Call for co-operation to battle 'Nimda' worm
By Aimie Pardas
24th September 2001 (Computimes)

THE National Information and Communications Technology Security and Emergency Response Centre (Niser) is calling on all Internet service providers/application service providers (ISPs/ASPs) and enterprise network managers to filter their gateways.

Its director Major Husin Jazri said this is in anticipation of the Nimda Internet worm, which started infecting servers and personal computers (PCs) in the United States last Tuesday, and has since spread worldwide.

According to him, since the Nimda worm was detected, Niser has received eight reports from local organisations and detected 105 unique Internet protocol (IP) addresses infected with the worm.

"If we can get the co-operation from major ISPs/ASPs and enterprise network managers in filtering the gateway, it will help prevent more widespread attacks," Husin told Computimes last week.

Internet security solutions provider Symantec Corp, meanwhile, has classified the Nimda worm as "Level Four" threat, which is more dangerous than Code Red or Code Blue worms, classified as "Level Two" and "Level Three" threat respectively.

Its country manager for Malaysia Gun Suk Ling said the worm is definitely more threatening as it impacts desktops and servers, and can bring both down.

Users who merely preview the attachment without opening will get infected as well.

Gun said infected electronic mail will be sent out to users in the infected computer's address book or infect other computers through open share on Windows networks.

According to her, Nimda also attempts to change Web pages on infected servers, and infect other servers by scanning the network and Internet for vulnerable Web servers.

Gun said infected servers and desktops will see tremendous slowdown in performance due to the increase in network traffic.

The duration that it will last depends on how quickly they get the patch files and how quickly they can download the updated virus definition list and distribute it to the whole company, she added.

"Performance of the network will be affected. Company productivity will be affected. We can't deny that most work is done through the personal computer (PC) and the Internet," she added.

Meanwhile, Surveillance Sdn Bhd's chief executive officer Alan See said the company noticed the Nimda worm last Tuesday and determined that there were a lot of Internet information servers scanning its customer network, trying to gain control of the host.

"There was a sudden increase of alerts from Port 80 - the peak was on Sept 19, where the number of denied Port 80 incidents was almost eight times more than usual. No matter how much our security analysts cleared this, the alerts kept coming in," he said.

Although the number of alerts is increasing, See said the company has successfully blocked the worm, hence there are no reports of attacks from any of its clients.

"Our Global Command Centre in Hong Kong first detected the worm last Tuesday night and within two to three hours, it has spread to our GCC in Singapore and Malaysia. Since the US is a day behind Asia, the spreading can easily be on the same day," he said.

See said the Nimda worm is propagating with unprecedented speed across the Internet, and is reputedly more threatening than the Code Red or Code Red II worms.

"The reason is Nimda is the first worm that can modify existing Web sites for downloads. Also, it is the first worm to use normal end user machines to scan for vulnerable Web sites. This technique enables Nimda to easily reach intranet Web sites located behind firewalls - something worms such as Code Red could not directly do," he said.