[ISN] Aging Worms Still Crawl, Threaten Net

From: InfoSec News (isnat_private)
Date: Tue May 07 2002 - 01:51:46 PDT

    http://www.pcworld.com/news/article/0,aid,98504,00.asp
    
    Sam Costello, IDG News Service
    Monday, May 06, 2002
    
    The Nimda and Code Red worms, which emerged along with dire warnings
    that they could bring down large sections of the Internet (but
    didn't), may have a second chance. New data in a study by Arbor
    Networks shows that both worms are alive and well, and still infecting
    new victims daily.
    
    Though the data from Arbor's study is still preliminary, it shows a
    wide range of Code Red, Code Red 2, and Nimda infections, according to
    Dug Song, security architect at Arbor. The company has been monitoring
    a large section of the Internet since September and in that time has
    seen machines associated with about 5 million unique IP addresses
    become infected with one of the three worms, he said.
    
    Infections Increase
    
    Though Nimda infections are fairly level, the rate of Code Red 2
    infections is up in the last month, he said.
    
    "There appears to be an ever-growing pool of Code Red 2-infected hosts
    [every month]," he said.
    
    Why Code Red 2 continues to spread is still a mystery to Arbor, Song
    said.
    
    "We don't know what's accounting for this," he said. "It's
    counterintuitive," since infected systems should be getting patched
    and removed from the Web, he said.
    
    Arbor's study isn't the only data that points to a continued presence
    for the worms. The worms still hold places in the top 20 viruses
    detected worldwide in April by Kaspersky Labs, and antivirus vendor
    Trend Micro has had more than 1500 reports of Nimda activity worldwide
    in the last 24 hours, according to a virus map on its Web site.
    
    Nimda and Code Red both attack security vulnerabilities in Microsoft's
    IIS Web server product, although patches to fix the flaws have been
    available for nearly a year. Despite the longstanding presence of the
    patches and the major push to fix vulnerable systems near the time of
    the original outbreaks, both worms have been constantly active since
    their release, said Oliver Friedricks, director of engineering at the
    consulting firm SecurityFocus.
    
    SecurityFocus is "still seeing a pretty consistent level of both
    worms," Friedricks said, though there has been a small increase in
    activity in the last few months. This is likely due to "people ...
    putting new systems on the Internet and not patching them" and those
    systems getting infected, he said.
    
    Preventable Problem
    
    The infection of unpatched machines that are new to the Internet is
    one of the main causes of the continued spread of the worms, said Russ
    Cooper, surgeon general of TruSecure and editor of the NTBugtraq
    security e-mail list. Despite the data from Arbor and SecurityFocus,
    Cooper said the number of systems infected by the worms seen by
    TruSecure has been down slightly.
    
    The continued spread of the worms and the conditions that allow it
    pose a serious problem, Cooper said.
    
    "We have a serious flaw in our infrastructure," he said.
    
    Machines that are, or once were, infected with Code Red or Nimda may
    have been compromised by attackers, he said.
    
    "There are probably a significant number of machines that have been
    compromised and nobody knows," Cooper said. Those machines could be
    used to launch massive denial-of-service attacks, though TruSecure has
    seen no indications that such attacks are imminent, he said.
    
    "It stands to reason that somebody may [launch such an attack]," he
    said.
    
    SecurityFocus' Friedricks agreed, saying "it is fairly trivial for
    someone to do that. It's not really rocket science."
    
    Arbor's Song underscored just how far from rocket science such an
    attack would be. Those attacks could be launched from a standard Web
    browser using Nimda-infected hosts, he said.
    
    "The bar is extremely low to launch a major, worldwide
    denial-of-service attack," he said. Song is still working to assess
    what sort of damage could be wrought from such an attack and expects
    to release more information from the study in a month or so.
    
    Ongoing Concern
    
    None of the three researchers has an easy solution to the problem,
    though. A government agency with the goal to discover, notify, and
    educate businesses about such infections could help, Friedricks said.
    There is currently no such agency, he said.
    
    For his part, Cooper urges some way to hold accountable any users or
    companies who are spreading worms and other malicious code. One
    possible way would be to make Internet service providers liable for
    their customers' spreading of malicious code, he said. He did concede,
    though, that such a step was not likely to occur.
    
    Neither is sure what will help change the situation. Even with 2001
    being such a notable year for computer security incidents, thinking
    and behavior around these issues has not changed enough, Cooper said.
    
    "Maybe it's going to take a massive online attack ... a concerted
    attack against government interests. It's hard to say what will cause
    a shift in the thinking," Cooper said.
    
    Until thinking changes, though, all three agree that Nimda and Code
    Red will persist, much as other viruses do.
    
    As long as there are vulnerable systems on the Internet, "they'll be
    out there for a while," Friedricks said.
    
    "It's very unlikely that we'll see any fix to this until the installed
    base of IIS servers is upgraded or patched," Arbor's Song said.
    
    "Code Red and Nimda are going to be a permanent part of the Internet
    landscape for some time to come," he said.
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    
    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 04:54:56 PDT