Cert struggles to make sense of Nimda attack



Cliff Saran
CERT, the US government-backed institute that monitors Net security, is advising system administrators to take drastic measures to avoid spreading the rampant Nimda worm.

"The only safe way to recover from the system compromise is to format the system drive[s] and reinstall the system software from trusted media [such as vendor-supplied CD-ROM]," according to the latest Cert advisory posted on 20 September.

Sophos has created a utility called SWNIMDA for cleaning up the damage to servers caused by the virus.

But according to Sophos, Windows NT administrators cannot run the software to clean up infected servers without first buying software called NTFSDOS Pro v3.03 from Winternals.

Richard Brain, technical director at anti-hacking specialist ProCheckUp, said: "The situation is really bad. I would say Sophos and Cert do not yet understand how the worm really works. Rebooting the server to DOS is fairly extreme."

This is a particularly complex worm, said Brain, who thought better options would become available in coming days as more users and experts examine the worm.

ProCheckUp has introduced a free tool - WormAlert - designed to limit the impact of Nimda and future Internet worms. "Part of the problem with Internet worms is that system administrators are often unaware their servers are infected," said Brain.

WormAlert allows users to check which worms have been attacking their servers. It does this by analysing their Web, FTP (file transfer) and e-mail log files, checking for log information associated with the Nimda attack. "The log will identify the server that sent the attack and then forward an e-mail to the server's system administrators to alert them that their server is sending out the worm," said Brain.

The free tool can be downloaded from www.wormalert.org
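The kind of web-log check described above can be sketched as follows. This is an added example, not WormAlert's own code: the two path markers are assumptions drawn from the publicly documented Nimda probes against IIS, the function names are hypothetical, and the log lines are constructed.

```python
import re
from collections import defaultdict

# NCSA Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Assumed markers: request-path fragments seen in Nimda's IIS probes (the root.exe
# backdoor left by earlier worms, and cmd.exe reached through directory traversal).
NIMDA_MARKERS = ("/root.exe", "/winnt/system32/cmd.exe")

# Constructed sample log lines (documentation addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:09:14:01 +0100] "GET /index.html HTTP/1.0" 200 5120
198.51.100.7 - - [20/Sep/2001:09:14:03 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [20/Sep/2001:09:14:03 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288
198.51.100.7 - - [20/Sep/2001:09:14:04 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310
203.0.113.44 - - [20/Sep/2001:09:20:45 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
192.0.2.10 - - [20/Sep/2001:09:21:10 +0100] "GET /downloads/cmd.exe.txt HTTP/1.0" 200 812
this line is malformed and must be skipped
"""

def find_nimda_sources(log_text):
    """Return {source_ip: {"hits", "first_seen", "served"}} for probing hosts."""
    sources = defaultdict(lambda: {"hits": 0, "first_seen": None, "served": 0})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # ignore lines that are not valid CLF records
        host, when, _method, path, status = m.groups()
        if not any(marker in path.lower() for marker in NIMDA_MARKERS):
            continue
        rec = sources[host]
        rec["hits"] += 1
        rec["first_seen"] = rec["first_seen"] or when
        # A 2xx answer means this server served the probe and needs checking itself.
        rec["served"] += status.startswith("2")
    return dict(sources)

def alert_lines(sources):
    """One notification line per source, most active first."""
    ranked = sorted(sources.items(), key=lambda kv: -kv[1]["hits"])
    return [f"{ip}: {r['hits']} Nimda-style requests since {r['first_seen']}"
            for ip, r in ranked]

if __name__ == "__main__":
    print("\n".join(alert_lines(find_nimda_sources(SAMPLE_LOG))))
```

A non-zero `served` count means the local server answered a probe successfully and should itself be treated as suspect, not only the remote sender.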
