The Cost of Worms?

-- Harold Esche, Associate Director, IT

On September 18th, 2001 at approximately 7:30am MDT, the Nimda worm began to infect computer systems around the world. This computer worm was particularly virulent and destructive and the fastest spreading infection yet seen. It has been estimated that Nimda infected 2.2 million computers within a 24-hour period and had an associated cleanup cost of $539 million.

A computer worm is a program that makes copies of itself using E-mail or some other transport mechanism. Nimda -- which is 'Admin' spelled backwards -- infects computers running any version of Microsoft Windows through a flaw in Internet Information Server (IIS), through Outlook E-mail and through file sharing.

When Nimda was initially released, the traffic it generated was so voluminous that many sites could not provide basic computing services such as Web and E-mail. Nimda also severely compromised the security of any infected computers, as it provided the remote attackers with full access to the victim's machine. The infections were initially very difficult to clean due to the lack of information about the worm, plus the fact that the worm made numerous modifications to the computer's system files and registry settings.

The Worm on Campus

Unfortunately the University of Calgary was not immune. Nimda struck the UofC networks and systems within 15 minutes of being first reported on the Internet. Thus, when the unusual network activity was noticed there was no information available on the Internet to help combat this outbreak. However, having experienced a network-crippling CodeRed II outbreak within the previous months, there was in-house knowledge of computer worms and their potential impact on the campus networks and services.

At 7:45am on Tuesday Sept. 18th Information Technologies (IT) Network Services staff started receiving alerts of abnormal network traffic behavior. By 7:50am, symptoms similar to CodeRed II were identified. By 9:10am, a total of 24 subnets had been removed from the campus network and normal operations were restored. Nimda generated such a heavy load on the central campus router that some subnet connections had to be physically removed from the router in order to regain control of the campus networks.

At 9:14am, a note was sent to the comtech-l@ucalgary.ca mailing list informing UofC computing staff of the outbreak of the as-yet unidentified worm. By 10:30am, the infection was identified as the Nimda worm, and starting at 11:30am E-mails were sent to the mailing list providing Web links to Microsoft patches and information about how the technical staff should respond to this problem. Administrators of networks that had been removed from the campus network were contacted by phone with information about which systems were infected and how to clean up the infection.

In addition to providing a campus-wide response, IT also had to deal with infections in the IT managed computer labs and on Desktop Technology Program (DTP) systems. Problems were noted in the labs at about 8am.

It initially appeared to be a server problem, but soon it was realized that the lab problems were due to the worm. Once the primary lab server became infected the worm quickly spread to the lab PCs via a file share. When all lab PCs were infected, the systems and networks became very slow due to the fact that all of the machines were attempting to re-infect each other. Given the high rate of re-infection and the fact that there was little information available on how to combat the worm, the worm brought down the IT labs for the day. Worm removal software was not yet available so the lab server needed to be restored from a backup server.

On Wednesday and Thursday new disk images were made for the PCs in the 11 IT-managed labs and the 360 machines were cleaned and brought back into service. Most lab services were restored by Friday. Additional cleaning, installation of patches and updating of anti-virus signatures were performed over the weekend, and by Monday the worm was eradicated from the lab PCs and servers.

The worm also infected some DTP machines early on Sept. 18th. Once new anti-virus signatures were available, the Systems Management Server (SMS) software was used to push out the new files to client machines. Systems that did not have SMS enabled were upgraded via login scripts or were visited by a DTP technician. Some campus NT servers that are not directly managed by IT, but are heavily used by DTP clients, also became infected and, in turn, infected DTP client PCs across the campus.

The worm was also fought at the mail server and network levels. One infection vector of the worm, TFTP (Trivial File Transfer Protocol), was disabled within hours of the infections being discovered on campus. Filters for the Web vector of the Nimda virus were developed and installed on the Internet connection within a day, thereby preventing any newly infected Web pages from reaching the campus. E-mail filters were already in place for a previously known virus E-mail vector.

Within the various faculties, departments and units across campus the severity of the Nimda infections varied greatly. Units that primarily use UNIX-based systems tended to avoid significant infections, while some units that are highly Microsoft-based were severely infected and took days to eradicate the virus from their servers and PCs.

Resources Consumed by the Worm

The IT resources consumed by fighting Nimda within the first two weeks of the infection are estimated to be 16.5 people-weeks. This equates to a total direct salary cost of $17,000 spent on fighting Nimda for the two weeks following the initial infection. The cost does not include time spent by end-users, delay of projects, loss of reputation and any other indirect costs of the infection.

The cost of loss of service is more difficult to estimate. Some networks were down for over a day, some labs were unavailable for teaching for 3 days, some faculty and staff PCs were unavailable for days and many people spent time patching and restoring PCs instead of doing their real jobs. The worm had a considerable impact on the ability of faculty, staff and students to perform their research, teaching, learning and administrative roles.

It should be noted that technical staff outside IT also spent time and effort combating this worm. It is difficult to quantify this effort, but it is likely on the order of the effort spent within IT.

Learning from the Worms

While technology staff across the campus have, unfortunately, become well versed in fighting computer viruses, the Nimda worm signals a new era in infections. The speed and impact of this worm were unlike anything seen before. Instead of using just one method to spread, this worm used four independent methods. Since the infection spread so rapidly over the Internet, anti-virus software and cleanup software were not yet available when the infection became endemic on campus. Small vulnerabilities in some campus servers became the holes by which the worm penetrated the campus and rapidly spread across many systems and networks.

The worm targets Microsoft Internet Information Server (IIS), Internet Explorer (IE) browser, Outlook Express E-mail client and operating systems such as Windows 2000 and Windows XP, which have IIS and IE embedded in their code. This is a very effective attack strategy given the large number of Microsoft Windows systems, used as either individual personal systems or as file servers.

The Gartner Group, a major technology consulting firm, has recommended that organizations with Web applications should consider using less-vulnerable Web server products such as the Apache and iPlanet Web servers.

By now, most MS-Windows computers will have had patches installed and anti-virus software upgraded. Some computing systems, such as the labs managed by IT, have been re-evaluated from an architectural perspective and are being reinforced with more robust prevention techniques and disaster recovery methodologies.

There are four main lessons to be learned from Nimda:
1) The need to review technology architecture.
- What methods are in-place to minimize the impact of a widespread virus infection? How easy is it to update software or install patches?
- What are the plans for recovering from a disaster such as a loss of hard drive or corruption of data? How long will it take to recover? Have the procedures been tested?
2) The need for systematic scanning and monitoring of systems and services.
- What services are running on your desktop computers and servers?
- What information about your systems is accessible to outsiders?
- Do you have any known and easy-to-exploit security holes on your system?
3) The need to improve communications about security issues.
- How are faculty, staff and students informed of any computing problems?
- Do you know what you need to do to improve the security of your system?
- What should you do if you believe your machine has been attacked or is infected?
4) The need to increase effort and resources allocated to computer security, including disaster recovery.
- Does your unit/department have a computer security policy?
- Do you have a disaster recovery plan? Has it been tested?
- Who can help you if you have computer security problems?

Unfortunately many of the above 'lessons' are issues already well known to most computing professionals. The ever-increasing demand to install new equipment and services often prevents staff from attending to the more mundane, yet essential, tasks of applying patches to the operating system or applications or performing security audits. Nimda has shown the UofC that these new sophisticated worms can cause significant downtime to individual machines and servers. With our dependence on computers for teaching, learning and research, the loss due to these infections (and other computer catastrophes) can be very significant. But security is not easy and making systems invulnerable to this type of worm attack is a near impossible task. Software vulnerabilities and patches are announced daily. Improving security is a never-ending task. The simple, yet elusive, solution is that more effort needs to be spent on addressing security threats. The UofC is now likely safe from any Nimda infections, but how will we fare when faced with the next 'new-and-improved' virus that is faster spreading, multi-vectored and uses previously undiscovered security flaws?

  • For more information on current virus alerts plus software updates see www.ucalgary.ca/IT/virus

  • For more information on security issues see www.incidents.org/ and www.cert.org/


  • What do you need to do to protect your computer?
    While there are thousands of computer viruses, here are five simple questions you should ask to assess your virus exposure on your desktop computer:
    1) Is your software up-to-date? Look for the most recent version of McAfee anti-virus software at www.ucalgary.ca/it/virus/. Check www.microsoft.com for updates and security fixes for Windows and MS-Office. Check other vendor sites for other software updates.
    2) Do you know how to handle e-mail attachments? Treat all attachments with caution. Never open attachments that are executable files (e.g., files ending in .exe or .com).
    3) When did you last back up your system? Make periodic backups using diskettes, zip disks, CD-RW or whatever works for you. Software can always be reinstalled from the original CDs, but your data may be irreplaceable.
    4) How secure is your network? When Nimda was detected on networks, IT was sometimes forced to shut down the complete subnet. Other people’s infections can impact you! You may want to consider installing a firewall.
    5) Is your home machine or laptop secure and backed up too?


    By now you are either infected or safe from Nimda – but are you ready for the next virus attack?

    InfoServe Vol.8, No.8