The Next Worm Could Disable U.S. Communications and Computers

Yahoo Business News ^ | Aug. 22, 2003 | John Mariotti

[FairOpinion]

OAK RIDGE, Tenn., Aug. 21 /PRNewswire/ -- "If you think the recent blackout in the Northeastern US wreaked havoc, watch out for the attack of the 'Worms,'" says executive and author John Mariotti. "The Sobig F and Blaster worms are just warm-ups for the real attack," states Mariotti a noted corporate executive, business writer and novelist. "Nobody paid attention to the warnings before 9/11, and nobody is listening to the warnings now."

"When I wrote 'THE SILENCE,' I knew the technology existed to plant 'back doors and Trojan Horses' in millions of computers. When an evil force takes control of all those computers, the US's entire communications and computer infrastructure is vulnerable," warns Mariotti. "The gaps in Microsoft's widely used software worsen the risk, but the real tragedy is the total inability of Homeland Security to deal with cyber-security. It is bogged down in a morass of indecision and confusion."

When asked why warnings like "THE SILENCE" are being ignored, Mariotti said, "There is no central authority in communications and information technology, therefore a sort of technological anarchy exists. With no central organizing body, there is no coordination. The US government agencies, the FBI, CIA, et. al. have difficulty just coordinating their own systems and are ill-equipped to solve a crisis of massive proportions in this field."

The government is fighting wars on too many fronts to worry about a hypothetical cyber-attack. But no one believed the gruesome ending Tom Clancy's novel "Debt of Honor" could be a prophecy of future terrorist attacks -- but sadly, it was. Mariotti's reaction to this, "I hope this is 'much ado about nothing,' but I fear it isn't. A cyber-terrorist attack in the near future is a virtual certainty. All that's uncertain is when and whether it will end like 'THE SILENCE.'"

Well-known technology writers have written about the risks recently, including George Hulme in Information Week, Simson Garfinkel in MIT Technology Review and Dan Verton of ComputerWorld, in his book entitled "Black Ice." Garfinkel called the recent plethora of worm attacks "proofs of concept" for a cyber-attack. Verton's novel draws on prior crisis simulations that are chillingly close to reality.

"THE SILENCE." Writers Showcase Press. www.thesilence.info.

[FairOpinion]

In case you missed it, there is a very good aricle about Al Qaeda cyber attacks, including specific evidence found, in a June 2002 article in the Washington Post:

http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26

[appalachian_dweller]

I don't know if the worms are the work of AQ (I doubt it) or the creation of some little punk in a basement with a computer and too much time on his hands, but these worms and the variants caused havoc around here.

No data loss, but several sites blocked incoming traffic. If fact, certain protocols are still blocked.

MAJOR pain in the rear. But that's about it.

[jimkress]

[FairOpinion]

Slammer worm crashed Ohio nuke plant network (Still Think The Blackout Wasn't A Cyber Attack???)
http://www.freerepublic.com/focus/f-news/968478/posts



Report warned power vulnerable to terror
http://www.freerepublic.com/focus/f-news/968487/posts

[FairOpinion]

MICROSOFT WORKING WITH THE FEDS, VIRUS ATTACKS MAY BE TERRORISM
http://www.freerepublic.com/focus/f-news/968431/posts

Evidence gathered by Microsoft, the FBI, and the Secret Service on the worldwide attacks made against the computers running the Windows operating system fits the profile of 'terrorist activity.'

Industry sources citing Mirosoft officials told World Tribune.com that the recent attacks from the 'Blaster' worm and its variants, coupled with an email virus called 'SoBig-F' show signs of a coordinated attack by an entity wanting to disrupt world commerce.

Microsoft is cooperating with both the FBI and the Secret Service and will report their findings in the next few days.

[FairOpinion]

ping

[Gorzaloon]

I don't know if the worms are the work of AQ (I doubt it) or the creation of some little punk in a basement with a computer and too much time on his hands, but these worms and the variants caused havoc around here.

My site's server is stopping about 22 a day. My wife's has stopped about a thousand.

Perhaps an alternate internet with no access for .cn,.kr,.sp,.hk,.tw would be a good start..kins of like a US only WAN?

[kevkrom]

I know Slammer is an exception, but almost every major Windows virus has exploited a hole for which the vulnerability was known and a patch was available, in many cases, for months before the attack.

Administrators of critical systems nned to be doing better jobs of keeping their systems patched in a timely manner. Of course, truly critical systems should have a backup that runs a different OS than the primary system.

[Bikers4Bush]

Al Qaeda doesn't have the skill. This is more likely of chinese influence.

[lilylangtree]

Question: Since last night, I've been deluged with email from addresses I've never heard of with the subject line starting" Worm SOBIG . . . I'm deleting these suckers as fast as I can. Has anyone else experienced this?

[FairOpinion]

"Al Qaeda doesn't have the skill. This is more likely of chinese influence"

It could be either.

Al Qaeda can hire people too.


http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26

Officials said Osama bin Laden's operatives have nothing like the proficiency in information war of the most sophisticated nations. But al Qaeda is now judged to be considerably more capable than analysts believed a year ago. And its intentions are unrelentingly aimed at inflicting catastrophic harm.

One al Qaeda laptop found in Afghanistan, sources said, had made multiple visits to a French site run by the Societé Anonyme, or Anonymous Society. The site offers a two-volume online "Sabotage Handbook" with sections on tools of the trade, planning a hit, switch gear and instrumentation, anti-surveillance methods and advanced techniques. In Islamic chat rooms, other computers linked to al Qaeda had access to "cracking" tools used to search out networked computers, scan for security flaws and exploit them to gain entry -- or full command.

Most significantly, perhaps, U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport and communications grids. In some interrogations, the most recent of which was reported to policymakers last week, al Qaeda prisoners have described intentions, in general terms, to use those tools.

[FairOpinion]

http://www.globetechnology.com/servlet/story/RTGAM.20030822.gtsobigaug22/BNStory/Technology/

Sobig's second attack due at 3 p.m. today


By JACK KAPICA
Globe and Mail Update

Another surprise is in store for computers infected with the Sobig virus, security experts are warning.

The virus, the world's most widespread worm which has caused extensive damage to e-mail systems, is set to enter a second phase today (Friday, Aug. 22) at 1900 UTC or 3:00 p.m. EDT.

Co-ordinated by atomic clocks, consultants at CGI CIRT in Ottawa say, computers infected by Sobig will connect to 20 machines in the United States, Canada and South Korea. The list is encrypted in the virus body.

The machines, CGI CIRT says, appear to be home computers connected by broadband to the Internet.

Infected machines will then download a program from a certain Web address and run it.

Currently, that Web address doesn't go anywhere, the security people said. They speculate that the address will become active only seconds before the 20 computers start the download, which gives analysts no time to examine the program to defuse it.

As a result, no one knows what the program does or how much damage it is capable of doing.

Previous versions of Sobig (there have been six in all) have downloaded programs that erase the virus but install a password-stealing program, and install an e-mail proxy that can send spam, without the owner's knowledge.

Researchers were able to break into Sobig far enough to gather all the information except the source of the Web address.

The spamming feature, CGI CIRT said, suggests commercial interests have created the virus, and not a "typical teenage virus writer."

Meanwhile, an antivirus company is warning that a worm similar to the destructive Sobig.F virus, which was programmed to deactivate on Sept. 10, could follow on or near Sept. 11, an antivirus company has warned.

If the Sobig virus creators continue their usual pattern, then Internet users should brace themselves on that day, warned Central Command, the Medina, Ohio-based maker of antivirus software and services.

The Sobig.F worm, the sixth variant of a worm first seen in January, was discovered on

Aug. 19, and is estimated to have infected-millions of systems worldwide.

A new variant might draw on all the infected computers to create "a cyber army focusing a digital assault against major on-line services," Central Command said today.

When particular conditions are met, the company explained, Sobig.F will attempt to download additional components of the attackers' choice. The conditions include performing tests to determine if the current day is Friday or Sunday between the hours of 19:00 (7 p.m.) and 22:00 (10 p.m.) UTC time.

When these conditions are met, the worm will attempt to retrieve further instructions that may include the downloading and execution a back-door hacker program.

Called "Trojan" programs, these back-door programs turn computers into zombies doing the bidding of the virus maker, including full control of the infected computer.

"The virus authors of Sobig have developed a predictable pattern of releasing new variants soon after the current version deactivates itself," Central Command vice-president Steven Sundermeier said.

"If the past repeats itself we could be looking at a newly constructed creation shortly after Sept. 10."

Mr. Sundermeier said he feared that the massive army created by Sobig.F could be used to launch an attack on large Internet infrastructures by means of a denial-of-service attack (DoS).

Sobig.F has been declared the fastest-spreading e-mail plague of all time.

MessageLabs Inc., a company that filters e-mail for corporate clients around the world, said Wednesday it had intercepted more than a-million copies of the Sobig.F virus the previous day, the most it has ever intercepted in a single day. That was one in every 17 e-mail messages the firm scanned.

"That's just a number we've never seen before," said Brian Czarny, MessageLabs' marketing director. The most widespread virus of all time, Klez, at its peak accounted for one in 125 messages scanned.

Sobig.F continued to spread aggressively on Wednesday, though the pace eased off a bit to about one in 60 messages, he said.

The virus spreads through Windows PCs via e-mail and corporate networks. It clogs e-mail systems with messages carrying subject lines like "Re: Details" and "Re: Wicked screensaver."

"It's a seeding," Mr. Czarny said. "All they're looking to do is plant that Trojan."

With a report from Associated Press

[Apple Pan Dowdy]

I know I will probably be "flamed" for what I am about to say, but here goes anyway......

Before Y2K, we listened to the tech community cry to the nation that we had to spend massive amounts of money to protect our computers from what was about to happen. No doubt that there was a thread of concern, but the techies took advantage of this mild concern and grew it to massive porportions, which then spread to enclude panics in buying food, supplies and even had some hiding out in caves in the mountains.

Now, reminded by the fable of the "boy crying WOLF", we are now told that our computers are about to be all shut down by massive worms and viruses. Can you blame us for doubting that this threat will be all that dangerous?

On the other hand, let's for a moment say that there IS a real danger..... we do not exactly make it easy for "newbies" and non-tech sorts to protect their computers from viruses. New PC owners are told that they were given a "free" anti-virus program... only in the fine print, they can't understand, does it explain that they need to now pay $65 for that anti-virus to update regularly and be of any use at all. Then we all know that anti-virus programs are NOT cheap, even to seasoned PC users who know to buy them. Then there is much miss-information going around....when I switched to cable connection I asked the installer, "do I need do do anything different for virus protection?" He said, "no". I was testing him. I said, "what about those firewall thingys? Do I need one of those?" He said, "no need, you are safe." I pulled out some literature and showed him why PC's on cable connections need firewalls (unless they are connected to a router), but that didn't faze him a bit. He said, "well then go ahead and waste your money lady."

A vast portion of the PC-using public has no idea that they need anti-virus protection or much less how to go about getting it. Computers are sold to people and then they are "thrown to the sharks" so-to-speak.... tossed into the waters to sink or swim alone. Perhaps if protecting the Internet is so vital, anti-virus programs should be built into ALL ISP packages and the charges for them encluded in ISP fees. Better yet, hand out anti-virus programs much the same way free browsers are handed out! Somehow I doubt that will happen as those same techies that made so much money crying wolf before Y2K are now making too much money repairing computers afer they inevidably get a virus!

[El Gato]

MAJOR pain in the rear. But that's about it.

But it's only dumb luck that's all it was. The SoBig.F virus installed an FTP server that would have allowed access to computers it infected. Apparently nothing was done with that access.. yet... this time. It may have been a "dry run" for doing some real damage. Whoever did it has shown that in any organization of any size, there will be some dumb schmuck that will open such an email, and once past the organizational firewalls, a worm can exploit vulnerabilities in the operating system to do pretty much whatever it's author wants.

It is interesting that the worm and it's "payload" were said to go dormant on Sept. 10th. Perhaps clearing the way for the real nasty to come on September 11th? At least we don't have long to wait to find out.

[FairOpinion]

"..... we do not exactly make it easy for "newbies" and non-tech sorts to protect their computers from viruses.

A vast portion of the PC-using public has no idea that they need anti-virus protection or much less how to go about getting it. Computers are sold to people and then they are "thrown to the sharks" so-to-speak.... tossed into the waters to sink or swim alone"

---

I completely agree with you. Also, firewalls are only useful if configured properly, yet nobody is teaching people how to do that, usually the default is not good enough.

On one hand we have the problem that apparently even computer administrators, who should know better aren't applying patches, screening out viruses, etc., and probably 80-90% of the public are just sitting ducks for such attacks. Most people aren't even aware how important it it to have up to date firewall and virus programs and how to configure them.

You are right -- this problem needs to be addressed.

[FairOpinion]

Read my article in my post 13 -- long, but very illuminating.

[Apple Pan Dowdy]

Question to you, since you seem to know of what you speak ..... am I right that I do not need a firewall if all computers are connected through a router? All sources seem to assure me of that, but I am always open to further information.

[windchime]

I don't think it's coincidence that many individuals connected to terrorists are in this country teaching/taking computer science/engineering courses.

[appalachian_dweller]

>> It is interesting that the worm and it's "payload" were said to go dormant on Sept. 10th. Perhaps clearing the way for the real nasty to come on September 11th? At least we don't have long to wait to find out. <<

Alas, good point. There's a tread just started in breaking news about another one that's suppose to go today. Haven't hit the thread yet. Going there now.

[FairOpinion]

"am I right that I do not need a firewall if all computers are connected through a router?"

--

I only have a little knowledge, more than that average person, perhaps, but significantly less than people who really know what they are talking about.

My understanding is that you still need a firewall. Just think, all companies connect their computers through routers and even firewalls and get hacked into routinely.

I think if you have a computer directly connected to the router, to act as a server for your own network, then connect your other computers to that one, THEN, as long as you have a firewall on the first computer, to catch everything, then you don't need a firewall on the rest of the computers.

But to have a router with NO firewall anywhere, I don't think is adequate, in fact I think it leaves you very vulnerable.

As I said, I don't know a great deal, but just consider the logic. I would suggest you do a few google searches, read up on it and get a firewall.

[TechJunkYard]

The potential of Y2K problems was indeed huge -- at least to the business community. There was massive prep for it, software manufacturers went through their code and either certified it as "Y2K-Ready" or fixed it so it was, businesses tested their stuff and made corrections as necessary (our staff discarded hundreds of old machines and thousands of old software packages that couldn't be certified, spent many weekends in the server room setting system clocks so they would roll-over and then testing the apps, and all of us were on-hand on New Years Eve 1999)... that things went as smoothly as they did does NOT mean that the problem was overblown -- indeed, our overseas ops were hit hard because they didn't do the prep that we did -- we knew it was coming and we were prepared for it.

The current worm/virus situation requires at least as large an effort to get under control. Customers should demand bug-free certified and tested code from their vendors, as they demanded Y2K-Ready certifications. That is the only to stop these attacks -- remove the vulnerabilities.

The current system is designed so that everyone makes money and no one is responsible for anything. From throwing release after release of buggy code over the fence (which must be constantly updated), to AV companies insisting on subscription-based AV applications which will never be able to anticipate the next attack (and must ALSO be constantly updated).

Solving the root cause of these problems will require absolute acceptance of major change in/to the software industry. And that will never happen.

[appalachian_dweller]

>> Well, there -will- be more worms as long as Microsoft puts out horribly insecure products. So the solution is simple: abandon all Microsoft use. Get another OS (Macintosh, Linux, FreeBSD, VMS, Solaris, HPUX, IRIX, AIX, I don't care), and use it instead. None of them are as worm-ready as Microsoft. <<

EXACTLY! I'm partial to Solaris myself. Wouldn't it be GREAT if EVERYONE abandoned Microcrap software and started using a truly superior OS?

Hey Bill! Can you say chapter 11

[martin_fierro]

FREE PC PROTECTION: Spybot S&D: Removes lurking spyware. AdAware: Removes lurking spyware. Bayden Systems Popup Popper: Blocks popup ads well in MSIE MailWasher: Good for pre-screening & bouncing SPAM AVG Anti-Virus Free Edition: Free anti-viral protection Windows Update: At least install the critical ones ZoneAlarm: Excellent Firewall

[Diddle E. Squat]

Luckily he just oh so happens to have a book to sell...

[montag813]

My company has dozens of computers, and we havent had a single incidence of virus or worm in the last 3 years. NOT ONE. Ignorant and lazy consumers and network managers are to blame if they are infected.

[=Intervention=]

I agree completely. These worms do NOT threaten all computers and only threaten computers with insecure OS's! It's not rocket science guys...I suppose the zeitgeist is very strong...

[FourPeas]

Other than a few crackpots who liked the media coverage, I don't remember seeing the tech community going overboard on Y2K. Yes, many corporations needed to spend some bucks to protect legacy systems, but truly the need for that isn't in the slightest bit debatable. That some went off half-cocked isn't the fault of techies, IIRC I read that the same thing happened in 1900.

I do agree that many who own PCs don't have an inkling of a clue when it comes to security, anti-virus, etc. Most people don't have a clue how to rebuild a carburator either. When they have a problem with their car, they go to a technician. It's the same with PCs, except computers, at least as far as a personal appliance, aren't considered as necessary as an automobile. This will work itself out in the long run, but I think we'll see even more virus/worm attacks before it does.

Let's face it, other than lost productivity and one nuclear power plant that was already off-line, there really hasn't been any damage proven yet. We still have yet to see what comes out of the latest blackout.

Corporate networks definitely need to ramp-up their security. Mr. FourPeas works in IT security and there *still* isn't the emphasis there that I'd expect. Apparently when it comes to the bottom line, the various outages caused by Blaster, Sobig, et al. really aren't that worrisome to the decision makers in corporations. So be it.

There may be a call someday for good computer security. If so, we have all the resources necessary to provide it. Until then, apparently the consensus is the status quo is just fine.

[CyberCowboy777]

BFL

[FourPeas]

Ignorant and lazy consumers and network managers are to blame if they are infected.

Mr. FourPeas works for a company with thousands of computers in more countries than I care to count utilizing wireless, VPN, you-name-it. Almost every time, the virus or worm causes at least some problems. Ignorance and laziness is a part of it, but certainly not all. For the most part, even to large corporations, IT security is not that important. Budgets are small; influence is minimal; standards are a joke. Trying to design a complex network where everything works seemlessly is not a piece of cake. Verifying that current revs of anti-virus and firewalls are rolled out to thousands of computers in a timely fashion requires time, money, clout, sufficient policies, enforcement, etc. It's just not THAT simple.

[boxerblues]

lol join the group, some of us have been getting this for days now

[Knitebane]

Ignorant and lazy consumers and network managers are to blame if they are infected.

Lazy consumers? Perhaps.

Lazy network managers? Only the one's for very small sites.

Let's take Blaster, for example and a typical enterprise, say, about 1000 servers and 10,000 desktops.

Each of those servers runs applications. Not all the same application, sometimes a mix of different ones, sometimes single purpose apps, sometimes apps in standby for a disaster recovery situation.

Let's say that there are, conservatively, 1000 servers with 100 different apps running on them. Each server configuration must be patched and then tested before going into production. That requires that either you have an exact duplicate machine for each production machine (which is prohibitively expensive both in hardware and Windows licensing costs) or you have a few machines that you can format, install Windows, install and configure the software, install the patch and test.

That means formating, installing and testing around between 100 and 500 servers in order to test every configuration. And that doesn't include testing every desktop configuration too.

Considering that a typical install evolution consisting of Windows, application and system configuration can take around 2 hours per server, plus add on a 24 hour window to let the machine run (during which time the machine can't be formated and move on to the next test platform) it's not unusual to require 3 to 6 months to test all servers and then patch them once a patch has shipped.

Blaster gave them about three weeks.

[montag813]

Let's say that there are, conservatively, 1000 servers with 100 different apps running on them. Each server configuration must be patched and then tested before going into production

I dont get your estimates. Once the patch came out, it took us less than 36 hours days to write scripts and patch 450 servers and workstations.

[6ppc]

Can you blame us for doubting that this threat will be all that dangerous?

Yes I can considering I just spent all day killing off the Welchia worm after spending a full day last week killing off the Blaster worm. Our company is well protected compared to most and they still got in. This is starting to have real economic impact. Our company is small, but it cost several thousand dollars worth of lost productivity and man hours.

The threat is real and will wind up impacting all of us.

[FairOpinion]

"Lazy network managers? Only the one's for very small sites."

The NY Times was shut down, a while ago the computers at Edwards Air Force Station had to be shut down, I understand there was a problem with the trains, all because of the worm.

[VOA]

The Next Worm Could Disable U.S. Communications and Computers

After wasting three hours of my time and that of a technician in clearing
SoBig from some lab computers...I knew how Arnold could assure his election as governor
of California. He'd just have say:

"I will propose sentences of 25 years to life for writers and willful facilitators of
spam, viruses, worms and other sorts of Internet terrorism. That's 25 years to
life for each offense, with sentences to run consecutively."

At this point, such a rational proposal would be greated by me with a
"what? no death penalty?".

[JustPiper]

Bump!

[JustPiper]

I want to thank you! Since you first posted these likes I got and am using Popup Popper, it is GREAT! I am using Mail Washer, it is a JOY! Ad-Aware has found so many files of spyware on my two drives, unbelievable, I supposedly had an excellent spyware on my pc, NOT! What do I do with the quarantined files though? And is Zone Alarm better than MS firewall or comprable? Question what about replacing IE with Mozilla?

[FlyVet]

Al Qaeda doesn't have the skill. This is more likely of chinese influence.

And if it is, there are many thousands here who will see that as a challenge. I'll bet we'll learn to bounce a cyber bomb right back at them.

[martin_fierro]

• I want to thank you! Since you first posted these likes I got and am using Popup Popper, it is GREAT!

  You're welcome -- glad to hear you found the links useful.

• I am using Mail Washer, it is a JOY!

  Yeah, it IS nice, innit? <|:)~ It can "learn" as you use it, so its filters get better over time. It will also alert you to viruses that are attached to some e-mail/SPAM.

• Ad-Aware has found so many files of spyware on my two drives, unbelievable, I supposedly had an excellent spyware on my pc, NOT! What do I do with the quarantined files though?

  The AdAware instruction manual says that the Quarantine-files are used to isolate and backup items detected during the scan, giving you an option to reinstall them at a later time. Just open the instruction manual and do a search on "quarantine".

• And is Zone Alarm better than MS firewall or comprable?

  I'm not sure -- I've just always used ZA and have found it to be EXCELLENT.

• Question what about replacing IE with Mozilla?

  Mozilla gives you better control over popups and cookie/spyware management than MSIE. Another alternative browser that gives you similar control is Opera (also free, but with ads).

[lilylangtree]

Just this morning (Saturday) I rec'd 55 and several came in as I was bouncing/deleting those suckers. Tried to make sure they didn't hit my email first.

[stlnative]

I think just about everyone is... I am getting them at my web-based Yahoo Email Account (over 25 times now)... The SoBig virus file is around 100k, so really watch out for those file attachments that are around 100k in size.

[JustPiper]

Again Martin, excellent advice, thank you!

[Knitebane]

I dont get your estimates. Once the patch came out, it took us less than 36 hours days to write scripts and patch 450 servers and workstations.

And you tested every configuration on non-production machines first, right?