[ISN] New worm slows some Internet operations

From: InfoSec News (isnat_private)
Date: Wed Sep 19 2001 - 11:40:34 PDT


    [Sorry that the ISN mail is going out 13 hours past the usual time it
    goes out; Internet worm traffic for us made it impossible to send
    out anything via a dial-up.  - WK]

    By Robert Lemos
    Special to CNET News.com
    September 18, 2001, 4:30 p.m. PT

    Many companies worldwide saw Internet bandwidth slow to a crawl
    Tuesday, as a new Internet worm flooded PCs and servers with its
    attempts to spread.

    While many companies connected to the Internet seemed unaffected by
    the worm, others said the damage ranged from nuisance to full-fledged

    "It seems to randomly be going through every IP (address) of my
    network," said Ian Neubert, director of information services for
    online telecom equipment seller TWAcomm.com, which found itself
    inundated with scans from infected machines. "This is ridiculous."

    The worm, which appeared early Tuesday morning, spreads using a
    multipronged attack and infects both PCs and servers running
    Microsoft's Windows 95, 98, Me and 2000 operating systems.

    To spread, the program sends an e-mail message with the worm in an
    attachment, scans for and then compromises vulnerable servers, jumps
    to shared hard drives on a network, and sends itself to any surfer
    whose browser requests a Web page from an infected server.

    The multifaceted nature of the malicious program's infection is
    unprecedented, said experts.

    "It's the Swiss Army knife of worms," said Greg Shipley, a security
    consultant with network protection firm Neohapsis. "It's friggin'

    Yet the largest effect of the worm seems to be the amount of data it
    creates. The sheer volume produced by the worm's attempts to spread
    has caused grief for many companies.

    Exodus Communications, a major Web hosting company, scrambled its
    Cyber Attack Tiger Team (CATT) this morning when the first intrusion
    detectors alerted the company to the worm around 5:30 a.m. PDT.

    "This morning those things started going off like a Christmas tree,"
    said Charles Neal, vice president of cyberterrorism detection and
    incident response for Exodus.

    Some Exodus customers were affected, but CATT didn't yet know how
    many. In addition, about 10 computers in Exodus' 800-person consulting
    unit were affected and immediately patched, investigators said.

    "All I can say is, in general, everyone who does business on the Web
    is going to be affected," said Bill Swallow, director of incident
    response at Exodus.

    Network-protection service Counterpane Internet Security said most of
    its customers had seen their Internet bandwidth drop off as a result
    of the worm. The company, which monitors clients' networks and warns
    them of possible intrusions, would not divulge its customers' names.

    "We have noticed a jump in terms of our alert volume between 1,000 and
    10,000 times normal," said Tina Bird, architect of engineering for

    The Computer Emergency Response Team (CERT) Coordination Center at
    Carnegie Mellon University warned its members of the worm. Antivirus
    company Symantec gave the worm its second-highest "Level 4-severe"
    rating, and F-Secure gave the virus its highest rating.

    While the worm infects computers running Microsoft Windows 98, Windows
    Me and Windows 2000, some reports have indicated that Unix machines
    running the popular Apache Web server software crashed when scanned by
    the worm.

    That particular side effect crashed several servers at EarthLink's Web
    hosting business, according to Mel Lower, a customer of EarthLink.

    Lower, who hosts Web sites for small businesses through EarthLink,
    said two of his customers' sites were inaccessible for much of

    The Davenport, Iowa, resident said he contacted EarthLink and was told
    that the worm "crippled" two Unix server farms. EarthLink
    representatives could not immediately be reached for comment.

    "We were told to shut down our e-mail for an hour while the company
    installed the virus-protection software," said Carol Snyder,
    spokeswoman for Lowestfare.com, based in Las Vegas. "After that there
    were no more problems."

    Not everyone was hampered by the worm, however.

    Network-performance monitor Keynote Systems, which watches
    connectivity to 40 major Web sites, did not see any bandwidth problems

    "We certainly aren't seeing" degradation, said Bill Jones, director of
    public services for the company. "When Code Red hit, we did see some
    elevation. I feel pretty comfortable that our numbers are an accurate

    A representative of online auction house eBay said the company had not
    been infected by the worm and had no indication of the reported
    Internet bandwidth problems. A Yahoo representative said some
    employees had been infected by the malicious program, but the worm did
    not affect company operations.

    Representatives of Excite@Home, the nation's largest broadband service
    provider, said the company had not had any indication that it had been
    affected by the worm, nor had many of the nearly 4 million subscribers
    of Excite@Home's high-speed Internet service.

    A spokesman for San Francisco-based BlueLight.com said the company had
    not experienced any virus-related problems. "The biggest problem I've
    got is from the e-mail from friends warning me not to open certain
    e-mail attachments," spokesman Dave Karraker said.

    Both Sony and Texas Instruments said their networks had not been
    affected by the spread of the worm.

    Though others may not have seen the worm, Counterpane's Bird said the
    infection is still going on and is still significant.

    "It's just nuts that this might be a false alarm," she said. "We have
    had to take systems offline to clean the infection up."

    The worm continued to spread late in the afternoon, according to CERT.

    "We are receiving a steady stream of reports of systems being affected
    by this," said Chad Dougherty, Internet security analyst for the
    Pittsburgh, Penn., security group. "We are looking on the order of
    tens of thousands of compromised machines."

    Although the organization could not comment on reported widespread
    bandwidth problems, it did acknowledge that many of its members had
    encountered network slowdowns. "We got a number of reports from sites
    that had localized bandwidth denial of service," Dougherty said.

    Staff writer Richard Shim and News.com's Gwendolyn Mariano, Corey
    Grice, Scott Ard and Sam Ames contributed to this report.

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
