

(Reuters) - The outbreak of the Nimda computer worm, which has spread rapidly across the Internet, appeared to have peaked on Wednesday for the powerful server machines that drive the Web, but the number of infected PCs may never be known, computer security experts said.

Nimda, a versatile program that spreads itself by e-mail and Web surfing, also targets personal computers, a twist that has allowed it to spread faster and made it harder to track, analysts said.

The self-replicating bug, which scans networks for uninfected computers, threatens to slow the performance of the Internet and e-mail even though it does not erase files or damage systems, experts said.

"Since late yesterday the number of infected Web servers has come down," said Joe Hartmann, director of North American anti-virus research for Trend Micro, a Cupertino, California-based computer security company. "A lot of users have upgraded and done what they need to do to take care of the problem."

Shortly before 10 a.m. PDT on Tuesday, The Cooperative Association for Internet Data Analysis, or CAIDA, part of UC San Diego's Supercomputer Center, had logged 150,000 infected computer servers and PCs worldwide. But by late afternoon Wednesday, that figure had dropped to about 66,000.

"The fact that there's been a 50 percent reduction in less than 24 hours is an amazing improvement over Code Red," said David Moore, a senior researcher at CAIDA. "As far as our reaction times to this sort of problem, we're getting better at it, which is good to see."

Still, the mere presence of the worm has forced some companies to shut down parts of their networks to prevent infection or further exposure. The highest concentration of infected systems was in Canada, Denmark, Italy, Norway, the U.K. and the United States, said Chip Mesec, head of product marketing for San Mateo, California-based SecurityFocus.

"Anyone looking at traffic from this thing is likely only seeing a leg of the elephant," said Allan Paller, director of research at the SANS Institute, an education institute for network and computer security in Bethesda, Maryland.

It was still too soon to tell with any certainty where the worm had originated, and it may still take several days to weeks for computer-security experts to piece that together. Moreover, many computers and PCs may still be infected but are now cut off behind firewalls.

Internet security experts had warned of the potential for an increase in invasive computer programs after last week's attacks on the World Trade Center and Pentagon, but U.S. authorities have said there was no sign of a direct link to those events.

The worm first appeared in the United States Tuesday, spread to Asia overnight, and thousands of European businesses opened for business on Wednesday with infected computer systems.

The worm, whose name is "admin" spelled backward, sends infected e-mail by culling addresses from a user's e-mail program. It infects Web sites and the PCs of users who surf those Web sites, and the e-mail bearing the Nimda worm contains an attachment called "readme.exe," which harbors the malicious program.

The attack could prove to be more widespread and damaging than the Code Red infections of July and August, which caused an estimated $2.6 billion in damage because Nimda appears to have been designed to spread quickly among PCs connected to a single network and not just servers, security experts said.

Market researcher Computer Economics Wednesday put the damage caused by Nimda at $530 million, although that could increase. The firm added that automated anti-virus updating processes, which are becoming more popular among businesses and consumers, helped keep the damage down.

Some companies have opted to take some portion of their computer network offline from the Internet while they make sure that it has not been infected, he said.

Intel Corp., the world's largest chipmaker, for example, jumped on the issue early on Tuesday, and its security team moved quickly to install e-mail filters to catch the worm, a company spokesman said, adding that it had not been hit but that e-mail had slowed due to the installation of the filters.

Nimda exploits a previously disclosed vulnerability in Microsoft's Internet Information Server Web software running on Windows NT or 2000 machines, the same breach that the Code Red worms exploited. This time, though, experts say it seeks to infiltrate a server by identifying one of 16 access points.

Once Nimda infects a machine, it tries to replicate in three ways. It has its own e-mail engine and will try to send itself out using addresses stored in e-mail programs. It also scans IIS servers looking for the known vulnerability and attacks those servers. Finally, it looks for shared disk drives and tries to reach those devices.
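The e-mail filters the article describes (and the "readme.exe" attachment named earlier) can be illustrated with a small mail-gateway check. This is an added example, not code from the article or from any vendor it quotes; it uses only Python's standard `email` library, the sample messages are constructed, and the generalisation to any executable-looking attachment extension (the `EXEC_EXTENSIONS` list) is the editor's assumption, not something the article states.

```python
from email import message_from_string

# Constructed sample: a message carrying the attachment named in the article.
SAMPLE_INFECTED = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

please see attached
--B1
Content-Type: application/octet-stream; name="README.EXE"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="README.EXE"

Y29uc3RydWN0ZWQ=
--B1--
"""

# Constructed sample: an ordinary message with no attachment.
SAMPLE_CLEAN = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: hello
Content-Type: text/plain

just text, nothing attached
"""

# Assumed list of extensions a gateway would treat as executable (editor's choice).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def attachment_names(raw_message: str) -> list:
    """Return every attachment file name in a raw RFC 822 message, in order.

    get_filename() reads Content-Disposition first and falls back to the
    Content-Type 'name' parameter, so either header placement is caught.
    """
    msg = message_from_string(raw_message)
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, not a leaf part
        name = part.get_filename()
        if name:
            names.append(name.strip())
    return names


def carries_nimda_attachment(raw_message: str) -> bool:
    """True if the message carries the readme.exe attachment (case-insensitive)."""
    return any(n.lower() == "readme.exe" for n in attachment_names(raw_message))


def carries_executable_attachment(raw_message: str) -> bool:
    """Broader gateway rule: any attachment whose extension looks executable."""
    return any(n.lower().endswith(EXEC_EXTENSIONS) for n in attachment_names(raw_message))
```

A gateway would quarantine on `carries_executable_attachment` and log the specific `carries_nimda_attachment` hit for incident tracking; matching is case-insensitive because mail clients and mailers do not preserve file-name case reliably.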

"It's like a person with a disease saying, 'Come and kiss me,'" Paller said. "It's going to be very hard to get rid of."

Patches are available for both the IIS vulnerability and Web browsers at http:/ The major anti-virus software companies updated their products to detect the Nimda worm Tuesday and made new versions of their programs available to customers on their Web sites.

"The only safe way to recover if your machine is compromised from this event is to unplug from the network and reload all the software and apply the latest security patches," said Roman Danyliw, Internet security analyst with the CERT Coordination Center.
COPYRIGHT 2001 Millin Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication:EDP Weekly's IT Monitor
Date:Sep 24, 2001