Vendors rush to release anti-Nimda tools

Network Associates Inc. and Trend Micro Inc. joined a growing number of vendors on Wednesday offering utilities designed to help protect businesses from the rapidly spreading Nimda worm.

Network Associates, based in Santa Clara, Calif., said its McAfee Avert anti-virus research lab has created a command-line scanner, NimdaScan, available for download, that detects the worm, cleans infected files, and deletes the worm's own files. The scanner also removes the open shares, guest-user access, and registry keys the worm creates. It can be run across an enterprise network to clean machines whose users do not know whether they have been infected.

Meanwhile, Trend Micro of Cupertino, Calif., announced on Wednesday a downloadable anti-Nimda utility that restores the integrity of system files, repairing damage the worm has already done to client machines. Trend Micro recommends that users first scan their systems for the worm with HouseCall, the company's free online virus scanner. Trend Micro has also released an updated pattern file that removes the worm; it can be downloaded from the company's Web site.

Other security companies have also responded. Symantec, the Cupertino, Calif.-based giant, announced the availability of an online utility that detects the worm and repairs system damage in one step. The company is also reportedly working on a separate tool to remove the worm from PC memory.

McAfee executives report NimdaScan is a standalone utility that uses technology borrowed from McAfee’s VirusScan product. Some of the new technologies built into NimdaScan might be incorporated in McAfee’s next scanning engine, due sometime in March, according to Vince Gullotto, senior director of McAfee’s Avert division. “NimdaScan is designed to clean up some of the things that customers are going to have to manually clean, like registry keys,” he said. “That saves them a lot of time and effort.”

McAfee’s ASaP online services division, which offers managed anti-virus solutions for small and midsized businesses, has also created an anti-Nimda update for its customers.

Meanwhile, Network Associates' Sniffer Technologies unit released a new filter for its Sniffer protocol analyzer, which monitors network traffic and reports statistics to network administrators. The filter matches the specific HTTP requests Nimda sends when it probes Web servers, so administrators can tune existing Sniffer deployments to flag Nimda traffic alone.

The main benefit is cost and time-savings, according to Jeff Fanelli, lead systems engineer at Sniffer.

“If you’re looking at a large network, you’re going to have thousands of devices talking to each other, and perhaps only a handful of them are infected,” he said.
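The Sniffer filter described above matches Nimda's HTTP probe requests on the wire; the same idea works against a Web server's access log after the fact. The following Python script is an added example, not code from this article or from Network Associates. It parses Common Log Format lines, decodes each request path the way a lenient IIS 4/5 server did (two percent-decoding passes to catch the %255c double-encoding trick, plus the overlong UTF-8 byte pairs that IIS decoded as path separators), and flags the probe strings documented in CERT Advisory CA-2001-26: root.exe, cmd.exe reached through traversal or a drive-letter share, and a fetch of readme.eml. The log lines are constructed sample data, and the function and variable names are the example's own.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed access-log sample in Common Log Format. The first six requests
# are probe strings Nimda sent to IIS servers (documented in CERT CA-2001-26);
# the readme.eml fetch is how the worm's payload is pulled from an infected
# Web server; the last two lines are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [18/Sep/2001:13:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
10.0.0.7 - - [18/Sep/2001:13:02:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
10.0.0.7 - - [18/Sep/2001:13:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
10.0.0.7 - - [18/Sep/2001:13:02:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
10.0.0.7 - - [18/Sep/2001:13:02:13 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
10.0.0.7 - - [18/Sep/2001:13:02:13 -0400] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
192.168.1.20 - - [18/Sep/2001:13:03:00 -0400] "GET /readme.eml HTTP/1.1" 200 57344
192.168.1.21 - - [18/Sep/2001:13:03:05 -0400] "GET /index.html HTTP/1.1" 200 1422
192.168.1.22 - - [18/Sep/2001:13:03:06 -0400] "GET /scripts/report.asp?id=5 HTTP/1.1" 200 980
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Overlong or malformed UTF-8 byte pairs that IIS 4/5 decoded to a path
# separator (the "Unicode" traversal bug). Mapping them explicitly keeps the
# decoder from silently dropping them as invalid UTF-8.
OVERLONG = {
    b"\xc0\xaf": b"/",
    b"\xc0\x2f": b"/",
    b"\xc1\x1c": b"\\",
    b"\xc1\x9c": b"\\",
}


def normalize_path(path: str) -> str:
    """Decode a request path the way a lenient IIS did before comparing it."""
    raw = path
    # Two passes: %255c decodes to %5c on the first pass and to a backslash
    # on the second (the "double decode" bug). %%35%63 behaves the same way.
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    for bad, good in OVERLONG.items():
        raw = raw.replace(bad, good)
    return raw.decode("latin-1").replace("\\", "/").lower()


def classify(norm: str) -> Optional[str]:
    """Return why a normalized path looks like Nimda, or None if it does not."""
    if "/root.exe" in norm:
        return "root.exe: Code Red II backdoor copy of cmd.exe"
    if "winnt/system32/cmd.exe" in norm:
        return "cmd.exe reached via traversal or a drive-letter share"
    if "/readme.eml" in norm:
        return "readme.eml: this server may be serving the worm payload"
    return None


def scan_log(text: str):
    """Return one hit per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        reason = classify(normalize_path(m["path"]))
        if reason:
            hits.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        # A 200 on a cmd.exe or root.exe request means the probe succeeded.
        flag = "SUCCEEDED" if h["status"] == 200 else "blocked"
        print(f'{h["ip"]:14} {flag:9} {h["reason"]}  {h["path"]}')
```

Matching on the decoded path rather than on the literal request string is the point: every encoding variant in the advisory collapses to the same `../../winnt/system32/cmd.exe` once the server's own decoding quirks are reproduced, so one rule covers them all. A 404 on these requests means the probe was blocked; a 200 means the server handed the worm a shell and should be pulled from the network and rebuilt.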

In yet another move against Nimda, Network Associates' PGP Security division announced the upcoming release of Distributed CyberCop Scanner 2.0, a vulnerability scanner that probes systems and identifies machines with known weaknesses. The new version lets enterprises run distributed scans for some 850 vulnerabilities that attackers could exploit and delivers consolidated reports to network administrators. The product is due in late September at US$23 per device.

CyberCop’s new distributed scanning feature could be particularly helpful to companies with large, diverse networks, according to Jim Magdych, security research manager of Network Associates’ PGP Security group.

“In very large enterprises, you might have separate network segments that are behind a firewall. So by placing an engine at those distributed locations, you can communicate with the engine, tell it what you want to scan, and then collect the results as it completes the process,” Magdych said.

Evaluating the impact

Michael Erbschloe, vice president of research at the Computer Economics consulting firm in Carlsbad, Calif., estimated that 2.2 million Nimda infections took place over one 24-hour period and placed the worldwide economic impact of the worm at $531 million in cleanup costs and downtime.

“A lot of machines have to be taken out of service until they’re cleaned,” Erbschloe said, referring both to servers and desktops. He estimated that, of the 2.2 million infections, 65 percent were servers and 35 percent were desktops.

Erbschloe marveled at Nimda’s destructive power.

“It’s the fastest worm I’ve seen,” he said. “We still face another $200 million in inspecting systems and doing patching. In spite of the fact that we did a lot of patching during Code Red, a lot of machines haven’t been patched.”

U.S. Attorney General John Ashcroft has denied speculation that the Nimda worm is related to last week's terrorist attacks on New York and Washington. But Erbschloe, author of the recently published book Information Warfare: How to Survive Cyber Attacks, suggested that because Nimda appeared one week to the day after the attacks, a connection is possible.

“It’s a new style of war,” Erbschloe said. “It doesn’t really matter what the source of Nimda is. You can have a variety of enemies that can attack you in a combination of physical and cyber events. They take advantage of circumstances.”

Moreover, if America enters into a war with Afghanistan, as has been widely speculated, domestic enterprises will be significantly more vulnerable to cyber attacks, Erbschloe said.

“Terrorists will no longer focus on military targets, because commercial targets are so easy to get to and so easy to cause huge amounts of economic impact to,” he said. “When you’re tied to a network for communications and you start taking hits, you start losing money. And one of the key goals of ‘information warfare’ is to impact GDP, slow down industrial productivity, and hinder military activity,” Erbschloe said.

Proof of a connection between the terrorist attacks and Nimda could come over the next few weeks, especially if more worms appear. That would suggest terrorists are attempting to cripple America's communications and financial networks.

The Nimda worm, which can infect all 32-bit Windows systems, spreads by several routes at once: as an e-mail attachment, by attacking IIS Web servers over HTTP, by modifying Web pages on infected servers so that browsing clients download the worm, and through open network shares inside a network.

Microsoft has also posted patches to its web site at: