The Next Worm Could Disable U.S. Communications and Computers

In case you missed it, there is a very good aricle about Al Qaeda cyber attacks, including specific evidence found, in a June 2002 article in the Washington Post:

http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26

I don't know if the worms are the work of AQ (I doubt it) or the creation of some little punk in a basement with a computer and too much time on his hands, but these worms and the variants caused havoc around here.

No data loss, but several sites blocked incoming traffic. If fact, certain protocols are still blocked.

MAJOR pain in the rear. But that's about it.

Slammer worm crashed Ohio nuke plant network (Still Think The Blackout Wasn't A Cyber Attack???)
http://www.freerepublic.com/focus/f-news/968478/posts

Report warned power vulnerable to terror
http://www.freerepublic.com/focus/f-news/968487/posts

MICROSOFT WORKING WITH THE FEDS, VIRUS ATTACKS MAY BE TERRORISM
http://www.freerepublic.com/focus/f-news/968431/posts

Evidence gathered by Microsoft, the FBI, and the Secret Service on the worldwide attacks made against the computers running the Windows operating system fits the profile of 'terrorist activity.'

Industry sources citing Mirosoft officials told World Tribune.com that the recent attacks from the 'Blaster' worm and its variants, coupled with an email virus called 'SoBig-F' show signs of a coordinated attack by an entity wanting to disrupt world commerce.

Microsoft is cooperating with both the FBI and the Secret Service and will report their findings in the next few days.

ping

I don't know if the worms are the work of AQ (I doubt it) or the creation of some little punk in a basement with a computer and too much time on his hands, but these worms and the variants caused havoc around here.

My site's server is stopping about 22 a day. My wife's has stopped about a thousand.

Perhaps an alternate internet with no access for .cn,.kr,.sp,.hk,.tw would be a good start..kins of like a US only WAN?

I know Slammer is an exception, but almost every major Windows virus has exploited a hole for which the vulnerability was known and a patch was available, in many cases, for months before the attack.

Administrators of critical systems nned to be doing better jobs of keeping their systems patched in a timely manner. Of course, truly critical systems should have a backup that runs a different OS than the primary system.

Al Qaeda doesn't have the skill. This is more likely of chinese influence.

Question: Since last night, I've been deluged with email from addresses I've never heard of with the subject line starting" Worm SOBIG . . . I'm deleting these suckers as fast as I can. Has anyone else experienced this?

"Al Qaeda doesn't have the skill. This is more likely of chinese influence"

It could be either.

Al Qaeda can hire people too.

http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26

Officials said Osama bin Laden's operatives have nothing like the proficiency in information war of the most sophisticated nations. But al Qaeda is now judged to be considerably more capable than analysts believed a year ago. And its intentions are unrelentingly aimed at inflicting catastrophic harm.

One al Qaeda laptop found in Afghanistan, sources said, had made multiple visits to a French site run by the Societé Anonyme, or Anonymous Society. The site offers a two-volume online "Sabotage Handbook" with sections on tools of the trade, planning a hit, switch gear and instrumentation, anti-surveillance methods and advanced techniques. In Islamic chat rooms, other computers linked to al Qaeda had access to "cracking" tools used to search out networked computers, scan for security flaws and exploit them to gain entry -- or full command.

Most significantly, perhaps, U.S. investigators have found evidence in the logs that mark a browser's path through the Internet that al Qaeda operators spent time on sites that offer software and programming instructions for the digital switches that run power, water, transport and communications grids. In some interrogations, the most recent of which was reported to policymakers last week, al Qaeda prisoners have described intentions, in general terms, to use those tools.

http://www.globetechnology.com/servlet/story/RTGAM.20030822.gtsobigaug22/BNStory/Technology/

Sobig's second attack due at 3 p.m. today

By JACK KAPICA
Globe and Mail Update

Another surprise is in store for computers infected with the Sobig virus, security experts are warning.

The virus, the world's most widespread worm which has caused extensive damage to e-mail systems, is set to enter a second phase today (Friday, Aug. 22) at 1900 UTC or 3:00 p.m. EDT.

Co-ordinated by atomic clocks, consultants at CGI CIRT in Ottawa say, computers infected by Sobig will connect to 20 machines in the United States, Canada and South Korea. The list is encrypted in the virus body.

The machines, CGI CIRT says, appear to be home computers connected by broadband to the Internet.

Infected machines will then download a program from a certain Web address and run it.

Currently, that Web address doesn't go anywhere, the security people said. They speculate that the address will become active only seconds before the 20 computers start the download, which gives analysts no time to examine the program to defuse it.

As a result, no one knows what the program does or how much damage it is capable of doing.

Previous versions of Sobig (there have been six in all) have downloaded programs that erase the virus but install a password-stealing program, and install an e-mail proxy that can send spam, without the owner's knowledge.

Researchers were able to break into Sobig far enough to gather all the information except the source of the Web address.

The spamming feature, CGI CIRT said, suggests commercial interests have created the virus, and not a "typical teenage virus writer."

Meanwhile, an antivirus company is warning that a worm similar to the destructive Sobig.F virus, which was programmed to deactivate on Sept. 10, could follow on or near Sept. 11, an antivirus company has warned.

If the Sobig virus creators continue their usual pattern, then Internet users should brace themselves on that day, warned Central Command, the Medina, Ohio-based maker of antivirus software and services.

The Sobig.F worm, the sixth variant of a worm first seen in January, was discovered on

Aug. 19, and is estimated to have infected-millions of systems worldwide.

A new variant might draw on all the infected computers to create "a cyber army focusing a digital assault against major on-line services," Central Command said today.

When particular conditions are met, the company explained, Sobig.F will attempt to download additional components of the attackers' choice. The conditions include performing tests to determine if the current day is Friday or Sunday between the hours of 19:00 (7 p.m.) and 22:00 (10 p.m.) UTC time.

When these conditions are met, the worm will attempt to retrieve further instructions that may include the downloading and execution a back-door hacker program.

Called "Trojan" programs, these back-door programs turn computers into zombies doing the bidding of the virus maker, including full control of the infected computer.

"The virus authors of Sobig have developed a predictable pattern of releasing new variants soon after the current version deactivates itself," Central Command vice-president Steven Sundermeier said.

"If the past repeats itself we could be looking at a newly constructed creation shortly after Sept. 10."

Mr. Sundermeier said he feared that the massive army created by Sobig.F could be used to launch an attack on large Internet infrastructures by means of a denial-of-service attack (DoS).

Sobig.F has been declared the fastest-spreading e-mail plague of all time.

MessageLabs Inc., a company that filters e-mail for corporate clients around the world, said Wednesday it had intercepted more than a-million copies of the Sobig.F virus the previous day, the most it has ever intercepted in a single day. That was one in every 17 e-mail messages the firm scanned.

"That's just a number we've never seen before," said Brian Czarny, MessageLabs' marketing director. The most widespread virus of all time, Klez, at its peak accounted for one in 125 messages scanned.

Sobig.F continued to spread aggressively on Wednesday, though the pace eased off a bit to about one in 60 messages, he said.

The virus spreads through Windows PCs via e-mail and corporate networks. It clogs e-mail systems with messages carrying subject lines like "Re: Details" and "Re: Wicked screensaver."

"It's a seeding," Mr. Czarny said. "All they're looking to do is plant that Trojan."

With a report from Associated Press

I know I will probably be "flamed" for what I am about to say, but here goes anyway......

Before Y2K, we listened to the tech community cry to the nation that we had to spend massive amounts of money to protect our computers from what was about to happen. No doubt that there was a thread of concern, but the techies took advantage of this mild concern and grew it to massive porportions, which then spread to enclude panics in buying food, supplies and even had some hiding out in caves in the mountains.

Now, reminded by the fable of the "boy crying WOLF", we are now told that our computers are about to be all shut down by massive worms and viruses. Can you blame us for doubting that this threat will be all that dangerous?

On the other hand, let's for a moment say that there IS a real danger..... we do not exactly make it easy for "newbies" and non-tech sorts to protect their computers from viruses. New PC owners are told that they were given a "free" anti-virus program... only in the fine print, they can't understand, does it explain that they need to now pay $65 for that anti-virus to update regularly and be of any use at all. Then we all know that anti-virus programs are NOT cheap, even to seasoned PC users who know to buy them. Then there is much miss-information going around....when I switched to cable connection I asked the installer, "do I need do do anything different for virus protection?" He said, "no". I was testing him. I said, "what about those firewall thingys? Do I need one of those?" He said, "no need, you are safe." I pulled out some literature and showed him why PC's on cable connections need firewalls (unless they are connected to a router), but that didn't faze him a bit. He said, "well then go ahead and waste your money lady."

A vast portion of the PC-using public has no idea that they need anti-virus protection or much less how to go about getting it. Computers are sold to people and then they are "thrown to the sharks" so-to-speak.... tossed into the waters to sink or swim alone. Perhaps if protecting the Internet is so vital, anti-virus programs should be built into ALL ISP packages and the charges for them encluded in ISP fees. Better yet, hand out anti-virus programs much the same way free browsers are handed out! Somehow I doubt that will happen as those same techies that made so much money crying wolf before Y2K are now making too much money repairing computers afer they inevidably get a virus!

MAJOR pain in the rear. But that's about it.

But it's only dumb luck that's all it was. The SoBig.F virus installed an FTP server that would have allowed access to computers it infected. Apparently nothing was done with that access.. yet... this time. It may have been a "dry run" for doing some real damage. Whoever did it has shown that in any organization of any size, there will be some dumb schmuck that will open such an email, and once past the organizational firewalls, a worm can exploit vulnerabilities in the operating system to do pretty much whatever it's author wants.

It is interesting that the worm and it's "payload" were said to go dormant on Sept. 10th. Perhaps clearing the way for the real nasty to come on September 11th? At least we don't have long to wait to find out.

"..... we do not exactly make it easy for "newbies" and non-tech sorts to protect their computers from viruses.

A vast portion of the PC-using public has no idea that they need anti-virus protection or much less how to go about getting it. Computers are sold to people and then they are "thrown to the sharks" so-to-speak.... tossed into the waters to sink or swim alone"

---

I completely agree with you. Also, firewalls are only useful if configured properly, yet nobody is teaching people how to do that, usually the default is not good enough.

On one hand we have the problem that apparently even computer administrators, who should know better aren't applying patches, screening out viruses, etc., and probably 80-90% of the public are just sitting ducks for such attacks. Most people aren't even aware how important it it to have up to date firewall and virus programs and how to configure them.

You are right -- this problem needs to be addressed.

Read my article in my post 13 -- long, but very illuminating.

Question to you, since you seem to know of what you speak ..... am I right that I do not need a firewall if all computers are connected through a router? All sources seem to assure me of that, but I am always open to further information.

I don't think it's coincidence that many individuals connected to terrorists are in this country teaching/taking computer science/engineering courses.

>> It is interesting that the worm and it's "payload" were said to go dormant on Sept. 10th. Perhaps clearing the way for the real nasty to come on September 11th? At least we don't have long to wait to find out. <<

Alas, good point. There's a tread just started in breaking news about another one that's suppose to go today. Haven't hit the thread yet. Going there now.