North American Network Operators Group


Re: Worm Probes

  • From: Bill Becker
  • Date: Tue Sep 18 14:54:34 2001

BC-Internet Attack, 1st Ld-Writethru, a0628,540
 FBI investigating new Internet worm, thousands of computers targeted
 Eds: SUBS 4th graf The FBY, to fix typo: "FBI" sted "FBY"
 By D. IAN HOPPER= AP Technology Writer=

 WASHINGTON (AP) _ Anti-virus researchers were 
fighting a new Internet attacker Tuesday similar to the 
"Code Red" worm that infected hundreds of thousands of 
computers several months ago.

 The worm, known as "W32.Nimda," had affected 
"thousands, possibly tens of thousands" of targets by 
midday Tuesday, according to Vincent Gullotto, head virus 
fighter at, a software company.

 Even when the attack isn't successful, the worm's 
scanning process can slow down the Internet for many 
users and can have the effect of knocking Web sites or 
entire company networks offline.

 The FBI is investigating the worm, said spokeswoman 
Debbie Weierman. The agency has not indicated whether 
the worm is connected to last week's terrorism attacks.

 On security e-mail lists, system administrators nationwide 
reported unprecedented activity related to the worm, 
which tries to break into Microsoft's Internet Information 
Services software. That software was the same targeted 
by Code Red, and is typically found on computers running 
Microsoft Windows NT or 2000.

 Most home users, including those running Windows 95, 
98 or ME, are not affected.

 Ken Van Wyk, chief technology officer at ParaProtect, 
said the worm tries to wriggle in through 16 known 
vulnerabilities in Microsoft's IIS, including the security 
hole left in some computers by the "Code Red II" worm, 
which followed Code Red in August.

 Code Red, by comparison, attacked through only one 
hole, which could be patched by downloading a program 
from Microsoft's Web site.

 "It's causing enormous pain because it is at least an 
order of magnitude more aggressive than Code Red," said 
Alan Paller, director of research at the nonprofit Sans 
Institute. "It's a pretty vigorous attacker."

 In addition to direct Internet attacks, the worm can also 
travel via e-mail. The e-mail message is typically blank, 
and contains an attachment called "README.EXE." 
Antivirus experts warn that users shouldn't open 
unexpected attachments.

 Efforts to isolate and track the worm were hampered by 
the swiftness of the attack. Gullotto said the first report 
came at about 9 a.m. EDT, from a site in Norway.

 "It's taken down entire sites," Gullotto said. "I can't 
even get to the Internet right now."

 On Monday, the FBI's National Infrastructure Protection 
Center warned that a hacker group called the 
"Dispatchers" said they would attack "communications 
and finance infrastructures" on or about Tuesday.

 "There is the opportunity for significant collateral 
damage to any computer network and telecommunications 
infrastructure that does not have current countermeasures 
in place," officials said in a warning on the NIPC Web site.

 Last week, the FBI warned that there could be an 
increase in hacking incidents after the twin attacks in New 
York and Washington. They advised computer users to 
update their antivirus software, get all possible security 
updates for their other software, and be extra careful 


 On the Net:


 National Infrastructure Protection Center:


 (Copyright 2001 by The Associated Press. All Rights 

 APTV-09-18-01 1243EDT

On Tue, 18 Sep 2001, Roeland Meyer wrote:

> The damned thing continues to burn bandwidth here. My IIS systems were
> patched long ago and my Apache servers are inherently immune. But, that does
> not prevent vulnerability scans and it's those scans that are burning the
> pipe. Firewalling the scans sort of blocks those services too. So, that
> isn't the answer.
> Fortunately, I have long been a fan of having really huge boxen sip their
> internet through straws (any single box can saturate the uplink (100baseTX),
> at <50% CPU utilization and the WAN:LAN link never exceeds 1:10). So, my
> servers are just loafing. Still, this comes real close to being a DDOS
> attack because the WAN port is showing almost 40% usage from scans right
> now. I'm real glad that I have another set of zone servers, piggy-backed in
> AboveNet.
> Has anyone made any progress towards locating origination of these worms?
> They seem to be steadily mutating. This means that a/some programmer(s)
> is/are behind this somewhere. I'm sure that I'm not the only one that wants
> to know.