQA3Mu_CԿ($fR [8Ukz=Ķ|{')4qr_ռYoׁn܍..Ƀ-oF6o :Nַ߉ QX"*RpBB7: &}`O> 5٤6'6d}4>/AGAticšϭ@7hC=҉L  w|x;4LAb@&e`M?*DsC hA'r=kJׇ&[?L=u#08wɽ5yP+wK@Ab!LDM}PC\7 >)$@}>  Qi^l}`٠1 5g%qJo;r%FaA7EУ$@!"5i]NP@Br6W? -4rr2ޑzZ*%qR% 93TYJjL=?j1!UG,[E`z9r,T.k Jy[+b4dTH9 v+jQQ Q#U^?])d[L9 =:3dy 0Ą'HwH{cJa->95Z ->ƈMG {D&j+Lo>L>HQox@6}=welٌI8A0:AP,j\p>q|}$З^r_o2MS`>۬ ̙#>d tE=b$~f -D,D!', 9*e+*ܲP:Д2RIդ LyO).EcwBQm㔜Ġ;F])zlQځʹӬ˷YKu7bumIҰ.ԵZ,ei l-X5QW0T:4)i ŠaYlcyty:LIT>4:>{k -j\'{?&TYOCxz#JQSUK>c3  9P8SJ$l%K+׳wN=Zz JN=> c=`tu; ЙN )!c$4)>F XXfThjEVL ."|@( Kҵ瓩; Ң{Z^SvԻ~l4ݴZ#歰AVQ NgT3aAKZ6 }˞C{O;b^-"毻0kMtg 7aT5<VD ȸau-CaP,<<+i0ԁ 0 ~"]l% H }"T0|*UTJeˈ`maS@@khSUt Փ&D^~vZK i?aE_"%t1ڥs!b*/w+g \;OgJR(T1:JZ,r8;,3??Mex$?t@g}}90?O'F2k gڧ{3txk}J-Kp1#j$1?0kY /ÊTU5ݧ i faYXGY h¹`Qдa=EKV0& P"7h[eejڳV dwPL vo|~KZhI;$D;WԲ' &Uj l|ZsG<֔H+N-2Ǩi {5V2*jݬ񌠬,9[D ZXň hqņj ZiMf~ r?NqߎXAu+sD ݼ |3PJQl^.QnH}gtWc24NwoUUASG<:HS$!OdQ%КHZ]X4`|'W2V&OB(J٨-kr p9փ ` 뼂RQKFWӛMO U!7TՀN>NGnR| m$\EC>m^L\Tpp# aPVJBgaC:͂k-90B0q܇J3ڛ5^,@N|G!ZO~4I#z/Ɨhskg GL"iBq=C@! aQ=y(d2RI)e e\|V n&,1wOX]dM!Mo$DDK!Z+2L~vó %qm\-1{G=N _BP`l&Zwm\avv'@Ϣh.svw~D ۇ>\e1a<}םn\fcrj?E!Jq%<47}l J>|jJ?eF&fB, F8oIq'^l!lK7 mu =4.odhhXu.nisOUKJ:\;jdWG, Y#tB^7ǧ5vpR`^Q~H15^3l&zik:R_KٺĂ> n՜$"JsMN3$n Jq1ېsoE!9ºUXHE`&|SL($/W;0r,` $X*XU2^_4>G2sEAVSF(+bK)"$DY |M_f| bt8|Ut"wۿBWa~C<B<Mq<$]{pУJqkf\~<)}B-9ǝ~LҴv8 ln"tUO#2L:*r֚S%[@csKiP:p8ljag(BٺCK -m&Rs SS2%ɩ$E =)!ښI$"8J542 eI? U4㓘PV iWɂtW#'59ܻԹ8/T/i_߹n,D2z=`l)LZa"A|)J| >m\ e!>eOvIJhIw鳎ᬖ^}+ ɏXI9ZCaJF CZtOjYbӝci;F\x v;2(Qf -dZP+ [_Y.40{};]#ޓd=4WDP~zN` hs o.0/cǩm:{@D'
HP[#=p>~ℜ13|mkbKf0>oV8_OKoҭ{¾"CSq j[:+`*9$HH!HN d_"2gNIJn/:}Lzd ,Fu x3DoҼ4hApl3O7C\j~d_c%?_gpo- z [mmE*]s"5P#vދSJqǛ}yJ ГG mזF}Vȿ5LĴhw4TɁo ?֐5'|F}ԲىƓy|yc>,d9_a}40[ɱ=ƙadOB%[e5w+[c'gcc;/F%%oS˱gA jmwBqVE0p>-&8\}5ߊ:"YcCƓdfmio-(oǜxk5)2kN7/6o-).j{\nn'B{7d\ }aK~~ Ɩv/N,Viug.SXSvޚ;JMX\n\*ijLGvVC8{s'NЙq_ipzV9JI+$:9D'ͦxz} ]k4SSK]Iٯ /GfQZ%k6wX;koGu'm=/ѡ[jq/ ;GA,1wm!φ`x/a(a.ЖY-r]pqGa;(F# vw2$g@­^l )uCVr@ ̻#P'4$ot'E~0!8렳-:FT\CxdUm2Pq ܓ:Ѿ ) .k]GBE8ґV^(zb[3,( */͓ V~<,{Ec4k)*?yF~\R-UnAP%Έ`0#+iH5{tޮb?ē_31`eݦ^зSgI,W4\dGJ4Z11a/?/:\gf.yEHH OGj3d زHfPk7OwjUE-{; 57o9]S&U(K#„hH9G{i+uM)tO:ug)#@K\Jҁt=s6'h+YHA" AHAZOtEvGAY*Nr(‹K˶1tn $q6\uȘmb Gˮh<Ax5Јm'#Sz_B%-8uSƂ~ )VBODſ-ڮÑBMډ,%oA/0Wמ;д/,(:3 Uiԃ.p@&'2GIF Ca0V†("BdLoK0#!]E݀Nf0eĪDRaUl_|O0f̃+PI33cT)Aysvzf~[ü]#U[eۉ2JIJae'2[[8vYT(WoV[ckTe߭ufI7Ft+7mєjP8\:!E|n`3ĐDǠi_f|l ]roI%KQI:4ۅEOt m`dn5&.|@+xy7,P$=Y݁,9_^ /jK:}y)r0M7@Ũ/sZ'B?X#rl=rF.Vߘe}1{^+RSku\"jJcֈ:ެ#1s,}"1lF}‹};QB<k%_A8C JzJm|t%uao%6,!A(~m,D-G\m [_1q<3!\G|{˾CY`mI/fdΒR6FG?Ik(>qͳ%eTc$,Hg`AmYs˧cjI8KTRc`ϥ330洿N(!$B !&t^ֽow!|~~~~~Piojkz+QGC㋀qۓ=}oMQY~] &}t.n|uSl7x/}jY "/Xo9 P\$v)%֏{XIvt8žxHfk-HaԊXoֹ p'W 9V/Sw3Kty+0rQ+9rϮ XA tO%F~ц{2n7~0um;%.⛽cKH5ŗA¸rW|kofN?]uۻ CҚC-Vb$;65幙t|ж-c-m*X|j[fXVG IQZ\ӧS@E[_Z.={tӥYoRY0)C,eObp{,hDӺh 0( }g¡Yj,&RXKE:`w3V c4Rf63 ~`PEГt5>F3hνkoH x]ڋK۪]ju͠2zZö$yhc&rM,hMHm!~0 ǀh!le"6? e;l=U݃~Oe# c`yx\(Z@ln+g+H0-{oԍ9@1gF!;Ooq'G^_ug/ 2â=&L~SGTkST0k[긭 7~E.Jʫ=N܀KYhCJ;*ǽb5%?W¤Xt'O,ηU v2.Ed^~EBt *(U܌@߼eu'jI13ʑu+iV}1bs!qhX=LHMt,¶a/)ȁ;] /TmSOǽ7܈es;7J(ab?1vE1h=(CZPBZ]%’}U=Icr9ʊbNk@`b &"lTI7q/d1 CAqy%ǸHFPxAiLz^zk/sϩTh/ZNxSSHkژcΩὙZY9>% RkKN tc T n o"rIo$NPVMKUP*$4@i^(*&@ 6VL}^ULXFLϫ&p]X-PL;W^\V]4_q=o7ݙAfnu&[wVE܀g!E8ߧ#qGO|Odlf-MaaZG vrQ DC>$br&E"#m=*r ~RTK4Cz^ [#WV+R**5YQa.b +F#xyILq':g0ŢvXR=o=' ӝRa *dNք2L\d9_>PP,(jz/;ʏ>?@G0eˡW}j+.MJ1![i , xE5F[q{y >:bQ'#M:q_aci*qwm[,{3E-h<#Թ<׉a^tbS{5sS8Y\`3-nUm}qVҽ]Ft 3sK? :IwJ Ki3?b)l:,<7гR5h+jO5txRrCu(bCobDK .n3FwCˠooeD% TĔcЭaV&wܠn~z*ڟ't2u/xyB G=Nl~G&ݷ}* 3;-RlΦ{OFi%W0O?nmhV|K";{|Q F̊XL t8,$n؃^`+!ԓGĥ)Ӏ!ϼׂWH7˭mH[e'鍀I+62s k/uToݶZ rպ^zM-<,xHsw7Cۑ7½>'qL>0~o9$.+Ra ܝ![:0[,;?pa)?ErБ`b'r s3j7W]ЍQݾ ?чf@L-{nXIAX#hbG#=7.nrj5-i`Ik„0'lx Dzs'IA!5R"%9,ǰglFLNө:,At|괯#@[7d 6B;b<1C|>OȺHU7@Db)G(aE$@5 !\)%ln*7WXp_𦳙B'4M] 3zq"O2}2=jcܕeZm6X35KޝR>ɚCZYQpM t?3a3RC¤vxryL]ƒ $BqнӜZX oXֿӱe2}}И1RQJ1|3ʰLXUʗn̒5[8~kBKr%-ruVнA-'i92dg4t\@!9A%Ոɵ7֝"4/> iVt?tOo׽v犜.:x ZѶpKt{ԝsi~>\>k_oW\“|5WV/ ˙Β^9j\28ѦΈKs!Yx9K x" /ELqx*0̟^wS"vmY QLi210Sh6oZݮ8זC}ހՑt.53;nFh9Pc-W\qPtOvitZzRR"o"#H H FFz;HMA~ ?gy!v~^nfF:>ϴ2ҡ! fe\B/3 /~/3{ %2@y yAȣW2!<#KHH+ ȟN|dȗk o~n2 f fˠ޿ _?}}̠O)+)2w Y@{ f wAɹN2!HodYNϯxpN2ҋIK /ʗa uu^ yVR =^`]dk x.rff{ 9n;k?[O;Bh\jzr+ʞ^&eUziAF[/RQ^/Z+֤[/ݹgֺ+3c+p'k͠~%k"_'OxVf 3yⱡk =*xqa9qA} D |uԧHτ[Ti׿#ZS%/u5@:՞/{fw\;aKƈ DMKIW/'ɱz?] 3/@b:=d.C" #C0t'o7 Lz±0~/ERƠe @䄸 vOj;CśI /VݍƊqExL°kXHM[u&ĤW[E=0ƉJôFo1#9݌ţ*aѾG]$ yD8õ;-a5k[ ~~]@-0 p1o6Nώ{;Y9!EQg m\qś@@rvそlZ>֌\%$daH|8$´}y&xx D亂mv$13{dt.;o{ҝ&<aO,|Ŷ/W㿄$I;P|+ 벛84Ǟ”j>}P.q5sEEבE$*JhӄZ{JfBZ1}M>fo0GJ _,i_3QNǮ'}MH,"~ese'PTg)>AϐTh0xM9%)nՌ[%|F331F#qyU (pd+.7zFZ`Xc \ }wHV&K0Su .Ъr.9|cx w}/wxq?GnOvGDg>V'ًl4=`6f@{ohI-Ox R}r8`k욇~0qGĶ2]|R2MepvRvc ;93ߚ-rΦk~ϖWtm<ml/>uOW]FaJ[z0 _jPw+:`53q7CƮ Ca+kPMXhc 1GY"x~ea# Vt*N`wX{y\(:W=qپ|]*'ꙺVώo0?!2D"VxVyhEisşwl'3e={`ͯ3tgd֌^VMظӍo3a-d4džIkcmOt#ϯ+(