Worm continues its assault in Asia

The Nimda worm continues to breed across the Asia-Pacific region as more computer systems are infected on the second day of its pervasion into e-mails, servers, and browsers across the globe.

Computer Emergency Response Teams (CERTs) around Asia have seen an increased number of reports and many CERTs said this may not even come close to the actual number of infections.

"By noon today, we received about 60 calls and that does not include calls made to the anti-virus vendors or those who do not know that they are infected," said Roy Ko, center manager for Hong Kong's CERT coordination center. Having more calls reporting infections on the second day after a virus is first detected is a standard pattern that Asian CERTs face, he said.

When viruses hit the U.S. or Europe, it usually takes about 48 hours before similar effects are experienced in Asia, Ko said, adding that it usually takes that amount of time for a virus to propagate in Asia-Pacific.

Australia's CERT reported "a lot of activity," with the worm damaging hundreds of Web sites, said Kathryn Kerr, Threat Assessment manager at AusCERT. She declined to name the Web sites infected, but suggested that users disable the JavaScript on their browsers to reduce the risk of infection.

Since Nimda has the ability to maim systems with its three-pronged assault on e-mail, servers and browsers, having an updated anti-virus software might not be enough to exterminate it.

"Servers that are protected by anti-intrusion and anti-virus software could still be affected even though they are not infected," Ko said. The worm has such a heavy payload that it can flood bandwidth and cause denial of service even for protected sites, the only difference being that the worm cannot get into the "safe" system to infect it, he said. "But there will be persistent knocking on the door," he added.

Malaysia's emergency response unit has identified at least 100 unique ports that have been infected over the last two days, although authorities are quick to caution that this number does not reflect the real number of infected cases.

"We expect more damage than Code Red," said Malaysia CERT (MyCert) manager, Raja Azrina Raja Othman. The worm has also been found to infect local area networks with folder-sharing capabilities, especially among users without passwords, she said.

Raja Othman said MyCert is working in collaboration with other CERTs in the region to combat Nimda and to find out more about its behavioral patterns.

"We've observed a few different behaviors, like how it reacts with random and sequential IPs. It's not clear if it is simply acting out its random nature, or the difference (in behavior) is caused by a variant virus," she said.

According to Hong Kong CERT, another potentially damaging effect is the backdoor access Nimda opens up to third parties. "Anti-virus software can prevent the worm from infecting the system, but once the system is infected, you need to spend effort to clean and patch the system," Ko said, adding that the time and money spent to rid the virus counts towards the cost of damage caused.

Unfortunately, the measures taken to fight viruses are still very much reactive. "Until we set up proactive steps, it will be hard to protect ourselves from all viruses," Ko said, adding that anti-virus technology is not up-to-speed with the skills of virus writers.

While there are intelligent programs that can weed out certain virus patterns and detect them before an infection can take place, such programs are too large to run on ordinary commercial systems, he said.

In Singapore, only two cases were reported were reported on Thursday, compared to zero reports on Wednesday, a SingCert spokeswoman said, once again proving that the number is not indicative of those infected. "We will continue to monitor the situation closely," she said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about AusCertCERT AustraliaIPS

Show Comments