John Chamberlain
Developer Diary
 Developer Diary · You Heard It Here First · Sunday 25 January 2004
No Worms Here
I find it surprising that no worms have surfaced since the dreaded Nimda worm which struck September 18th, 2001. That's over two years sans worm. Nimda and its cousin, Code Red, are still doing damage though. Many machines are routinely infected with Nimda. My web server is constantly assaulted by Nimda-infected Windows 2000 boxes near to my network neighborhood. Here is a typical snippet from my logs:

    - - [17/Jan/2004:11:44:46 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
    - - [17/Jan/2004:11:44:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
    - - [17/Jan/2004:11:44:50 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
    - - [17/Jan/2004:11:44:50 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
    - - [17/Jan/2004:11:44:51 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    - - [17/Jan/2004:11:44:54 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
    - - [17/Jan/2004:11:44:54 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 

My logs are filled with these attacks repeatedly, literally tens of thousands of times. The above particular attack is coming from some hapless ATT Broadband customer in Lakewood, California. Unbeknownst to this computer owner, Code Red has taken over their machine and is using it to attack thousands and thousands of other computers. You would think the guy would notice his computer "has been acting kind of slow" recently, but we are probably dealing with a totally clueless "consumer". I wish I could figure out this joker's email address so I could inform them what their equipment is doing.

The reason this happens is that older versions of Windows 2000 are vulnerable to Nimda/Code Red by default. The above user probably installed Windows 2000 a year or two ago and has been infected ever since. Many machines have been running Nimda for years. Two years ago I saw Nimda in action. My company installed brand new Windows 2000 on a machine. I used the machine and immediately sensed something was wrong. I examined the network status and it was incredible. It was like looking at the matrix. Our box was establishing and breaking connections hundreds of times a second. The status changes were just scrolling off the screen. It was scary.
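A detector for the probe pattern in the log lines above, written as an added example (it is not the diary's own code): it parses common-log-format lines, canonicalises each request path by percent-decoding until nothing changes (so the double-encoded %255c becomes a backslash) and folding the overlong %c1%1c / %c0%af sequences that the old IIS decoder accepted, then flags traversal and cmd.exe/root.exe requests. The sample log is constructed from the quoted probes with a placeholder client address.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample modelled on the probes quoted above; 192.0.2.10 is a
# documentation placeholder, not the diary's (elided) source address.
SAMPLE_LOG = """\
192.0.2.10 - - [17/Jan/2004:11:44:46 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
192.0.2.10 - - [17/Jan/2004:11:44:46 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 292
192.0.2.10 - - [17/Jan/2004:11:44:50 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
192.0.2.10 - - [17/Jan/2004:11:44:54 -0500] "GET /msadc/..%255c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323
192.0.2.10 - - [17/Jan/2004:11:45:02 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def fold_overlong(raw: bytes) -> bytes:
    """Mimic the tolerant decoder abused by the %c0%af / %c1%1c traversal:
    a 0xC0/0xC1 lead byte (never valid in real UTF-8) plus the next byte
    collapses to one ASCII character, e.g. 0xC1 0x1C -> 0x5C, a backslash."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def canonical_path(target: str) -> str:
    """Percent-decode until a fixed point (defeats %255c double encoding),
    fold overlong sequences, then normalise backslashes and case."""
    cur, prev = target.encode("latin-1", "replace"), None
    while cur != prev:
        prev, cur = cur, fold_overlong(unquote_to_bytes(cur))
    return cur.decode("latin-1").replace("\\", "/").lower()

def is_worm_probe(target: str) -> bool:
    p = canonical_path(target)
    return "/../" in p or "cmd.exe" in p or "root.exe" in p

def scan_log(text: str):
    """Return (ip, timestamp, status, canonical path) for each probe line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_worm_probe(m.group(4)):
            hits.append((m.group(1), m.group(2), int(m.group(5)), canonical_path(m.group(4))))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the four probe lines and leaves the ordinary page request alone; a 404 on every hit is the expected outcome on a non-IIS server, which is exactly what the diary's log shows.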

The other piece of damage Nimda has done is to cause journalists to use the terms "worm" and "virus" interchangeably. In fact, a lot of journalists seem to have the idea that the term "worm" is a more up-to-date word for virus and have stopped using the word "virus" altogether. Of course, there is a huge difference. Viruses require human cooperation to spread, but worms are autonomous. Calling email viruses "worms" is totally wrong, but this does not stop CNN et al from describing every garden-variety virus as a "worm". Viruses are a lot less harmful because they only affect the lower stratum of users who are so foolish as to run an unsolicited binary on their machine. Worms are much more dangerous because they can strike anyone and cripple machines that are important to the functioning of the internet.

It is surprising there have been no significant worms in the last two years. I guess operating system software is getting tougher by experience. Still, it is eerie that the clock ticks on but no worms appear. Is a big one on the horizon? Makes me wonder...

Revised 25 January 2004