Last week's Nimda worm, which burrowed its way into thousands of computers, foreshadows future computer attacks, experts say. But fortunately there are a lot of common-sense approaches to preventing infection.
Nimda, which is "admin" backwards, is a hybrid worm able to infect both servers and desktop computers. The worm can infect Windows 2000 servers plus PCs running various versions of Windows. Nimda spreads in several ways, including via an e-mail attachment and scanning for vulnerable Web servers running Microsoft's IIS. The worm can also copy itself to shared drives on intranets and even add itself to a Web page. Just looking at the page is enough to get infected.
Last week, Windows administrators had their hands full as they needed to essentially should down desktops and servers to install the necessary patches. Nimda, also known as readme.exe and W32.Nimda, causes systems to slow down but doesn't destroy data. It is also fairly visible to users.
Yet future worms may have more sinister consequences, according to Joel Scambray, author of the book "Hacking Windows 2000 Exposed" and managing principal with Foundstone Inc., a security consulting organization.
"You are going to see more hybrid worms attacking both Windows and Unix Web servers," Scambray said.
Preventing infections from worms such as Nimda requires a mixture of technology and policy. Keeping anti-virus software up to date is a given. Keeping tabs on patches from Microsoft is another vital step. System vulnerabilities can be plugged before infection if the staff is well informed. For example, Nimda exploits long-known vulnerabilities in IIS.
E-mail leaves companies open to infection, as end-users tend not to be tech savvy. "I see e-mail attachments as the future of hacking. Companies can't really block e-mail," Scambray said.
However, companies can ensure employees don't open attachments unless the file and sender are recognizable. There are also ways to configure e-mail programs to screen some kinds of attachments.
Resisting infection from surfing the Web is not as straightforward, said Frank Prince, an analyst with Forrester Research of Cambridge, Mass. The kind of content on a site doesn't translate into how secure it is. For example, a site that sells home goods may be a big security risk while a gambling site may be very secure, he said.
"There is no way of telling if a site is the equivalent of walking down a dark alley," Prince said.
Keeping Web browsers up to date prevents infection from the worm, Prince said. Nimda appears to be a sound file to browsers. Newer browsers would recognize the file is not a sound file and not open it. Older browsers may open the file and allow the worm to infect the system.
Another useful step is to monitor normal CPU usage. Such data serve as a baseline so administrators can tell if CPU is spiking while nothing is running. A good sign of Nimda infection is increased CPU usage while nothing is running, said Mark Edmead, an independent Internet security consultant.
FOR MORE INFORMATION:
Got a security question? Try to stump our expert (good luck!) in searchWin2000's Ask the Expert section.