http://www.pcworld.com/news/article/0,aid,98504,00.asp

Sam Costello, IDG News Service
Monday, May 06, 2002

The Nimda and Code Red worms, which emerged along with dire warnings that they could bring down large sections of the Internet (but didn't), may have a second chance. New data in a study by Arbor Networks shows that both worms are alive and well, and still infecting new victims daily.

Though the data from Arbor's study is still preliminary, it shows a wide range of Code Red, Code Red 2, and Nimda infections, according to Dug Song, security architect at Arbor. The company has been monitoring a large section of the Internet since September and in that time has seen machines associated with about 5 million unique IP addresses become infected with one of the three worms, he said.

Infections Increase

Though Nimda infections are fairly level, the rate of Code Red 2 infections is up in the last month, he said. "There appears to be an ever-growing pool of Code Red 2-infected hosts [every month]," he said.

Why Code Red 2 continues to spread is still a mystery to Arbor, Song said. "We don't know what's accounting for this," he said. "It's counterintuitive," since infected systems should be getting patched and removed from the Web, he said.

Arbor's study isn't the only data that points to a continued presence for the worms. The worms still hold places in the top 20 viruses detected worldwide in April by Kaspersky Labs, and antivirus vendor Trend Micro has had more than 1500 reports of Nimda activity worldwide in the last 24 hours, according to a virus map on its Web site.

Nimda and Code Red both attack security vulnerabilities in Microsoft's IIS Web server product, although patches to fix the flaws have been available for nearly a year.

Despite the longstanding presence of the patches and the major push to fix vulnerable systems near the time of the original outbreaks, both worms have been constantly active since their release, said Oliver Friedrichs, director of engineering at the consulting firm SecurityFocus.

SecurityFocus is "still seeing a pretty consistent level of both worms," Friedrichs said, though there has been a small increase in activity in the last few months. This is likely due to "people ... putting new systems on the Internet and not patching them" and those systems getting infected, he said.

Preventable Problem

The infection of unpatched machines that are new to the Internet is one of the main causes of the continued spread of the worms, said Russ Cooper, surgeon general of TruSecure and editor of the NTBugtraq security e-mail list. Despite the data from Arbor and SecurityFocus, Cooper said the number of systems infected by the worms seen by TruSecure has been down slightly.

The continued spread of the worms and the conditions that allow it pose a serious problem, Cooper said. "We have a serious flaw in our infrastructure," he said. Machines that are, or once were, infected with Code Red or Nimda may have been compromised by attackers, he said. "There are probably a significant number of machines that have been compromised and nobody knows," Cooper said.

Those machines could be used to launch massive denial-of-service attacks, though TruSecure has seen no indications that such attacks are imminent, he said. "It stands to reason that somebody may [launch such an attack]," he said.

SecurityFocus' Friedrichs agreed, saying "it is fairly trivial for someone to do that. It's not really rocket science."

Arbor's Song underscored just how far from rocket science such an attack would be. Those attacks could be launched from a standard Web browser using Nimda-infected hosts, he said. "The bar is extremely low to launch a major, worldwide denial-of-service attack," he said.

Song is still working to assess what sort of damage could be wrought from such an attack and expects to release more information from the study in a month or so.

Ongoing Concern

None of the three researchers has an easy solution to the problem, though. A government agency with the goal to discover, notify, and educate businesses about such infections could help, Friedrichs said. There is currently no such agency, he said.

For his part, Cooper urges some way to hold accountable any users or companies who are spreading worms and other malicious code. One possible way would be to make Internet service providers liable for their customers' spreading of malicious code, he said. He did concede, though, that such a step was not likely to occur.

Neither is sure what will help change the situation. Even with 2001 being such a notable year for computer security incidents, thinking and behavior around these issues has not changed enough, Cooper said. "Maybe it's going to take a massive online attack ... a concerted attack against government interests. It's hard to say what will cause a shift in the thinking," Cooper said.

Until thinking changes, though, all three agree that Nimda and Code Red will persist, much as other viruses do. As long as there are vulnerable systems on the Internet, "they'll be out there for a while," Friedrichs said.

"It's very unlikely that we'll see any fix to this until the installed base of IIS servers is upgraded or patched," Arbor's Song said. "Code Red and Nimda are going to be a permanent part of the Internet landscape for some time to come," he said.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue May 07 2002 - 04:54:56 PDT