As the insidious Nimda worm continued to wreak havoc on Microsoft web servers worldwide in late September, an analyst with an influential high-tech research firm said companies and school districts affected by the attacks should consider switching to a new product rather than battling to keep their Microsoft server software secure.

John Pescatore, research director for internet security at Gartner Group, told the Associated Press Sept. 24 that organizations whose web sites were shuttered more than once by the Nimda worm and other similar attacks might not be able to keep their servers safe from future attacks.

The attacks, including Code Red and Nimda, have knocked out thousands of web sites and briefly threatened to wreak havoc on the internet earlier this summer.

They work by wriggling in through vulnerabilities in Microsoft’s Internet Information Server (IIS). The glitches can be fixed by regularly downloading security patches from Microsoft web sites, but Pescatore said any organization hit by more than one attack clearly doesn’t have the technical staff to stay on top of the latest safeguards.

“If you were hit by Code Red and by Nimda, basically you can’t keep IIS secure, you’re not up to the task,” he said. “IIS has a lot more security vulnerabilities than other products and requires more care and feeding.”

Pescatore said Microsoft’s web server product is hard to safeguard because it is more often the target of hacker attacks. He recommended that users switch to rivals such as iPlanet or Apache, which he called more secure and less likely to be hit by hackers.

Microsoft Corp. denied that its IIS software is especially vulnerable to attacks.

“Gartner’s extreme recommendation ignores the fact that serious security vulnerabilities have been found in all web server products and platforms,” Microsoft spokesman Jim Desler said. “This is an industrywide challenge.”

Other analysts contend that Microsoft’s web servers aren’t significantly less secure than other products, but are simply targeted more often.

“IIS right now is so exposed … it is arguably the biggest target in that space,” said Rob Enderle, an analyst with the high-tech research firm Giga Information Group.

Enderle said he’d heard from clients who were switching from Microsoft server products, but he said security alone isn’t to blame.

Many organizations also are angry about a change in Microsoft’s licensing agreements, which they contend will make it much more costly to run Microsoft products over the long term, he said.

Nimda’s wake

Nimda—which is “admin,” the shortened form of “system administrator,” spelled backwards—started spreading Sept. 17 and quickly infected PCs and servers across the internet.

Also known as readme.exe and W32.Nimda, the worm is the first to use four different methods to infect not only PCs running Windows 95, 98, ME, and 2000, but also servers running Windows 2000.

The worm spread by eMailing itself out as an attachment, scanning for—and then infecting—vulnerable web servers running Microsoft’s IIS software, copying itself to shared disk drives on school district or business intranets, and appending JavaScript to web pages that would download the worm to a user’s PC when the user viewed the page.

Although Nimda did not delete data, it did overwrite a number of files and spread to shared computer hard disks, allowing it to wreak havoc on computer networks by slowing them to a halt.

School officials in Fort Wayne, Ind., said the program attacked and disabled library computers containing card catalog information. Though it had little effect on students and teachers, the district’s libraries and their staff members were without access to their electronic card catalogs Sept. 21.

The worm infected 53 library servers and two servers in the school district’s administration building. Computer technicians spent about 100 hours combating the virus, and the electronic card catalogs were knocked offline for about a week, said Jack Byrd, the district’s director of technology.

In Mitchell, S.D., Nimda caused problems in taking attendance and running the district’s food service software, and it also interrupted online exams. Technology director Dan Muck said technicians received a remedy for the problem the same night, and the system was back online Sept. 18.

Other districts reportedly affected by the worm included Pittsburgh, Pa.; New Orleans, La.; Providence, R.I.; and Columbia County, Ga.

Despite the attacks, many school technology directors contacted by eSchool News said they disagreed with Gartner Group’s advice to switch to a new web server product.

“Microsoft servers are attacked by virus creators because there are so many out there,” said Chris Mahoney, director of technology for the Lake Hamilton School District in Arkansas. “Getting rid of Microsoft servers would only shift the focus [of hackers] to other platforms.”

Microsoft responds

In light of the damage Nimda caused and the resulting security concerns about its server software, Microsoft said Oct. 3 that it would offer free customer support to combat computer viruses and streamline the way users can download current software patches.

Previously, large-scale customers had to pay Microsoft to get their virus-related questions answered and were required to check the company’s web sites regularly for any updates.

Beginning in late October, however, Microsoft said it would let customers running the company’s Windows 2000 and NT operating systems, web server products, and Internet Explorer browser download all-in-one patches that fix security flaws the company knows about.

Microsoft also said it would help users shut down unused functions, such as internet printing, that could make their systems more vulnerable to attack.

Customers will have the option of getting future patches automatically downloaded to their computers from Microsoft’s servers.

Brian Valentine, senior vice president for Microsoft’s Windows division, acknowledged that the process for updating virus protection was confusing and may have kept some customers from keeping their systems safe.

“It is a situation where we just have to make it simpler,” he said.

Links:

Gartner Group
http://www.gartner.com

Microsoft’s “Information on the ‘Nimda’ Worm”
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/Nimda.asp