'Good' worm, new bug mean double trouble

Two new threats on the Internet are creating so much traffic that some networks are slowing to a crawl, security experts say.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
4 min read

special coverage
'MSBlast' echoes over Net
 Worm exploits widespread
 Windows flaw

A "good" Internet worm and a new malicious mass-mailing computer virus are creating an enormous amount of network traffic, slowing some corporate systems, security experts said Tuesday.

The Internet worm--called MSBlast.D, W32.Welchia or W32/Nachi--started compromising computers Monday and has overwhelmed some corporate networks with its aggressive scans for vulnerable hosts. Meanwhile, a new variant of the mass-mailing Sobig virus, called W32/SoBig.F, took off on Tuesday, swamping many companies' mail servers.

The double whammy caused problems on some corporate networks but not for the Internet at large. SoBig.F disrupted e-mail systems at the Massachusetts Institute of Technology, while the MSBlast variant, Nachi, disrupted the ticketing systems of Air Canada and the corporate networks at Lockheed Martin.

"This is local clogging as opposed to worldwide Internet clogging," said Jimmy Kuo, a research fellow at security software company Network Associates. "There are many areas of local pain."

The MSBlast variant, Nachi, infects computers using the same widespread vulnerability in Microsoft Windows that previous versions of the worm exploited. The program then downloads a patch to protect systems against future infections of the MSBlast worm. The worm's goal of patching systems resulted in some pundits labeling it a "good" worm.

While the intentions of the unknown worm writer seem to have been good, its aggressive spread has clogged many networks.

"It's faster," Kuo said. Previous versions of MSBlast tried to spread to 20 different network addresses at a time but had to wait for each attempt to fail, if no computer was at that address. The Nachi variant tries to spread to 300 different addresses at a time and doesn't wait, letting it spread very fast.

Lockheed Martin and Air Canada were among the many companies that suddenly found their networks inundated with data, as the Nachi worm searched for vulnerable hosts to infect.

Although the worm infected less than one percent of the company's 110,000 desktops, Lockheed Martin had some disruptions, said Elaine Hinsdale, director of communications for the company.

"Lockheed Martin, like many others around, has had to deal with this worm," she said.

Air Canada had more serious issues. The Nachi virus disrupted the airline's reservation center, forcing the carrier to delay and cancel flights.

"As a result of the virus, the impact of which is not limited to Air Canada, a number of the airline's computer systems are affected, including its reservations and airport check-in systems," the company said in a statement it released Tuesday. "While the airline's on-time performance has been good up to (11 a.m. PDT), in addition to longer wait times customers should expect some flight delays and cancellations for the remainder of the day."

SoBig, so far
The latest version of the SoBig mass-mailing computer virus also caused headaches for network administrators. E-mail service provider MessageLabs stopped more than 100,000 messages carrying the latest virus in the first few hours of the attack.

"It is definitely a quick spread," said Brian Czarny, marketing director of MessageLabs.

Administrators at MIT had to deal with blocking the avalanche of copies of the SoBig.F worm.

"It is just causing long delays," said Jeffrey Schiller, manager of the university's network. Because so many messages had hit MIT's e-mail gateways, the computers had long queues of messages waiting to be processed by the antivirus filters. Combined with the effort of stomping out Nachi, the administrators had their hands full, Schiller said.

"There is a special section of hell reserved for the guys that write these things," Schiller said.

Rick Stratton, president of Web software company 1871 Media, said the virus hit his business and his clients' Web sites hard, because many sites had public e-mail addresses posted on their pages.

"Before I turned (the transmission of those e-mails) off, I probably got about 200 in an hour," he said. "The Web mail interface can't even process the volume."

The SoBig.F virus spreads by harvesting e-mails from Web pages and from the address book of an infected computer. It sends a copy of itself to the addresses in an e-mail message with a subject lines such as "Your Details" "Re: Approved," and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer.

Stratton said he doesn't think his company nor his clients were infected with the virus, but the amount of e-mail generated by SoBig.F caused enough of a headache.

"Once I figured it out, I was fine. But I found our customers were getting killed with the number of e-mails created," he said.

The SoBig variant isn't all that different from previous versions of the worm. The family of viruses is thought to have been created so that spammers can use victims' computers to send bulk e-mails anonymously. Compromised systems connect to an Internet server specified by the virus and download a Trojan horse, Kuo said.

While the mass-mailing virus hasn't changed much, people still open the attachment and infect their computers, he said.

"The education is slow," Kuo said. "We would have figured that this mechanism should have died out a year ago, but people still do click on e-mail attachments."