Nimda turns a year old tomorrow, but don't expect enterprises to be blowing out candles in the worm's honor.
Unleashed Sept. 18, 2001, Nimda hit networks worldwide one week after the terrorist attacks on New York City and Washington, D.C., certainly kicking IT and security professionals when they were down.
Since then, the first damaging, dangerous hybrid worm continues to attack networks and occupy spots on the top 10 lists of antivirus firms that monitor virus and worm activity.
Nimda attacked a 9-month-old vulnerability in Microsoft's Internet Information Server (IIS) Web server software and had the ability to spread itself across network shares. Nimda also spread via an infected e-mail attachment (README.EXE) that, once opened, would infect HTML files on a PC. Eventually, Nimda would crawl its way to a Web server on a network via one of these two methods, making virtually any Web site a trap that could infect new victims.
"Even if the vulnerability was patched, the worm would infect servers from the inside, essentially coming in from behind, and anyone visiting the site would be nailed also," said Roger Thompson, technical director of malicious code research for TruSecure.
Thompson said Nimda ushered out the era of the e-mail-borne worm and introduced the merger of the hacking and security worlds with the virus and worm-writing worlds. Fortunately for enterprises, Nimda was the last destructive worm to hit the Internet. Klez made a splash this summer, but it was generally viewed as a nuisance by companies hardened after being hit hard by Nimda and Code Red last summer.
"Klez did not affect companies much; it's been something that is widespread in the home market," Thompson said. "With companies, it's decidedly easy to block. You just block all executables at the gateway."
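The gateway control Thompson describes, blocking executable attachments before they reach users, is easy to state but has a well-known gap: a filter keyed only on file extension misses an executable renamed to a harmless-looking name. The following is an added illustration, not code from the article or from any vendor quoted in it. It combines an extension deny-list (which also catches double extensions such as "invoice.txt.exe") with a check for the Windows PE "MZ" header in the attachment content. The sample message, the extension list and the file names are constructed for the example; README.EXE is the attachment name the article mentions.

```python
"""Mail-gateway filter for executable attachments (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Extensions treated as executable content at the gateway.
# This list is an assumption for the example, not a standard.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "wsf", "hta", "dll",
}

# First two bytes of a DOS/Windows PE executable.
PE_MAGIC = b"MZ"


def filename_looks_executable(name: str) -> bool:
    """True if any extension in the name (not only the last) is executable."""
    parts = name.lower().split(".")[1:]
    return any(part in EXECUTABLE_EXTENSIONS for part in parts)


def content_looks_executable(data: bytes) -> bool:
    """True if the decoded attachment starts with the PE/DOS magic bytes."""
    return data[:2] == PE_MAGIC


def find_blocked_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment the gateway would block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename_looks_executable(name):
            blocked.append((name, "executable extension"))
        elif content_looks_executable(payload):
            # Renamed executable: extension is harmless, content is not.
            blocked.append((name, "PE header in content"))
    return blocked


def build_sample_message() -> bytes:
    """Constructed sample: one executable by name, one renamed, one harmless."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("see attached")
    fake_exe = PE_MAGIC + b"\x00" * 62  # only the magic bytes, not a real program
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="README.EXE")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    msg.add_attachment("hello", subtype="plain", filename="hello.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in find_blocked_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Run on the constructed message, README.EXE is rejected by name and notes.txt by content, while hello.txt passes. A production gateway would additionally unpack archives and check for other executable formats (scripts, Office macros), which this example does not attempt.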
Still, Thompson said that enterprises are not doing enough to secure their infrastructures and assets.
"Not enough get it, and the 'it' they need to get is multiple layers of security. They need to protect internally as well as the perimeter," Thompson said.
Enterprises, however, are stunted by the economy when it comes to spending on security. A recent SearchSecurity.com survey of 500 IT security professionals determined that awareness of security issues is at an all-time high, but that awareness has not been backed up by spending.
"There have been about 50 Internet Explorer vulnerabilities, and Microsoft has been diligent in issuing patches, but it's simply not possible for people to patch all their workstations in a large corporation every time a new flaw is discovered," Thompson said. "People cannot keep up. It's too costly and there are too many dependencies with other applications. Administrators are worried about breaking applications if they upgrade."
Richmond, Va.-based Circuit City took its lumps with Nimda and, true to form, its procedures changed, though its spending did not necessarily follow.
"We are pushing virus signatures faster than we used to. We will even go as far as shutting down the gateway, and we never used to do that," said Circuit City security analyst Steve Alexander. "We'd rather shut down e-mail and quarantine everything. We're also quicker to upgrade things and patch browsers."
A study conducted by application security vendor Sanctum concluded that Nimda and other hybrid worms did initiate a surge in spending after the September 11 attacks. Seventy percent of respondents said that external Internet security threats were their primary concern and that Nimda raised the fear that terrorists could combine a physical attack with a digital attack equivalent to Nimda.
Thompson said better system configuration is the easy solution, but a difficult chore to complete.
"People say it's easy to configure systems if you make the right changes," he said. "But which are the right changes?"
Thompson said that Nimda is the genesis of a new generation of worm-writing techniques.
"There are going to be new kinds of thinking, new attacks on new places, like the SQL-Spida worm that attacks port 1433," Thompson said. "SQL-Spida doesn't worm across shares, it just blasts in through improperly configured systems. My prediction at the start of the year was that e-mail worms would have just nuisance value. I think in the next 18 months, there will be two events in the damaging nature of Code Red and Nimda.
"But enterprises have gained a lot of ground now that most e-mail worms and their executables have been blocked at the gateway. With upwards of 10 months circulating a month, one is bound to get away. And if somebody who is big and not too bright hasn't configured their system properly, it could get hold of their global address book and spread everywhere."