Security Incidents mailing list archives

Massive Internet Worm Attack Timed to Match Terrorist Bombing One Week Ago


From: "Internet Security Bulletin" <soc () farm9 com>
Date: Tue, 18 Sep 2001 19:34:47 -0700

FOR IMMEDIATE RELEASE


farm9 Security Warning                          Contact for more info:
International Worm attack                       Guy Morgan
Nimda Worm Alert                                        info () farm9 com
106 Linden Street #106
Oakland, CA  95607
510-835-3276 x262
www.farm9.com


Tuesday, September 18, 2001 8:03 AM Oakland, California USA --
farm9’s Security Operations Center is tracking a new Internet worm named
W32/Nimda-A (known aliases are Nimda, CV-5, Minda, Concept Virus and Code
Rainbow). At 0800 PST we detected a simultaneous attack on our customers in
the United States and India. Multiple sites reporting similar attacks were
corroborated on CERT and other security sites.

By 1018 PST farm9 detected massive worm penetration attempts. Each infected
site was propagating rapidly, including multiple IIS vulnerabilities, web-
based java scripts, file transfers and email. Linux and Apache servers seem
to be unaffected.

By 1117 PST farm9 detected an impact on bandwidth availability. Low-
bandwidth sites we monitor began to go down. Customer sites unable to
implement syn limiting also began to experience bandwidth outages.

The worm uses three distinct vectors to spread:

    1) Email attachment
    2) Web-based java script download via browser
    3) Direct IIS attack similar to Code Red

The worm leverages multiple IIS vulnerabilities and spreads using port 80
(i.e. the web). Furthermore, this variant also uses Outlook and Outlook
Express vulnerabilities to distribute itself through email.

There have been several reports of small ISPs being overwhelmed with traffic
and going down. John Silva, Senior Security Engineer/CCIE at farm9.com, Inc.,
a San Francisco Bay Area managed security provider, says, "More mature
routing infrastructures can handle this sort of assault through syn rate
limiting. Unfortunately, many corporate IT shops, as well as ISPs, do not
have the funding, staff or inclination to keep up with current threats..."

Multiple sources have confirmed that this worm consumes a large amount of
bandwidth and that impaired performance on web servers is a result. Although
it is rumored that this may be related to Osama Bin Laden, it is more likely
coincidental timing. However, the timing must concern some because this
latest cyber attack began almost exactly one week (down to the minute) after
terrorist activities in New York and Washington DC.

farm9 Chief Operating Officer Guy Morgan urges caution. “While the extent of
this disruption exceeds the recent Code Red Worm, it isn’t the beginning of
the end of the Internet. People need to monitor their systems and patch them
to plug the holes; be defensive and don’t hack back.”

Firewalls, such as Cisco PIX or Checkpoint’s Firewall-1, cannot stop this
attack because it looks like legitimate email and web traffic. Many popular
intrusion detection software (IDS) programs, such as Dragon by Enterasys, do
detect this attack. However, most IDS programs will require specific
fingerprint updates for this problem.

For information on the latest steps to protect yourself from this attack or
to recover from a compromise, go to: http://farm9.com/content/0918worm

Many ISPs have blocked web traffic (port 80) in order to limit the spread of
the worm. If your ISP blocks your web traffic, try this alternate URL
http://farm9.com:8080/content/0918worm

For information on getting early warning notification, visit our farm9
Harvester at http://farm9.com:8080/content/Company_Info/Harvester

farm9.com
106 Linden Street #106
Oakland, CA  95607
510-835-3276 x253
www.farm9.com


Companies mentioned:

Microsoft  Enterasys  Cisco  Checkpoint  farm9


###


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com