Massive Internet Worm Attack Timed to Match Terrorist Bombing One Week Ago
From: "Internet Security Bulletin" <soc () farm9 com>
Date: Tue, 18 Sep 2001 19:34:47 -0700
FOR IMMEDIATE RELEASE

farm9 Security Warning
International Worm Attack
Nimda Worm Alert

Contact for more info:
Guy Morgan
info () farm9 com
106 Linden Street #106
Oakland, CA 95607
510-835-3276 x262
www.farm9.com

Tuesday, September 18, 2001, 8:03 AM
Oakland, California USA -- farm9's Security Operations Center is tracking a new Internet worm named W32/Nimda-A (known aliases are Nimda, CV-5, Minda, Concept Virus and Code Rainbow).

At 0800 PST we detected a simultaneous attack on our customers in the United States and India. Multiple sites reporting similar attacks were corroborated on CERT and other security sites.

By 1018 PST farm9 detected massive worm penetration attempts. Each infected site was propagating rapidly, using multiple IIS vulnerabilities, web-based JavaScript, file transfers and email. Linux and Apache servers seem to be unaffected.

By 1117 PST farm9 detected an impact on bandwidth availability. Low-bandwidth sites we monitor began to go down. Customer sites unable to implement SYN limiting also began to experience bandwidth outages.

The worm uses three distinct vectors to spread:

1) Email attachment
2) Web-based JavaScript download via browser
3) Direct IIS attack similar to Code Red

The worm leverages multiple IIS vulnerabilities and spreads using port 80 (i.e. the web). Furthermore, this variant also uses Outlook and Outlook Express vulnerabilities to distribute itself through email. There have been several reports of small ISPs being overwhelmed with traffic and going down.

John Silva, Senior Security Engineer/CCIE at farm9.com, Inc., a San Francisco Bay Area managed security provider, says, "More mature routing infrastructures can handle this sort of assault through SYN rate limiting. Unfortunately, many corporate IT shops, as well as ISPs, do not have the funding, staff or inclination to keep up with current threats..."

Multiple sources have confirmed that this worm consumes a large amount of bandwidth, and impaired performance on web servers is a result. Although it is rumored that this may be related to Osama Bin Laden, it is more likely coincidental timing. However, the timing must concern some, because this latest cyber attack began almost exactly one week (down to the minute) after the terrorist activities in New York and Washington DC.

farm9 Chief Operating Officer Guy Morgan urges caution. While the extent of this disruption exceeds the recent Code Red worm, it isn't the beginning of the end of the Internet. People need to monitor their systems and patch them to plug the holes; be defensive and don't hack back.

Firewalls, such as Cisco PIX or Checkpoint's Firewall-1, cannot stop this attack because it looks like legitimate email and web traffic. Many popular intrusion detection software (IDS) programs, such as Dragon by Enterasys, do detect this attack. However, most IDS programs will require specific fingerprint updates for this problem.

For information on the latest steps to protect yourself from this attack or to recover from a compromise, go to: http://farm9.com/content/0918worm

Many ISPs have blocked web traffic (port 80) in order to limit the spread of the worm. If your ISP blocks your web traffic, try this alternate URL: http://farm9.com:8080/content/0918worm

For information on getting early warning notification, visit our farm9 Harvester at http://farm9.com:8080/content/Company_Info/Harvester

farm9.com
106 Linden Street #106
Oakland, CA 95607
510-835-3276 x253
www.farm9.com

Companies mentioned: Microsoft, Enterasys, Cisco, Checkpoint, farm9

###
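The bulletin credits "SYN rate limiting" with keeping better-run networks up while the worm hammered port 80. The following is an added illustration of that mitigation, written for this archive page and not code from farm9 or from the list: a sliding-window, per-source SYN rate limiter run over a constructed set of connection records. The class and function names (SynRateLimiter, filter_syns), the threshold of 5 SYNs per second, and the documentation-range addresses 192.0.2.10 and 198.51.100.77 are all assumptions chosen for the example; real deployments tune the threshold to the site's normal connection rate.

```python
from collections import defaultdict, deque


class SynRateLimiter:
    """Sliding-window SYN rate limiter keyed by source address.

    Models the per-source SYN limiting the bulletin describes. The threshold
    and window are assumptions for this example, not values from the page.
    """

    def __init__(self, max_syns, window_seconds):
        self.max_syns = max_syns
        self.window = window_seconds
        # src -> timestamps of SYNs admitted inside the current window
        self.history = defaultdict(deque)

    def admit(self, src, ts):
        """Return True if the SYN from src at time ts is forwarded, False if dropped."""
        q = self.history[src]
        # Age out admitted SYNs that have fallen outside the window
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_syns:
            return False
        q.append(ts)
        return True


def filter_syns(records, max_syns=5, window_seconds=1.0):
    """Run every (ts, src, dst_port) SYN record through the limiter in time order.

    Returns (forwarded, dropped, dropped_per_source) so the operator can see
    which sources are being throttled, not just the totals.
    """
    limiter = SynRateLimiter(max_syns, window_seconds)
    forwarded, dropped = [], []
    dropped_per_source = defaultdict(int)
    for ts, src, dport in sorted(records):
        if limiter.admit(src, ts):
            forwarded.append((ts, src, dport))
        else:
            dropped.append((ts, src, dport))
            dropped_per_source[src] += 1
    return forwarded, dropped, dict(dropped_per_source)


# Constructed sample data (not captured traffic): one legitimate client opening
# four connections to port 80 over a second, and one infected host opening
# fifty connections to port 80 in the same second, the worm-like burst the
# bulletin says low-bandwidth sites could not absorb.
SAMPLE_SYNS = [(i * 0.25, "192.0.2.10", 80) for i in range(4)]
SAMPLE_SYNS += [(i * 0.02, "198.51.100.77", 80) for i in range(50)]


if __name__ == "__main__":
    fwd, drp, per_src = filter_syns(SAMPLE_SYNS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} throttled={per_src}")
```

With the sample data the legitimate client's four SYNs all pass, while only the first five of the infected host's fifty are forwarded in that second and the other 45 are dropped. The limiter does not need a worm signature to act, which is what makes it useful before the IDS fingerprint updates the bulletin mentions are available; the cost is that any source that legitimately opens many connections per second must be whitelisted or given a higher threshold.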