The damned thing continues to burn bandwidth here. My IIS systems were patched long ago and my Apache servers are inherently immune. But, that does not prevent vulnerability scans and it's those scans that are burning the pipe. Firewalling the scans sort of blocks those services too. So, that isn't the answer.

Fortunately, I have long been a fan of having really huge boxen sip their internet through straws (any single box can saturate the uplink (100baseTX) at <50% CPU utilization, and the WAN:LAN link never exceeds 1:10). So, my servers are just loafing. Still, this comes real close to being a DDoS attack because the WAN port is showing almost 40% usage from scans right now. I'm real glad that I have another set of zone servers, piggy-backed in AboveNet.

Has anyone made any progress towards locating origination of these worms? They seem to be steadily mutating. This means that a/some programmer(s) is/are behind this somewhere. I'm sure that I'm not the only one that wants to know.

--
R O E L A N D M J M E Y E R
Managing Director
Morgan Hill Software Company
tel: +1 925 373 3954
cel: +1 925 352 3615
fax: +1 925 373 9781
http://www.mhsc.com
BC-Internet Attack, 1st Ld-Writethru, a0628,540
FBI investigating new Internet worm, thousands of computers targeted
Eds: SUBS 4th graf The FBY, to fix typo: "FBI" sted "FBY"
By D. IAN HOPPER
AP Technology Writer

WASHINGTON (AP) _ Anti-virus researchers were fighting a new Internet attacker Tuesday similar to the "Code Red" worm that infected hundreds of thousands of computers several months ago.

The worm, known as "W32.Nimda," had affected "thousands, possibly tens of thousands" of targets by midday Tuesday, according to Vincent Gullotto, head virus fighter at McAfee.com, a software company.

Even when the attack isn't successful, the worm's scanning process can slow down the Internet for many users and can have the effect of knocking Web sites or entire company networks offline.

The FBI is investigating the worm, said spokeswoman Debbie Weierman. The agency has not indicated whether the worm is connected to last week's terrorism attacks.

On security e-mail lists, system administrators nationwide reported unprecedented activity related to the worm, which tries to break into Microsoft's Internet Information Services software. That software was the same targeted by Code Red, and is typically found on computers running Microsoft Windows NT or 2000.

Most home users, including those running Windows 95, 98 or ME, are not affected.

Ken Van Wyk, chief technology officer at ParaProtect, said the worm tries to wriggle in through 16 known vulnerabilities in Microsoft's IIS, including the security hole left in some computers by the "Code Red II" worm, which followed Code Red in August.

Code Red, by comparison, attacked through only one hole, which could be patched by downloading a program from Microsoft's Web site.

"It's causing enormous pain because it is at least an order of magnitude more aggressive than Code Red," said Alan Paller, director of research at the nonprofit Sans Institute. "It's a pretty vigorous attacker."

In addition to direct Internet attacks, the worm can also travel via e-mail. The e-mail message is typically blank, and contains an attachment called "README.EXE." Antivirus experts warn that users shouldn't open unexpected attachments.

Efforts to isolate and track the worm were hampered by the swiftness of the attack. Gullotto said the first report came at about 9 a.m. EDT, from a site in Norway.

"It's taken down entire sites," Gullotto said. "I can't even get to the Internet right now."

On Monday, the FBI's National Infrastructure Protection Center warned that a hacker group called the "Dispatchers" said they would attack "communications and finance infrastructures" on or about Tuesday.

"There is the opportunity for significant collateral damage to any computer network and telecommunications infrastructure that does not have current countermeasures in place," officials said in a warning on the NIPC Web site.

Last week, the FBI warned that there could be an increase in hacking incidents after the twin attacks in New York and Washington. They advised computer users to update their antivirus software, get all possible security updates for their other software, and be extra careful online.

___
On the Net:
McAfee.com: http://www.mcafee.com
Sans: http://www.sans.org
National Infrastructure Protection Center: http://www.nipc.gov
(Copyright 2001 by The Associated Press. All Rights Reserved.)
APTV-09-18-01 1243EDT

On Tue, 18 Sep 2001, Roeland Meyer wrote:
The damned thing continues to burn bandwidth here. My IIS systems were patched long ago and my Apache servers are inherently immune. But, that does not prevent vulnerability scans and it's those scans that are burning the pipe. Firewalling the scans sort of blocks those services too. So, that isn't the answer.
Fortunately, I have long been a fan of having really huge boxen sip their internet through straws (any single box can saturate the uplink (100baseTX) at <50% CPU utilization, and the WAN:LAN link never exceeds 1:10). So, my servers are just loafing. Still, this comes real close to being a DDoS attack because the WAN port is showing almost 40% usage from scans right now. I'm real glad that I have another set of zone servers, piggy-backed in AboveNet.
Has anyone made any progress towards locating origination of these worms? They seem to be steadily mutating. This means that a/some programmer(s) is/are behind this somewhere. I'm sure that I'm not the only one that wants to know.
I had 482 infected hosts scanning my server. Anyone who wants to see a list so they can look for their hosts, send me an email and I will be happy to forward you my infected file.

----- Original Message -----
From: "Bill Becker" <bbecker@iconn.net>
To: "Roeland Meyer" <rmeyer@mhsc.com>
Cc: "NANOG (E-mail)" <nanog@merit.edu>
Sent: Tuesday, September 18, 2001 1:13 PM
Subject: Re: Worm Probes
I had 482 infected hosts scanning my server. Anyone who wants to see a list so they can look for their hosts, send me an email and I will be happy to forward you my infected file.
Based on a sample of two, I'm guessing that there might be a small intersection between lists from different sites... at least at this early stage. I took a list I generated from traffic coming into a web server on my net and applied an ACL which then lit up as expected with many "hits". Then, I applied the same list to a circuit at a site I manage, off my net, and got very few hits. This site has a 10Mb/s jump in traffic today, so they are seeing this new virus, but it's not by the same set of 600+ IP addresses that I've seen.

-mark
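The workflow Mark describes (build a scanner list from a web server's traffic, turn it into an ACL, then check how much of that list shows up at a second site) as an added example; this is not code from the thread or from any of its participants. It assumes Common Log Format access logs, a detection heuristic of my own (a source is listed once it has requested two or more distinct executable paths; the worm's real probe strings are not on this page and are not reproduced here), constructed sample logs with invented addresses, and Cisco-style extended ACL syntax, which the thread does not specify:

```python
import ipaddress
import re
from collections import defaultdict

# Common Log Format line (assumed input format), e.g.
# 10.0.0.5 - - [18/Sep/2001:12:01:03 -0400] "GET /scripts/probe.exe HTTP/1.0" 404 210
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Detection heuristic (an assumption for this example, not from the thread):
# a request for an executable under the web root is treated as a worm probe,
# and a source is listed once it has sent MIN_DISTINCT_PROBES different ones.
PROBE_PATH_RE = re.compile(r'\.(exe|dll)(\?|$)', re.IGNORECASE)
MIN_DISTINCT_PROBES = 2

# Constructed sample logs for two sites; addresses and paths are invented.
SITE_A_LOG = """\
10.0.0.5 - - [18/Sep/2001:12:01:03 -0400] "GET /scripts/probe.exe HTTP/1.0" 404 210
10.0.0.7 - - [18/Sep/2001:12:01:04 -0400] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [18/Sep/2001:12:01:05 -0400] "GET /msadc/probe.exe HTTP/1.0" 404 210
10.0.0.9 - - [18/Sep/2001:12:01:06 -0400] "GET /cgi-bin/PROBE.EXE HTTP/1.0" 404 210
10.0.0.12 - - [18/Sep/2001:12:01:07 -0400] "GET /scripts/probe.exe HTTP/1.0" 404 210
10.0.0.9 - - [18/Sep/2001:12:01:08 -0400] "GET /scripts/probe.dll HTTP/1.0" 404 210
this line is not in Common Log Format and is skipped
10.0.0.7 - - [18/Sep/2001:12:01:09 -0400] "GET /images/logo.gif HTTP/1.1" 200 2048
"""

SITE_B_LOG = """\
10.0.0.20 - - [18/Sep/2001:13:30:01 -0400] "GET /scripts/probe.exe HTTP/1.0" 404 210
10.0.0.5 - - [18/Sep/2001:13:30:02 -0400] "GET /scripts/probe.exe HTTP/1.0" 404 210
10.0.0.7 - - [18/Sep/2001:13:30:03 -0400] "GET /index.html HTTP/1.1" 200 5120
10.0.0.20 - - [18/Sep/2001:13:30:04 -0400] "GET /msadc/probe.exe HTTP/1.0" 404 210
10.0.0.5 - - [18/Sep/2001:13:30:05 -0400] "GET /cgi-bin/probe.exe HTTP/1.0" 404 210
"""


def probing_hosts(log_text, min_probes=MIN_DISTINCT_PROBES):
    """Map each source IP that crossed the threshold to the probe paths it sent."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not CLF: skip rather than crash on a mangled line
        path = m.group("path")
        if PROBE_PATH_RE.search(path):
            probes[m.group("ip")].add(path.lower())
    return {ip: paths for ip, paths in probes.items() if len(paths) >= min_probes}


def compare_lists(hosts_a, hosts_b):
    """Scanners common to two sites, plus the Jaccard overlap of the two lists."""
    a, b = set(hosts_a), set(hosts_b)
    shared, union = a & b, a | b
    return shared, (len(shared) / len(union) if union else 0.0)


def acl_lines(hosts, acl_number=101):
    """Render a scanner list as Cisco-style extended ACL deny entries.

    The syntax is illustrative; the thread does not say which router or ACL
    form was used. Sorting by address keeps the output stable for diffing.
    """
    return [f"access-list {acl_number} deny ip host {ip} any"
            for ip in sorted(hosts, key=ipaddress.ip_address)]


if __name__ == "__main__":
    hosts_a = probing_hosts(SITE_A_LOG)
    hosts_b = probing_hosts(SITE_B_LOG)
    shared, ratio = compare_lists(hosts_a, hosts_b)
    print(f"site A scanners: {sorted(hosts_a)}")
    print(f"site B scanners: {sorted(hosts_b)}")
    print(f"shared: {sorted(shared)}  overlap (Jaccard): {ratio:.2f}")
    for line in acl_lines(hosts_a):
        print(line)
```

The two-probe threshold keeps a single stray 404 from landing a legitimate client on the block list, and the Jaccard ratio gives a single number for the "small intersection" Mark observed between sites. Note that a deny entry on the site's own router drops the probe packets only after they have already crossed the WAN link, so an ACL reduces load on the servers behind it but not the inbound bandwidth the scans consume, which is the problem Roeland raised.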
participants (4)
- Bill Becker
- Bill Larson
- Mark Kent
- Roeland Meyer