Re: Worm Probes

["Bill Larson" <blarson () compu net>]

I had 482 infected hosts scanning my server.
Anyone want to see a list so they can look for their hosts send me an email
and I will be happy to forward you my infected file

----- Original Message -----
From: "Bill Becker" <bbecker () iconn net>
To: "Roeland Meyer" <rmeyer () mhsc com>
Cc: "NANOG (E-mail)" <nanog () merit edu>
Sent: Tuesday, September 18, 2001 1:13 PM
Subject: Re: Worm Probes


> BC-Internet Attack, 1st Ld-Writethru, a0628,540
>  FBI investigating new Internet worm, thousands of
> computers targeted
>  Eds: SUBS 4th graf The FBY, to fix typo: "FBI" sted
> "FBY" By D. IAN HOPPER= AP Technology Writer=
>
>  WASHINGTON (AP) _ Anti-virus researchers were
> fighting a new Internet attacker Tuesday similar to the
> "Code Red" worm that infected hundreds of thousands of
> computers several months ago.
>
>  The worm, known as "W32.Nimda," had affected
> "thousands, possibly tens of thousands" of targets by
> midday Tuesday, according to Vincent Gullotto, head virus
> fighter at McAfee.com, a software company.
>
>  Even when the attack isn't successful, the worm's
> scanning process can slow down the Internet for many
> users and can have the effect of knocking Web sites or
> entire company networks offline.
>
>  The FBI is investigating the worm, said spokeswoman
> Debbie Weierman. The agency has not indicated whether
> the worm is connected to last week's terrorism attacks.
>
>  On security e-mail lists, system administrators nationwide
> reported unprecedented activity related to the worm,
> which tries to break into Microsoft's Internet Information
> Services software. That software was the same targeted
> by Code Red, and is typically found on computers running
> Microsoft Windows NT or 2000.
>
>  Most home users, including those running Windows 95,
> 98 or ME, are not affected.
>
>  Ken Van Wyk, chief technology officer at ParaProtect,
> said the worm tries to wriggle in through 16 known
> vulnerabilities in Microsoft's IIS, including the security
> hole left in some computers by the "Code Red II" worm,
> which followed Code Red in August.
>
>  Code Red, by comparison, attacked through only one
> hole, which could be patched by downloading a program
> from Microsoft's Web site.
>
>  "It's causing enormous pain because it is at least an
> order of magnitude more aggressive than Code Red," said
> Alan Paller, director of research at the nonprofit Sans
> Institute. "It's a pretty vigorous attacker."
>
>  In addition to direct Internet attacks, the worm can also
> travel via e-mail. The e-mail message is typically blank,
> and contains an attachment called "README.EXE."
> Antivirus experts warn that users shouldn't open
> unexpected attachments.
>
>  Efforts to isolate and track the worm were hampered by
> the swiftness of the attack. Gullotto said the first report
> came at about 9 a.m. EDT, from a site in Norway.
>
>  "It's taken down entire sites," Gullotto said. "I can't
> even get to the Internet right now."
>
>  On Monday, the FBI's National Infrastructure Protection
> Center warned that a hacker group called the
> "Dispatchers" said they would attack "communications
> and finance infrastructures" on or about Tuesday.
>
>  "There is the opportunity for significant collateral
> damage to any computer network and telecommunications
> infrastructure that does not have current countermeasures
> in place," officials said in a warning on the NIPC Web site.
>
>  Last week, the FBI warned that there could be an
> increase in hacking incidents after the twin attacks in New
> York and Washington. They advised computer users to
> update their antivirus software, get all possible security
> updates for their other software, and be extra careful
> online.
>
>  ___=
>
>  On the Net:
>
>  McAfee.com: http://www.mcafee.com
>
>  Sans: http://www.sans.org
>
>  National Infrastructure Protection Center:
> http://www.nipc.gov
>
>
>
>  (Copyright 2001 by The Associated Press. All Rights
> Reserved.)
>
>  APTV-09-18-01 1243EDT
>
> On Tue, 18 Sep 2001, Roeland Meyer wrote:
>
> > The damned thing continues to burn bandwidth here. My IIS systems were
> > patched long ago and my Apache servers are inherently immune. But, that
does
> > not prevent vulnerability scans and it's those scans that are burning
the
> > pipe. Firewalling the scans sort of blocks those services too. So, that
> > isn't the answer.
> >
> > Fortunately, I have long been a fan of having really huge boxen sip
their
> > internet through straws (any single box can saturate the uplink
(100baseTX),
> > at <50% CPU utilization and the WAN:LAN link never exceeds 1:10. So, my
> > servers are  just loafing. Still, this comes real close to being a DDOS
> > attack because the WAN port is showing almost 40% usage from scans right
> > now. I'm real glad that I have another set of zone servers, piggy-backed
in
> > AboveNet.
> >
> > Has anyone made any progress towards locating origination of these
worms?
> > They seem to be steadily mutating. This means that a/some programmer(s)
> > is/are behind this somewhere. I'm sure that I'm not the only one that
wants
> > to know.