Nimda – the worm finds new tricks
The word ‘Nimda’ may not be the best remembered in the cyber-crime hall of fame, but as malicious worm outbreaks go, Nimda certainly left its mark on the malware landscape when it caused havoc on 18 September 2001, ten years ago.
Long before cloud-based security services were the norm, at a time when many organisations updated and ran their virus scanners only once a week, the Nimda worm was unleashed onto the global computer network exactly a week after the 9/11 atrocities. Because of this timing, some media quickly began speculating about a link between the worm and Al Qaeda. The rumour was just as quickly quashed by the FBI, but it did highlight that cyber warfare can be a real threat, carefully orchestrated by sophisticated cyber gangs or even terrorists rather than script kiddies tucked away in dormitories.
The Nimda worm came hot on the heels of the “Code Red” scare of July and August 2001, when a variant of the original worm infected more than 250,000 machines in a matter of hours. That scare had one useful side effect: many businesses had just patched their vulnerable IIS machines, which helped blunt the spread of Nimda.
Nimda, so called because it is ‘admin’ spelt backwards, was so effective because it used every trick in the book to exploit PC and server vulnerabilities. In total it had five different infection paths:
- via email
- via open network shares
- via browsing of compromised web sites
- via directory-traversal vulnerabilities in Microsoft’s web server, Internet Information Server (IIS)
- via back doors left behind by the “Code Red II” and “sadmind/IIS” worms
This ‘seek and infect’ mission was critical to Nimda’s success. When the worm arrived by email, it relied on a MIME-handling flaw in Internet Explorer (which Outlook and Outlook Express used to render mail) that allowed the attachment to execute as soon as the message was read or even previewed. If a compromised web server was visited, the modified pages prompted the visitor to open an .eml (Outlook Express) mail file, which contained the worm as an attachment; a browser with the same unpatched MIME flaw would run it without the user ever saving the file. And it was not only files that were compromised by the virus, but the whole server. On each infected computer the worm enabled the Guest account, added it to the local Administrators group without setting a password, and then shared the local drives with the rest of the world, leaving the system open for anyone to browse and for the worm to use as a stepping stone onto other machines. These changes outlive the worm’s own files, so cleanup had to revert the account and share changes as well as remove the worm itself.
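The exposure described above (Guest enabled, Guest in the Administrators group, drive roots shared to everyone) is something a practitioner would want to check for on any Windows host, regardless of the worm that caused it. The following script is an added example written for this article, not code from the original post or from Symantec; it assumes the LocalAccounts and SmbShare PowerShell modules (Windows 10 / Server 2016 and later) and an elevated prompt, and the regular expression used to recognise a drive-root path is this example’s own choice.

```powershell
# Added example (not from the original post): report the post-infection state
# Nimda left behind. Assumes Windows 10 / Server 2016+ cmdlets and admin rights.

$findings = @()

# 1. Is the built-in Guest account enabled?
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings += 'Guest account is enabled'
}

# 2. Is Guest a member of the local Administrators group?
#    Member names come back as MACHINE\Guest, hence the anchored regex.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins | Where-Object { $_.Name -match '\\Guest$' }) {
    $findings += 'Guest is a member of Administrators'
}

# 3. Is any share (hidden admin shares such as C$ included) exposing a drive
#    root while granting Everyone more than read access?
$driveRoot = '^[A-Za-z]:\\?$'          # assumption: drive-root paths look like C:\
foreach ($share in Get-SmbShare) {
    if ($share.Path -notmatch $driveRoot) { continue }   # skip IPC$, print$, folders
    $open = Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccountName -eq 'Everyone' -and
            $_.AccessControlType -eq 'Allow' -and
            (@('Full', 'Change') -contains $_.AccessRight)
        }
    if ($open) {
        $rights = ($open | ForEach-Object { $_.AccessRight }) -join ','
        $findings += "Share '$($share.Name)' exposes $($share.Path) to Everyone ($rights)"
    }
}

if ($findings.Count -eq 0) {
    'No Nimda-style exposure found'
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```

A clean machine normally reports nothing: Guest is disabled by default, and the administrative shares (C$, ADMIN$) grant access only to Administrators, not Everyone. Any WARNING line is worth investigating even on a machine that has never seen Nimda, since the same combination of an enabled Guest account with administrator rights and world-writable drive shares is exactly what a worm needs to hop from one host to the next.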
When Nimda was first discovered, Symantec Security Response rated it Category 4, the highest level possible, reserved for threats where extreme global network incident activity is in progress. It then took a further 18 months for the worm to be downgraded to Category 2.
We know for certain that this will not be the last threat of its kind. Here at Symantec.cloud we monitor 11 million end users across more than 55,000 organisations every day, helping keep businesses secure using the power of the cloud.
I expect the next ten years will be as interesting as the last ten, if not more so: the battle lines will continue to be redrawn, and advances in technology will be exploited to their full potential by both sides.