A New Triple-Threat Worm Strikes The Net
19 September 2001 Edition
Just when you thought it was safe to go back on the Net, in the wake of
the Love Bug, SirCam, Code Red, Code Red II, etc, reports are surfacing
of a decidedly evil new worm that will try and wreck your day using a
number of exploits.
Although information is pretty sketchy at the moment, this new worm, known
so far as "Nimda" or "readme.exe", appears to take advantage of a number of
flaws in Microsoft Windows-based software.
It is spreading like wildfire through a number of mechanisms.
As with many of its predecessors, the worm is being delivered as an email
attachment -- but with the twist that, according to some reports, it can
execute automatically on PCs using MS Outlook, rather than requiring the
user to open that attachment.
It is very network-aware and once a single machine on a LAN or WAN becomes
infected, it tries to exploit any open shares to spread throughout that
network.
And, it also infects any unpatched IIS webservers it can find using direct
probes across the Net in a manner similar to the now infamous Code Red.
But wait -- there's more!
If it manages to compromise an IIS webserver, the default.asp page is altered
so that it automatically tries to serve a file called readme.eml containing
a bogus MIME header that sees it pretending to be an innocuous .wav file --
but which actually spawns a new Javascript window and does goodness knows what.
But wait -- there's even more!
As a result of all the port 80 probes being generated by IIS servers infected
by this worm, the Net is once again being flooded with masses of bogus
HTTP requests that are starting to waste enormous amounts of bandwidth.
One estimate suggests that there are over a million IIS servers on the Net
still vulnerable to this kind of exploit.
There has been some speculation that this little demon is somehow related
to the terrorist bombings in the USA (what isn't these days) -- mainly
because it first appeared exactly a week (to the hour) after the first airliner
hit the World Trade Center.
The FBI are investigating possible links.
So, what are you going to do to avoid getting hosed by this worm?
All the usual recommendations apply -- get the latest bug/security patches
from Microsoft (aren't you getting tired of that now?), update your
anti-virus software and remain vigilant.
However, at least one user claims that their IIS server was hit even though
it had all the latest security patches installed, and other supposedly "hard"
systems have also been reported as compromised.
If you're running Internet Explorer you might also want to
use the Tools -> Internet Options -> Advanced menu selections and uncheck the
"Play sounds in web pages" option so that if you hit a compromised website
you're less likely to have the "readme.eml" file explode in your face.
Although I can't confirm it, Netscape and Opera users should be safe since
the .eml file is an Outlook-specific type. Perhaps some smart Aardvark
reader can comment?
One way of reducing the risk of being hit by an infected webpage will be to
disable JavaScript, since the file is delivered by this piece of code:
<script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000 ")
</script>
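As an added example (not code from the original column), here is a small Python check a web administrator could run over the pages a server is actually serving, to flag the injection described above: a script that opens an .eml file in a window pushed off-screen. The sample pages are constructed for the example, not captured from a real host, and the "off-screen" threshold of 2000 pixels is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample pages (not captured from a real infected host).
INFECTED_DEFAULT_ASP = """<html><body><h1>Welcome</h1>
<script language="JavaScript">window.open("readme.eml", null,
"resizable=no,top=6000,left=6000 ")
</script>
</body></html>"""

# Same trick with different quoting, case and spacing: the check must not be a byte-match.
INFECTED_VARIANT = "<HTML><SCRIPT>window.open('README.EML',null,'top=9999,left=9999');</SCRIPT></HTML>"

# A legitimate pop-up: on-screen, and not an .eml file.
CLEAN_PAGE = """<html><body>
<script language="JavaScript">window.open("help.html", "help", "resizable=yes,width=400");</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
OPEN_RE = re.compile(
    r"window\.open\s*\(\s*(['\"])(?P<url>[^'\"]*)\1\s*,(?P<rest>[^)]*)\)",
    re.IGNORECASE | re.DOTALL,
)
POS_RE = re.compile(r"\b(top|left)\s*=\s*(\d+)", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    reasons: list = field(default_factory=list)


def scan_html(html: str, offscreen_px: int = 2000) -> list:
    """Return one Finding per window.open() call showing either suspicious trait."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        for m in OPEN_RE.finditer(script):
            url, rest = m.group("url"), m.group("rest")
            reasons = []
            if url.lower().endswith(".eml"):
                reasons.append("opens an .eml (Outlook message) file in a browser window")
            # top/left far beyond any real screen means the window is meant to be unseen
            if any(int(v) >= offscreen_px for _, v in POS_RE.findall(rest)):
                reasons.append(f"positions the window off-screen (top/left >= {offscreen_px})")
            if reasons:
                findings.append(Finding(url=url, reasons=reasons))
    return findings


def is_infected(html: str) -> bool:
    """True only when both traits occur together, the combination the worm uses."""
    return any(len(f.reasons) == 2 for f in scan_html(html))
```

Run it over a copy of default.asp (or a fetched page) and treat a True result as a reason to take the server offline and rebuild rather than just delete the script tag, since the page text notes the server itself is already compromised at that point.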
Wouldn't it be nice if we could just all get along together without feeling
the need to ruin other people's days?
Here are some links for more information on this worm: