September 19, 2001 12:50 PM PDT
Home users face biggest risk from Nimda
A coalition of government security officials and antivirus software industry experts released a warning to home computer users on Wednesday morning to take Nimda--and the security of their computer systems--seriously.
"It is still out there, and home users are going to be the primary mechanism for the e-mail spread of this virus," said Vincent Weafer, a senior director of Symantec's security response center, who took part in the coalition's discussions on Tuesday.
Nimda--which is "admin," the shortened form of "system administrator," spelled backwards--started spreading early Tuesday morning and quickly infected PCs and servers across the Internet. Also known as Readme.exe and W32.Nimda, the worm is the first to use four different methods to infect not only only PCs running Windows 95, Windows 98, Windows Me and Windows 2000, but servers running Windows 2000 as well.
Much of the worm's virulence is due to its automated spread.
The e-mail attachment will open automatically under Microsoft's Outlook e-mail program if the program's security settings are at "low" and a security patch has not been installed. On PCs that don't use Outlook, the worm can still spread using its own e-mail engine, but it won't execute automatically.
In addition, the worm generates an avalanche of Internet traffic when it scans local chunks of the Internet for vulnerable servers to which it can spread. The automated scanning caused many connectivity problems for businesses on Tuesday.
"It seems to randomly be going through every IP (address) of my network," said Ian Neubert, director of information services for online telecommunications equipment seller TWAcomm, which found itself inundated with scans from infected machines. "This is ridiculous."
By midday Tuesday, each of TWAcomm's IP addresses had seen upwards of 9,000 scans from infected machines.
Other companies' Web servers had become infected with the worm, putting at risk any PC user viewing a Web page hosted on such a server.
In one case, the marketing site for fast-food chain Carl's Jr. had been
CNET Networks' Rose Aguilar helps us understand what makes "Nimda" tick. (1:44)
"That server is hosted elsewhere," said Daniel Baker, director of IT security for Carl's Jr. parent company CK Restaurants. "They are aware of the problem and will have it resolved soon." Baker added that the worm had not infected the company's own network.
Other companies weren't so lucky.
A representative of network-protection service Counterpane Internet Security said that several of its customers' servers had to be shut down to clean them of the Nimda worm. Security services firm Neohapsis also confirmed that a Fortune 500 client's network had been extensively infested with copies of the worm.
Antivirus firm Trend Micro upped the number of infections reported through its World Virus tracking Center to 26,000 from 15,000 late Tuesday.
Yet most businesses seem to be controlling the infections, said Symantec's Weafer.
"They have a handle on the initial problem of blocking the virus," Weafer said. "Now it's recovery mode, and that can take weeks and months." Almost 700 customers reported incidents of infections to Symantec on Tuesday, he said, evenly split between businesses and home users.
It's those home users that have antivirus experts worried.
Owners of home PCs generally fall behind in securing systems with new software updates and the latest virus definitions for antivirus software, Weafer said.
"Yesterday, the large part of the problem was getting good analysis of the worm," he said. "Today, it's getting home users to protect their systems."
David Dittrich, senior security engineer for the University of Washington and a computer forensics expert, agreed.
"The home users are the hardest ones to deal with," Dittrich said. "We have tried to get the word out that they need to do something, but they don't listen."
Dittrich said software makers will have to become more pro-active about contacting customers when major security threats like Nimda arise. Rather than post an advisory on a hard-to-find Web site, software companies should send e-mail to customers telling them to update their software immediately.
"Somehow, as the number of patches coming out is going up exponentially, the word has to get out to a larger number of people to apply the patches," he said. "In the end, it may be like automakers, with recalls and everything."