LinuxEra.com
Thursday, 09 September 2010
Protect Your Network from the Nimda Worm
Courtesy: Nitin  

The Nimda worm has spread wildly, infecting many Microsoft Windows 9x, ME, NT 4.0, and 2000 machines, and its network scans have brought some networks to their knees.

It was first reported on the morning of September 18th, almost one week after the terrorist attacks on the World Trade Center and the Pentagon; there is, however, no known or reported connection between the two. The worm has also been known as W32/Nimbda-A, Concept5, Code Rainbow, and Minda. The word Nimda could be "admin" spelled backwards.

The damages inflicted on machines infected by the Nimda worm include:

* degrading network performance due to the worm's aggressive scanning for new machines to infect;

* activating a guest account and granting it administrative permissions;

* giving the world full access to the c: drive;

* replacing executables with infected versions (virus-like behavior);

* adding Javascript code to HTML, HTM, and ASP files (infecting them);

* deleting the security restrictions on network shares;

* filling up system drives; and

* changing the machine's start-up so that the worm will restart on a reboot.

The Nimda worm uses four methods to spread itself to new machines:

* email,

* an attack against vulnerabilities in the Microsoft IIS web server,

* an attack against Microsoft Internet Explorer when browsing web pages, and

* infecting executable files on the local drive and network shares, as a virus would.

The details of these attacks are given below.

Email. The Nimda worm spreads itself by email by exploiting a vulnerability in the Microsoft Internet Explorer libraries that Outlook and Outlook Express use to parse and display HTML. The email carries the worm as an attachment marked with an audio/x-wave MIME type. When the message is viewed or previewed, Outlook or Outlook Express executes the attachment and infects the machine.
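The defensive counterpart to the email vector above is a gateway check that refuses to trust the declared MIME type of an attachment. The following is an added example, not code from the original article or from any product it mentions: it parses a message with Python's standard email module and flags any attachment whose declared Content-Type disagrees with the payload's magic bytes, or whose filename carries an executable extension. The message builder, addresses and payloads are constructed sample data.

```python
"""Flag email attachments whose declared MIME type does not match their content.

Added example, not from the original article. The Nimda mail vector carried an
executable attachment labelled audio/x-wave; comparing the declared Content-Type
against the attachment's magic bytes and extension catches that disguise.
"""
import base64
from email import message_from_string
from email.message import Message

# Extensions a mail gateway would normally quarantine outright (assumed policy list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".vbs"}

# Magic bytes: Windows PE executables and DLLs start with "MZ";
# RIFF/WAVE audio starts with "RIFF" and has "WAVE" at offset 8.
MZ_MAGIC = b"MZ"
RIFF_MAGIC = b"RIFF"


def sniff_kind(payload: bytes) -> str:
    """Return a coarse content kind derived from the first bytes of the payload."""
    if payload.startswith(MZ_MAGIC):
        return "executable"
    if payload.startswith(RIFF_MAGIC) and payload[8:12] == b"WAVE":
        return "audio/x-wave"
    return "unknown"


def audit_attachments(raw_message: str) -> list:
    """Return one finding dict per attachment that looks like a disguised executable."""
    msg: Message = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, no payload of its own
        filename = part.get_filename() or ""
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        sniffed = sniff_kind(payload)
        ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        if sniffed == "executable":
            reasons.append("payload begins with MZ header")
        if sniffed != "unknown" and sniffed != declared:
            reasons.append(f"declared {declared} but content sniffs as {sniffed}")
        if reasons:
            findings.append({"filename": filename, "declared": declared, "reasons": reasons})
    return findings


def build_sample(filename: str, content_type: str, payload: bytes) -> str:
    """Construct a minimal multipart message with one base64 attachment (test data only)."""
    b64 = base64.b64encode(payload).decode("ascii")
    return (
        "From: sender@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "body text\r\n"
        "--b1\r\n"
        f'Content-Type: {content_type}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        f"{b64}\r\n"
        "--b1--\r\n"
    )


# Constructed samples: a PE stub disguised as audio, and a genuine WAVE header.
DISGUISED = build_sample("readme.exe", "audio/x-wave", b"MZ\x90\x00" + b"\x00" * 60)
GENUINE_WAVE = build_sample("song.wav", "audio/x-wave", b"RIFF\x00\x00\x00\x00WAVEfmt ")

if __name__ == "__main__":
    for label, sample in (("disguised", DISGUISED), ("genuine", GENUINE_WAVE)):
        print(label, audit_attachments(sample))
```

The check deliberately reports every reason that fires rather than the first one, so an analyst can see whether a hit came from the extension policy, the magic bytes, or the type mismatch alone.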

Servers. The worm uses several methods to attack web servers. It scans the Internet looking for machines running Microsoft IIS and checks these machines for a back door installed by the Code Red II worm. If it fails to find the back door, it will try to exploit a series of IIS vulnerabilities. The vulnerabilities the worm attempts to exploit include:

* the "Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability",

* the "Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability", and

* the "Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability".

Browsing. Once a machine is infected, a piece of Javascript code is added to all HTML, HTM, and ASP files that will cause a file named readme.eml to be downloaded automatically when the page is browsed using a vulnerable version of Microsoft Internet Explorer. This downloaded file will then be executed and will infect the machine.

Virus. The worm also has virus-like capabilities. It searches local drives and network shares, infecting executables and copying itself under names such as richd20.dll, admin.dll, and readme.exe. These copies and infected executables will infect or re-infect machines when they are executed. If an infected file is executed with the parameter dontrunold on the command line, it will execute only the worm.

Each of the vulnerabilities that the Nimda worm exploits to spread itself had been announced previously on mailing lists and other sources, and patches had been announced by Microsoft. For example, the "Microsoft IIS 4.0/5.0 File Permission Canonicalization Vulnerability" was announced August 10, 2000. This should be a lesson to all administrators about the need to keep security patches up to date. While it is true that keeping machines patched will not prevent all exploits, it would have prevented successful exploitation of a machine by this worm.

Determining if your network is infected

Signs that a machine has been scanned by the worm are lines in the logs such as:

* /scripts/..%5c../winnt/system32/cmd.exe

* /msadc/..%5c../..%5c../..%5c/..

* "GET /MSADC/root.exe HTTP/1.0"

Email systems will have transferred email with attachments named readme.exe. A web page is infected if the worm's Javascript has been added to it.
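The log signatures listed above and the infected-page sign just mentioned can both be checked mechanically. The script below is an added example (not from the original article): it pulls the request path out of each web server log line, URL-decodes it twice so that a double-encoded traversal is also seen in its decoded form (this goes slightly beyond the literal strings in the list, on the strength of the escaped-characters decoding vulnerability the article names), and flags requests for cmd.exe or root.exe or traversal under /scripts/ or /msadc/. A second function looks for a script element referencing readme.eml in page content; the article does not give the script body, so the match is on that file name only. The log lines, addresses and HTML below are constructed samples.

```python
"""Scan web server logs and page content for the Nimda indicators the article lists.

Added example, not from the original article. Request-path fragments come from the
article; sample log lines and HTML are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Matches the request part of a common/combined log format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?"')

# Targets and prefixes taken from the article's list of scan signatures.
SUSPECT_TARGETS = ("/winnt/system32/cmd.exe", "root.exe")
SUSPECT_PREFIXES = ("/scripts/", "/msadc/")


def normalise_path(raw_path: str) -> str:
    """URL-decode twice (covers %255c-style double encoding) and fold backslashes."""
    decoded = raw_path
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/").lower()


def classify_path(raw_path: str) -> Optional[str]:
    """Return a short reason if the path looks like a Nimda scan, otherwise None."""
    path = normalise_path(raw_path)
    if any(target in path for target in SUSPECT_TARGETS):
        return "requests cmd.exe/root.exe"
    if path.startswith(SUSPECT_PREFIXES) and "/../" in path:
        return "directory traversal under scripts/msadc"
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, client address, reason) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reason = classify_path(match.group("path"))
        if reason:
            client = line.split(" ", 1)[0]  # first field of common log format
            hits.append((number, client, reason))
    return hits


# Infected pages gain a script that pulls readme.eml; match any script element
# that mentions that file name (the exact script body is not given in the article).
README_EML_RE = re.compile(r"<script[^>]*>.*?readme\.eml.*?</script>", re.IGNORECASE | re.DOTALL)


def page_is_infected(html: str) -> bool:
    """True if the page carries a script element referencing readme.eml."""
    return bool(README_EML_RE.search(html))


# Constructed sample log: three signatures from the article, one double-encoded
# variant (assumed), and two benign requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:09:12:01 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:12:02 -0400] "GET /msadc/..%5c../..%5c../..%5c/.. HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:12:03 -0400] "GET /MSADC/root.exe HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:09:12:04 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 -',
    '198.51.100.7 - - [18/Sep/2001:09:13:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
    '198.51.100.7 - - [18/Sep/2001:09:13:05 -0400] "GET /msadc/report.asp HTTP/1.1" 200 512',
]

# Constructed page fragments: one clean, one carrying a readme.eml reference.
CLEAN_PAGE = "<html><body><p>Hello</p></body></html>"
INFECTED_PAGE = '<html><body><p>Hello</p><script>/* constructed */ var f = "readme.eml";</script></body></html>'

if __name__ == "__main__":
    for number, client, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: {client}: {reason}")
    print("clean page infected:", page_is_infected(CLEAN_PAGE))
    print("sample page infected:", page_is_infected(INFECTED_PAGE))
```

Decoding before matching matters because the same traversal can be written with %5c, a literal backslash or a double-encoded %255c, and a byte-for-byte signature would see three different strings; the /msadc/report.asp line shows that the prefix alone is not treated as a hit.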

Defensive measures

Vendors of anti-virus and intrusion detection tools have released updates and signatures. Administrators and owners of Microsoft Windows 9x, ME, NT 4.0, and 2000 machines, and network administrators, should update their tools and use them to detect and clean infected machines. It is also necessary to apply the appropriate patches or upgrades to Internet Explorer and IIS.

An interesting and creative defense, developed against the Code Red worm but useful against this worm too, is LaBrea. LaBrea creates what its author calls a tarpit or a sticky honeypot. It listens on unused IP addresses on a network and answers connection attempts in a way designed to slow a scan by an attacking machine and cause it to get stuck. One thing to watch for is that LaBrea will by default take up all unused IP addresses on its subnet (those it decides are unused). It is written to try to avoid problems with other machines on the network, but there is still potential for problems.

This worm is very dangerous and difficult to eradicate. The multiple infection vectors make it very difficult to stop from spreading, and the multitude of machines with unpatched vulnerabilities gives it a fertile field to grow in. It is the first, or one of the first, worms that infects not only client but also server machines. Patching all vulnerable machines and cleaning infected machines will be required to control the spread of the Nimda worm. Keeping our machines' patches as up to date as possible will prevent problems in the future.
