NIMDA Gives Intruders Administrator Privileges
Corporate IT managers grappling with the latest and greatest threat to the Internet, NIMDA, will find cold comfort in knowing the worm gives intruders administrator-level privileges, says a security expert.
The worm was discovered around 9 a.m. yesterday and complaints about Internet slowdowns have been proliferating since.
A security expert from TruSecure discovered the worm and named it after the file name that transports it: W32.nimda.a.mm. However, experts from Exodus Communications believe the NIMDA virus is designed not just to compromise computer systems, but to take over and manipulate them in the long run.
"NIMDA is admin spelled backwards in case you haven't noticed," said Charles Neal, head of the Exodus Cyber Attack Tiger Team. A 20-year veteran of the FBI, Neal started his career in the bureau's cybercrime division with the investigation of hacker Kevin Mitnick, and ended his government work with the Mafiaboy case.
Tuesday morning, Exodus's intrusion detection system "lit up like a Christmas tree." The Web hoster then put out a honeypot, a server designed to trap a worm for analysis; it got a copy of the virus 30 seconds later. Initial analysis of the software revealed it elevates guest privileges to administrator level, which means intruders get to control computers infected with NIMDA. Exodus believes that applying patches won't protect against the worm. The worm appears to modify thousands of files on user machines. Exodus recommends infected clients literally rebuild their computers.
"Unless you run something like a service of ours called Content Integrity Monitoring, which monitors files so that you know if a file changes, you have no way of knowing what has been added or deleted," said Neal.
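The file-change monitoring Neal describes rests on a simple idea: record a cryptographic hash of every file while the system is known-clean, then compare a fresh scan against that record to see exactly which files were added, modified or deleted. The following is an added example written for this article, not code from Exodus or any monitoring product; the directory layout, file contents and the changes made to them are constructed for the demonstration.

```python
"""Added example (not part of the original article): a minimal file-integrity
baseline of the kind the text describes. It records a SHA-256 digest of every
file under a directory and later reports which files were added, modified or
deleted. All files and changes below are constructed for the demonstration."""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each file's path (relative to root, with '/' separators) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def compare(baseline, current):
    """Return (added, modified, deleted) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline
        if path in current and baseline[path] != current[path]
    )
    return added, modified, deleted


def demo():
    """Build a constructed tree, baseline it, change it, and diff the two scans."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "www"))
        with open(os.path.join(root, "www", "index.html"), "w") as fh:
            fh.write("<html>hello</html>")
        with open(os.path.join(root, "www", "about.html"), "w") as fh:
            fh.write("<html>about</html>")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("clean")
        baseline = build_baseline(root)  # taken while the tree is known-clean

        # Constructed changes of the three kinds the article is concerned with:
        # an existing page altered, a new file dropped, and a file removed.
        with open(os.path.join(root, "www", "index.html"), "a") as fh:
            fh.write("<!-- altered after baseline -->")
        with open(os.path.join(root, "www", "dropped.txt"), "w") as fh:
            fh.write("constructed new file")
        os.remove(os.path.join(root, "notes.txt"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    added, modified, deleted = demo()
    print("added:", added)
    print("modified:", modified)
    print("deleted:", deleted)
```

The baseline is only as trustworthy as the machine it was taken on, which is why it has to be captured before exposure and stored somewhere the monitored host cannot rewrite; a baseline taken after infection simply enshrines the attacker's changes.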
Exodus expects hundreds of thousands of machines to be infected by NIMDA, which would make recovery very costly. While there is no information yet about why NIMDA was released, Exodus experts noted that the virus was unleashed at almost exactly the same time as the World Trade Center attacks a week ago. It is unclear, though, if the worm is the handiwork of U.S. crackers aiming to retaliate against non-U.S. computer users, or vice versa.
NIMDA has become the "Swiss army knife" of malicious worms, using numerous attack signatures to infiltrate and inundate Windows-based PCs and servers. It makes Code Red, which infected more than 300,000 Microsoft Web servers in July and August, look benign.
A security expert from TruSecure says it's possible to become infected just by browsing an infected Web site. NIMDA will also infect any vulnerable Windows machine attached to the same network as an infected system.
"This will definitely be the biggest malicious code event of the year," said Roger Thompson, TruSecure's technical director of malicious code research.
Because it is spreading so quickly and has a much larger pool of potential victims, Nimda is creating an ad hoc denial-of-service attack on the Internet. The worm is hogging bandwidth resources and hindering access to thousands of Web sites, said Stefan Savage, co-founder of DoS specialist Asta Networks.
A spokesperson for VeriSign reported a 20 percent increase in Domain Name System traffic this morning, although it hadn't confirmed the source.
Keynote Systems, however, which reports on Internet performance metrics, stated overall Internet traffic was moving in its normal parameters.
E-mail users have been receiving the worm via attachments called "README.EXE," but a spokesperson from antivirus company Symantec says Microsoft Outlook users don't need to open the attachment to become infected, just the e-mail message itself.
While rumors abound that the worm could be associated with last Tuesday's terrorist attacks, U.S. Attorney General John Ashcroft said in a news conference today that there has been no evidence of a connection.
However, businesses still reeling from the events of last week are going to find Nimda adding insult to injury, said Arvind Narain, senior vice president of Internet services of McAfee.com.
"These are difficult times for businesses that have been hard-hit," Narain said. "While some of the events may have been in only certain parts of America, it has a ripple effect, and companies are already dealing with loss."
The reason Nimda is more threatening than Code Red is it can attack any one of 16 known vulnerabilities in Microsoft's Internet Information Services 4.0 and 5.0 Web servers, whereas Code Red was only designed to attack one.
"The biggest twist is it's like a Swiss army knife. It has a whole bunch of different ways to come at you," Thompson said. Basically, Nimda has a key ring full of keys, and if one doesn't work, it simply uses the next one.
In fact, it's aware of the Trojan horse left by Code Red variants, and looks for it on systems. If it finds the Trojan horse, it will activate it and use it to infect that system.
Also making Nimda more destructive is the fact that it is less selective of its victims. While Code Red infected primarily Windows 2000 servers running IIS 5.0, Nimda can infect almost anything, including the PCs of users who surf a Web site that's been infected with the Nimda worm, said Thompson.
Thompson warned, however, that much still needed to be learned about Nimda. The full ramifications of Code Red were still being discovered weeks after its initial release. Code Red contained less than 4,000 bytes of code. Nimda contains 54,000.
As for protection, anti-virus vendors such as F-Secure, McAfee, Symantec and Trend Micro are releasing updates to their software to deal with the problem, but new details are being discovered about Nimda all the time, McAfee's Narain said.
"There are no guarantees and there are going to be variants of this particularly nasty rascal," Narain warned.
Max Smetannikov contributed to this report.