- The Washington Times - Wednesday, September 19, 2001

A vicious computer worm, seen as even more threatening than the Code Red Worm that slowed Internet traffic by half in July, began spreading across the Internet yesterday precisely one week after terrorist attacks on New York and Washington.

Computer security specialists from the government and businesses scrambled to stop the spread of the worm, which reproduces rapidly and caused a noticeable and immediate slowdown of the Internet.

Attorney General John Ashcroft said there is "no evidence" linking the worm to last week's attacks, but computer security specialists said some sort of relationship is likely, given the timing of the worm's release at just before 8:50 a.m. The first airplane crashed into 1 World Trade Center at 8:48 a.m.

"It's likely related somehow," said Dion Stempfley, principal security adviser for Riptech, an Alexandria computer security firm. "But what the relation is, we don't know. As far as I know, there's no note in there that says 'we did this, because.'" Mr. Stempfley is a former security analyst for the Pentagon.

The National Infrastructure Protection Center (NIPC), a division of the FBI, warned Monday of threatened hacking activity against Palestinian and Afghan groups.

A day after the terror attacks, a group of hackers named the Dispatchers claimed they had begun work on targeting the communications and finance infrastructures. They also predicted that they would be prepared to release a virus or worm yesterday, but there is no evidence to suggest any one area of the Internet was targeted.

The worm, referred to as "Nimda" because of the piece of Microsoft code that it exploits, is considered a bigger threat to Internet infrastructure than the Code Red Worm, which slowed Internet traffic by as much as 50 percent during its first wave of attacks in July.

"It's much bigger and much more aggressive" than Code Red, said Roger Thompson, director of Malware Research at TruSecure Corp. "I would say this is much worse. Basically, it comes at you from all different ways. This is happening so fast. This is just a biggie."

The worm reproduces quickly, just like Code Red, but it attacks more software vulnerabilities and does so in more ways. All computers running Microsoft operating systems, including Windows 95, 98 and ME are vulnerable, but the main target of the worm are servers running Microsoft's Internet Information Server Software.

Home PC users may be vulnerable but do not face the same risk as those on local area networks (LANs).

The worm is also spread via e-mail, when users open an attachment reading "README.EXE." It also can spread on its own across computers that are file-sharing, like on a company network, and post itself on Web pages. It then can download itself automatically.

The quick reproduction of the worm is a bigger threat than the worm itself, which can issue denial of service attacks, which flood servers with so much information that they crash. Most servers with updated anti-virus software are protected from such threats

There were no reports of significant server crashes due to the worm, but the danger to the Internet backbone from increased traffic remains. Any new vulnerabilities created by the Nimda worm can be exploited by other agents down the road, security specialists said.

"It's kind of a 'several different front' kind of problem," Mr. Stempfley said. "Most worms and viruses tend to exploit one vulnerability. This actually is doing a lot of different things." The Nimda virus attempts to exploit two different vulnerabilities in essentially four different ways.

The global traffic index, which rates Internet speed based on a 100-point scale, backed up claims that the worm was slowing Internet traffic considerably. The index in North America was as low as 20 early yesterday. Any number under 50 is considered troublesome.

"In terms of impact, it's been much more widespread" than Code Red, said Ken Van Wyk, chief technology officer for ParaProtect, a Centreville computer security firm. "From a data congestion standpoint, it's worse."

The NIPC was investigating the worm, which security experts say appeared just before 8:50 a.m. yesterday and spread rapidly.

More information on the worm is expected to come forth quickly, as specialists from the Computer Emergency Response Team (CERT) at Carnegie Mellon University work with those from the NIPC and software firms to analyze it.

"Our government together with the private sector which is, incidentally, a very strong and powerful partnership when we work together is assessing the problem," Mr. Ashcroft said.

Sign up for Daily Newsletters

Manage Newsletters

Copyright © 2020 The Washington Times, LLC. Click here for reprint permission.

Please read our comment policy before commenting.


Click to Read More and View Comments

Click to Hide