Security: Nimda raises the security stakes

A new worm shows added layers of sophistication, and should be a warning to us all.

In a world where viruses are gaining in functionality, it is becoming increasingly important to reduce the opportunities for infection to occur. Recent attacks from Code Red worms, followed by last week's appearance of the Nimda virus, underline the need for constant vigilance and, specifically, the crucial requirement to keep up with security patch deployment.

David Perry, global director for education at anti-virus specialist Trend Micro, believes the Nimda virus could have caused major problems had it been given a seriously malicious payload.

Perry believes that one of the reasons why we are seeing so many viruses that have more nuisance value than posing a real threat to data stems from the psychological profiles of the virus writers.

"A lot of viruses are being written by hapless kids who are more interested in gaining international notoriety than in causing real damage. Basically, it is innocent teenage behaviour stemming from the fact that they see celebrity and notoriety being rewarded similarly," he said.

This sheds new light on how viruses should be treated. If worldwide publicity is the aim of the culprits, the price of this notoriety - or fame as the virus writer sees it - has to be seen to be so high as to reduce its attraction.

That means the threat of serious punishment. But, while mechanisms for tracking down the sources of virus attacks are becoming more effective, time after time the arrests that follow end in the legal equivalent of a slapped wrist.

John de Wit, the perpetrator of the Anna Kournikova virus, looks as though he will be given a community service sentence, despite the fact that his attack affected thousands, or even millions, of users. The problem was that the FBI could only find 55 companies that would publicly admit to being victims of the attack and this lack of evidence reduces the severity of the case.

The mixture of the writer's desire for fame and the macho attitude of the victims who feel their business credibility is under threat if they step into the limelight means that the balance between publicity and punishment is tipped in favour of the virus writers.

De Wit has admitted his guilt but, more worrying, has insisted that he is incapable of writing code. He is one of a growing number of "script kiddies" who download toolkits from the Internet and build their own viruses with a minimum of technical knowledge.

If attitudes to the victims of an attack are to change so that more people will come forward when a case goes to court, then the effects of the viruses need to become so obvious that their presence within a company cannot be concealed. A virus will appear one day that will bring companies to their knees and Nimda shows that this day might not be so far away.

Nimda is a combi virus which uses two basic infection methods but applies these through four channels of attack. One channel shows a determination to spread the infection that is far more dangerous than the recent Code Red attacks. Where Code Red took advantage of a single known vulnerability in Microsoft's Internet Information Server (IIS), Nimda tests for one of about 16 vulnerabilities.

Perry said, "I have not seen a virus with so much attached. We are looking at 'Virus - The Operating System'. It underlines a need to keep up with all the latest patches on the server and to ensure that client systems are similarly protected. Companies should use the latest-version releases and ensure that users install all the browser security upgrades as soon as they are made available."

It is increasingly advisable to employ attachment-stripping software to remove compressed files, Visual Basic programs and other executables from e-mails. The loophole that remains is that, ironically, encryption is used to protect the integrity of data, when that data could in fact be a virus or the carrier of a virus.

When the data is decrypted, it is often inside the firewall and may already have passed the band of virus protection software.

This is extremely dangerous with a virus such as Nimda, which can infect and attack in many ways. The best method of cure is prevention and this comes back to loading patches as they become available.

By registering with Microsoft Technet on the Web, a bulletin can be requested which will give full details of newly discovered vulnerabilities as soon as a patch is available. Hackers also watch for these bulletins as information sources for their next exploit, so rapid patch application is always recommended.

Prevention also means educating all users not to click on attachments they are not expecting. Relying on user participation is dangerous because curiosity sometimes spoils the plan.

"Some users will click on a suspect attachment just to see what happens," said Perry. "They expect to see something like the fantastic displays shown in the movies, but Nimda is a 'nothing to see' virus.

"After clicking on it, they think nothing more about it - but the damage has already been done."

Fact file: the Nimda worm
Systems affected
Microsoft IIS 4.0 and 5.0, Microsoft Outlook with Microsoft Internet Explorer (especially version 5.x).

Primary source of infection
A vulnerability in Windows Internet connection security under Internet Explorer 5.x.

The default settings for Internet security allow executable (.exe) files to be launched automatically when an HTML-based e-mail is opened or by retrieving a Web page while browsing. The Nimda worm is contained in an attachment called README.exe, attached to an e-mail or Web page, which is automatically launched in this way. Alternatively, the user clicks on the attachment and launches the attack.

Nimda then tries to spread in four ways:

  1. It infects .exe files on the local disc of the host, so when these files are sent to other users and executed their PC is infected. The RICHED20.DLL file is changed. This is launched by Wordpad and Word to open .doc document files, so cleansed .exe files will be reinfected when the word processor is launched.
  2. It mails itself as the README.exe attachment to contacts in the Address Book of the host system and to addresses found in stored Web pages, including the temporary Web cache area of the host's disc.
  3. It scans the network to find an IIS server. It then tries 16 known vulnerabilities to infect the server. Success leads to random modification of some pages so that visitors to the site are automatically infected.
  4. It scans the local network, either from the server or from a client, to find file shares and drop in the infected RICHED20.DLL file, if possible. When any user accesses the shared document files, they launch the virus.
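The attachment-stripping advice given earlier and the README.exe channel in the fact file, as an added gateway filter in Python (example code, not from the article or from Trend Micro): it walks a MIME message, drops attachments by file name so a mislabelled executable is still caught, and flags encrypted parts it cannot inspect as the "loophole" the article describes. The extension list, the sample message and the file names are constructed assumptions.

```python
import email
from email import policy

# Gateway strip list from the article's advice (executables, Visual Basic, archives); assumed.
STRIP_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".vbe", ".zip")
# Encrypted content a scanner cannot read: the article's "loophole" (decrypted inside the firewall).
OPAQUE_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime", "multipart/encrypted"}
# Constructed sample: README.exe (the name the fact file gives) declared as audio, plus a harmless PDF.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: audio/x-wav; name="README.exe"
Content-Disposition: attachment; filename="README.exe"

placeholder-bytes
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"

placeholder-bytes
--b1--
"""

def classify_part(part):
    """Return 'opaque', 'strip' or 'keep'; judged by file name, not the declared type."""
    if part.get_content_type() in OPAQUE_TYPES:
        return "opaque"
    name = (part.get_filename() or "").lower()
    return "strip" if name.endswith(STRIP_EXTENSIONS) else "keep"

def filter_message(raw):
    """Parse a raw message, drop dangerous attachments, return (message, report)."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"stripped": [], "opaque": []}
    for container in [m for m in msg.walk() if m.is_multipart()]:  # snapshot before editing
        if container.get_content_type() in OPAQUE_TYPES:
            continue  # never descend into an encrypted body; the parent records it as opaque
        kept = []
        for part in container.get_payload():
            verdict = classify_part(part)
            if verdict == "opaque":
                report["opaque"].append(part.get_content_type())
            if verdict == "strip":
                report["stripped"].append(part.get_filename())
            else:
                kept.append(part)
        container.set_payload(kept)
    return msg, report
```

Opaque parts are kept but reported, so the mail policy (quarantine, or require decryption at a scanning gateway) can be applied to them rather than silently letting them through.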

Most anti-virus developers have standalone detection and disinfection programs on their sites. These will also be included in the latest releases of their data files for their proprietary anti-virus software.