As the insidious Nimda worm continues to wreak havoc on Microsoft web servers worldwide, an analyst with an influential high-tech research firm said companies and school districts affected by the attacks should consider switching to a new product rather than battling to keep their Microsoft server software secure.

John Pescatore, research director for internet security at Gartner Group, told the Associated Press Sept. 24 that organizations whose web sites were shuttered more than once by the Nimda worm and other similar attacks might not be able to keep their servers safe from future attacks.

The attacks, including Code Red and last week’s Nimda, have knocked out thousands of web sites and briefly threatened to wreak havoc on the internet earlier this summer.

They work by wriggling in through vulnerabilities in Microsoft’s Internet Information Server (IIS). The glitches can be fixed by regularly downloading security patches from Microsoft web sites, but Pescatore said any organization hit by more than one attack clearly doesn’t have the technical staff to stay on top of the latest safeguards.

“If you were hit by Code Red and by Nimda, basically you can’t keep IIS secure, you’re not up to the task,” he said. “IIS has a lot more security vulnerabilities than other products and requires more care and feeding.”

Pescatore said Microsoft’s web server product is hard to safeguard because it is more often the target of hacker attacks. He recommended that users switch to rivals such as iPlanet or Apache, which he called more secure and less likely to be hit by hackers.

Microsoft Corp. denied that its IIS software is especially vulnerable to attacks.

“Gartner’s extreme recommendation ignores the fact that serious security vulnerabilities have been found in all web server products and platforms,” Microsoft spokesman Jim Desler said. “This is an industrywide challenge.”

Other analysts contend that Microsoft’s web servers aren’t significantly less secure than other products, but are simply targeted more often.

“IIS right now is so exposed … it is arguably the biggest target in that space,” said Rob Enderle, an analyst with the high-tech research firm Giga Information Group.

Enderle said he’d heard from clients who were switching from Microsoft server products, but he said security alone isn’t to blame. Many organizations also are angry about a change in Microsoft’s licensing agreements, which they contend will make it much more costly to run Microsoft products over the long term, he said.

Nimda’s wake

Nimda—which is “admin,” the shortened form of “system administrator,” spelled backwards—started spreading Sept. 17 and quickly infected PCs and servers across the internet.

Also known as readme.exe and W32.Nimda, the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, ME, and 2000, but also servers running Windows 2000.

The worm spreads by eMailing itself out as an attachment, scanning for—and then infecting—vulnerable web servers running Microsoft’s IIS software, copying itself to shared disk drives on school district or business intranets, and appending JavaScript to web pages that will download the worm to a user’s PC when the user views the page.

Although Nimda does not delete data, it does overwrite a number of files and spreads to shared computer hard disks, allowing it to wreak havoc on computer networks by slowing them to a halt.

School officials in Fort Wayne, Ind., said the program attacked and disabled library computers containing card catalog information. Though it had little effect on students and teachers, the district’s libraries and their staff members were without access to their electronic card catalogs Sept. 21.

The worm infected 53 library servers and two servers in the school district’s administration building. Computer technicians spent about 100 hours last week combating the virus, and the electronic card catalogs were expected to be running again a week later, said Jack Byrd, the district’s director of technology.

In Mitchell, S.D., Nimda caused problems in taking attendance and running the district’s food service software, and it also interrupted online exams. Technology director Dan Muck said technicians received a remedy for the problem the same night, and the system was back online Sept. 18.

Online technology news source CNET reported Sept. 24 that Nimda remains a threat to computer networks worldwide. Antivirus company Trend Micro’s World Virus Tracking Center reported at least 120,000 new infections in a 24-hour period that ended Sept. 24 at 3 p.m. Eastern Standard Time, according to CNET.

Every major antivirus company has updated software that can detect and remove Nimda, and Microsoft’s latest updates to its IIS software protect against the worm. Users who have not done so are encouraged to download the new software before the worm causes more damage.

Despite the attacks, many school technology directors contacted by eSchool News said they disagree with Gartner Group’s advice to switch to a new web server product.

“Microsoft servers are attacked by virus creators because there are so many out there,” said Chris Mahoney, director of technology for the Lake Hamilton School District in Arkansas. “Getting rid of Microsoft servers would only shift the focus [of hackers] to other platforms.”

Links:

Gartner Group
http://www.gartner.com

Microsoft’s “Information on the ‘Nimda’ Worm”
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp

TechRepublic.com’s “Learn what Nimda worm does and how to combat it”
http://www.techrepublic.com/article.jhtml?id=r00220010920mco01.htm&fromtm=e101-4