New and unpatched servers give life support to worms

Security experts claim that new Web servers lacking basic security patches are helping worms such as Nimda and Code Red to thrive.

Both worms were initially heralded as threats that could bring down large sections of the Internet. When this did not happen, the security spotlight quickly moved elsewhere.

However, both worms are alive and well and infecting new victims daily.

Arbor Networks has been monitoring a large section of the Internet since September. In that time it has seen machines associated with about five million unique IP addresses become infected with one of the three worms (Nimda, Code Red and Code Red 2), according to Dug Song, security architect at the company.

Although Nimda infections are fairly level, the rate of Code Red 2 infections has risen in the past month, he said.

"There appears to be an ever-growing pool of Code Red 2-infected hosts [every month]," he said. Why Code Red 2 is continuing to spread is still a mystery, Song said.

"It's counterintuitive" since infected systems should be getting patched and removed from the Web, he added.

Arbor's study is not the only data set that points to a continued presence for the worms. Both worms were among the top 20 viruses detected worldwide in April by antivirus supplier Kaspersky Labs, while its rival, Trend Micro, logged more than 1,500 reports of Nimda activity worldwide in a 24-hour period this week.

Nimda and Code Red both attack security vulnerabilities in Microsoft's Internet Information Services (IIS) Web server product, even though patches to fix the flaws have been available for nearly a year.
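Because both worms spread by scanning for and sending their exploit requests to IIS servers, the cheapest way to see whether a freshly deployed server is being hit is to read its own W3C-format access log. The script below is an added example written for this page, not code from the article or from any of the companies quoted in it. The request patterns it matches (a `GET /default.ida` with a long run of `N` or `X` characters for Code Red and Code Red 2, and requests for `root.exe` or a directory-traversal path to `cmd.exe` for Nimda) are the publicly documented signatures of those worms, not something the article states; the `root.exe` check also relies on the documented fact that Code Red 2 leaves a copy of the command shell under that name in the `/scripts` and `/MSADC` directories, which Nimda then probes for. The log lines and IP addresses are constructed for the example. It reports, per worm, the unique source addresses seen (the same kind of count Arbor quotes) and separately flags any `root.exe` request the server answered with a 200, since that indicates the server itself already carries the backdoor rather than merely being scanned.

```python
import re
from collections import defaultdict

# Constructed IIS 5.0 W3C extended log excerpt (not from the article).
# Field order follows the #Fields directive; "-" means an empty query.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-09 10:01:02 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200
2002-05-09 10:01:05 192.0.2.10 GET /scripts/root.exe /c+dir 404
2002-05-09 10:01:06 198.51.100.7 GET /MSADC/root.exe /c+dir 200
2002-05-09 10:01:07 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2002-05-09 10:02:00 203.0.113.5 GET /index.html - 200
2002-05-09 10:02:30 203.0.113.9 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 200
"""

# Documented worm request signatures (assumption: taken from public
# incident reports on Code Red, Code Red 2 and Nimda, not from the article).
IDA_STEM = re.compile(r"^/default\.ida$", re.IGNORECASE)
NIMDA_STEM = re.compile(r"(root\.exe|cmd\.exe)$", re.IGNORECASE)
LONG_FILL = re.compile(r"^([NX])\1{15,}")  # 16+ repeated N or X at start of query


def iter_records(log_text):
    """Yield (ip, method, stem, query, status) for each data line, skipping directives."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7:
            continue  # not a record in the expected 7-field layout
        _date, _time, ip, method, stem, query, status = parts
        yield ip, method, stem, query, status


def classify_request(stem, query):
    """Return the worm a request looks like, or None for ordinary traffic."""
    if IDA_STEM.match(stem):
        fill = LONG_FILL.match(query)
        if fill and fill.group(1) == "N":
            return "code-red"      # original Code Red fills the .ida query with N
        if fill and fill.group(1) == "X":
            return "code-red-2"    # Code Red 2 fills it with X
        return "ida-probe"         # .ida request without the known fill pattern
    if NIMDA_STEM.search(stem):
        return "nimda"             # root.exe / cmd.exe traversal probes
    return None


def scan_for_worm_probes(log_text):
    """Map each worm name to the sorted list of unique source IPs that sent its probes."""
    sources = defaultdict(set)
    for ip, _method, stem, query, _status in iter_records(log_text):
        worm = classify_request(stem, query)
        if worm:
            sources[worm].add(ip)
    return {worm: sorted(ips) for worm, ips in sources.items()}


def backdoor_served(log_text):
    """root.exe requests that IIS answered 200: the server itself is backdoored."""
    served = []
    for ip, _method, stem, _query, status in iter_records(log_text):
        if "root.exe" in stem.lower() and status == "200":
            served.append((ip, stem))
    return served


if __name__ == "__main__":
    for worm, ips in sorted(scan_for_worm_probes(SAMPLE_LOG).items()):
        print(f"{worm}: {len(ips)} unique source(s): {', '.join(ips)}")
    for ip, stem in backdoor_served(SAMPLE_LOG):
        print(f"WARNING: {stem} served with 200 to {ip}; this host is compromised")
```

Unique-source counts from a single server are a noisy proxy for the population of infected hosts, but a steady stream of new addresses probing `/default.ida` months after the patch was released is exactly the symptom the article describes. A 200 on `root.exe` is the more urgent finding: the machine should be treated as compromised and rebuilt, not merely patched.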

Despite the long-standing presence of the patches and the major push to fix vulnerable systems near the time of the original outbreaks, both worms have been constantly active since their release, said Oliver Friedricks, director of engineering at SecurityFocus.

The worms' continued presence was possibly because of "people... putting new systems on the Internet and not patching them", with those systems then getting infected, Friedricks said.

Russ Cooper of TruSecure, and editor of the NTBugtraq security e-mail list, agreed. The infection of unpatched machines that are new to the Internet is one of the main causes of the continued spread of the worms, he said.

The continued spread of the worms, and the conditions that allow it, pose a serious problem, Cooper said. "We have a serious flaw in our infrastructure."

Machines that are, or were once, infected with Code Red or Nimda may have been compromised by attackers, he added.

"There are probably a significant number of machines that have been compromised and nobody knows," Cooper said. Those machines could be used to launch massive denial of service attacks, although TruSecure has seen no indications that such attacks are imminent, he added.
