Security: Nimda raises the security stakes

posted onSeptember 27, 2001
by hitbsecnews

A new worm shows added layers of sophistication, and should be a warning to us all.

In a world where viruses are gaining in functionality, it is becoming increasingly important to reduce the opportunities for infection to occur. Recent attacks from Code Red worms, followed by last week's appearance of the Nimda virus, underline the need for constant vigilance and, specifically, the crucial requirement to keep up with security patch deployment.

David Perry, global director for education at anti-virus specialist Trend Micro, believes the Nimda virus could have caused major problems had it been given a seriously malicious payload.

Perry believes that one of the reasons why we are seeing so many viruses that have more nuisance value than posing a real threat to data stems from the psychological profiles of the virus writers.

"A lot of viruses are being written by hapless kids who are more interested in gaining international notoriety than in causing real damage. Basically, it is innocent teenage behaviour stemming from the fact that they see celebrity and notoriety being rewarded similarly," he said.

This sheds new light on how viruses should be treated. If worldwide publicity is the aim of the culprits, the price of this notoriety - or fame as the virus writer sees it - has to be seen to be so high as to reduce its attraction.

That means the threat of serious punishment. But, while mechanisms for tracking down the sources of virus attacks is becoming more effective, time after time the arrests that follow end in the legal equivalent of a slapped wrist.

John de Wit, the perpetrator of the Anna Kournikova virus, looks as though he will be given a community service sentence, despite the fact that his attack affected thousands, or even millions, of users. The problem was that the FBI could only find 55 companies that would publicly admit to being victims of the attack and this lack of evidence reduces the severity of the case.

The mixture of the writer's desire for fame and the macho attitude of the victims who feel their business credibility is under threat if they step into the limelight means that the balance between publicity and punishment is tipped in favour of the virus writers.

De Wit has admitted his guilt but, more worrying, has insisted that he is incapable of writing code. He is one of a growing number of "script kiddies" who download toolkits from the Internet and build their own viruses with a minimum of technical knowledge.

If attitudes to the victims of an attack are to change so that more people will come forward when a case goes to court, then the effects of the viruses need to become so obvious that their presence within a company cannot be concealed. A virus will appear one day that will bring companies to their knees and Nimda shows that this day might not be so far away.

Nimda is a combi virus which uses two basic infection methods but applies these through four channels of attack. One channel shows a determination to spread the infection that is far more dangerous than the recent Code Red attacks. Where Code Red took advantage of a single known vulnerability in Microsoft's Internet Information Server (IIS), Nimda tests for one of about 16 vulnerabilities.

Perry said, "I have not seen a virus with so much attached. We are looking at 'Virus - The Operating System'. It underlines a need to keep up with all the latest patches on the server and to ensure that client systems are similarly protected. Companies should use the latest-version releases and ensure that users install all the browser security upgrades as soon as they are made available."

It is increasingly advisable to employ attachment-stripping software to remove compressed files, Visual Basic programs and other executables from e-mails. The loophole that remains is that, ironically, encryption is used to protect the integrity of data, when that data could in fact be a virus or the carrier of a virus.

When the data is decrypted, it is often inside the firewall and may already have passed the band of virus protection software.

This is extremely dangerous with a virus such as Nimda, which can infect and attack in many ways. The best method of cure is prevention and this comes back to loading patches as they become available.

By registering with Microsoft Technet on the Web, a bulletin can be requested which will give full details of newly discovered vulnerabilities as soon as a patch is available. Hackers also watch for these bulletins as information sources for their next exploit, so rapid patch application is always recommended.

Prevention also means educating all users not to click on attachments they are not expecting. Relying on user participation is dangerous because curiosity sometimes spoils the plan.

"Some users will click on a suspect attachment just to see what happens," said Perry. "They expect to see something like the fantastic displays shown in the movies, but Nimda is a 'nothing to see' virus.

"After clicking on it, they think nothing more about it - but the damage has already been done."

Fact file: the Nimda worm
Systems affected
Microsoft IIS 4.0 and 5.0, Microsoft Outlook with Microsoft Internet Explorer (especially version 5.x).

Primary source of infection
A vulnerability in Windows Internet connection security under Internet Explorer 5.x.

Lifecycle
The default settings for Internet security allow executable (.exe) files to be launched automatically when an HTML-based e-mail is opened or by retrieving a Web page while browsing. The Nimda worm is contained in an attachment called README.exe, attached to an e-mail or Web page, which is automatically launched in this way. Alternatively, the user clicks on the attachment and launches the attack.

Nimda then tries to spread in four ways:
1. It infects .exe files on the local disc of the host so when these files are sent to other users and executed their PC is infected. The RICHED20.DLL file is changed. This is launched by Wordpad and Word to open .doc document files, so cleansed ,exe files will be reinfected when the word processor is launched
2. It mails itself as the README.exe attachment to contacts in the Address Book of the host system and to addresses found in stored Web pages, including the temporary Web cache area of the host's disc
3. It scans the network to find an IIS server. It then tries 16 known vulnerabilities to infect the server. Success leads to random modification of some pages so that visitors to the site are automatically infected
4. It scans the local network, either from the server or from a client, to find file shares and drop in the infected RICHED20.DLL file, if possible. When any user accesses the shared document files, they launch the virus.

Removal
Most anti-virus developers have standalone detection and disinfection programs on their sites. These will also be included in the latest releases of their data files for their proprietary anti-virus software.

http://www.cw360.com.

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts
Apple refused to pay bug bounty to Russian cybersecurity firm Kaspersky Lab
Ex-Microsoft security expert torches Windows' new 'Recall' feature
The Age of the Drone Police Is Here

Wednesday, June 5th

Ukrainian Systems Hit by Cobalt Strike Via a Malicious Excel File
TikTok Hack Targets ‘High-Profile’ Users via DMs