Security Information - Week 41, 2001

Introduction

If the computer security community looks back upon the third quarter of this year, it will probably not be with happiness and joy. Gloom and exhaustion are better-suited adjectives. This quarter has seen some of the worst incidents ever with respect to the propagation of, and the damage caused by, malicious programs.

Even more disastrous events, on 11 September in New York City and Washington DC, were, of course, of major concern for people all over the globe. However, these catastrophic events are not discussed in this Security Information.

There are three different malicious programs that by far have caused the majority of problems in the 3rd Quarter:

  • CodeRed
  • W32/Sircam
  • W32/Nimda

Unfortunately, it has been a long time since the previous Security Information from Norman. However, it has seldom, if ever, been more appropriate to publish a new issue than shortly after Q3 this year.

This Security Information will discuss and attempt to analyze the different incidents, as well as draw some conclusions regarding the implications for the security community, for organizations and for the end user.

A similar summing-up was issued after the Melissa incident in spring 1999. This document may still be of some interest.

The three culprits - an overview

Code Red (Detailed information in the description)

Code Red was first seen in the wild in July this year. It is a so-called worm, but of a new type: this worm exists only as a process in memory and is never found as a file on disk. Thus it represented a challenge for the traditional antivirus tools, as they were designed to look for viruses in files (of some kind).

Code Red exploits a security hole in the indexing service in the popular Microsoft Internet Information Server (IIS). It attempts to exploit IIS servers by issuing a specially crafted HTTP request (web request). Vulnerable computers are infected and in turn try to infect other computers.

Interestingly... Microsoft published on 18 June 2001 a patch that secures IIS servers against this vulnerability, i.e. several weeks before the worm began its fast propagation. Nevertheless, an enormous number of web servers were affected (some estimates say several hundred thousand), and the Internet as a whole probably suffered in performance because of all the traffic generated by infected servers.
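The defensive point of this section is that a worm which lives only in memory still leaves a trace where it enters: the HTTP request it sends is written to the IIS log. As an added example, not code from the original newsletter or from Norman, here is a small scanner for IIS W3C extended log lines that flags requests to the Index Server ISAPI extension (.ida and .idq requests, the indexing-service component the June 2001 patch addresses) that carry an abnormally long query string or %u-encoded bytes, and counts them per source address. The sample log lines, the 200-byte threshold and the %u heuristic are constructed assumptions for this example.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional

# File types served by the Index Server ISAPI extension (the indexing-service
# component the June 2001 IIS patch addresses).
INDEX_SERVER_EXT = (".ida", ".idq")
# Assumed threshold: legitimate index queries are short; an overflow attempt
# against the extension needs a query far longer than any real search string.
LONG_QUERY = 200
# IIS accepts %uXXXX "Unicode escape" encoding, which ordinary browsers and
# search forms practically never emit in a query string.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")

# Constructed sample log lines in W3C extended format, not captured traffic.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:00:01 192.0.2.10 GET /index.htm - 200
2001-07-19 10:00:02 198.51.100.7 GET /default.ida {probe} 200
2001-07-19 10:00:03 192.0.2.11 GET /search.idq q=quarterly+report 200
2001-07-19 10:00:04 198.51.100.7 GET /default.ida {probe} 200
2001-07-19 10:00:05 203.0.113.5 GET /products.asp id=42 200
""".format(probe="N" * 220 + "%u1234")   # constructed filler, not a real payload


class Finding(NamedTuple):
    source_ip: str
    uri_stem: str
    reason: str


def classify_request(uri_stem: str, query: str) -> Optional[str]:
    """Return a reason string if the request looks like an overflow probe
    against the Index Server ISAPI extension, otherwise None."""
    if not uri_stem.lower().endswith(INDEX_SERVER_EXT):
        return None                      # not routed to the vulnerable component
    if query == "-":
        return None                      # IIS logs "-" for an empty query
    if len(query) > LONG_QUERY:
        return f"query of {len(query)} bytes to Index Server ISAPI"
    if UNICODE_ESCAPE.search(query):
        return "%u-encoded bytes in query to Index Server ISAPI"
    return None


def scan_iis_log(text: str) -> List[Finding]:
    """Parse W3C extended log lines and collect suspicious Index Server requests."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                     # skip directives and blank lines
        fields = line.split()
        if len(fields) != 7:
            continue                     # tolerate malformed lines instead of crashing
        _date, _time, ip, _method, stem, query, _status = fields
        reason = classify_request(stem, query)
        if reason:
            findings.append(Finding(ip, stem, reason))
    return findings


def hits_by_source(findings: List[Finding]) -> Counter:
    """Count findings per client address; repeated hits point at an infected peer."""
    return Counter(f.source_ip for f in findings)


if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.source_ip} {h.uri_stem}: {h.reason}")
    print("per source:", dict(hits_by_source(hits)))
```

The legitimate .idq search in the sample is deliberately left unflagged: the rule keys on the combination of the vulnerable component and an anomalous query, not on the extension alone, which keeps the check usable on a server that actually runs Index Server.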

W32/SirCam (Detailed information in the description)

SirCam is probably by far the most widespread malicious program ever! Most likely this worm even overshadows the havoc caused by Nimda (see below) in infections and infection attempts. Its arrival was not as explosive as Nimda's, though.

SirCam spreads from an infected computer by sending itself to all addresses in the address book and to all email addresses found in the Temporary Internet Files folder. This latter spreading method means that email addresses published on web sites are a particular target for SirCam-infected emails.

During one weekend, one of Norman's public email addresses available from the web received, over a 24-hour period, one SirCam-infected email each minute - from the same sender! Similar - if not quite that extreme - instances of mass-mailing from one infected computer have been seen at Norman several times, as recently as the previous week.

This shows one of SirCam's peculiarities: it does not seem to stop, and is still at the very top of the daily infection lists - more than two months after it was first seen. This is unprecedented!

SirCam is very dangerous for companies and other organizations as it sends infected documents from the infected PC to the abovementioned recipients. Such documents may of course be highly confidential.

SirCam infects a computer when the user opens the email attachment. Opening email attachments that may contain malicious programs is something all kinds of security organizations have warned against for several years. SirCam, however, apparently makes users forget this precaution, as the email is often sent from a known sender and the attachment's file name looks legitimate.

Food for thought... More than two months after all antivirus vendors published virus detection files supporting detection of SirCam, it is still spreading heavily.

W32/Nimda (Detailed information in the description)

Not since LoveLetter in May 2000 has one seen such an outbreak as that caused by Nimda in the middle of September 2001. Most reports say that Nimda was even worse.

Nimda uses several spreading techniques:

  1. Email attachment with the file README.EXE. Infected computers send emails to the addresses in the Windows address book and to email addresses found in Temporary Internet Files.
  2. Infection of web servers running Internet Information Server by using several different exploits.
  3. Infection by browsing infected web sites with unpatched versions of Internet Explorer with Active Scripting enabled.
  4. An infected computer infects the network shares it has write access to.

The main spreading mechanisms beyond an organization's own network seem to be 2 and 3 above. The email sent in 1 seems so obviously suspect that most recipients will not open it.
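Both SirCam (above) and mechanism 1 of Nimda depend on a user opening an executable attachment, and the SirCam section notes that its attachment names look legitimate. As an added example, not code from the original newsletter and not a Norman product, here is a gateway-side attachment screen of the kind a mail administrator could put in front of users: it quarantines executable attachments, including ones whose executable suffix is hidden behind a document-looking name (a double extension such as .doc.pif, a disguise that goes beyond what the page itself describes) or behind a trailing dot or whitespace. The extension list, the sample file names and the Verdict/quarantine names are constructed assumptions for this example.

```python
import os
from typing import List, NamedTuple

# Extension families the gateway treats as executable content. This list is an
# assumption for the example, not a setting from any Norman product.
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Constructed sample attachment names: README.EXE is the Nimda file named on the
# page; the others are invented to exercise the disguise handling.
SAMPLE_ATTACHMENTS = [
    "README.EXE",
    "Quarterly figures.doc.pif",
    "budget.xls",
    "readme.exe.",
]


class Verdict(NamedTuple):
    filename: str
    quarantine: bool
    reason: str


def screen_attachment(filename: str) -> Verdict:
    """Decide whether one attachment name denotes executable content."""
    # Trailing dots and spaces are ignored by Windows when the file is saved,
    # so strip them before looking at the suffix the OS will actually honour.
    name = filename.strip().rstrip(". ")
    root, ext = os.path.splitext(name.lower())
    if ext in EXECUTABLE_EXTS:
        inner = os.path.splitext(root)[1]     # a second, document-looking suffix?
        if inner:
            return Verdict(filename, True,
                           f"executable disguised with double extension {inner}{ext}")
        return Verdict(filename, True, f"executable attachment {ext}")
    return Verdict(filename, False, "no executable extension")


def screen_message(attachments: List[str]) -> List[Verdict]:
    """Screen every attachment of one message."""
    return [screen_attachment(a) for a in attachments]


def quarantined(attachments: List[str]) -> List[str]:
    """Names of the attachments that would be held back from the recipient."""
    return [v.filename for v in screen_message(attachments) if v.quarantine]


if __name__ == "__main__":
    for v in screen_message(SAMPLE_ATTACHMENTS):
        print(f"{'QUARANTINE' if v.quarantine else 'deliver   '} {v.filename}: {v.reason}")
```

The screen is deliberately blunt: it holds every executable, not only the names seen in a particular outbreak, because the page's own observation is that detection signatures published months earlier did not stop SirCam from spreading, whereas a policy that never delivers executables to the desktop does not depend on the user recognising the file.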

Ironically...

  • Microsoft has provided patches for all the exploits against IIS used by Nimda (2 above).
  • Microsoft has provided patches for Internet Explorer so that those who installed the patch were not vulnerable to the exploit used by Nimda (1 above).
  • Several security organizations - including Norman, see e.g. Security Information 43/1999 - have recommended that one should not use Internet Explorer for surfing the Internet unless Active Scripting is disabled.

Lessons to be learned

Are there any lessons that we can learn from these incidents?

There must be!

End users and network managers

The end users, and in particular people responsible for the corporate networks, must use time and resources to keep up with the security issues regarding products they use in their environment. This is time-consuming, but the alternative may turn out to be worse!

In addition to the security mailing lists available from different vendors, there are several excellent general mailing lists and web sites, which one may subscribe to and visit regularly.

Below are some which should prove useful:

The Security Community

All three incidents discussed in this Security Information prove that even though patches that close the security vulnerabilities are available, and updated antivirus products are made available to the public, there are lots of users who do not secure their systems against known threats!

This depressing fact is a major challenge for the security community as a whole. Perhaps this community will have to rethink its approach to the general problem?

The software vendors

Time and time again the same products are targeted and exploited. A lot of the attacks by malicious programs during the last year have used vulnerabilities in Microsoft programs as their means of attack.

This of course is a problem for Microsoft, and we have seen a clear tendency recently that Microsoft is focusing more on the security aspect of its products. Perhaps the time has (finally) arrived when new functionality is seen as less important - from the vendor's point of view - than making its customers secure when using the vendor's products?

In closing

The incidents discussed here will not be the last of their kind to cause havoc on computers and networks. This is one fact we know!

However, there are some easy and quick, and some not quite as fast, precautions that every security-conscious individual can take. Some of these are outlined above.

This will protect you as a user, as well as protecting others from becoming the victims of malicious programs originating from you.

Good thinking, huh?

Per Olav Førland