[ISN] NY Times laid low by Nimda offshoot

From: InfoSec News (isnat_private)
Date: Thu Nov 01 2001 - 02:11:21 PST

    http://news.cnet.com/news/0-1003-200-7739301.html?tag=mn_hd
    
    By Reuters 
    October 31, 2001, 4:50 p.m. PT 
    
    NEW YORK--The mysterious "storm of data" that swamped computers at The
    New York Times was not caused by a malicious attack aimed at the paper
    but rather by a reemergence of the Nimda worm, company officials said
    Wednesday.
    
    A New York Times network administrator said in an internal e-mail
    Tuesday that the company's Internet connection was "interrupted by a
    storm of data" and that the "denial-of-service" activity may have been
    a deliberate attack.
    
    In a denial-of-service attack, thousands of fake messages are sent to
    server computers, tying up the recipient's network.
    
    But the real culprit was Nimda.E, a permutation of the Nimda worm that
    struck hundreds of thousands of computers worldwide beginning in
    September, said New York Times Chief Information Officer Michael
    Williams on Wednesday in a second inter-company e-mail obtained by
    Reuters.
    
    "We have secured a 'fix' for this virus which cleanses the infected
    machines," Williams said in the e-mail. A company spokeswoman
    confirmed that internal Internet access at the paper was up as of
    Wednesday morning.
    
    Nimda.E "is a new version that just appeared a few days ago," said
    Marc Fossi, malicious-code analyst for the San Mateo, Calif.-based
    firm SecurityFocus. "It's the same infection method, but it's been
    recompiled, and the file names it uses have been changed to make it
    harder for antivirus products to detect."
    
    The symptoms of a denial-of-service attack and a Nimda strike are
    quite similar, according to Russ Cooper of the computer security firm
    TruSecure.
    
    Nimda can quickly bog down internal networks as it generates Internet
    traffic in the hunt for new hosts. Denial-of-service attacks work in a
    similar way, overwhelming networks with requests.
    
    "If you have a large number of affected machines, very quickly--within
    five minutes--you're going to have a large portion of those machines
    attacking, and that's going to douse your network," Cooper said.
    
    The virus can be easily passed on via e-mail, infected Web pages or
    company subsidiaries with access to the main network.
    
    "It would be a heck of a lot easier to bring it in than anthrax, let's
    put it that way," Cooper said.
    
    Since Nimda relies on randomly generated Internet addresses, it is
    unlikely that the New York Times was deliberately targeted for attack,
    he added.
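Cooper's point, that a worm outbreak and a denial-of-service flood look alike from inside the network, rests on one difference a defender can measure: Nimda-style scanning is many internal hosts each reaching many distinct, effectively random addresses, while a flood is many external sources converging on a few internal targets. The script below is an added example, not code from the article or from any of the firms quoted in it. It constructs two synthetic sets of flow records (source, destination, port), one shaped like worm scanning and one like an external flood, and classifies them by fan-out and fan-in. The internal address range, the thresholds and the flow format are assumptions for illustration.

```python
"""Tell an internal worm outbreak from an external flood by traffic shape.

Added example, not part of the original article. All flow records below are
constructed; the internal range and thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
import random

# Assumption: the site's internal address space.
INTERNAL = ip_network("10.0.0.0/8")


def _random_external(rng):
    """Constructed 'random Internet address' that is never inside INTERNAL
    (first octet 128..223 excludes 10/8 and 127/8)."""
    return "{}.{}.{}.{}".format(
        rng.randint(128, 223), rng.randint(0, 255),
        rng.randint(0, 255), rng.randint(1, 254))


def make_worm_flows(seed=1):
    """Constructed sample: five internal hosts each probing sixty random
    addresses on port 80, the shape the article attributes to Nimda."""
    rng = random.Random(seed)
    flows = []
    for host in range(5):
        src = "10.0.1.{}".format(10 + host)
        for _ in range(60):
            flows.append((src, _random_external(rng), 80))
    return flows


def make_flood_flows(seed=2):
    """Constructed sample: three hundred external sources all hitting one
    internal web server, the shape of a denial-of-service flood."""
    rng = random.Random(seed)
    return [(_random_external(rng), "10.0.0.5", 80) for _ in range(300)]


# Constructed sample of ordinary traffic: a few hosts talking to a few sites.
NORMAL_FLOWS = [
    ("10.0.1.20", "198.51.100.7", 80),
    ("10.0.1.20", "198.51.100.9", 443),
    ("10.0.1.21", "198.51.100.7", 80),
    ("10.0.2.5", "10.0.0.5", 80),
]


def classify(flows, fanout_threshold=20, fanin_threshold=100):
    """Return a verdict plus the hosts that triggered it.

    fanout_threshold: distinct destinations an internal host must reach to
        count as scanning (worm behaviour).
    fanin_threshold: distinct external sources an internal target must receive
        from to count as flooded (DoS behaviour).
    Both thresholds are assumed values, to be tuned per site.
    """
    dst_per_src = defaultdict(set)
    ext_src_per_dst = defaultdict(set)
    for src, dst, _port in flows:
        dst_per_src[src].add(dst)
        if ip_address(src) not in INTERNAL:
            ext_src_per_dst[dst].add(src)

    # Worm signature: internal sources fanning out to many destinations.
    scanners = sorted(
        src for src, dsts in dst_per_src.items()
        if ip_address(src) in INTERNAL and len(dsts) >= fanout_threshold)
    # Flood signature: internal targets receiving from many external sources.
    flooded = sorted(
        dst for dst, srcs in ext_src_per_dst.items()
        if ip_address(dst) in INTERNAL and len(srcs) >= fanin_threshold)

    if scanners:
        return {"verdict": "internal worm scanning", "hosts": scanners}
    if flooded:
        return {"verdict": "external flood", "hosts": flooded}
    return {"verdict": "no storm pattern", "hosts": []}


if __name__ == "__main__":
    for name, flows in (("worm", make_worm_flows()),
                        ("flood", make_flood_flows()),
                        ("normal", NORMAL_FLOWS)):
        print(name, classify(flows))
```

The worm case is reported first because, as the article notes, cleaning infected machines is the fix; an external flood with no internal scanners would instead point to upstream filtering. In practice the same two counts can be taken from router flow exports or firewall logs, and the scanner list is the list of machines to isolate and clean one by one.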
    
    During the recent string of anthrax transmissions, there have been at
    least two scares at the paper, including one letter filled with a
    white powder that was mailed to a reporter who wrote a book on
    bioterrorism. But tests at the paper have come up negative for the
    bacteria.
    
    According to Williams' e-mail, the paper was in the process of
    identifying the machines infected with Nimda and fixing them one by
    one, and was also updating its virus protection software.
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    This archive was generated by hypermail 2b30 : Thu Nov 01 2001 - 04:03:12 PST