Slashdot Mirror


1 Year Anniversary of Nimda Outbreak

dots and loops writes "Today marks one year to the date that the nimda worm began making its way across the Internet." Hey, speaking of hilarious worms, I'm still getting 5-10 klez virus's a day! Yay Security!

3 of 289 comments

  1. NIMDA the sysadmins friend :-s a little anecdote by fruey · · Score: 5, Interesting
    Oh... first of all, it's viruses. Not virus's... what the hell is that?

    I was working on a project to set up a proxy (Squid, in fact) for an education institution here in Morocco. If you think US sysadmins could get some clue, think again. I noted they were running NT workstation service pack 3 (lol) and I was already sweating. I set the proxy up as the gateway, to make it transparent, and started the service. Within 10 minutes the log file had grown massive. I tweaked a few params, and then left it running, saying I'd come back the next day.

    The client calls me first thing, saying my proxy is shit, doesn't work, etc. I turn up in a panic, thinking I'd messed something simple up. Then it dawned on me... seems like most of the hosts on the network were infected with Nimda (amongst other things). The logfile had exceeded 2Gb and had crashed the service (it had filled the /var partition completely). It was logging 100 Nimda scans a second.

    This was just about 3 months ago. The sysadmin didn't even really know how her DHCP server worked, and had no service packs anywhere. The only reason SP3 was in some places was because the NT CD had been bought just before Win2K came out, and SP3 was bundled with a sticker "make sure you install this too".

    Explaining to the client that all the hosts were infected, that they seriously needed an antivirus solution, and that all machines would have to be taken offline (they had public IPs for chrissakes) until the disinfection was finished was a tough thing to do without just flaming that person, I assure you. We did get them sorted out in the end, but somehow they still think my proxy isn't worth shit :-(

    --
    Conversion Rate Optimisation French / English consultant
  2. The most long-lived virus/worm/trojan? by burgburgburg · · Score: 4, Interesting
    CmdrTaco writes that he's still getting multiple Klez viruses after all this time. That begs the question: what has been the most long-lived virus/worm/trojan so far?

    That question should probably be broken down into two parts: a) What virus/worm/trojan, as originally written, has been present in the wild for the longest? b) What virus/worm/trojan, through slight adjustment, has been able to keep coming back infecting and reinfecting for the longest?

  3. Re:Nimda by Mandi+Walls · · Score: 5, Interesting
    See F-Secure for the current infection of the slapper worm, 5 days after discovery. Infected servers: < 14,000 total, according to them.

    Now, this report from Sep. 21, 2001 reports 1.3 million infected NIMDA servers.

    Help me out here.

    Where is the comparison? I'm still wading through NIMDA/Code Red requests on my webservers, looking for any sign that those servers have been poked by slapper infected servers. No dice so far.

    Slapper is generating panic because it's got a peer to peer network on the backend, not because it's actually been able to infect a lot of servers. can you imagine what would happen if someone wanted to start a p2p network on the NIMDA/Code Red infected servers that are still online now? to say NOTHING of the 1.3 million and up that were infected originally.

    slapper is a silly excuse for some "Open Source Sucks" journalism, not a reason to head for the hills and unplug the router.

    So here you go:
    [chastise]
    Oh, you lazy stupid 14,000 linux/apache admins! patch your servers!
    [/chastise]
    [screaming rant]
    it's been a year! get that "guy who knows computers" who put that shiatty NT server on the net for you to get back in your office and put some patches on it! give him a beer for pete's sake!
    [/screaming rant]

    Thank you.
    --mandi