New worm slows some Internet operations

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-7219541.html?tag=tp_pr

[Sorry that the ISN mail is going out 13 hours past the usual time it
goes out, Internet worm traffic for us made it impossible to send
out anything via a dial-up.  - WK]


By Robert Lemos
Special to CNET News.com 
September 18, 2001, 4:30 p.m. PT 

Many companies worldwide saw Internet bandwidth slow to a crawl
Tuesday, as a new Internet worm flooded PCs and servers with its
attempts to spread.

While many companies connected to the Internet seemed unaffected by
the worm, others said the damage ranged from nuisance to full-fledged
outages.

"It seems to randomly be going through every IP (address) of my
network," said Ian Neubert, director of information services for
online telecom equipment seller TWAcomm.com, which found itself
inundated with scans from infected machines. "This is ridiculous."  
The worm, which appeared early Tuesday morning, spreads using a
multipronged attack and infects both PCs and servers running
Microsoft's Windows 95, 98, Me and 2000 operating systems.

To spread, the program sends an e-mail message with the worm in an
attachment, scans for and then compromises vulnerable servers, jumps
to shared hard drives on a network, and sends itself to any surfer
whose browser requests a Web page from an infected server.

The multifaceted nature of the malicious program's infection is
unprecedented, said experts.

"It's the Swiss Army knife of worms," said Greg Shipley, a security
consultant with network protection firm Neohapsis. "It's friggin'
amazing."

Yet the largest effect of the worm seems to be the amount of data it
creates. The sheer volume produced by the worm's attempts to spread
has caused grief for many companies.

Exodus Communications, a major Web hosting company, scrambled its
Cyber Attack Tiger Team (CATT) this morning when the first intrusion
detectors alerted the company to the worm around 5:30 a.m. PDT.

"This morning those things started going off like a Christmas tree,"
said Charles Neal, vice president of cyberterrorism detection and
incident response for Exodus.

 Some Exodus customers were affected, but CATT didn't yet know how
many. In addition, about 10 computers in Exodus' 800-person consulting
unit were affected and immediately patched, investigators said.

"All I can say is, in general, everyone who does business on the Web
is going to be affected," said Bill Swallow, director of incident
response at Exodus.

Network-protection service Counterpane Internet Security said most of
its customers had seen their Internet bandwidth drop off as a result
of the worm. The company, which monitors clients' networks and warns
them of possible intrusions, would not divulge its customers' names.

"We have noticed a jump in terms of our alert volume between 1,000 and
10,000 times normal," said Tina Bird, architect of engineering for
Counterpane.

The Computer Emergency Response Team (CERT) Coordination Center at
Carnegie Mellon University warned its members of the worm. Antivirus
company Symantec gave the worm its second-highest "Level 4-severe"
rating, and F-Secure gave the virus its highest rating.

While the worm infects computers running Microsoft Windows 98, Windows
Me and Windows 2000, some reports have indicated that Unix machines
running the popular Apache Web server software crashed when scanned by
the worm.

That particular side effect crashed several servers at EarthLink's Web
hosting business, according to Mel Lower, a customer of EarthLink.
Lower, who hosts Web sites for small businesses through EarthLink,
said two of his customers' sites were inaccessible for much of
Tuesday.

The Davenport, Iowa, resident said he contacted EarthLink and was told
that the worm "crippled" two Unix server farms. EarthLink
representatives could not immediately be reached for comment.

"We were told to shut down our e-mail for an hour while the company
installed the virus-protection software," said Carol Snyder,
spokeswoman for Lowestfare.com, based in Las Vegas. "After that there
were no more problems."

Not everyone was hampered by the worm, however.

Network-performance monitor Keynote Systems, which watches
connectivity to 40 major Web sites, did not see any bandwidth problems
Tuesday.

"We certainly aren't seeing" degradation, said Bill Jones, director of
public services for the company. "When Code Red hit, we did see some
elevation. I feel pretty comfortable that our numbers are an accurate
representation."

A representative of online auction house eBay said the company had not
been infected by the worm and had no indication of the reported
Internet bandwidth problems. A Yahoo representative said some
employees had been infected by the malicious program, but the worm did
not affect company operations.

Representatives of Excite@Home, the nation's largest broadband service
provider, said the company had not had any indication that it had been
affected by the worm, nor had many of the nearly 4 million subscribers
of Excite@Home's high-speed Internet service.

A spokesman for San Francisco-based BlueLight.com said the company had
not experienced any virus-related problems. "The biggest problem I've
got is from the e-mail from friends warning me not to open certain
e-mail attachments," spokesman Dave Karraker said.

Both Sony and Texas Instruments said their networks had not been
affected by the spread of the worm.

Though others may not have seen the worm, Counterpane's Bird said the
infection is still going on and is still significant.

"It's just nuts that this might be a false alarm," she said. "We have
had to take systems offline to clean the infection up."

The worm continued to spread late in the afternoon, according to CERT.

"We are receiving a steady stream of reports of systems being affected
by this," said Chad Dougherty, Internet security analyst for the
Pittsburgh, Penn., security group. "We are looking on the order of
tens of thousands of compromised machines."

Although the organization could not comment on reported widespread
bandwidth problems, it did acknowledge that many of its members had
encountered network slowdowns. "We got a number of reports from sites
that had localized bandwidth denial of service," Dougherty said.

Staff writer Richard Shim and News.com's Gwendolyn Mariano, Corey
Grice, Scott Ard and Sam Ames contributed to this report.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.