Farm9 Alerts of Massive Internet Worm Attack

Tuesday, September 18, 2001 8:03 AM Oakland, California USA — farm9’s Security Operations Center is tracking a new Internet worm named W32/Nimda-A (known aliases are Nimda, CV-5, Minda, Concept Virus and Code Rainbow). At 0800 PST we detected a simultaneous attack on our customers in the United States and India. Multiple sites reporting similar attacks were corroborated on CERT and other security sites.

By 1018 PST farm9 detected massive worm penetration attempts. Each infected site was propagating rapidly, including multiple IIS vulnerabilities, web based java scripts, file transfers and email. Linux and Apache servers seem to be unaffected.

By 1117 PST farm9 detected an impact on bandwidth availability. Low bandwidth sites we monitor began to go down. Customer sites unable to implement syn limiting also began to experience bandwidth outages.

The worm uses three distinct vectors to spread:

1) Email attachment

2) Web-based java script download via browser

3) Direct IIS attack similar to Code Red

The worm leverages multiple IIS vulnerabilities and spreads using port 80 (i.e. the web). Furthermore, this variant also uses Outlook and Outlook Express vulnerabilities to distribute itself through email.

There have been several reports of small ISPs being overwhelmed with traffic and going down. John Silva, Senior Security Engineer/CCIE at farm9.com, Inc. a San Francisco Bay Area managed security provider says, “More mature routing infrastructures can handle this sort of assault through syn rate limiting. Unfortunately, many corporate IT shops, as well as ISPs, do not have the funding, staff or inclination to keep up with current threats…”

Multiple sources have confirmed that this worm consumes a large amount of bandwidth and impaired performance on web servers is a result. Although rumored that this may be the related to Osama Bin Laden, it is more likely coincidental timing. However the timing must concern some because this latest cyber attack began almost exactly one week (down to the minute) after terrorist activities in New York and Washington DC.

farm9 Chief Operating Officer Guy Morgan urges caution. “While the extent of this disruption exceeds the recent Code Red Worm, it isn’t the beginning of the end of the Internet. People need to monitor their systems and patch them to plug the holes; be defensive and don’t hack back.”

Firewalls, such as Cisco PIX or Checkpoint’s Firewall-1, cannot stop this attack because it looks like legitimate email and web traffic. Many popular intrusion detection software (IDS) programs, such as Dragon by Enterasys, do detect this attack. However, most IDS programs will require specific fingerprint updates for this problem.

For information on the latest steps to protect yourself from this attack or to recover from a compromise, go to: http://farm9.com/content/0918worm

Many ISPs have blocked web traffic (port 80) in order to limit the spread of the worm. If your ISP blocks your web traffic, try this alternate URL http://farm9.com:8080/content/0918worm

For information on getting early warning notification, visit our farm9 Harvester at http://farm9.com:8080/content/Company_Info/Harvester

farm9.com

106 Linden Street #106

Oakland, CA 95607

510-835-3276 x253

www.farm9.com