[iwar] [fc:NY.Times.laid.low.by.Nimda.offshoot]

From: Fred Cohen (fc@all.net)
Date: 2001-11-01 05:50:00


Message-Id: <200111011350.fA1Do0227091@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)

NY Times laid low by Nimda offshoot
Reuters, 11/1/2001
http://news.cnet.com/news/0-1003-200-7739301.html?tag=mn_hd

NEW YORK--The mysterious "storm of data" that swamped computers at The
New York Times was not caused by a malicious attack aimed at the paper
but rather by a reemergence of the Nimda worm, company officials said
Wednesday.

A New York Times network administrator said in an internal e-mail
Tuesday that the company's Internet connection was "interrupted by a
storm of data" and that the "denial-of-service" activity may have been a
deliberate attack.

In a denial-of-service attack, thousands of fake messages are sent to
server computers, tying up the recipient's network.

But the real culprit was Nimda.E, a permutation of the Nimda worm that
struck hundreds of thousands of computers worldwide beginning in
September, said New York Times Chief Information Officer Michael
Williams on Wednesday in a second inter-company e-mail obtained by
Reuters.

"We have secured a 'fix' for this virus which cleanses the infected
machines," Williams said in the e-mail. A company spokeswoman confirmed
that internal Internet access at the paper was up as of Wednesday
morning.

Nimda.E "is a new version that just appeared a few days ago," said Marc
Fossi, malicious-code analyst for the San Mateo, Calif.-based firm
SecurityFocus. "It's the same infection method, but it's been
recompiled, and the file names it uses have been changed to make it
harder for antivirus products to detect."

The symptoms of a denial-of-service attack and a Nimda strike are quite
similar, according to Russ Cooper of the computer security firm
TruSecure.

Nimda can quickly bog down internal networks as it generates Internet
traffic in the hunt for new hosts. Denial-of-service attacks work in a
similar way, overwhelming networks with requests.

"If you have a large number of affected machines, very quickly--within
five minutes--you're going to have a large portion of those machines
attacking, and that's going to douse your network," Cooper said.

The virus can be easily passed on via e-mail, infected Web pages or
company subsidiaries with access to the main network.

"It would be a heck of a lot easier to bring it in than anthrax, let's
put it that way," Cooper said.

Since Nimda relies on randomly generated Internet addresses, it is
unlikely that the New York Times was deliberately targeted for attack,
he added.

During the recent string of anthrax transmissions, there have been at
least two scares at the paper, including one letter filled with a white
powder that was mailed to a reporter who wrote a book on bioterrorism.
But tests at the paper have come up negative for the bacteria.

According to Williams' e-mail, the paper was in the process of
identifying the machines infected with Nimda and fixing them one by one,
and was also updating its virus protection software.

------------------
http://all.net/ 
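Cooper's point in the article is that a Nimda outbreak and a denial-of-service flood look alike from inside the network: both saturate the link within minutes. In flow data they differ in direction and shape: an outbreak is many internal sources each fanning out to many distinct (randomly chosen) hosts, while a flood is many external sources fanning in to one internal target. The script below is an added example and is not code from the article, from the Times, or from the list post; the 10.0.0.0/8 internal range, port 80, the 5-minute window, the fan-out/fan-in thresholds and the flow records themselves are all constructed assumptions for illustration.

```python
"""Separate worm-scan fan-out from an inbound flood in flow records.

Added example, not part of the original post. Addresses, thresholds,
window size and the sample flows are assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space
WINDOW = 300                          # 5-minute window (Cooper's figure)
SCAN_FANOUT = 20                      # distinct dsts per src to call it a scanner (assumed)
FLOOD_FANIN = 20                      # distinct srcs per dst to call it a flood (assumed)


def _window(ts):
    """Bucket a timestamp into a fixed-size window."""
    return ts // WINDOW


def scanners(flows, threshold=SCAN_FANOUT):
    """Internal sources contacting many distinct hosts on port 80 within one window.

    This is the worm-propagation signature: each infected host probes random
    addresses, so fan-out from a single source climbs fast.
    """
    seen = defaultdict(set)  # (src, window) -> distinct destinations
    for ts, src, dst, dport in flows:
        if dport == 80 and ip_address(src) in INTERNAL:
            seen[(src, _window(ts))].add(dst)
    return sorted({src for (src, _), dsts in seen.items() if len(dsts) >= threshold})


def flood_targets(flows, threshold=FLOOD_FANIN):
    """Internal destinations hit by many distinct external sources within one window.

    This is the inbound denial-of-service signature: fan-in to one target.
    """
    seen = defaultdict(set)  # (dst, window) -> distinct external sources
    for ts, src, dst, dport in flows:
        if (dport == 80 and ip_address(dst) in INTERNAL
                and ip_address(src) not in INTERNAL):
            seen[(dst, _window(ts))].add(src)
    return sorted({dst for (dst, _), srcs in seen.items() if len(srcs) >= threshold})


def build_sample_flows():
    """Constructed flow records: (epoch seconds, src, dst, dst port)."""
    flows = []
    t0 = 1004600100  # arbitrary base, aligned to a window boundary
    # Three infected desktops, each probing 40 pseudo-random hosts in two minutes.
    for i, src in enumerate(("10.2.3.10", "10.2.3.11", "10.2.3.12")):
        for k in range(40):
            n = (i * 7919 + k * 104729 + 13) % (2 ** 32)  # deterministic "random" address
            flows.append((t0 + k * 3, src, str(ip_address(n)), 80))
    # One inbound flood: 50 external sources hammering the public web server.
    for k in range(50):
        flows.append((t0 + k, f"203.0.113.{k + 1}", "10.1.1.5", 80))
    # Ordinary traffic: one desktop talking to a handful of sites.
    for k in range(5):
        flows.append((t0 + k * 10, "10.2.3.99", f"198.51.100.{k + 1}", 80))
    return flows


FLOWS = build_sample_flows()

if __name__ == "__main__":
    print("worm-like scanners:", scanners(FLOWS))
    print("flood targets:     ", flood_targets(FLOWS))
```

The two detectors look at the same port and the same window but key on opposite ends of the flow; that asymmetry is what lets an operator tell "our hosts are infected and scanning" from "someone is flooding us" before the link is fully saturated.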

This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:58 PST