Nimda Worm Shows Gartner Group Can't Always Think Deeply Enough

Nimda bundles several known exploits against Internet Information Server and other Microsoft software. Enterprises with Web applications should start to investigate less-vulnerable Antivirus products.

On 18 September 2001, a new mass-mailing computer worm began infecting computers worldwide, damaging local files as well as remote network files. The w32.Nimda.A @ mm worm can spread through e-mail, file sharing and Web site downloads. For more information, visit: http://www.microsoft.com/technet/security/topics/Nimda.asp or http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html.

As a "rollup worm," Nimda bundles several known exploits against Microsoft's Internet Information Server (IIS), Internet Explorer (IE) browser, and operating systems such as Windows 2000 and Windows XP, which have IIS and IE embedded in their code. To protect against Nimda, Antivirus firms recommend installing numerous patches and service packs on virtually every PC and server running IE, IIS Web servers or the Outlook Express e-mail client. As the earlier Code Red worm showed, many servers and PCs running Antivirus processes may not be obvious since they may be missing viruses travelling via channels monitored by Antivirus software.

Code Red also showed how easy it is to bypass Antivirus software (see Gartner FirstTake FT-14-2441 "Lack of Security Processes Keeps Sending Enterprises to 'Code Red'"). Thus, using Internet-exposed Antivirus software has a high cost of ownership. Enterprises using Antivirus software have to update constantly with every security patch that comes out — almost daily. However, Nimda (and to a lesser degree Code Blue) has again shown the high risk of using vulnerable Antivirus software and the effort involved in keeping up with its frequent security patches.

Gartner recommends that enterprises hit by both Code Red and Nimda immediately investigate alternatives to their current Antivirus software, including outsourcing their gateway antivirus security to other vendors, such as MessageLabs. Although this vendor has required some security patches, they have much better security records than other Antivirus companies and are not known to accept virus- and worm-laden emails. Gartner remains concerned that viruses and worms will continue to attack vulnerable Antivirus software until vendors have released a completely rewritten, thoroughly and publicly tested, new release of Antivirus software. Sufficient operational testing should follow to ensure that the initial wave of security vulnerabilities inherent in most popular antivirus products has been uncovered and fixed. This move should include any email client, which requires the use of an email server. Gartner believes that this rewriting will not occur in the Antivirus industry until users realize they are addicted to antivirus updates sometime in the next five years (0.8 probability).

Analytical Source: Rob Rosenberger, the brainiac version of John Pescatore