[ISN] New studies reveal Nimda's tenacity

From: InfoSec News (isnat_private)
Date: Sun Sep 23 2001 - 03:00:31 PDT


    http://news.cnet.com/news/0-1003-200-7250546.html
    
    By Robert Lemos
    Special to CNET News.com 
    September 21, 2001, 1:20 p.m. PT 
    
    Nimda's number may not be up.
    
    Security consultants stressed Friday that while the spread of the
    disruptive Nimda worm has slowed, many companies are having
    difficulties rousting the malicious program from their networks.
    
    "It's an awfully insidious little bastard," said Mike Scher, senior
    research consultant with network-protection company Neohapsis. "You
    clean it off of one segment of the network and have to make sure it
    doesn't come back. It's almost like fighting a fire."
    
    After successfully preventing Nimda from entering its network, Scher's
    client--a Fortune 500 company--picked up the worm from an employee
    working from home. After that, the program spread quickly throughout
    the corporation's worldwide offices.
    
    "This is a huge organization, so there are lots of infections," said
    Scher, who had been working 48 hours to clean the digital infestation
    from the network. "It's a terrible pain to get off."
    
    The tenacious worm also caused several Internet service providers to
    take drastic steps to block customers from spreading the worm and
    overloading their networks with traffic.
    
    XO Communications acknowledged on Friday that the company severed
    almost a quarter of its customers' Web servers from the Internet in an
    attempt to halt the deluge of data produced by the worm.
    
    "Many of our customers are small businesses," XO spokeswoman Jenna Dee
    said. "They bring in an IT person to set up their network and don't
    have a full-time technical employee. Those types of businesses are the
    most susceptible to these attacks."
    
    Another Internet service provider, DSL.net, completely cut off
    hundreds of its customers after it became apparent that their
    computers had been infected by the worm, according to customers'
    reports. DSL.net did not immediately respond to requests for comment.
    
    The Nimda worm hit so quickly--peaking within 6 hours--and caused so
    much havoc that accurate analysis of the worm has been delayed.
    
    For example, earlier this week, antivirus software company Symantec
    originally classified removal of the Nimda worm as "easy," but 24
    hours later it changed that evaluation.
    
    The latest information shows that the Nimda worm's extensive
    replacement of key files and programs on infected PCs and its use of
    Windows file sharing to spread across local area networks have made it
    difficult to clean out.
    
    Nimda--which is "admin," the shortened form of "system administrator,"
    spelled backwards--started spreading early Tuesday morning and quickly
    infected PCs and servers across the Internet. Also known as
    "readme.exe" and "W32.Nimda," the worm is the first to use four
    different methods to infect not only PCs running Windows 95, 98, Me
    and 2000, but also servers running Windows 2000 and Windows NT.
    
    The worm spreads by four different routes. Microsoft has posted an
    extensive list of patches and advisories to combat the worm.
    
    The worm originally spread quickly by broadly scanning local networks
    and the Internet for Web servers running Microsoft's Internet
    Information Server software that were vulnerable to one of two
    well-known flaws.
    
    First, if the server had already been compromised by the Code Red II
    worm, then Nimda used that backdoor to copy itself to the server as a
    file named "admin.dll." For all other IIS servers, the program
    attempted to use the "Web server folder traversal" vulnerability
    discovered in October 2000 to copy the file "admin.dll" to the server.
    
    Once the file is copied to the computer, the worm executes it and
    infects the new victim. On such servers, the worm creates a "guest"
    account with administrative privileges, copies itself to any network
    drives, makes the C: drive publicly accessible, and appends a script
    to HTM, HTML and ASP files.
    
    The files will attempt to upload a copy of the worm to the computer of
    anyone who views a Web page hosted by the infected computer using a
    browser with JavaScript enabled. The worm also deletes the keys in the
    registry that set the security preferences for the computer and also
    causes itself to be run at start-up.
    
    The ability to infect others through viewing a Web page is the Nimda
    worm's second path of infection.
    
    The snippet of JavaScript added to each Web file on an infected server
    will cause the worm, renamed "readme.eml," to upload from the server
    to the surfer's computer. The worm will run automatically on PCs using
    unpatched versions of Microsoft's Internet Explorer 5.5 SP1 or
    earlier. On any browser with JavaScript enabled, the worm's script
    will cause the browser to try to upload the code but will first ask
    the PC user's permission.
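    The indicator described above lends itself to a server-side sweep. The following is an added example, not code from the article or from any of the vendors it names: it walks a web root and reports HTM, HTML and ASP files that carry a script block referencing readme.eml. The stub's exact text, the regular expression and the sample files are constructed assumptions.

```python
"""Sweep a web root for the JavaScript stub the article says Nimda appended to
HTM/HTML/ASP files. Added defensive example, not from the article; the stub's
exact text is assumed, and the sample files are constructed."""
import os
import re
import tempfile

WEB_EXTENSIONS = {".htm", ".html", ".asp"}

# A <script ...>...</script> block naming readme.eml anywhere inside it.
# IGNORECASE because the stub's casing is assumed; DOTALL because it may span lines.
STUB_RE = re.compile(
    r"<script\b[^>]*>(?:(?!</script>).)*readme\.eml(?:(?!</script>).)*</script>",
    re.IGNORECASE | re.DOTALL,
)

def file_is_tainted(path):
    """True if the file holds a script block that references readme.eml."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # byte-preserving, never raises
    return STUB_RE.search(text) is not None

def sweep_web_root(root):
    """Walk root; return sorted, slash-separated relative paths of tainted web files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                full = os.path.join(dirpath, name)
                if file_is_tainted(full):
                    hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

def build_sample_root():
    """Create a constructed web root: clean pages plus two carrying the stub."""
    root = tempfile.mkdtemp(prefix="nimda-sweep-")
    os.makedirs(os.path.join(root, "sub"))
    clean = "<html><body>Hello</body></html>"
    # Constructed stand-in for the appended stub; its shape is an assumption.
    stub = '<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no")</script></html>'
    samples = {
        "index.html": clean,
        "about.htm": clean + stub,
        "sub/default.asp": "<% Response.Write 1 %>" + stub,
        "readme.eml": "payload stand-in",  # not a web file, so not scanned
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root
```

    Running sweep_web_root over the constructed root returns the two appended pages and ignores the clean page and the dropped readme.eml itself.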
    
    PCs can also be infected through the worm's third mode of
    transmission: e-mail.
    
    On infected computers, the Nimda worm runs its own mail service and
    sends e-mail to addresses in the Windows address book as well as to
    those culled from the machine's browser cache, which stores elements of
    recently viewed Web pages.
    
    The e-mail appears to have an attached WAV file, but in reality it
    uses an old MIME (multipurpose Internet mail extensions) vulnerability
    to automatically run the worm once the e-mail is viewed in the mail
    client's preview pane.
    
    Even on computers that are not vulnerable to the security flaw, the
    attachment causes the Outlook and Outlook Express e-mail programs to
    open a dialog box asking the user for permission to open the file.
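    The disguise described above, an executable presented as a WAV attachment, can be caught at a mail gateway by comparing each attachment's declared type with its actual content. This is an added example, not code from the article: the sample message, the inert payload stand-in and the magic-byte rules are constructed assumptions.

```python
"""Flag mail attachments whose declared MIME type disagrees with their content.
Added defensive example, not from the article: the article says Nimda's mail
"appears to have an attached WAV file" yet carries an executable. Compare the
declared Content-Type of each attachment with its magic bytes. The message
below is constructed and its payload is an inert stand-in, not the worm."""
import base64
from email import policy
from email.parser import BytesParser

AUDIO_TYPES = {"audio/x-wav", "audio/wav"}

def sniff(data):
    """Classify by magic bytes: 'pe' (MZ header), 'wav' (RIFF....WAVE) or 'unknown'."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"RIFF" and data[8:12] == b"WAVE":
        return "wav"
    return "unknown"

def suspicious_attachments(raw):
    """Return (filename, declared_type, sniffed_type) for every leaf part that
    claims to be audio but starts with an executable header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff(payload)
        if declared in AUDIO_TYPES and sniffed == "pe":
            findings.append((part.get_filename(), declared, sniffed))
    return findings

# Constructed sample: the "attachment" is only an MZ signature plus zero padding.
FAKE_EXE = b"MZ" + b"\x00" * 62
SAMPLE_MAIL = (
    b"From: sender@example.invalid\r\n"
    b"To: user@example.invalid\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    b"--b1\r\nContent-Type: audio/x-wav; name=readme.exe\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="readme.exe"\r\n\r\n'
    + base64.b64encode(FAKE_EXE) + b"\r\n--b1--\r\n"
)
```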
    
    If the worm infects a PC through either the Web browser or e-mail,
    Nimda acts much like it does on servers. In addition, the worm adds a
    "load.exe" file to the Windows System directory, appends itself to
    many .exe, .eml and Word document files, and replaces common
    applications such as WordPad, WinZip32 and HyperTerminal with a copy
    that executes the worm.
    
    In addition, the worm places copies of "Riched20.dll"--the program
    that is the workhorse text editor for Word, WordPad and other editing
    programs--in multiple places on every accessible hard drive. Whenever
    a program that uses Riched20.dll opens, that also executes the worm.
    
    This ability to spread copies of itself throughout corporate networks
    by using shared drives is the fourth way the worm infects.
    
    Using the network-sharing mechanism, the Nimda worm spreads fast and
    makes extermination very difficult, said Vincent Gullotto, director of
    security software maker Network Associates' antivirus emergency
    response team.
    
    "While you are cleaning one area of the network, it is coming back
    behind you and reinfecting the computers," he said.
    
    Network Associates, Symantec and other security companies have tools
    to help system administrators clean their systems.
    
    Yet even if companies do completely eradicate the worm from their
    networks, Nimda will be out there for a long time, said Jensenne
    Roculan, incident analyst for SecurityFocus.com's ARIS Incident
    Analysis Team. Roculan pointed out that Code Red and its variant still
    account for some 30,000 infections worldwide.
    
    "Code Red is still going strong because of the number of unpatched
    systems on the Web," she said. "If that is any indication, Nimda
    should be around for a while."
    
    Analyses of the Nimda worm can be found at CERT, SecurityFocus.com,
    Neohapsis and most antivirus companies' Web sites.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 05:43:39 PDT