New worm slows some Internet operations

Lag times on parts of the Internet double as the Nimda worm attempts to spread to servers and PCs.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

Many companies worldwide saw Internet bandwidth slow to a crawl Tuesday, as a new Internet worm flooded PCs and servers in its attempts to spread.

While many companies connected to the Internet seemed unaffected by the worm, known as Nimda, others said the damage ranged from nuisance to full-fledged outages.

"It seems to randomly be going through every IP (address) of my network," said Ian Neubert, director of information services for online telecom equipment seller TWAcomm.com, which found itself inundated with scans from infected machines. "This is ridiculous."

The worm, which appeared early Tuesday morning, spreads using a multipronged attack and infects both PCs and servers running Microsoft's Windows 95, 98, Me and 2000 operating systems.

To spread, the program sends an e-mail message with the worm in an attachment, scans for and then compromises vulnerable servers, jumps to shared hard drives on a network, and sends itself to any surfer whose browser requests a Web page from an infected server.
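The scanning vector described above is what network operators such as TWAcomm.com saw on their own address space: a single infected host walking through every address on a subnet in rapid succession. The following is an added example, not code from the article or from any product it names, showing how a defender can pick that pattern out of a connection log by counting how many distinct destinations each source contacts inside a sliding time window. The log layout (one `<ISO timestamp> <src> <dst> <dst_port>` record per line), the sample addresses and the thresholds are all assumptions made for this illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _constructed_sample():
    """Build a constructed connection log; the addresses are RFC 5737
    documentation ranges and the record layout is an assumption."""
    base = datetime(2001, 9, 18, 5, 30, 0)
    lines = []
    # A scanning host: ten distinct destinations within thirty seconds.
    for i in range(10):
        ts = base + timedelta(seconds=3 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 198.51.100.{i + 1} 80")
    # A normal client: repeated visits to the same three hosts over five minutes.
    for i in range(12):
        ts = base + timedelta(seconds=25 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.20 198.51.100.{(i % 3) + 50} 80")
    # A slow crawler: ten distinct destinations, but only one every two minutes.
    for i in range(10):
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.30 198.51.100.{i + 100} 80")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()


def parse_log(text):
    """Parse the assumed record layout into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_scanners(records, window=timedelta(seconds=60), threshold=8):
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct destinations inside some `window`-long span.

    A sliding window over each source's time-ordered events keeps a Counter of
    destinations currently inside the window, so old contacts age out and a
    slow crawler is not confused with a burst scan.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _port in records:
        by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have fallen out of the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, count in find_scanners(recs).items():
        print(f"possible scanner {src}: {count} distinct destinations within 60s")
```

With the defaults only the burst scanner is reported; widening the window to thirty minutes also catches the slow crawler, which is the trade-off between catching patient scanning and avoiding false positives on busy but legitimate clients. In a real deployment the threshold would be set from a baseline of normal fan-out for the monitored network rather than the fixed value used here.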

The multifaceted nature of the malicious program's infection is unprecedented, said experts.

"It's the Swiss Army knife of worms," said Greg Shipley, a security consultant with network protection firm Neohapsis. "It's friggin' amazing."

Yet Nimda's largest effect seems to be the amount of data it creates. The sheer volume produced by the worm's attempts to spread has caused grief for many companies.

Exodus Communications, a major Web hosting company, scrambled its Cyber Attack Tiger Team (CATT) this morning when the first intrusion detectors alerted the company to the worm around 5:30 a.m. PDT.

"This morning those things started going off like a Christmas tree," said Charles Neal, vice president of cyberterrorism detection and incident response for Exodus.

Some Exodus customers were affected, but CATT didn't yet know how many. In addition, about 10 computers in Exodus' 800-person consulting unit were affected and immediately patched, investigators said.

"All I can say is, in general, everyone who does business on the Web is going to be affected," said Bill Swallow, director of incident response at Exodus.

Network-protection service Counterpane Internet Security said most of its customers had seen their Internet bandwidth drop off as a result of the worm. The company, which monitors clients' networks and warns them of possible intrusions, would not divulge its customers' names.

"We have noticed a jump in terms of our alert volume between 1,000 and 10,000 times normal," said Tina Bird, architect of engineering for Counterpane.

The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University warned its members of the worm. Antivirus company Symantec gave the worm its second-highest "Level 4-severe" rating, and F-Secure gave the virus its highest rating.

While the worm infects computers running Microsoft Windows 98, Windows Me and Windows 2000, some reports have indicated that Unix machines running the popular Apache Web server software crashed when scanned by the worm.

That particular side effect crashed several servers at EarthLink's Web hosting business, according to Mel Lower, a customer of EarthLink. Lower, who hosts Web sites for small businesses through EarthLink, said two of his customers' sites were inaccessible for much of Tuesday.

The Davenport, Iowa, resident said he contacted EarthLink and was told that Nimda "crippled" two Unix server farms. EarthLink representatives could not immediately be reached for comment.

"We were told to shut down our e-mail for an hour while the company installed the virus-protection software," said Carol Snyder, spokeswoman for Lowestfare.com, based in Las Vegas. "After that there were no more problems."

Some sites unaffected
Not everyone was hampered by the worm, however.

Network-performance monitor Keynote Systems, which watches connectivity to 40 major Web sites, did not see any bandwidth problems Tuesday.

"We certainly aren't seeing" degradation, said Bill Jones, director of public services for the company. "When Code Red hit, we did see some elevation. I feel pretty comfortable that our numbers are an accurate representation."

A representative of online auction house eBay said the company had not been infected by the worm and had no indication of the reported Internet bandwidth problems. A Yahoo representative said some employees had been infected by the malicious program, but the worm did not affect company operations.

Representatives of Excite@Home, the nation's largest broadband service provider, said the company had not had any indication that it had been affected by the worm, nor had many of the nearly 4 million subscribers of Excite@Home's high-speed Internet service.

A spokesman for San Francisco-based BlueLight.com said the company had not experienced any virus-related problems. "The biggest problem I've got is from the e-mail from friends warning me not to open certain e-mail attachments," spokesman Dave Karraker said.

Both Sony and Texas Instruments said their networks had not been affected by the spread of the worm.

Though others may not have seen the worm, Counterpane's Bird said the infection is still going on and is still significant.

"It's just nuts that this might be a false alarm," she said. "We have had to take systems offline to clean the infection up."

Nimda continued to spread late in the afternoon, according to CERT.

"We are receiving a steady stream of reports of systems being affected by this," said Chad Dougherty, Internet security analyst for the Pittsburgh, Penn., security group. "We are looking on the order of tens of thousands of compromised machines."

Although the organization could not comment on reported widespread bandwidth problems, it did acknowledge that many of its members had encountered network slowdowns. "We got a number of reports from sites that had localized bandwidth denial of service," Dougherty said.

Staff writer Richard Shim and News.com's Gwendolyn Mariano, Corey Grice, Scott Ard and Sam Ames contributed to this report.