Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Protect Your Network from the Nimda Worm

09/21/2001

The Nimda worm has spread wildly, infecting many Microsoft Windows 9x, ME, NT 4.0, and 2000 machines, and its network scans have brought some networks to their knees.

It was first reported on the morning of September 18th, almost one week after the terrorist attacks on the World Trade Center and the Pentagon; there is, however, no known or reported connection between the two. The worm is also known as W32/Nimbda-A, Concept5, Code Rainbow, and Minda. The word Nimda may be admin spelled backwards.

The damages inflicted on machines infected by the Nimda worm include:

The Nimda worm uses four methods to spread itself to new machines:

Email. The Nimda worm spreads itself using email by exploiting a vulnerability in the Microsoft Internet Explorer libraries used by Outlook and Outlook Express to parse and display HTML code. The email has the worm as an attachment that is marked as an audio/x-wave MIME type. When this message is viewed or previewed, Outlook or Outlook Express will execute it and infect the machine.

Servers. The worm uses several methods to attack web servers. It scans the Internet looking for machines running Microsoft IIS and checks these machines for a back door installed by the Code Red II worm. If it fails to find the back door, it will try to exploit a series of IIS vulnerabilities. The vulnerabilities the worm attempts to exploit include:

Browsing. Once a machine is infected, a piece of JavaScript code is added to all HTML, HTM, and ASP files on it. When such a page is browsed with a vulnerable version of Microsoft Internet Explorer, the script causes a file named readme.eml to be downloaded automatically; that file is then executed and infects the browsing machine.

Virus. The worm also has virus-like capabilities. It searches local drives and network shares, infecting executables and copying itself under names such as riched20.dll, admin.dll, and readme.exe. These copies and infected executables will infect or re-infect machines when they are run. If an infected file is executed with the parameter dontrunold on the command line, only the worm runs.

Each of the vulnerabilities that the Nimda worm exploits to spread itself had been announced previously on mailing lists and elsewhere, and Microsoft had released patches for them. For example, the "Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability" was announced on August 10, 2000. This should be a lesson to all administrators about the need to keep security patches up to date. Keeping machines patched will not prevent every exploit, but it would have prevented this worm from successfully compromising a machine.

Determining if your network is infected

Signs that a machine has been scanned by the worm are lines in the logs such as:

Email systems will have transferred messages with attachments named readme.exe. An infected web page can be recognized by the JavaScript that the worm appends to it.
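The checks described above, worked into a small detection script. This is an added example, not code from the article: the IIS log lines and the infected page are constructed sample input, and the indicators are the vectors the article names (the Code Red II back door, the IIS canonicalization bugs used to reach cmd.exe, the readme.eml payload and the audio/x-wave readme.exe attachment).

```python
import re
from collections import Counter

# Constructed W3C-style IIS log lines (sample input, not from the article).
# Fields: date time c-ip s-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2001-09-18 09:12:01 10.0.0.7 10.0.0.2 GET /scripts/root.exe /c+dir 404
2001-09-18 09:12:01 10.0.0.7 10.0.0.2 GET /MSADC/root.exe /c+dir 404
2001-09-18 09:12:02 10.0.0.7 10.0.0.2 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 09:13:40 10.0.0.9 10.0.0.2 GET /index.html - 200
2001-09-18 09:14:02 10.0.0.9 10.0.0.2 GET /readme.eml - 200
"""
# Indicators from the article: the Code Red II back door (root.exe), the IIS
# canonicalization bugs used to reach cmd.exe, and the readme.eml payload fetch.
INDICATORS = [
    ("code-red-ii-backdoor", re.compile(r"/root\.exe", re.I)),
    ("cmd-exe-traversal", re.compile(r"\.\.(?:%|[\\/]).*cmd\.exe", re.I)),
    ("readme-eml-fetch", re.compile(r"readme\.eml", re.I)),
]

def scan_log(text):
    """Return (client_ip, uri_stem, indicator) for each log line matching an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # skip blank, truncated or header lines
        client_ip, uri = fields[2], fields[5]
        for name, pattern in INDICATORS:
            if pattern.search(uri):
                hits.append((client_ip, uri, name))
                break
    return hits

def scanning_hosts(hits, threshold=2):
    """Client IPs with at least `threshold` hits; candidates for blocking or cleaning."""
    counts = Counter(ip for ip, _, _ in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Infected pages carry a script that opens readme.eml; match on that payload name.
INJECTED_SCRIPT = re.compile(r"<script[^>]*>[^<]*readme\.eml[^<]*</script>", re.I)
# Constructed sample page modelled on the injected snippet (not a real captured file).
SAMPLE_PAGE = '<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no")</script></html>'

def page_is_infected(html):
    return INJECTED_SCRIPT.search(html) is not None

def suspicious_attachment(content_type, filename):
    """The email vector: an .exe attachment declared with the audio/x-wave MIME type."""
    return content_type.lower() == "audio/x-wave" and filename.lower().endswith(".exe")
```

Run `scan_log` over real IIS logs and `page_is_infected` over the document root to find scanners and infected pages; `scanning_hosts` separates a worm-driven scanner from a single stray request.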

Defensive measures

Vendors of anti-virus and intrusion detection tools have released updates and signatures. Administrators and owners of Microsoft Windows 9x, ME, NT 4.0, and 2000 machines, and network administrators, should update their tools and use them to detect and clean infected machines. It is also necessary to apply the appropriate patches or upgrades to Internet Explorer and IIS.

LaBrea, an interesting and creative defense developed against the Code Red worm, is useful against this worm as well. LaBrea creates what its author calls a tarpit, or a sticky honeypot: it listens on unused IP addresses on a network and answers connection attempts in a way designed to slow a scan and leave the scanning machine stuck. One thing to watch for is that LaBrea will by default claim every IP address on its subnet that it decides is unused. It is written to avoid interfering with other machines on the network, but there is still some potential for problems.

This worm is very dangerous and difficult to eradicate. Its multiple infection vectors make it very hard to stop from spreading, and the multitude of machines with unpatched vulnerabilities gives it a fertile field to grow in. It is the first, or one of the first, worms that infects not only clients but also server machines. Patching all vulnerable machines and cleaning infected ones will be required to control the spread of the Nimda worm. Keeping our machines' patches as up to date as possible will prevent problems in the future.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.

Copyright © 2009 O'Reilly Media, Inc.