North American Network Operators Group
Re: Worm Probes
I had 482 infected hosts scanning my server. Anyone who wants to see a list so they can look for their hosts, send me an email and I will be happy to forward you my infected file.

----- Original Message -----
From: "Bill Becker" <[email protected]>
To: "Roeland Meyer" <[email protected]>
Cc: "NANOG (E-mail)" <[email protected]>
Sent: Tuesday, September 18, 2001 1:13 PM
Subject: Re: Worm Probes

>
> BC-Internet Attack, 1st Ld-Writethru, a0628,540
> FBI investigating new Internet worm, thousands of computers targeted
> Eds: SUBS 4th graf The FBY, to fix typo: "FBI" sted "FBY"
> By D. IAN HOPPER= AP Technology Writer=
>
> WASHINGTON (AP) _ Anti-virus researchers were fighting a new Internet attacker Tuesday similar to the "Code Red" worm that infected hundreds of thousands of computers several months ago.
>
> The worm, known as "W32.Nimda," had affected "thousands, possibly tens of thousands" of targets by midday Tuesday, according to Vincent Gullotto, head virus fighter at McAfee.com, a software company.
>
> Even when the attack isn't successful, the worm's scanning process can slow down the Internet for many users and can have the effect of knocking Web sites or entire company networks offline.
>
> The FBI is investigating the worm, said spokeswoman Debbie Weierman. The agency has not indicated whether the worm is connected to last week's terrorism attacks.
>
> On security e-mail lists, system administrators nationwide reported unprecedented activity related to the worm, which tries to break into Microsoft's Internet Information Services software. That software was the same targeted by Code Red, and is typically found on computers running Microsoft Windows NT or 2000.
>
> Most home users, including those running Windows 95, 98 or ME, are not affected.
>
> Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft's IIS, including the security hole left in some computers by the "Code Red II" worm, which followed Code Red in August.
>
> Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft's Web site.
>
> "It's causing enormous pain because it is at least an order of magnitude more aggressive than Code Red," said Alan Paller, director of research at the nonprofit Sans Institute. "It's a pretty vigorous attacker."
>
> In addition to direct Internet attacks, the worm can also travel via e-mail. The e-mail message is typically blank, and contains an attachment called "README.EXE." Antivirus experts warn that users shouldn't open unexpected attachments.
>
> Efforts to isolate and track the worm were hampered by the swiftness of the attack. Gullotto said the first report came at about 9 a.m. EDT, from a site in Norway.
>
> "It's taken down entire sites," Gullotto said. "I can't even get to the Internet right now."
>
> On Monday, the FBI's National Infrastructure Protection Center warned that a hacker group called the "Dispatchers" said they would attack "communications and finance infrastructures" on or about Tuesday.
>
> "There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place," officials said in a warning on the NIPC Web site.
>
> Last week, the FBI warned that there could be an increase in hacking incidents after the twin attacks in New York and Washington. They advised computer users to update their antivirus software, get all possible security updates for their other software, and be extra careful online.
>
> ___=
>
> On the Net:
>
> McAfee.com: http://www.mcafee.com
>
> Sans: http://www.sans.org
>
> National Infrastructure Protection Center: http://www.nipc.gov
>
> (Copyright 2001 by The Associated Press. All Rights Reserved.)
>
> APTV-09-18-01 1243EDT
>
> On Tue, 18 Sep 2001, Roeland Meyer wrote:
>
> > The damned thing continues to burn bandwidth here. My IIS systems were patched long ago and my Apache servers are inherently immune. But, that does not prevent vulnerability scans and it's those scans that are burning the pipe. Firewalling the scans sort of blocks those services too. So, that isn't the answer.
> >
> > Fortunately, I have long been a fan of having really huge boxen sip their internet through straws (any single box can saturate the uplink (100baseTX), at <50% CPU utilization and the WAN:LAN link never exceeds 1:10). So, my servers are just loafing. Still, this comes real close to being a DDOS attack because the WAN port is showing almost 40% usage from scans right now. I'm real glad that I have another set of zone servers, piggy-backed in AboveNet.
> >
> > Has anyone made any progress towards locating origination of these worms? They seem to be steadily mutating. This means that a/some programmer(s) is/are behind this somewhere. I'm sure that I'm not the only one that wants to know.
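The first poster counts 482 infected hosts scanning his server and offers the host list to others; Roeland Meyer notes that the scans themselves eat bandwidth even on patched or non-IIS boxes. The script below is an added example, not code from the thread or from any of its posters: it pulls worm-style IIS probe requests out of an Apache combined-format access log and tallies distinct source hosts, which is how such a list is normally produced. The two request-path markers it matches (`root.exe`, the backdoor the article says Code Red II left behind, and `cmd.exe` reached through traversal paths) come from general knowledge of the worm and are not listed in the thread; the log lines are constructed sample data using documentation address ranges.

```python
"""Count worm-probe sources in a web server access log.

Added example (not code from the NANOG thread): reproduces the kind of
count the first poster reports by pulling worm-style IIS probe requests
out of an Apache combined log and tallying the distinct source hosts.
"""
import re
import sys
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Request paths the Nimda worm was known to probe on IIS. These two markers
# are an assumption from general knowledge of the worm, not from the thread:
# it reached for root.exe (the backdoor Code Red II left behind) and for
# cmd.exe through directory-traversal paths.
PROBE_PATTERNS = [
    re.compile(r"/root\.exe", re.IGNORECASE),
    re.compile(r"/winnt/system32/cmd\.exe", re.IGNORECASE),
]

# Constructed sample log lines (RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2001:13:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [18/Sep/2001:13:02:11 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [18/Sep/2001:13:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [18/Sep/2001:13:02:15 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
203.0.113.42 - - [18/Sep/2001:13:02:20 -0400] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.42 - - [18/Sep/2001:13:02:21 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
this line is not a log entry and is skipped
"""


def is_worm_probe(request: str) -> bool:
    """True if the request line matches one of the known probe paths."""
    return any(p.search(request) for p in PROBE_PATTERNS)


def summarize_probes(lines):
    """Tally probe requests per source host; lines that do not parse are skipped."""
    per_host = Counter()
    response_bytes = 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or not is_worm_probe(m.group("request")):
            continue
        per_host[m.group("host")] += 1
        if m.group("bytes") != "-":
            response_bytes += int(m.group("bytes"))
    return {
        "unique_hosts": len(per_host),
        "probe_requests": sum(per_host.values()),
        "response_bytes": response_bytes,
        "per_host": dict(per_host),
    }


def scanning_hosts(lines):
    """Sorted list of distinct probing hosts, i.e. the list the poster offers to share."""
    return sorted(summarize_probes(lines)["per_host"])


def main(argv):
    # Read a real log if a path is given, otherwise run on the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    summary = summarize_probes(lines)
    print(f"{summary['unique_hosts']} distinct hosts sent {summary['probe_requests']} probes "
          f"({summary['response_bytes']} response bytes served to them)")
    for host, n in sorted(summary["per_host"].items(), key=lambda kv: -kv[1]):
        print(f"  {host:16} {n}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with a log path as the only argument, or with no arguments to see it on the sample. The byte total only covers what the server sent back; the inbound request traffic that Roeland describes as burning his pipe never appears in an access log, so the figure is a lower bound on what the scans actually cost.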