Information Security News mailing list archives

NY Times laid low by Nimda offshoot


From: InfoSec News <isn () c4i org>
Date: Thu, 1 Nov 2001 04:11:21 -0600 (CST)

http://news.cnet.com/news/0-1003-200-7739301.html?tag=mn_hd

By Reuters 
October 31, 2001, 4:50 p.m. PT 

NEW YORK--The mysterious "storm of data" that swamped computers at The
New York Times was not caused by a malicious attack aimed at the paper
but rather by a reemergence of the Nimda worm, company officials said
Wednesday.

A New York Times network administrator said in an internal e-mail
Tuesday that the company's Internet connection was "interrupted by a
storm of data" and that the "denial-of-service" activity may have been
a deliberate attack.

In a denial-of-service attack, thousands of fake messages are sent to
server computers, tying up the recipient's network.

But the real culprit was Nimda.E, a permutation of the Nimda worm that
struck hundreds of thousands of computers worldwide beginning in
September, said New York Times Chief Information Officer Michael
Williams on Wednesday in a second inter-company e-mail obtained by
Reuters.

"We have secured a 'fix' for this virus which cleanses the infected
machines," Williams said in the e-mail. A company spokeswoman
confirmed that internal Internet access at the paper was up as of
Wednesday morning.

Nimda.E "is a new version that just appeared a few days ago," said
Marc Fossi, malicious-code analyst for the San Mateo, Calif.-based
firm SecurityFocus. "It's the same infection method, but it's been
recompiled, and the file names it uses have been changed to make it
harder for antivirus products to detect."

The symptoms of a denial-of-service attack and a Nimda strike are
quite similar, according to Russ Cooper of the computer security firm
TruSecure.

Nimda can quickly bog down internal networks as it generates Internet
traffic in the hunt for new hosts. Denial-of-service attacks work in a
similar way, overwhelming networks with requests.

"If you have a large number of affected machines, very quickly--within
five minutes--you're going to have a large portion of those machines
attacking, and that's going to douse your network," Cooper said.

The virus can be easily passed on via e-mail, infected Web pages or
company subsidiaries with access to the main network.

"It would be a heck of a lot easier to bring it in than anthrax, let's
put it that way," Cooper said.

Since Nimda relies on randomly generated Internet addresses, it is
unlikely that the New York Times was deliberately targeted for attack,
he added.
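Cooper's observation that a worm hunting for new hosts and a denial-of-service flood look alike on a saturated link, combined with the point that Nimda picks its targets at random, suggests a simple defender-side check on connection records: worm traffic fans out from several internal machines to many scattered addresses, while a flood fans in from many sources onto one destination. The Python below is an added illustration of that distinction, not code from the article, from the Times, or from any of the firms quoted; the flow records, addresses (drawn from documentation ranges) and thresholds are constructed assumptions that would need tuning on a real network.

```python
"""Separate worm-style scanning from a denial-of-service flood by
looking at per-source fan-out versus per-destination fan-in.
Added example; flow records and thresholds are constructed."""
import random
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port


def fan_out(flows: List[Flow]) -> Dict[str, int]:
    """Number of distinct destinations each source contacted."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def fan_in(flows: List[Flow]) -> Dict[str, int]:
    """Number of distinct sources that contacted each destination."""
    seen = defaultdict(set)
    for f in flows:
        seen[f.dst].add(f.src)
    return {dst: len(srcs) for dst, srcs in seen.items()}


def scanning_hosts(flows: List[Flow], min_fan_out: int = 20) -> List[str]:
    """Sources reaching out to an unusually large number of addresses."""
    return sorted(s for s, n in fan_out(flows).items() if n >= min_fan_out)


def flooded_hosts(flows: List[Flow], min_fan_in: int = 50) -> List[str]:
    """Destinations being hit by an unusually large number of sources."""
    return sorted(d for d, n in fan_in(flows).items() if n >= min_fan_in)


def classify(flows: List[Flow], min_fan_out: int = 20,
             min_scanners: int = 3, min_fan_in: int = 50) -> str:
    """Label a window of flows as 'worm-scan', 'dos' or 'normal'.

    worm-scan: several hosts each probing many distinct addresses
               (the "hunt for new hosts" pattern), no single target.
    dos:       many distinct sources converging on one destination.
    Scan is checked first because outbound fan-out is the sign that the
    trouble originates inside the network rather than from outside.
    Thresholds are assumed values, not measured ones.
    """
    if len(scanning_hosts(flows, min_fan_out)) >= min_scanners:
        return "worm-scan"
    if flooded_hosts(flows, min_fan_in):
        return "dos"
    return "normal"


def constructed_worm_window(seed: int = 1) -> List[Flow]:
    """Five internal hosts each probing 30 random addresses (constructed)."""
    rng = random.Random(seed)
    flows: List[Flow] = []
    for i in range(1, 6):
        src = f"10.0.0.{i}"
        targets = set()
        while len(targets) < 30:
            targets.add(".".join(str(rng.randint(1, 254)) for _ in range(4)))
        flows.extend(Flow(src, dst, 80) for dst in sorted(targets))
    return flows


def constructed_dos_window() -> List[Flow]:
    """Eighty distinct outside sources hitting one web server (constructed)."""
    return [Flow(f"198.51.100.{i}", "192.0.2.10", 80) for i in range(1, 81)]


def constructed_normal_window() -> List[Flow]:
    """Ten workstations each browsing the same three sites (constructed)."""
    sites = ["192.0.2.20", "192.0.2.21", "192.0.2.22"]
    return [Flow(f"10.0.0.{i}", s, 80) for i in range(1, 11) for s in sites]


if __name__ == "__main__":
    for name, window in [("worm", constructed_worm_window()),
                         ("dos", constructed_dos_window()),
                         ("normal", constructed_normal_window())]:
        print(f"{name:7s} -> {classify(window)}; "
              f"scanners={scanning_hosts(window)} flooded={flooded_hosts(window)}")
```

On a real network the same two counts would be taken over a short time window from firewall or flow logs; the list of scanning hosts is exactly the list of machines to isolate and clean, which is the one-by-one remediation the article describes.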

During the recent string of anthrax transmissions, there have been at
least two scares at the paper, including one letter filled with a
white powder that was mailed to a reporter who wrote a book on
bioterrorism. But tests at the paper have come up negative for the
bacteria.

According to Williams' e-mail, the paper was in the process of
identifying the machines infected with Nimda and fixing them one by
one, and was also updating its virus protection software.



-
ISN is currently hosted by Attrition.org
