Home & Office

FBI investigates Nimda worm

UPDATE: FBI creates task force to investigate attack by 'Nimda', which hits both servers and PCs running Microsoft software
Written by Robert Lemos, Contributor and  Matt Loney, Contributor

A computer worm that spreads to both servers and PCs running Microsoft software flooded the Internet with data on Tuesday, prompting the FBI to create a task force to investigate the attack, sources said (see also: "New virus downloads itself from Web pages" and "Help and HowTo: Nimda").

Known as "Nimda" or "readme.exe", the worm spreads by sending infected email messages, copying itself to computers on the same network, and compromising Web servers using Microsoft's Internet Information Server (IIS) software.

"It is extraordinary how much traffic this thing has created in a couple of hours," said Graham Cluley, senior security consultant for antivirus company Sophos. "As far as we can see, it doesn't seem to be using any psychological tricks because it's all automated."

Mailing lists for the security community quickly generated news of the worm, as infected servers scanned the Internet for vulnerable servers.

Sources in the antivirus community told ZDNet that the FBI has set up a "task force" to study the virus. The FBI held conference calls three times Tuesday night with antivirus experts to discuss the investigation, sources said.

"There was a task force set up today, and there were a lot of things discussed," said Vincent Gullotto, director of antivirus research at security software firm Network Associates.

An FBI representative said the agency was "assessing" the incident, but so far it found no relationship between the online deluge and last week's terrorist attacks on the World Trade Center and the Pentagon.

"There has been no indication that this is linked (to Tuesday's) attack," said FBI spokeswoman Debbie Weierman. "That is the question of the day."

At a news conference Tuesday about last week's terrorist attacks, Attorney General John Ashcroft also spoke about the Internet worm. "This could be heavier than the July activity with Code Red," he said.

He noted that there is "no evidence" linking the worm, which he said may have first appeared on Monday, "to the terrorist attacks of last week."

The worm was noticed by several Silicon Valley companies. "It does appear to be more aggressive than Code Red," said spokeswoman Pamela Sklar of network equipment maker 3Com. She added that the company's IT department received more hits per hour from Nimda than it did from Code Red, but that there was no direct effect on email or Internet access.

The worm's name sparked speculation about its origin. Nimda, for example, is the backward spelling of admin, the common shorthand for the system administrator. While the worm has text indicating that it may have originated in China, that is in no way hard evidence, experts said.

Others pointed out that NIMDA is the name of an Israeli defence contractor.

The worm apparently generates an avalanche of Internet traffic because of its multi-pronged attack on both servers and PCs.

The server component of the virus exploits an old and previously patched flaw in IIS called the Unicode Directory Traversal vulnerability.

Once a server is infected, the worm continues to scan for other vulnerable computers. In addition, the program takes control of the part of Microsoft's IIS software that delivers Web pages, allowing the virus to trump a request for any page--even invalid requests--and instead return a page infected with the virus.

In addition to its ability to cross between servers and PCs, the Nimda worm seems to be more virulent because it automatically executes in Microsoft's Outlook email software under the program's "medium" security setting.

"There appears to be a MIME exploit," said Eric Chien, chief researcher for antivirus software maker Symantec's European operations. "It appears that it is doing some kind of exploitation in email."

Nimda also appears to be capable of spreading by other means, including Internet relay chat (IRC), an online chat format, and by FTP for remotely exchanging files.

"My guess is we may also see it spread through Internet relay chat," said Alex Shipp, senior antivirus technologist at email screening firm MessageLabs.

And that may not be the end of it. "We have also found an FTP component in there," Shipp said. "It may be trying to download nasty stuff from some Web site somewhere--we're still not sure. We know it is using FTP, but we don't know how yet."

MessageLabs said it stopped more than a hundred copies of the virus attached to email messages within an hour of the first incident, which arrived from Korea at 12:10 p.m. GMT.

Most of the Nimda copies captured by MessageLabs originated from the United States, leading the company to speculate that was where the virus originated.

While thousands of people likely became aware of the worm when their in-boxes were flooded with email, for some the damage was more severe.

Mel Lower of Davenport, Iowa, who hosts Web sites for small businesses through EarthLink, said two of his customers' sites were inaccessible for much of Tuesday.

Lower said he contacted EarthLink and was told that the worm "crippled" two Unix server farms. EarthLink could not immediately be reached for comment.

When Nimda arrives in an email, it appears as an attachment named readme.exe. This is the same name used by another current virus called W32/Apost-A, so antivirus companies say many people should already be wary of attachments bearing that name.

However, analysis of the worm is ongoing, experts said.

"First of all, we are talking guesses at this time," said Fred Cohen from the University of New Haven in Connecticut. "Clearly, (it) just showed up this morning."

For some time Tuesday morning, the worm's double whammy had experts believing that two pieces of code were spreading at the same time.

The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University issued a warning Tuesday morning about malicious code scanning for vulnerable Web servers and an email worm called Readme.exe.

"We are recommending to sites that they verify the state of security patches on all IIS servers and email client software," the warning said.

Interest in software security companies was heightened late Tuesday, although it was unclear if investors were reacting to the worm or to the terrorist attacks. In a research note, a USB Piper Jaffray analyst called such companies "one of the safest bets in technology".

Shares of Symantec and RSA Security slipped during daily trading but climbed after hours. Symantec fell $2.37, or 6.25 percent, to $35.52 during regular hours. But the stock gained 73 cents, or 2 percent, to $36.25 in after-hours trading.

Symantec creates software and utilities used to secure networks and maintain PCs.

RSA Security, a maker of encryption and security software, was down 48 cents, or 2.74 percent, to $17.07 when the closing bell rang at 1 p.m. PDT. But the shares gained 33 cents, or 1.93 percent, to $17.40 in after-hours trading.

And shares of Internet Security Systems, a network-protection company, finished the day up 45 cents, or 3.4 percent, to $13.70. The climb continued in after-hours trading, up 90 cents, or 6.5 percent, to $14.60.

Analyst Gene Munster at USB Piper Jaffray wrote in a note to clients that the attacks on the World Trade Center and the Pentagon may heighten investor interest in security software firms.

"While growth rates may need to decline from 45 percent to 30 percent, we still believe it is one of the safest bets in technology," Munster wrote.

Staff writer Matt Loney contributed from London.

See the Viruses and Hacking News Section for the latest headlines.

See the Net Crime News Section for the latest on hacking, fraud, viruses and related issues.

See the Internet News Section for full coverage.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards