Massive Internet Worm Attack Timed to Match Terrorist Bombing One Week Ago

From: Internet Security Bulletin (soc@farm9.com)
Date: 09/19/01


From: "Internet Security Bulletin" <soc@farm9.com>
To: <soc@farm9.com>
Subject: Massive Internet Worm Attack Timed to Match Terrorist Bombing One Week Ago
Date: Tue, 18 Sep 2001 19:34:47 -0700
Message-ID: <NFBBIHEDEKGKIEDFMMMBKEHKCAAA.soc@farm9.com>

FOR IMMEDIATE RELEASE

farm9 Security Warning: International Worm attack / Nimda Worm Alert

Contact for more info:
Guy Morgan
info@farm9.com
106 Linden Street #106
Oakland, CA 95607
510-835-3276 x262
www.farm9.com

Tuesday, September 18, 2001 8:03 AM Oakland, California USA --
farm9's Security Operations Center is tracking a new Internet worm named
W32/Nimda-A (known aliases are Nimda, CV-5, Minda, Concept Virus and Code
Rainbow). At 0800 PST we detected a simultaneous attack on our customers in
the United States and India. Multiple sites reporting similar attacks were
corroborated on CERT and other security sites.

By 1018 PST farm9 detected massive worm penetration attempts. Each infected
site was propagating rapidly over several channels at once: multiple IIS
vulnerabilities, web-based JavaScript served to browsers, file transfers and
email. Linux and Apache servers seem to be unaffected.

By 1117 PST farm9 detected an impact on bandwidth availability. Low
bandwidth sites we monitor began to go down. Customer sites unable to
implement SYN rate limiting also began to experience bandwidth outages.

The worm uses three distinct vectors to spread:

    1) Email attachment
    2) Web-based JavaScript download via browser
    3) Direct IIS attack similar to Code Red

The worm leverages multiple IIS vulnerabilities and spreads using port 80
(i.e. the web). Furthermore, this variant also uses Outlook and Outlook
Express vulnerabilities to distribute itself through email.

There have been several reports of small ISPs being overwhelmed with traffic
and going down. John Silva, Senior Security Engineer/CCIE at farm9.com, Inc.,
a San Francisco Bay Area managed security provider, says, "More mature
routing infrastructures can handle this sort of assault through SYN rate
limiting. Unfortunately, many corporate IT shops, as well as ISPs, do not
have the funding, staff or inclination to keep up with current threats..."

Multiple sources have confirmed that this worm consumes a large amount of
bandwidth, and impaired performance on web servers is the result. Although
it is rumored that this may be related to Osama Bin Laden, the timing is
more likely coincidental. Still, the timing must concern some, because this
latest cyber attack began almost exactly one week (down to the minute) after
the terrorist activities in New York and Washington DC.

farm9 Chief Operating Officer Guy Morgan urges caution. "While the extent of
this disruption exceeds the recent Code Red Worm, it isn't the beginning of
the end of the Internet. People need to monitor their systems and patch them
to plug the holes; be defensive and don't hack back."

Firewalls, such as Cisco PIX or Checkpoint's Firewall-1, cannot stop this
attack because it looks like legitimate email and web traffic. Many popular
intrusion detection systems (IDS), such as Dragon by Enterasys, do detect
this attack. However, most IDS products will require specific signature
(fingerprint) updates for this worm.
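As an added example (not part of the farm9 bulletin or its products): a small detector that runs over constructed web-server access-log lines and flags the worm's direct IIS attack, the port-80 vector that signature updates target. The request strings it matches are the ones documented for Nimda in CERT Advisory CA-2001-26 (calls to the root.exe backdoor left by Code Red II, and Unicode / double-decode directory traversal to cmd.exe); the log lines, labels, function names and the scanning threshold are assumptions made for this example.

```python
"""Flag Nimda-style IIS probe traffic in web-server access logs.

Added example for this bulletin (not farm9 code). The request strings are
the ones documented for Nimda in CERT Advisory CA-2001-26; the log lines
below are constructed, and the function names and threshold are assumptions.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

# Common Log Format: src ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Encodings of "..\" / "../" that the worm uses to walk out of the web root:
# %5c and %2f (plain), %c0%af, %c0%2f, %c1%1c, %c1%9c (overlong UTF-8), and
# %35c / %255c / %252f (double-decode, where %35 -> '5' and %25 -> '%').
TRAVERSAL_RE = re.compile(
    r"\.\.(%5c|%2f|%c0%af|%c0%2f|%c1%1c|%c1%9c|%35c|%255c|%252f|/|\\)"
)

Hit = Tuple[str, str, str, str]  # (source, label, path, status)


def classify_request(path: str) -> Optional[str]:
    """Label one request path, or return None for ordinary traffic."""
    p = path.lower()
    if "root.exe" in p:
        # root.exe is the cmd.exe copy left behind by Code Red II;
        # Nimda tries it first because it needs no exploit at all.
        return "root.exe-backdoor"
    if "cmd.exe" in p:
        if TRAVERSAL_RE.search(p):
            return "cmd.exe-traversal"   # Unicode / double-decode traversal
        return "cmd.exe-direct"          # e.g. /c/winnt/system32/cmd.exe via a mapped drive
    if "/readme.eml" in p:
        # Clients fetching readme.eml means THIS server is already infected
        # and is serving the browser (JavaScript) vector to its visitors.
        return "readme.eml-served"
    return None


def scan_log(lines: List[str]) -> Tuple[List[Hit], Counter]:
    """Return every flagged request and a per-source-address hit count."""
    hits: List[Hit] = []
    per_source: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # not CLF; skip rather than guess
        label = classify_request(m["path"])
        if label is None:
            continue
        hits.append((m["src"], label, m["path"], m["status"]))
        per_source[m["src"]] += 1
    return hits, per_source


def scanning_hosts(per_source: Counter, threshold: int = 3) -> List[str]:
    """Sources that fired at least `threshold` probes: infected machines
    sweeping for new victims (candidates for a temporary port-80 block)."""
    return sorted(src for src, n in per_source.items() if n >= threshold)


def successful_exec_probes(hits: List[Hit]) -> List[Hit]:
    """cmd.exe probes answered with 200: the server most likely ran the
    command and should be treated as compromised, not merely scanned."""
    return [h for h in hits if h[1].startswith("cmd.exe") and h[3] == "200"]


# Constructed sample log (not real traffic): one sweeping host, one
# visitor pulling the browser vector, and one single-shot probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2001:08:03:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:08:03:11 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:08:03:12 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:08:03:12 -0700] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [18/Sep/2001:08:03:13 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -',
    '192.168.1.20 - - [18/Sep/2001:08:05:40 -0700] "GET /index.html HTTP/1.1" 200 4021',
    '192.168.1.20 - - [18/Sep/2001:08:05:41 -0700] "GET /readme.eml HTTP/1.1" 200 57344',
    '172.16.4.9 - - [18/Sep/2001:08:06:02 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for src, label, path, status in found:
        print(f"{src:<14} {status} {label:<18} {path}")
    print("sweeping hosts:", scanning_hosts(counts))
    print("exec probes answered 200:", len(successful_exec_probes(found)))
```

The status code matters as much as the request string: a 404 on a traversal probe means the server was scanned, while a 200 means cmd.exe actually ran and the host belongs in the recovery queue rather than the "patch it" queue. A burst of probes from one source is the signature of an infected neighbour sweeping, which is what the per-source count and threshold are for.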

For information on the latest steps to protect yourself from this attack or
to recover from a compromise, go to: http://farm9.com/content/0918worm

Many ISPs have blocked web traffic (port 80) in order to limit the spread of
the worm. If your ISP blocks your web traffic, try this alternate URL
http://farm9.com:8080/content/0918worm

For information on getting early warning notification, visit our farm9
Harvester at http://farm9.com:8080/content/Company_Info/Harvester

farm9.com
106 Linden Street #106
Oakland, CA 95607
510-835-3276 x253
www.farm9.com

Companies mentioned:

Microsoft Enterasys Cisco Checkpoint farm9

###

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
