Nimda virus riles up Microsoft users

Nasty worm trashes files, forces net shutdowns; pressure builds on Microsoft to shore up software security.
The complex computer virus Nimda, which swept like a tornado across the Internet last week, attacked Microsoft servers and desktops with a ferocity unrivaled by previous worms and in its wake left many network executives questioning the growing chore of patching and repatching Microsoft's Web-based software.

The virus did its damage by exploiting dozens of known vulnerabilities in the Microsoft Web server, Outlook mail client and Internet Explorer browser. Nimda corrupted files. It added itself to Internet Information Server (IIS) Web pages, infecting PCs through vulnerable Internet Explorer browsers. Wherever it wormed in, Nimda scanned IP addresses for more victims, raising concerns about denial-of-service attacks and slowing Internet performance. By the end of last week, Nimda attacks in the U.S. had largely subsided, but Europe and Asia were still having problems.

"Nimda spreads with a ferociousness not yet seen," says Ed Skoudis, vice president of ethical hacking at security firm Predictive Systems in Herndon, Va.

While Nimda caused significant damage - so far infecting more than 2 million PCs and servers worldwide - it was but another mess IT professionals had to clean up in a procession of problems that seem to spread all too frequently across Microsoft-based servers and clients.

There have been more than 26 patches issued for various Microsoft product vulnerabilities since May. The IIS server has had at least seven such patches. And for Nimda, there are some 15 different patches to apply to different systems.

It can get oppressive, users say. Almost every week brings another alert about vulnerabilities in Microsoft products, says systems administrator John Mckean with the Oregon State Lottery. "I spend a disproportionate amount of my time responding to these security threats to Microsoft Windows products in relation to the time I must spend securing either our Sun or Novell boxes."
Mckean's organization has five Sun Solaris Servers, 12 Novell NetWare servers and five Windows 2000 servers. But 80% of his time is spent on patching Microsoft, he says. "With the Novell and Sun operating systems, the need to patch the servers has not been problematic," he says.

Others seem resigned to the constant patching. "It has gotten to the point where we have to identify a single administrator to keep up with the Microsoft patches. It can get a bit ridiculous, but if it keeps us safe from attack and closes security holes, in the long run it's worth the effort," says Carl Fries, the network manager for NCI Building Systems in Houston. The company has nearly 50 NT 4.0 servers.

"When a new patch comes out, we drop everything and we do what we need to do. We inform all the technicians at our sites around the U.S. that a patch will be installed on their servers," he says.

Donald Woeltje, a network manager with St. Elizabeth's Hospital in Belleview, Ill., thinks Microsoft is making a good-faith effort to address security, but needs to try even harder. The hospital was forced to shut down its Internet e-mail connection, as were several financial institutions.

"I do get tired of having to apply the available patches," he says. "[But] my responsibility is to protect the hospital's systems." After installing the Network Associates Inc. (NAI) Total Virus Defense virus update against Nimda on Microsoft servers, he reopened e-mail access.

"Nimda has been driving me crazy," Woeltje says. The NAI WebShield Simple Mail Transfer Protocol Server was sending large numbers of alerts reporting e-mail infected with the Nimda worm. "So far, as best I can tell, we've been able to prevent infection," he says.

Although Microsoft seems to be the main target of virus writers, Woeltje says he's not yet ready to switch to alternate vendor products.
But the need to continually patch Microsoft software - and the growing security risk associated with not doing it - is driving up the cost of ownership, says John Pescatore, a Gartner security analyst.

"If you were hit by Nimda and Code Red, it means you can't keep up with the patches on Microsoft and your boat is leaking," Pescatore says. "You should change your server to iPlanet or Apache."

It seems the worst computer viruses only target Microsoft. That, even though 19% of the 18 million Web sites on the Internet are based on Microsoft software vs. 62% based on Apache, according to Netcraft. Microsoft has had so many vulnerabilities to exploit, it "represents low-hanging fruit" for virus writers and hackers, Pescatore says.

Organizations not using Microsoft Web servers, such as the Internet weather site Weather.com, watched Nimda pound away with IP scans but weren't too worried about it.

"We don't use IIS, we use Apache, so we're safe as far as our Web server is concerned," says Dan Agronow, vice president of quality control and site operation at Weather.com. "Of course we have IT staff running around to make sure we have the right antivirus updates, too."

Some analysts say Microsoft, as the dominant software company, needs to help its customers better cope with managing the software patch challenge as the security risk grows with the new generation of powerful worms.

"Microsoft needs to help customers better understand when to apply patches or not," says Predictive's Skoudis.

But some security experts disagree. Microsoft is doing all it can by having the Windows Update feature in all its software since Windows 98, and last month it posted free tools to help analyze vulnerabilities with its applications (see story), says Roger Thompson, TruSecure's technical director of malicious code. "There's not much else they can do."

"If you had patched your Web servers, you would have been OK," Skoudis says. "We recommend updating the browser in general every three months."
Contact: Senior Editor Ellen Messmer
Copyright, 1994-2006 Network World, Inc. All rights reserved.