A new worm that can infect all 32-bit Windows computers and propagates using multiple methods has spread across the world, according to Roger Thompson, technical director of malicious code at TruSecure Corp.
The worm, called Nimda (admin spelled backwards), can spread via e-mail attachments, HTTP (Hypertext Transfer Protocol) or across shared hard disks inside networks, Thompson said. The worm can infect all 32-bit Windows systems – Windows 98, 2000, Millennium Edition, XP, NT – because it scans systems for between 10 and 100 different vulnerabilities and exploits them when found, he said.
“It looks like they’ve made a Swiss Army Knife,” Thompson said, referring to the number of different tools the worm can use to attack systems.
“Every Win32 system is going to be vulnerable, if not from one (vulnerability), then from another,” he said.
The Code Red worm, which infected systems this past July, was assigned a threat level of V-CON 3 to V-CON 4, but today’s worm has been assigned V-CON 5, the highest possible infection threat rating, said Colin Taylor, security consultant with Sensible Security Solutions Inc., an Ottawa-based virus research and consulting firm.
“There is a severe infection rate and it is basically racing across the Internet right now doing what it does best – this is the worst I’ve seen since I’ve been with the company,” Taylor said.
“It’s basically sharing information that’s going to help protect some of these people and make clean up a little easier in days ahead of us now.”
When spread by e-mail, Nimda arrives in inboxes as an attachment called “Readme.exe” or sometimes Readme.eml, Thompson said. The Readme file, however, has a malformed header (the data at the beginning of a file that allows a system to identify its type) which makes the computer think it is a WAV, or sound, file, he said. However, Readme.exe is in fact a program and can be executed just from the preview panel when viewing it without it being opened, he said.
Once the worm has infected a system, be it by HTTP, e-mail or disk sharing, it then scans its local subnet (a chunk of the Internet) looking for vulnerable systems, Thompson said. Though some systems, such as those that are up to date on their patches, are protected behind firewalls or those that are filtering .exe attachments, will be safe from some aspects of the worm, that it spreads via three methods makes it more difficult to stop, he said. The spread of the worm across shared disks, which are more than likely entirely unprotected, “is going to be a real pain,” he said.
The worm was discovered by Thompson’s worldwide network of “worm catcher” systems at 9:08 a.m EST on Sept. 18, he said. Within half an hour, it had spread across the whole world, he said.
“(Nimda) is certainly much faster, much more aggressive and much bigger” than Code Red, Thompson said. Code Red was another recent worm that caused a good deal of damage and consternation for systems administrators worldwide.
The U.S. Federal Bureau of Investigation does not currently believe that the worm is related to the Sept. 11 terrorist attacks in New York and Washington, D.C., according to a statement released by Attorney General John Ashcroft. There had been some initial speculation that the worm was related to the attacks, because it occurred one week after the attacks and the worm was first discovered by some researchers at close to 9:11 a.m. The date of the attacks was 9/11.
Michael Murphy, Canadian general manager of Symantec Corp., said he didn’t want to raise alarm bells about the worm.
“I would be careful to attribute the Internet slowdown to only this,” he said speaking on the day the worm was released. “There could be other things on the Internet as well, right now. The Internet slowdown isn’t 100 per cent because of this and I think Code Red had a much greater capability and in reality was more wide-spread, and even then its impact on the Internet bandwidth wasn’t widespread. It wasn’t huge. But then, that was a couple of weeks ago, before the events of Sept. 11.”
He continued that, while he didn’t want to create hype and he didn’t know for certain if this worm had anything to do with it. Hacktivism is even more of a reality after the terrorist attacks on the U.S.
“People need to be ever vigilant and ever conscience,” Murphy said, adding that some of his reports show the origin of the worm to be the People’s Republic of China, but he couldn’t confirm it.
“One of the risks of Sept. 11 is increased hacking attacks in general. We do have political hacktivism as a result of Sept. 11, what I would call vigilante hacking. Everyone is in a different state – a weakened state – and others are going to use to worst to exploit the good nature of other people. People need to scrutinize e-mail that comes in. Be mindful and aware.”
Murphy said the easiest way to avoid the worm is to filter it from the firewall gateway, but if users have already been hit, there is a solution available.
Though Code Red did not ultimately have an impact on Internet performance despite some initial claims to the contrary, “we may actually see a hit on the Internet (and its performance)” with Nimda, Thompson said.
Computer security bodies the Computer Emergency Response Team/Coordination Center (CERT/CC) and Incidents.org both issued alerts about increased activity on the Internet on Sept. 18, stating that the activity may be related to the worm.
The spread of Nimda comes after warnings from a number of groups saying that attacks on networks and Web sites were possibilities after the terrorist attacks against New York and the Pentagon, outside of Washington. Though Thompson declined to comment on a possible connection between this worm and those attacks, saying it was inappropriate, the advisory released by TruSecure said, “we cannot discount the coincidence of the date and time of release, exactly one week (probably to the minute) as the World Trade Center attack.”
With files from By Sam Costello, IDG News Service, Boston Bureau.