Information Security News mailing list archives

Aging Worms Still Crawl, Threaten Net


From: InfoSec News <isn () c4i org>
Date: Tue, 7 May 2002 03:51:46 -0500 (CDT)

http://www.pcworld.com/news/article/0,aid,98504,00.asp

Sam Costello, IDG News Service
Monday, May 06, 2002

The Nimda and Code Red worms, which emerged along with dire warnings
that they could bring down large sections of the Internet (but
didn't), may have a second chance. New data in a study by Arbor
Networks shows that both worms are alive and well, and still infecting
new victims daily.

Though the data from Arbor's study is still preliminary, it shows a
wide range of Code Red, Code Red 2, and Nimda infections, according to
Dug Song, security architect at Arbor. The company has been monitoring
a large section of the Internet since September and in that time has
seen machines associated with about 5 million unique IP addresses
become infected with one of the three worms, he said.

Infections Increase

Though Nimda infections are fairly level, the rate of Code Red 2
infections is up in the last month, he said.

"There appears to be an ever-growing pool of Code Red 2-infected hosts
[every month]," he said.

Why Code Red 2 continues to spread is still a mystery to Arbor, Song
said.

"We don't know what's accounting for this," he said. "It's
counterintuitive," since infected systems should be getting patched
and removed from the Web, he said.

Arbor's study isn't the only data that points to a continued presence
for the worms. The worms still hold places in the top 20 viruses
detected worldwide in April by Kaspersky Labs, and antivirus vendor
Trend Micro has had more than 1500 reports of Nimda activity worldwide
in the last 24 hours, according to a virus map on its Web site.

Nimda and Code Red both exploit known security vulnerabilities in
Microsoft's IIS Web server (Nimda also spreads by e-mail, open file
shares, and Web browsers), although patches for the flaws have been
available for nearly a year. Despite the longstanding availability of
those patches and the major push to fix vulnerable systems at the time
of the original outbreaks, both worms have been continuously active
since their release, said Oliver Friedricks, director of engineering at
the consulting firm SecurityFocus.
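The practical check behind the "still infecting new victims" numbers above is whether the worms' probes show up in your own Web-server logs. The following is an added example, not code from the article or from Arbor, SecurityFocus or TruSecure: it classifies Common Log Format lines using the well-documented request signatures (Code Red's long `/default.ida?NNNN...`/`XXXX...` overflow GET, and Nimda's probes for the `root.exe` copy of `cmd.exe` that Code Red II leaves in `/scripts` and `/MSADC`, plus its double-encoded and overlong-UTF-8 directory-traversal requests for `winnt/system32/cmd.exe`). The log lines are constructed from documentation IP ranges; the function and label names are this example's own.

```python
"""Flag Code Red and Nimda probe requests in web-server access logs.

Added example (not from the article or from Arbor/SecurityFocus/TruSecure).
The request signatures are the well-documented ones: Code Red's .ida
buffer-overflow GET and Nimda's root.exe / cmd.exe probe set.
"""
import re
from urllib.parse import unquote

# IIS decoded these overlong / malformed UTF-8 sequences as path separators,
# which is what Nimda's traversal probes rely on. Map them before decoding.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%9c": "\\", "%c1%1c": "\\"}

# Common Log Format: client, ident, user, [time], "METHOD target HTTP/x"
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)')

# Code Red I/II: GET /default.ida?NNNN... or XXXX... followed by %u escapes.
CODE_RED = re.compile(r"^/default\.ida\?([nx])\1{19,}")
# root.exe in /scripts or /msadc is the cmd.exe copy Code Red II leaves behind
# (Nimda probes it too); cmd.exe under winnt/system32 after decoding means a
# traversal probe or a probe of the /c and /d drive mappings Code Red II adds.
ROOT_EXE = re.compile(r"^/(scripts|msadc)/root\.exe$")


def normalize(target: str, max_rounds: int = 3) -> str:
    """Lower-case, undo overlong UTF-8, percent-decode repeatedly, unify slashes."""
    t = target.lower()
    for enc, sep in OVERLONG.items():
        t = t.replace(enc, sep)
    for _ in range(max_rounds):  # %255c -> %5c -> \  (double encoding)
        decoded = unquote(t)
        if decoded == t:
            break
        t = decoded
    return t.replace("\\", "/")


def classify(target: str):
    """Return a probe label, or None for a request matching no signature."""
    t = normalize(target)
    if CODE_RED.match(t):
        return "code-red"
    path = t.split("?", 1)[0]
    if ROOT_EXE.match(path):
        return "nimda-root-exe"
    if "winnt/system32/cmd.exe" in path:
        return "nimda-cmd-exe"
    return None


def scan_log(text: str):
    """Return (client_ip, label, raw_target) for every line matching a worm probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label:
            hits.append((m["ip"], label, m["target"]))
    return hits


def unique_sources(hits):
    """Distinct probing clients; unique source IPs is the measure Arbor reports."""
    return {ip for ip, _, _ in hits}


# Constructed sample log (documentation IP ranges, not captured traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [06/May/2002:10:01:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 0
192.0.2.11 - - [06/May/2002:10:01:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 0
192.0.2.12 - - [06/May/2002:10:02:15 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
192.0.2.12 - - [06/May/2002:10:02:16 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 0
192.0.2.12 - - [06/May/2002:10:02:17 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.12 - - [06/May/2002:10:02:18 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.12 - - [06/May/2002:10:02:19 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
192.0.2.12 - - [06/May/2002:10:02:20 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
198.51.100.5 - - [06/May/2002:10:03:00 -0500] "GET /index.html HTTP/1.0" 200 1234
198.51.100.6 - - [06/May/2002:10:03:01 -0500] "GET /scripts/report.asp?id=7 HTTP/1.0" 200 512
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, label, target in found:
        print(f"{ip:14} {label:16} {target[:60]}")
    print(f"{len(found)} probe requests from {len(unique_sources(found))} sources")
```

The decoding step matters more than the signature list: a naive substring match on `cmd.exe` misses `%255c`, `%%35c` and `%c0%af` variants, which is exactly the gap the traversal probes were written to slip through. On a non-IIS server these requests are harmless 404s, but each distinct source IP is an infected machine someone else still has not patched.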

SecurityFocus is "still seeing a pretty consistent level of both
worms," Friedricks said, though there has been a small increase in
activity in the last few months. This is likely due to "people ...
putting new systems on the Internet and not patching them" and those
systems getting infected, he said.

Preventable Problem

The infection of unpatched machines that are new to the Internet is
one of the main causes of the continued spread of the worms, said Russ
Cooper, surgeon general of TruSecure and editor of the NTBugtraq
security e-mail list. Despite the data from Arbor and SecurityFocus,
Cooper said the number of systems infected by the worms seen by
TruSecure has been down slightly.

The continued spread of the worms and the conditions that allow it
pose a serious problem, Cooper said.

"We have a serious flaw in our infrastructure," he said.

Machines that are, or once were, infected with Code Red or Nimda may
have been compromised by attackers, he said.

"There are probably a significant number of machines that have been
compromised and nobody knows," Cooper said. Those machines could be
used to launch massive denial-of-service attacks, though TruSecure has
seen no indications that such attacks are imminent, he said.

"It stands to reason that somebody may [launch such an attack]," he
said.

SecurityFocus' Friedricks agreed, saying "it is fairly trivial for
someone to do that. It's not really rocket science."

Arbor's Song underscored just how far from rocket science such an
attack would be. Those attacks could be launched from a standard Web
browser using Nimda-infected hosts, he said. A host that Nimda could
reach over HTTP is one on which cmd.exe answers to a crafted URL, so
an ordinary browser request is enough to run commands on it.

"The bar is extremely low to launch a major, worldwide
denial-of-service attack," he said. Song is still working to assess
what sort of damage could be wrought from such an attack and expects
to release more information from the study in a month or so.

Ongoing Concern

None of the three researchers has an easy solution to the problem,
though. A government agency with the goal to discover, notify, and
educate businesses about such infections could help, Friedricks said.
There is currently no such agency, he said.

For his part, Cooper urges some way to hold accountable any users or
companies who are spreading worms and other malicious code. One
possible way would be to make Internet service providers liable for
their customers' spreading of malicious code, he said. He did concede,
though, that such a step was not likely to occur.

Neither is sure what will help change the situation. Even with 2001
being such a notable year for computer security incidents, thinking
and behavior around these issues has not changed enough, Cooper said.

"Maybe it's going to take a massive online attack ... a concerted
attack against government interests. It's hard to say what will cause
a shift in the thinking," Cooper said.

Until thinking changes, though, all three agree that Nimda and Code
Red will persist, much as other viruses do.

As long as there are vulnerable systems on the Internet, "they'll be
out there for a while," Friedricks said.

"It's very unlikely that we'll see any fix to this until the installed
base of IIS servers is upgraded or patched," Arbor's Song said.

"Code Red and Nimda are going to be a permanent part of the Internet
landscape for some time to come," he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.