The A3C Connection, Summer 2001

Living with a Hostile Internet

News on the Net
WWW Everyone

This summer has been a really bad time for those of us who use the Internet for work or for pleasure.

Want to see what's up in the virus/worm world? See MessageLabs' ViruSeye Threatlist, a monthly chart giving the relative number of each virus they've seen that month: http://www.messagelabs.com/viruseye/threatlist.asp

July 17: SirCam

SirCam is a nasty Outlook worm that randomly picks an item from your hard drive and sends it, with a distressingly convincing wrapper, to everyone you know and also to email addresses it finds on the cached copies of Web pages you visited recently. It also has a destructive payload; it was designed to either empty or fill the C: drive on randomly selected machines. (A bug in its design made that unlikely to occur, but we won't be so lucky the next time.)

SirCam spread by email, but you didn't have to use Outlook or even to have opened an infected message to get it. It also spread by "open network shares" -- creating copies of itself in all writable directories, including those accessed over a local area network. Thus an infected file shared on a network could spread SirCam to all machines on the network.

CERT/CC on SirCam (includes links to other antivirus vendors info on the worm): CERT® Advisory CA-2001-22 W32/Sircam Malicious Code.

July 19 and August 4: Code Red I and II

Shortly after SirCam began infecting individual PCs, three worms appeared that attacked Microsoft Web servers and brought the Internet to a grinding halt.

The Code Red worms infected Microsoft Internet Information Server (IIS) Web servers running under Windows NT4 or Windows 2000, attacking two well-known vulnerabilities that already had published fixes. Many people whose machines were infected by the Code Reds didn't even realize they were running a Web server, and so they had no idea that they ought to have patched it. (But don't feel bad, even some of Microsoft's Web servers were infected by Code Red.)

CERT/CC on Code Red:
Microsoft on the IIS vulnerabilities used by Code Red:
Microsoft Security Bulletin MS01-044
SANS Institute:
Code Red FAQ, Code Red II
C|Net on Code Red:
The Big Picture

September 18: Nimda

As bad as the Code Reds were, they didn't spread by email. Nimda, the next worm/virus, was much worse, both from an infection and Internet traffic point of view. "Nimda" is "admin" spelled backwards, which is quite appropriate, because it was a huge problem for system administrators everywhere.

Nimda is an equal-opportunity infector attacking machines running any Windows operating system and spreading four ways:

From an infected machine to arbitrarily selected Web servers.
Like Code Red, Nimda scans the Internet looking for Web servers using Microsoft's Internet Information Server (IIS) and Personal Web Server (PWS) software and attempts to exploit a number of long-known server vulnerabilities or to use "backdoors" left by previous worms, including Code Red.

From infected Web servers to an individual's PC, by browsing infected Web sites.
Yes, visiting the wrong Web site could infect your PC with Nimda. (But not if you have an up-to-date version of Norton AntiVirus, thanks to its File System Realtime Protection.)

From PC to PC via open network shares.
Like SirCam, Nimda creates copies of itself on all writable directories (and also attaches itself to executable files), including shared files accessed over a local area network.

And the standard, via email.
PCs can be infected when Outlook or another email program uses Internet Explorer to open an HTML-formatted message carrying the worm. (Just opening the message is enough, not an attachment.)
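The first of those paths, scanning the Internet for IIS servers, leaves traces in the target's Web server log that a sysadmin can look for. The following Python script is an added example, not part of the original article or any ACCC tool: it scans Web server log lines for the request patterns that Code Red (a request for default.ida) and Nimda (requests for root.exe and for cmd.exe reached through the IIS directory-traversal and decoding bugs) send when probing a server, and lists the client addresses that have probed often enough to be worth filtering. The log format, the signature names, the threshold and the log lines themselves are constructed for this example; the probe paths follow those listed in the CERT advisory on Nimda.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified IIS/W3C style (not real UIC
# traffic; the client addresses are documentation ranges). The request paths
# follow the probe patterns documented for Code Red (default.ida) and Nimda
# (root.exe / cmd.exe via the IIS directory-traversal and decoding bugs).
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.10 GET /index.html 200
2001-09-18 14:02:12 192.0.2.10 GET /images/logo.gif 200
2001-09-18 14:02:15 198.51.100.7 GET /scripts/root.exe?/c+dir 404
2001-09-18 14:02:15 198.51.100.7 GET /MSADC/root.exe?/c+dir 404
2001-09-18 14:02:16 198.51.100.7 GET /c/winnt/system32/cmd.exe?/c+dir 404
2001-09-18 14:02:16 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 14:02:17 198.51.100.7 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir 404
2001-09-18 14:05:40 203.0.113.9 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
2001-09-18 14:06:01 192.0.2.10 GET /about.html 200
"""

# Each signature is a (name, regex over the request path). Names are ours.
SIGNATURES = [
    ("code-red", re.compile(r"/default\.ida\?", re.IGNORECASE)),
    # root.exe is the backdoor copy of cmd.exe left behind by Code Red II
    ("nimda-backdoor", re.compile(r"/(scripts|msadc)/root\.exe", re.IGNORECASE)),
    # traversal to cmd.exe using the unicode / double-decode encodings
    ("nimda-traversal", re.compile(r"(%c0%af|%c1%1c|%255c|\.\./)[^ ]*cmd\.exe", re.IGNORECASE)),
    # the virtual directories /c and /d that Code Red II mapped to the drive roots
    ("nimda-cdrive", re.compile(r"^/[cd]/winnt/system32/cmd\.exe", re.IGNORECASE)),
]

# date time client method path status
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(path):
    """Return the name of the first matching worm signature, or None for normal traffic."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None


def scan_log(text):
    """Parse log lines; return {client_ip: Counter({signature: hits})} for offenders only."""
    offenders = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, path, _status = m.groups()
        sig = classify_request(path)
        if sig:
            offenders.setdefault(client, Counter())[sig] += 1
    return offenders


def hosts_to_filter(offenders, threshold=3):
    """Clients whose total probe count reaches the threshold, sorted for a filter list."""
    return sorted(ip for ip, hits in offenders.items() if sum(hits.values()) >= threshold)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, hits in sorted(found.items()):
        print(ip, dict(hits))
    print("filter:", hosts_to_filter(found))
```

Note that the 404 status on most of the Nimda probes is the good case: the server did not have the backdoor or the traversal bug. A 200 on one of these requests is the line to worry about, because it means the probe found what it was looking for.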

Read More About Nimda

For an interesting and not too difficult to read technical description of Nimda, including graphs of its effect on Internet traffic, see the SANS Institute (System Administration, Networking, and Security) incidents.org's NIMDA Worm/Virus Report - Final at http://www.incidents.org/react/nimda.pdf.

CERT/CC on Nimda (includes links to other antivirus vendors info on the worm):
CERT® Advisory CA-2001-26 Nimda Worm
C|Net on Code Red:
The Big Picture

So Why Should You Care?

The SirCam filters on tigger and icarus rejected thousands of messages in their first few hours. (We stopped counting after that.) SirCam could and did send people's personal files all over the Internet.

Nimda was similarly widespread. On September 19, just one day after Nimda was first identified, we had to filter (refuse traffic to and from) half the subnets on the UIC campus just to keep the rest of our network going at a crawl. On September 21, there were still 300 individual machines on campus that were filtered due to Nimda. [Note: It's the end of November now, and Nimda is still alive and kicking on the UIC campus.]

The most annoying and regrettable thing about Code Red and Nimda is that Microsoft released fixes for the security holes they use before the worms appeared. The patches for the security holes that Code Red uses were released in July 2000 and June 2001. The patch for the IIS hole that Nimda uses was released in October 2000 -- yes, almost a year before Nimda -- and the patch for the email MIME exploit it uses was released in March 2001. Nimda, at least, shouldn't have happened.

Nor should the vast majority of SirCam infections have occurred; Symantec released a virus definition for Norton AntiVirus that detected SirCam on July 17, the same day that SirCam was first detected. In spite of that, SirCam was still going strong at the beginning of September. (NAV is the antivirus software that anyone at UIC can use on any of their computers, even at home, at no cost, under a UIC site license; see Norton AntiVirus.)

Use Windows? You may be running IIS.

If you are running Microsoft FrontPage or a similar program that is used to design Web pages, IIS may be installed on your computer.


What You as an Individual Can Do

A REACH representative put together these suggestions for people running Windows. Her department's subnet was one of the ones the ACCC filtered for Nimda; its major offender was not a "computer"; it was a Cisco switch with a vulnerable IIS Web interface. Who would have guessed?

"You may have heard of the Nimda worm which brought down [our department's] network (and many, many others) Tuesday morning. Ed Zawacki and other heroes at the ACCC work hard to protect us from such disasters, but without our help they can't keep the network free of threats. I am asking all of you who use Microsoft Windows to do the following:

"1) Run LiveUpdate in Norton Antivirus: Double click on the yellow shield in the lower right corner of your monitor and click on the LiveUpdate button. Make sure you have selected the option to update using files found on the Internet, then click the Next button. Click Finish when LiveUpdate completes the download and Exit to close the Norton AntiVirus window.

"2) Upgrade your version of Microsoft Internet Explorer. If you have Internet Explorer on your computer, please visit the Web site: http://www.microsoft.com/windows/ie/downloads/ie6/download.asp to upgrade to the latest version of Internet Explorer. [Or install IE 6 from the NSKit Version 5 CD.] Unpatched versions of IE up to IE 5.5 service pack 2 and any version earlier than 5.01 have bad security problems.

"3) Don't trust email attachments. [And don't use preview panes - you can get Nimda just by having an infected message opened in a preview pane.] If you don't need to open an attachment, don't. If you must open email attachments, make sure Norton AntiVirus is running on your computer and that you run LiveUpdate regularly.

"4) If you are using Microsoft Outlook to read your email, please try to switch to Eudora, Webmail, or any other email client. The worst of the recent viruses and worms have spread themselves through insecure Outlook email clients, using Outlook address books to find new hosts to infect." [Many people who know say Outlook is inherently insecure and would have to be rewritten from the ground up to have a semblance of security. It certainly is true that as soon as one Outlook security problem is fixed another one appears.]


What You as a "Sysadmin" Can Do

A fifth request, for everyone who owns a computer or computer-managed equipment of any sort:
Please consider all your software, computers, and computer-managed equipment from a security point of view.

The almost universal point of view of all (Mac, Windows, and UNIX) operating system and software manufacturers is to turn everything on by default and to depend on the user to turn off what they don't need. That needs to change, but in the meantime you need to keep up your end of the bargain. And you also need to stay up-to-date with your operating system and the other software you run.

Sound overwhelming? It isn't. The FBI and the SANS Institute (see Read More About Nimda) have put together SANS Resources - The Twenty Most Critical Internet Security Vulnerabilities, the Expert's Consensus, at http://66.129.1.101/top20.htm. That's the twenty most important of the hundreds of security vulnerabilities that have been identified; keep up-to-date with these twenty and you'll go a long way toward doing your part in keeping your machines, and the Internet, secure.

The list includes seven security problems that affect all types of systems (including running software that you don't need), six specific to Windows, and seven specific to various flavors of UNIX, including Linux and Solaris. It includes the security exploits that allowed Code Red and Nimda to spread so rapidly.

The SANS top twenty is a "living document" that will change as needed and includes instructions on how to fix the problems. Everything you'll need to secure your machines is there.
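One concrete way to "consider your computer from a security point of view" is to find out what it is actually serving to the network and compare that with what it is supposed to serve. The following Python script is an added example, not from the article or the ACCC: it reads the output of netstat -an (a constructed sample in the style of a Windows 2000 workstation is embedded), extracts the sockets that accept incoming traffic, and reports any that are not on an allowlist of what that machine should be offering. The allowlist, the port labels and the sample output are assumptions for illustration; an unexpected listener on TCP port 80 is exactly the "you may be running IIS" case the article warns about.

```python
import re

# Constructed sample in the style of `netstat -an` on Windows 2000 (not taken
# from a real machine). Columns: proto, local address, foreign address, state.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.0.2.25:1033        192.0.2.1:110          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Hypothetical allowlist for a plain workstation: what we expect to be listening.
# 135/137/138/139/445 are the Windows RPC and file-sharing ports; a workstation
# that must not expose its files on the LAN would also drop 139 and 445 here.
WORKSTATION_ALLOWED = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

# Well-known services, used only to label what was found.
PORT_LABELS = {80: "HTTP (IIS/PWS?)", 21: "FTP", 23: "Telnet", 25: "SMTP", 1433: "MS SQL"}

LISTEN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return a sorted list of (proto, port) sockets that accept incoming traffic."""
    listeners = set()
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, _addr, port, _foreign, state = m.groups()
        # TCP sockets must be LISTENING; UDP sockets carry no state and are always open.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add((proto, int(port)))
    return sorted(listeners)


def unexpected_listeners(listeners, allowed):
    """Listeners not on the allowlist, each with a human-readable label."""
    findings = []
    for proto, port in listeners:
        if (proto, port) not in allowed:
            findings.append((proto, port, PORT_LABELS.get(port, "unknown/ephemeral")))
    return findings


if __name__ == "__main__":
    for proto, port, label in unexpected_listeners(parse_listeners(SAMPLE_NETSTAT), WORKSTATION_ALLOWED):
        print(f"unexpected {proto} listener on port {port}: {label}")
```

On a real machine, save the output of netstat -an to a file and pass its contents to parse_listeners. Every finding is either a service to turn off (the FrontPage-installed IIS of the previous section, say) or one to add to the allowlist on purpose, with a note of why it is there and who keeps it patched.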

Comments are welcome; please send them to Ed Zawacki, security@uic.edu


2001-12-3  connect@uic.edu