A Worm with Many Lethal Turns

The diabolically versatile Nimda has exposed more weaknesses than any predecessor. Businesses and individuals, take heed

Customers attempting to reach Verizon Wireless via e-mail have been on hold since Sept. 19. Under siege from the Nimda computer plague, the cell-phone giant was forced to shut down all incoming e-mail, allowing e-mail traffic only within its corporate networks, says a company spokesperson.

That's a headache the company doesn't need as it deals with the aftermath of the World Trade Center attack and a resulting 100% spike in traffic on its wireless network. For smaller telecom companies, such a disruption could have been the equivalent of a communications death sentence. "It is creating some hardship," says company spokesman Brian Wood.

Imagine trying to conduct a business with no e-mail. Anecdotal evidence suggests that hundreds of businesses around the country are dealing with exactly that situation, as Nimda has wreaked havoc on corporate networks. Not that this was entirely unexpected. The FBI and numerous computer-security organizations warned earlier this week about the hazards of the new Nimda worm/virus. Like previous software worms, Nimda can spread from Web server to Web server. And like previous viruses, Nimda can also replicate itself via e-mail.

The outbreak comes on the heels of CodeRed, a worm that snarled infected Web servers at thousands of companies earlier this summer. Like CodeRed, Nimda picks on Microsoft products, including Outlook and Outlook Express and Redmond's IIS Web servers. The de facto Web-browsing software, Internet Explorer, also can spread Nimda.

But this is a pathogen with a difference. CodeRed and past plagues have generally used only one method to try to invade computer systems. CodeRed spread from one Microsoft Web server to another. Others spread via e-mail traffic from desktop to desktop. The danger with Nimda is that it can use four separate vectors to spread, including basic Web surfing and e-mail.

Net users can unwittingly spread the worm onto their home PCs or corporate networks by downloading infected Web pages with outdated browser software. And unlike CodeRed, which exploits a single software vulnerability, Nimda probes for up to 18 known vulnerabilities in systems. In the process, it can soak up significantly more bandwidth than CodeRed.

More insidiously, Nimda creates a new account that enjoys unrestricted administrative access to IIS servers and possibly to the networks linked to them. All in all, it's a far more sophisticated assault.

Nimda, which started proliferating in earnest on Sept. 18, also can spread via e-mail. Anyone using Microsoft Outlook or Outlook Express can contract the worm by simply reading or previewing an infected message. They don't have to click on anything. Once they read that e-mail, the worm starts sending copies of itself to anyone in Outlook's e-mail address book. Outlook clients with proper patches aren't vulnerable, and properly updated antivirus software will snare these e-mail attacks. Still, millions of desktop computers remain vulnerable.

Individual users may be most at risk. They are generally less likely than corporate IT departments to install and update antivirus software on their home PCs. The exact percentage of home PCs that have antivirus software remains unclear. Even less clear is how many of those systems are regularly updated, a requirement to keep them secure from the latest virus or worm permutation. Regardless, until Sept. 18 no antivirus software would have been completely effective against Nimda -- because computer-security companies had not yet come up with an antidote.

A third vector of transmission is over shared hard drives on internal computer networks. This method can affect any company that uses network hard drives for storage of collaborative files. For example, a publishing company might use such a system for passing edited files from one writer to another. Or a product designer might use shared drives as a way to give lots of people access to project documents.

On home networks, shared drives make it easy to access files from, say, your spouse's computer even though you are working on a different computer. Cable-modem users often unwittingly enable file-sharing when they set up network printers or add hard drives to their home systems. Unplugging shared drives can cause major hassles for companies accustomed to using them as part of a business process.

The final vector of transmission is through Web browsing. Nimda can plant a program on infected Web servers that allows them to deliver the virus to unsuspecting Net surfers. It does so by adding a small piece of computer code to Web pages stored on those servers that carry common file names such as main.html, default.html, and index.html.

Internet users with slightly outdated versions of Internet Explorer then unwittingly download the virus onto their own machine by loading an altered Web page from the infected server. Once the virus is downloaded, it will begin to go through the user's address books, search for file shares, and alter files on their hard drive.

Companies and individuals who haven't installed adequate antivirus software will need to spend a lot more time patching their systems to correct for Nimda. The virus requires alterations of basic network architecture and updates to IIS servers. Nimda supposedly does not exploit new vulnerabilities, although there have been reports that even properly patched IIS servers can get infected. "The work that needed to be done on any one given machine [to control Nimda] typically tripled or quadrupled what would be needed to deal with any other virus," says Vincent Gullotto, senior director of Network Associates' AVERT virus-research center.

Judging from Internet discussion boards, no one fully understands the extent of damage or disruption that Nimda can cause on individual systems. Traffic on the general Internet may have slowed down as a result of the virus, according to Stefan Savage, a marketing coordinator for Asta Networks, which provides equipment to prevent denial-of-service attacks. Web-site performance tracker Keynote Systems claims it has seen minimal slowdowns in its regular checks of response times at some of the most popular Internet destinations.

Clearly, though, many companies are sweating. Network Associates slimmed down its Web interface as it labored to deliver Nimda updates to thousands of customers. Verizon and other large companies simply unplugged their systems. RapidNet, a small Internet services provider and tech consultancy in Rapid City, S.D., had four systems on its internal network infected. "Once two of the systems confirmed having the virus, we shut the entire office network down to prevent the spread," says Operations Manager Terisa Enstad.

In the end, the company hurt the most by this outbreak could be Microsoft. These types of worm attacks usually come in waves, and with the work-hour costs associated with securing Microsoft systems starting to soar, many companies are having second thoughts about Redmond's code.

Enstad says RapidNet has started to migrate away from Microsoft products, including Web servers and e-mail software. On Sept. 19, Enstad had already begun installing alternate e-mail systems on the RapidNet internal network. "We have waited a long time for Microsoft to deal with some of the security issues their products create, and we are no longer satisfied with continuing to wait," says Enstad.

Still, waiting and watching is something a lot of vigilant systems administrators will be doing this fall, in anticipation of more Nimda-like worms spreading across the Net.

By Alex Salkever in New York

Edited by Douglas Harbrecht