Network Associates: solutions to combat Nimda worm
- 20 September, 2001 12:38
Network Associates on Wednesday released a group of utilities designed to help protect businesses from the rapidly spreading Nimda worm.
The company's McAfee Avert anti-virus research lab has created an online command-line scanner, known as NimdaScan, which lets users detect, clean, and delete the worm from their systems. The scanner can remove open shares, guest users, and registry keys that the worm creates. It can also scan the core route of an enterprise's network to clean out infections for users who are unaware whether they have been infected.
"NimdaScan is designed to clean up some of the things that customers are going to have to manually clean, like registry keys," said Vince Gullotto, senior director of McAfee's Avert division. "That saves them a lot of time and effort."
The scanner is a standalone utility that uses technology borrowed from McAfee's VirusScan product. Some of the new technologies built into NimdaScan might be incorporated in McAfee's next scanning engine, due sometime in March, according to Gullotto.
McAfee's ASaP online services division, which offers managed anti-virus solutions for small and midsized businesses, has also created an anti-Nimda update for its customers.
Meanwhile, the company's Sniffer Technologies unit released a new filter for its Sniffer protocol analyser, which monitors network traffic and delivers statistical data to network administrators. The filter looks for the precise HTTP requests that Nimda uses when it communicates, allowing users to fine-tune their existing Sniffer solutions to search specifically for Nimda traffic.
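The filter described above keys on the request lines the worm sends. As an added illustration (not Network Associates' or Sniffer's code), the following Python script applies the same idea to web-server access logs instead of live traffic: it flags requests whose path matches the well-known Nimda probe shapes (requests for `root.exe` or `winnt/system32/cmd.exe` with a `/c+dir` argument, with or without encoded directory traversal) and counts hits per source address, which is what lets an administrator find the "handful" of infected hosts among thousands. The log lines are constructed samples, not real captures.

```python
import re
from collections import Counter

# Constructed sample access-log lines (common log format); not real captures.
# Two ordinary requests from 10.0.0.5 and three Nimda-style probes from 10.0.0.9.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:14:02:11 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [18/Sep/2001:14:02:12 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.9 - - [18/Sep/2001:14:02:12 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.9 - - [18/Sep/2001:14:02:13 +0000] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '10.0.0.5 - - [18/Sep/2001:14:02:14 +0000] "GET /images/logo.gif HTTP/1.0" 200 5120',
]

# Request shapes characteristic of Nimda's IIS probing. The worm sent many
# variants (different encodings of "..\"), but all end in one of these two
# executable-plus-argument forms, so matching the tail is enough here.
NIMDA_PATTERNS = [
    re.compile(r"/root\.exe\?/c\+dir", re.IGNORECASE),
    re.compile(r"/winnt/system32/cmd\.exe\?/c\+dir", re.IGNORECASE),
]

# Pulls the method and path out of the quoted request field of a log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def parse_line(line):
    """Return (client_ip, method, path) for a log line, or None if unparsable."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    client_ip = line.split(" ", 1)[0]
    return client_ip, m.group("method"), m.group("path")


def is_nimda_probe(line):
    """True if the request path in this log line matches a Nimda probe shape."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    _, _, path = parsed
    return any(p.search(path) for p in NIMDA_PATTERNS)


def scan_log(lines):
    """Return [(client_ip, path), ...] for every line that looks like a probe."""
    hits = []
    for line in lines:
        if is_nimda_probe(line):
            client_ip, _, path = parse_line(line)
            hits.append((client_ip, path))
    return hits


def probes_by_source(lines):
    """Count probe requests per source address: the candidate infected hosts."""
    return dict(Counter(ip for ip, _ in scan_log(lines)))


if __name__ == "__main__":
    for ip, path in scan_log(SAMPLE_LOG):
        print(f"probe from {ip}: {path}")
    print("suspected infected hosts:", probes_by_source(SAMPLE_LOG))
```

A 404 on these paths means the server did not have the exploitable backdoor; a 200 would be the far more urgent finding, so a production version of this check would also report the status code.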
The main benefit is cost and time savings, according to Jeff Fanelli, lead systems engineer at Sniffer.
"If you're looking at a large network, you're going to have thousands of devices talking to each other, and perhaps only a handful of them are infected," he said.
In yet another move to combat Nimda, Network Associates' PGP Security division announced the upcoming release of Distributed CyberCop Scanner 2.0, a tool that probes systems and identifies machines with vulnerabilities. The new version lets enterprises perform distributed scans for some 850 openings that hackers could exploit and delivers comprehensive reports to network administrators. The product will be available in late September at $US23 per device.
CyberCop's new distributed scanning feature could be particularly helpful to companies with large, diverse networks, according to Jim Magdych, security research manager of Network Associates' PGP Security group.
"In very large enterprises, you might have separate network segments that are behind a firewall. So by placing an engine at those distributed locations, you can communicate with the engine, tell it what you want to scan, and then collect the results as it completes the process," Magdych said.
Michael Erbschloe, vice president of research at the Computer Economics consulting firm in Carlsbad, Calif., estimated that 2.2 million Nimda infections took place over one 24-hour period and placed the worldwide economic impact of the worm at $531 million in cleanup costs and downtime impact.
"A lot of machines have to be taken out of service until they're cleaned," Erbschloe said, referring both to servers and desktops. He estimated that, of the 2.2 million infections, 65 per cent were servers and 35 per cent were desktops.
Erbschloe marveled at Nimda's destructive power.
"It's the fastest worm I've seen," he said. "We still face another $200 million in inspecting systems and doing patching. In spite of the fact that we did a lot of patching during Code Red, a lot of machines haven't been patched."
US Attorney General John Ashcroft has denied speculation that the Nimda worm is related to last week's terrorist attacks on New York and Washington. But Erbschloe, author of the recently published book Information Warfare: How to Survive Cyber Attacks, suggested that because Nimda appeared on the same day as the terrorist attacks, a connection is possible.
"It's a new style of war," Erbschloe said. "It doesn't really matter what the source of Nimda is. You can have a variety of enemies that can attack you in a combination of physical and cyber events. They take advantage of circumstances."
Moreover, if America enters into a war with Afghanistan, as has been widely speculated, domestic enterprises will be significantly more vulnerable to cyber attacks, Erbschloe said.
"Terrorists will no longer focus on military targets, because commercial targets are so easy to get to and so easy to cause huge amounts of economic impact to," he said. "When you're tied to a network for communications and you start taking hits, you start losing money. And one of the key goals of 'information warfare' is to impact GDP, slow down industrial productivity, and hinder military activity."
Proof of a connection between the terrorist bombings and Nimda could come over the next few weeks, especially if more worms appear. That could suggest that terrorists are attempting to cripple America's communications and financial networks.
The Nimda worm, which can infect all 32-bit Windows systems, spreads via e-mail attachments, HTTP, and shared hard disks inside networks.