When computer security historians look back at 2001, the emergence of the Nimda and Code Red worms will likely sit close to the top of their significant events lists. Both worms were heralded as threats that could have brought down large sections of the Internet, but when this didn’t happen the security spotlight quickly moved elsewhere.
New data obtained from a study by Arbor Networks Inc. will likely refocus that spotlight as it shows that both worms are alive and well and still infecting new victims daily. Though the data from Arbor’s study is still preliminary, it shows a wide range of Code Red, Code Red 2 and Nimda infections, according to Dug Song, security architect at the Waltham, Massachusetts, Arbor.
Arbor has been monitoring a large section of the Internet since September and in that time has seen machines associated with about 5 million unique IP (Internet Protocol) addresses become infected with one of the three worms, he said.
Though Nimda infections are fairly level, the rate of Code Red 2 infections is up in the last month, he said.
“There appears to be an ever-growing pool of Code Red 2-infected hosts (every month),” he said.
Why Code Red 2 is continuing to spread is still a mystery to Arbor, Song said.
“We don’t know what’s accounting for this,” he said. “It’s counterintuitive” since infected systems should be getting patched and removed from the Web, he said.
Arbor’s study isn’t the only data that points to a continued presence for the worms. The worms still hold places in the top 20 viruses detected worldwide in April by Kaspersky Labs Ltd., and antivirus vendor Trend Micro Inc. has had more than 1,500 reports of Nimda activity worldwide in the last 24 hours, according to a virus map on its Web site.
Nimda and Code Red both attack security vulnerabilities in Microsoft Corp.’s IIS (Internet Information Services) Web server product, though patches to fix the flaws have been available for nearly a year. Despite the long-standing presence of the patches and the major push to fix vulnerable systems near the time of the original outbreaks, both worms have been constantly active since their release, said Oliver Friedricks, director of engineering at SecurityFocus Inc., located in San Mateo, California.
SecurityFocus is “still seeing a pretty consistent level of both worms,” Friedricks said, though there has been a small increase in activity in the last few months. This is likely due to “people … putting new systems on the Internet and not patching them” and those systems getting infected, he said.
The infection of unpatched machines that are new to the Internet is one of the main causes of the continued spread of the worms, said Russ Cooper, surgeon general of Herndon, Virginia-based TruSecure Corp. and editor of the NTBugtraq security e-mail list. Despite Arbor’s and SecurityFocus’ data, Cooper said the number of systems infected by the worms seen by TruSecure has been down slightly.
The continued spread of the worms, and the conditions that allow it, pose a serious problem, Cooper said.
“We have a serious flaw in our infrastructure,” he said.
Machines that are, or were once, infected with Code Red or Nimda may have been compromised by attackers, he said.
“There are probably a significant number of machines that have been compromised and nobody knows,” Cooper said. Those machines could be used to launch massive denial of service attacks, though TruSecure has seen no indications that such attacks are imminent, he said.
“It stands to reason that somebody may (launch such an attack,)” he said.
SecurityFocus’ Friedricks agreed, saying “it is fairly trivial for someone to do that. It’s not really rocket science.”
Arbor’s Song underscored just how far from rocket science such an attack is, saying that those attacks could be launched from a standard Web browser using Nimda-infected hosts.
“The bar is extremely low to launch a major, worldwide denial of service attack,” he said. Song is still working to assess what sort of damage could be wrought from such an attack and expects to release more information from the study in a month or so.
None of the three researchers has an easy solution to the problem, though. A government agency with the goal to discover, notify and educate businesses about such infections could help, Friedricks said. There is currently no such agency, he said.
For his part, Cooper said there needs to be some way to hold users or companies who are spreading worms and other malicious code accountable. One possible way to do this would be to make Internet service providers liable for their customer’s spreading malicious code, he said. He did concede, though, that such a step was not likely to be taken.
Neither is sure what will help change the situation. Even with 2001 being such a notable year for computer security incidents, thinking and behavior around these issues has not changed enough, Cooper said.
“Maybe it’s going to take a massive online attack … a concerted attack against government interests. It’s hard to say what will cause a shift in the thinking,” Cooper said.
Until thinking changes, though, all three agree that Nimda and Code Red will persist, much as other viruses do.
As long as there are vulnerable systems on the Internet, “they’ll be out there for a while,” Friedricks said.
“It’s very unlikely that we’ll see any fix to this until the installed base of IIS servers is upgraded or patched,” Arbor’s Song said.
“Code Red and Nimda are going to be a permanent part of the Internet landscape for some time to come,” he said.