Profiting from Infection?
As I write this piece, the dual-mode worm/virus known as "Nimda" continues to build up a strong head of steam. There are lots of current infections, it is extremely contagious, news coverage is heavy, and concern is growing about its overall impact on the Internet, Web servers, and Windows clients. According to Russ Cooper, TruSecure's "Surgeon General," this infection was discovered on Tuesday, September 18 between 9:00 and 9:30 a.m. As worms and viruses go, it's pretty sophisticated and nasty. Here's what else Cooper has to say about this particular affliction:
"It propagates itself via e-mail with an infected executable attachment ("readme.exe") included or by infecting a server and adding JavaScript to all pages on the server. In those cases, it causes an EML (e-mail) or NWS (newsgroup) browser to open in a zero-size window on a Web page that automatically executes the worm and starts the process over again. It attacks random IP addresses and compromises them, using an IIS vulnerability to propagate itself. It scans for numerous vulnerabilities until it finds one it can exploit and it also has the capability to execute an FTP (file transfer protocol) to download the payload to the box. It also has its own SMTP engine allowing it to propagate without relying on any particular e-mail client."
(Source: http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci770749,00.html.)
Reacting to New Potential Infections
As soon as I heard about this virus yesterday, it struck me as both serious and potentially dangerous to my systems. Consequently, I took the following action:
- I checked the various security advisories, starting with the Symantec AntiVirus Resource Center (SARC). Because I use Norton AntiVirus as my primary antivirus tool, I figured this would not only tell me what was happening, but what I might be able to do about it. Sure enough, the SARC bulletin told me exactly what was up and what to do. Other potential sources for such information include the other antivirus vendor sites, plus a variety of clearinghouses for virus advisories (I provide a list of these at the end of this article).
- In reading the Microsoft Security Bulletin mentioned in the SARC bulletin, I learned that the related vulnerability -- based on MIME type vulnerabilities in Internet Explorer and e-mail -- was addressed in Microsoft Knowledge Base article Q299618, the "Internet Explorer 5.5 Security Rollup." Furthermore, because new Microsoft Service Packs include all Critical Updates issued before their release, this update was included in Service Pack 2 (SP2) for Internet Explorer 5.5. Because I had installed SP2 for IE 5.5 just last week, I appeared to be covered.
- I updated the signature files for Norton AntiVirus and ran a complete system scan, which discovered no infections it could recognize. Closer examination of the list of covered viruses failed to mention Nimda by name, however, so I didn't find this completely reassuring.
- Analyzing symptoms and signatures related to Nimda (all of which are documented in the Russ Cooper piece mentioned earlier and in the SARC bulletin), I learned that certain files are symptomatic of Nimda on end-user machines. Therefore, I scanned my drives looking for files named readme.exe and readme.eml, and for any files with an .eml extension, all of which could indicate a possible Nimda infection. No such files were found.
At this point, I concluded that I had managed to avoid infection, and heaved a sigh of relief. Because I had also configured my e-mail client (Outlook 2000) to reject any incoming messages with executable attachments (including .exe, .com, .bat, .vbs, .dll, and a bunch of other potentially active file types or formats), I figured I was safe anyway, but with a new virus you can never be too sure.
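The drive sweep from the fourth step above, written out as an added example that is not from the original article: it walks a directory tree and reports files matching the names the article lists (readme.exe, readme.eml, and any file with an .eml extension), matching case-insensitively as a Windows file system would. The sample tree, the high/review split, and the function names are my own construction; a stray .eml file is also a normal saved-message format, so it is flagged for review rather than as a firm indicator.

```python
import os
import tempfile
from pathlib import Path

# Filename indicators from the article. The two-tier split is added here:
# the two names are symptomatic, while any other .eml only warrants a look.
HIGH_CONFIDENCE_NAMES = {"readme.exe", "readme.eml"}
REVIEW_EXTENSIONS = {".eml"}


def classify(path):
    """Return 'high', 'review' or None for one path (str or Path).
    Comparison is case-insensitive because Windows file names are."""
    p = Path(path)
    if p.name.lower() in HIGH_CONFIDENCE_NAMES:
        return "high"
    if p.suffix.lower() in REVIEW_EXTENSIONS:
        return "review"
    return None


def sweep(root):
    """Walk root and return {'high': [...], 'review': [...]} of matching
    paths relative to root, sorted, using '/' as separator for stable output."""
    root = Path(root)
    hits = {"high": [], "review": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = Path(dirpath) / fn
            level = classify(full)
            if level:
                hits[level].append(full.relative_to(root).as_posix())
    for paths in hits.values():
        paths.sort()
    return hits


def build_sample_tree():
    """Constructed stand-in for a drive: benign files, one legitimately saved
    message, and the two symptomatic names (placeholders, not real payloads)."""
    root = Path(tempfile.mkdtemp(prefix="nimda_sweep_"))
    sample = {
        "Documents/notes.txt": "meeting notes",
        "Documents/saved_mail.eml": "From: a colleague\n\nsaved message",
        "Windows/Temp/README.EXE": "constructed placeholder, not an executable",
        "Inetpub/wwwroot/readme.eml": "constructed placeholder",
        "Program Files/app/readme.txt": "application readme",
    }
    for rel, content in sample.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for level, paths in sweep(build_sample_tree()).items():
        for p in paths:
            print(f"[{level}] {p}")
```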