Latest Worm Nimda Spreads Via Many Paths

An aggressive hybrid of virus and worm ran rampant across the Internet last week, slowing traffic and causing site shutdowns. But the real damage from W32.Nimda may end up being the cost to eradicate it.

An aggressive hybrid of virus and worm ran rampant across the Internet last week, slowing traffic and causing site shutdowns. But the real damage from W32.Nimda may end up being the cost to eradicate it.

In what is already a tense period—with numerous government warnings of hacking threats in the wake of the terrorist attacks in New York and Washington—the Nimda outbreak shook security experts and users alike and sparked calls for increased vigilance from network administrators and software vendors.

When Nimda first struck, many observers thought that a separate e-mail virus and a Code Red-like IIS (Internet Information Services)- based worm were striking at the same time. It turned out that Nimda— with the most aggressively virulent propagation mechanisms ever seen—was using four separate mechanisms to spread itself.

Roman Danyliw, Internet security analyst at the CERT Coordination Center at Carnegie Mellon University, in Pittsburgh, said Nimdas attack is representative of the new breed of cyber-threat. "This is certainly not the first worm weve seen that exploits [multiple weaknesses]," Danyliw said. "These types of attacks ... are becoming the weapon of choice."

Nimda spreads through e-mail using an attachment called readme.exe. Nimda also spreads as a worm using multiple known holes in Microsoft Corp.s IIS Web server, making it much more aggressive than Code Red, which used just one propagation method. The worm also spreads by accessing network shares that allow access to the guest account.

Nimdas most unique and dangerous propagation method, however, is through a users Web browser. Once Nimda gets control of an IIS system, it adds to all .html and .asp files a piece of JavaScript that tries to download a file called readme.eml. Versions of Internet Explorer prior to 5.5 Service Pack 2 will automatically download and execute this file.

Once on a system, Nimda makes changes to the registry, adds files, and infects binaries and documents. If any of these files are opened, Nimda will again begin to spread. As a result, the only way to eradicate Nimda from a PC or server is to scrap all installed software and start from scratch.

By late last week, security experts at Trend Micro Inc., in Cupertino, Calif., said some 180,000 machines—most in the United States—had been infected. Most security vendors contacted said the spread of Nimda seemed to have leveled off.

In tests of an infected system, eWeek Labs saw all of the reported signs of infection. An updated version of Symantec Corp.s Norton AntiVirus detected and removed a large number of infected files, and almost all anti-virus vendors now have versions that detect Nimda. However, most vendors concede that, due to the virulent nature of Nimda, users need to reformat their drives to be 100 percent sure of its eradication.

Officials at security vendor Network Associates Inc., in Santa Clara, Calif., last week estimated some 2 million machines could ultimately be infected and cleanup costs could top $500 million.

CERTs Danyliw said the ability of worms such as Nimda to propagate quickly puts the onus on IT administrators and security services "to patch faster ... [and] to get information about vulnerabilities out faster."

He stopped short of blaming weaknesses in Microsoft IIS outright but said the real solution "is for the software industry to implement better processes that eliminate the holes in software in the first place."

Patches for the weaknesses exploited by Nimda have been available for months, experts said.

"A distinction needs to be made between vendors who exert a good-faith effort to make a product secure and vendors who demonstrate a reckless disregard for security," said Markus De Shon, security analyst at SecureWorks Inc., in Atlanta.

Others in the industry put the responsibility squarely on the users, however.

"Failure to properly apply [available patches] would be the fault of administrators. A software vendor is not going to administer your servers for you," said Craig Rodenberg, information security manager at Data Return Corp., in Irving, Texas. "Three worms have hit in the past six months, all using the same exploits. Now theres a new worm, and people are again surprised that their servers are still not patched and are vulnerable."