Nimda Opens Potential for Subsequent Back Doors

Have you recovered from the Nimda worm yet? As you know, the worm spread rapidly, and computer users felt its effects far more heavily across the Internet than they felt the Code Red worm and its subsequent variations. To add insult to injury, Nimda leaves an infected system wide open to anyone who wants to connect—it maps shares and enables the Guest account and makes the account a member of the Administrators group.
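The indicators the paragraph above describes (Guest account enabled, Guest placed in the local Administrators group, extra shares exposed) can be checked quickly from the output of the `net user`, `net localgroup`, and `net share` commands. The following Python script is an added example and is not part of the original article or of any Microsoft or CERT tool. It assumes the standard text layout those commands print on Windows NT/2000, and the sample outputs embedded in it are constructed for illustration, not captured from a real host. The "non-default share" heuristic (anything other than IPC$, ADMIN$, and the drive$ shares) is an assumption of this example, not a claim from the article.

```python
import re
import subprocess
import sys

# Constructed sample of `net user Guest` output on a host showing the indicators
# described in the article (not real captured data).
SAMPLE_NET_USER_GUEST = """\
User name                    Guest
Full Name
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Account expires              Never
Local Group Memberships      *Administrators       *Guests
Global Group memberships     *None
The command completed successfully.
"""

# Constructed sample of `net localgroup Administrators` output.
SAMPLE_NET_LOCALGROUP_ADMINS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

# Constructed sample of `net share` output with one non-default share ("C").
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\\WINNT                        Remote Admin
C$           C:\\                             Default share
IPC$                                         Remote IPC
C            C:\\
The command completed successfully.
"""

# Shares Windows creates by itself; drive shares such as C$ are matched by regex.
DEFAULT_ADMIN_SHARES = {"ADMIN$", "IPC$"}


def guest_is_active(net_user_output):
    """True when the 'Account active' line of `net user Guest` reads Yes."""
    m = re.search(r"^Account active\s+(\S+)", net_user_output, re.M)
    return bool(m) and m.group(1).lower() == "yes"


def localgroup_members(net_localgroup_output):
    """Return the member names listed below the dashed rule of `net localgroup`."""
    members, in_members = [], False
    for line in net_localgroup_output.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        members.append(line.strip())
    return members


def shares(net_share_output):
    """Return the share names from the table printed by `net share`."""
    names, in_table = [], False
    for line in net_share_output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command completed"):
            continue
        names.append(line.split()[0])
    return names


def nonadministrative_shares(names):
    """Shares other than ADMIN$, IPC$ and <drive>$ (heuristic assumed by this example)."""
    return [n for n in names if n not in DEFAULT_ADMIN_SHARES and not re.fullmatch(r"[A-Z]\$", n)]


def assess(net_user_output, net_localgroup_output, net_share_output):
    """Collect human-readable findings for the post-infection indicators."""
    findings = []
    if guest_is_active(net_user_output):
        findings.append("Guest account is enabled")
    if any(m.lower() == "guest" for m in localgroup_members(net_localgroup_output)):
        findings.append("Guest is a member of Administrators")
    extra = nonadministrative_shares(shares(net_share_output))
    if extra:
        findings.append("non-default shares present: " + ", ".join(extra))
    return findings


def run_net(*args):
    """Run a `net` command on the local host (only meaningful on Windows)."""
    return subprocess.run(["net", *args], capture_output=True, text=True).stdout


if __name__ == "__main__":
    if sys.platform == "win32":
        result = assess(run_net("user", "Guest"), run_net("localgroup", "Administrators"), run_net("share"))
    else:
        result = assess(SAMPLE_NET_USER_GUEST, SAMPLE_NET_LOCALGROUP_ADMINS, SAMPLE_NET_SHARE)
    for finding in result:
        print("FINDING:", finding)
    if not result:
        print("no Nimda post-infection indicators found")
```

On a non-Windows machine the script runs against the constructed samples; on Windows it queries the local host. A finding here is a reason to follow CERT's advice and rebuild rather than clean, since the same open door Nimda left could have been used by anyone in the meantime.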

Just about every security-related company has released advice, tools, and updates that help remove and prevent the Nimda infection. But as Greg Francis pointed out on our Win2KsecAdvice mailing list on Monday, the Computer Emergency Response Team (CERT) is one of the few entities recommending that users perform a clean install of the OS to recover from infection.

CERT's recommendation stems from the fact that infected systems make their IP addresses known by trying to infect other systems, and wily intruders know this. So during the time when Nimda infected a system, anyone could have connected to that system and inserted back doors or obtained proprietary data from the network. If you don't have detailed system auditing in place that tracks all changes so that you can reverse them, you might be wise to completely reinstall the OS to be certain you've reinstated some level of network integrity. You might also want to consider changing usernames and passwords.

Reinstalling OSs and reassigning resources can be a difficult job, especially if the system is a domain controller (DC) or Active Directory (AD) server. It's far easier and cheaper to perform regular system maintenance and stay on top of the latest patches and configuration recommendations so that worms such as Nimda don't infect your systems.

Microsoft has a great Web page full of tools, checklists, and updates that help you make your systems more secure. The Web page contains six checklists, three security updates, and nine tools. The checklists cover Windows NT, Microsoft IIS, and DC configurations; the security updates are for Microsoft Office and Outlook. The tools on the Web site are incredibly useful. I won't describe each one because you can learn about them at the Web page, but here are the available tools: IIS Lockdown, Microsoft Personal Security Advisory, Cleaner for Code Red II, Improved Cipher Security Tool, Qchain, Security Screen Savers, Windows 2000 Internet Server Security Tool, Security Planning Tool for IIS, and HFNetChk. Be sure to take a look at these resources.

As I mentioned last week, Microsoft announced that it has a beta version of HFNetChk 3.2 available for those who want to try the tool before Microsoft releases it (very soon). HFNetChk lets you inspect which hotfixes and patches are installed on any system. The tool works with an XML-based database that Microsoft provides and maintains. You can learn about the current version of HFNetChk in Paula Sharick's review on our Web site and you can try the beta. Log on with the username HFNetChk and a password of FooBar. But be aware that if Microsoft releases HFNetChk 3.2 this week, the beta will become unavailable. In that event, go to the Microsoft TechNet Web site to obtain the release version.

Because HFNetChk inspects system files based on an XML database, you can create XML databases to use with HFNetChk that perform other types of system checks (e.g., checking for the current strain of Nimda infection). Russ Cooper, operator of the NTBugTraq Web site and mailing list, has made an XML file available for HFNetChk that checks a system for Nimda infection. You can learn about Cooper's tool at the NTBugTraq Web site. If you already have a copy of HFNetChk, use Cooper's XML database right away by using the following command:


Because Nimda leaves a system wide open, an attacker can use HFNetChk to determine what other security vulnerabilities an infected system might have. Be sure to apply all crucial system updates. You can find a list of updates for Windows 2000 systems and the Microsoft Post-Service Pack 6a (SP6a) Security Rollup Package for Windows NT on the Microsoft Web sites.

Many sites that are immune to Nimda infection are experiencing network problems from the worm because of the large amount of traffic that infected sites generate. Worms such as Code Red and Nimda show us that lax security on one network quickly becomes the detriment of another network. These worms also show us that users remain unaware of the extreme need to stay on top of security matters daily.

Microsoft has a solution for IIS users that overlook security hotfixes. As you probably learned when you read Tim Huckaby's commentary from the September 25, 2001, issue of IIS Administrator UPDATE, the upcoming Microsoft Internet Information Services (IIS) 6.0 is a complete paradigm shift; it provides an infrastructure that installs security hotfixes by default. IIS 6.0 also lets you download hotfixes and apply them automatically as they become available. You can also find the article on our Security Administrator Web site.
