[ISN] Internet Worm Hits Airline, Banks

From: InfoSec News (isnat_private)
Date: Mon Jan 27 2003 - 03:04:13 PST

    http://www.washingtonpost.com/wp-dyn/articles/A46928-2003Jan26.html
    
    By Brian Krebs
    washingtonpost.com Staff Writer
    January 26, 2003
    
    An Internet worm unleashed on Saturday impaired key systems in the 
    U.S. government and private sector, delaying operations at one major 
    airline and several media organizations, and knocking banks' cash 
    machines offline. 
    
    At least 160,000 computers worldwide have been infected since the worm 
    debuted early Saturday morning, said Peter Allor, operations director 
    of the Information Technology Information Sharing and Analysis Center. 
    
    "That's really a conservative estimate," Allor said. "We'll know about 
    the extent of this attack in a few days." 
    
    The effects of the worm -- known variously as "Sapphire," "Slammer" 
    and "SQ-Hell" -- have diminished in many parts of the world since 
    Saturday. Major Internet service providers were able to block traffic 
    destined for servers running a vulnerable Microsoft Corp. database 
    program called SQL Server 2000. 
    
    The FBI is investigating the attack, a spokesman for the bureau's 
    National Infrastructure Protection Center said. 
    
    Bank of America Corp. said Saturday that most of its 13,000 automatic 
    teller machines could not process customer transactions for part of 
    the day because of the bug. 
    
    Other banks also struggled this weekend with the effects of the worm, 
    said Suzanne Gorman, chairman of the Financial Services Information 
    Sharing and Analysis Center, which represents some of the nation's 
    largest financial services companies. 
    
    "There were a lot of our members affected by this," said Gorman, who 
    declined to give more details. 
    
    The worm caused flight delays and cancellations for Houston-based 
    Continental Airlines after it overwhelmed the company's online 
    ticketing systems and electronic kiosks that travelers use to check 
    in, said company spokesman Jeff Awalt. 
    
    Continental brought the ticketing and kiosk stations back online by 
    mid-afternoon Saturday, but the airline's Web site was down for most 
    of Sunday, causing wait times on its reservations hotline to soar to 
    more than 140 minutes. 
    
    The attack also interfered with computer networks at the Atlanta 
    Journal-Constitution, which had to delay the publication of its Sunday 
    first edition, the newspaper said. News updates to the paper's Web 
    site also were delayed by the worm. The Associated Press and the 
    Philadelphia Inquirer also experienced publishing problems as a result 
    of the worm. 
    
    E-mail and Web traffic move around the Internet using a standard that 
    breaks the data up into tiny packets of information before sending 
    them on to their destinations. The data flood produced by a worm or 
    virus often crowds out some of these packets, resulting in returned -- 
    or "bounced" -- e-mails, and slowed Internet traffic. 
    
    The average packet loss at the height of Saturday's attack was a 
    debilitating 20 percent, according to a senior executive at Matrix 
    NetSystems, a Web monitoring firm based in Austin, Texas. 
    
    "When routers are dropping one-fifth of their packets, you're going to 
    see mail servers hammered, and in many cases (e-mail) attachments will 
    be lost in the sending," said Tom Ohlsson, vice president of marketing 
    and business development. 
    
    Major Web site delays occurred at more than 45 times the normal level 
    at numerous government sites Saturday, including the Departments of 
    Agriculture and Commerce, the firm reported. Several Defense 
    Department sites were particularly hard hit, including the Defense 
    Logistics Agency, the DoD Teleprocessing Center and the Defense 
    Information Systems Agency, which acts as the computer network 
    operations center for military Web sites. 
    
    A spokeswoman for the Defense Department's Strategic Command in Omaha 
    declined to discuss the affected Web sites, or provide details on what 
    action the department is taking against the worm, but said there was 
    "minimal impact on the DoD domain." 
    
    The worm, in its structure and method, resembled Code Red, a worm 
    released on the Internet in the summer of 2001 that attacked the White 
    House Web site. 
    
    The worm unleashed Saturday did not delete files or harm computers, 
    but overwhelmed systems with huge numbers of requests for information. 
    
    The speed and efficiency with which the worm randomly scanned Internet 
    addresses for other vulnerable systems caused network degradation over 
    much of the Internet, said Alfred Huger, senior director of 
    engineering at Symantec Security Response. 
    
    Many businesses that blocked access to Microsoft SQL servers likely 
    will experience a few problems adjusting their firewalls to allow 
    legitimate traffic from affiliates and off-site offices that need to 
    draw information from their parent company's database servers, Allor 
    said. 
    
    "It's probably not going to be business as usual, as companies work 
    through patching their systems and figuring out exactly which parts of 
    their business need to have access to these servers," he said. 
    
    South Korea sustained the most damage from the worm, losing almost all 
    of its Internet service. With 70 percent of its households connected 
    to the Internet, South Korea is one of the world's most wired nations. 
    
    Businesses in South Korea are among the first to open for business in 
    the new work week, and could face complications caused by lingering 
    infections, experts said. Overall, however, network traffic associated 
    with the worm has dropped off nearly 90 percent, according to 
    Symantec. 
    