
[infowar.de] Navy says intranet hit by worm but still functioning



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

Background:
Navy's Intranet crippled by worm outbreak
Computerworld, 19.8.2003
http://computerworld.com/securitytopics/security/story/0,10801,84150,00.html
RB



http://computerworld.com/securitytopics/security/story/0,10801,84158,00.html

Update: Navy says intranet hit by worm but still functioning

Officials reverse course on initial statement that intranet had 'gone
down'

Story by Dan Verton 

AUGUST 19, 2003 (COMPUTERWORLD) - WASHINGTON -- The Navy confirmed
late today that its multibillion-dollar Navy/Marine Corps Intranet
(N/MCI) was hit by a variant of the Blaster worm, but it said that
earlier statements that the network had been taken off-line were
inaccurate. 

Nicolle Rose, a Navy spokeswoman, said the N/MCI was first affected by
the Blaster variant, also known as W32.Welchia.Worm, Blast.D and Nachi,
at 3:05 p.m. yesterday. "The attack affected only the unclassified
portion of the N/MCI network, has been contained, and cleanup is in
progress," Rose said. 

According to an official Navy statement on the incident released this
afternoon, the U.S. Naval Network Warfare Command, along with the Navy's
prime contractor on the program, Electronic Data Systems Corp., worked
with antivirus vendor Symantec Corp. to develop and deploy fixes. 

"Symantec released a signature file for Welchia late Monday, and EDS
began installing the patch within minutes of its availability. However,
by the time the patch became available, many N/MCI workstations had
already been affected," the Navy statement said. "Since then, new virus
definitions have been inserted at all server farms." 

Kevin Clarke, a spokesman for Plano, Texas-based EDS, said early
characterizations of the N/MCI "being down or broken [were] not
accurate." 

"We successfully defended against Blaster, but we're not sure how
[Welchia] got into the system," said Clarke, whose company recently
characterized the N/MCI as the most secure network in all of government.
"What we had was intermittent delays in e-mail getting out to the
external Internet and access in getting to some of the shared drives on
the network," Clarke said. "But individual desktops still work. All of
the protocols we have in place worked properly." 

N/MCI is a $6.9 billion IT outsourcing contract, often referred to as
seat management, that will give the Navy and Marine Corps secure,
universal access to integrated voice, video and data communications. EDS
won the contract in October 2000. However, technical difficulties,
deployment delays and user complaints have hampered the program since
its inception. 

In other news related to the Blaster variant, Symantec Security Response
upgraded its rating of the worm to a Level 4 threat rating; Level 5 is
the highest. 

Symantec upgraded the threat because of the nature of the worm and its
effect on corporate networks. The worm exploits two vulnerabilities,
Microsoft DCOM RPC vulnerability (described in Microsoft Security
Bulletin MS03-026) using TCP Port 135, and Microsoft WebDav
vulnerability (described in Microsoft Security Bulletin MS03-007) using
TCP Port 80. 

The worm attempts to download the Distributed Component Object Model
remote procedure call (DCOM RPC) vulnerability patch from Microsoft's
update site and then reboots the infected computer so the update can be
installed. However, "once a system is infected, the worm aggressively
searches for other machines to infect," according to the Symantec
warning. "This results in an increase in traffic that impacts the
network performance." 

Meanwhile, the Sobig.F is arriving at NMCI user desktops, but the Navy's
anti-virus software is successfully stripping the infected e-mail
attachments, Navy spokesman Ken Jarvis said. However, the high volume
of junk email stemming from the Sobig.F worm has been only a minor
problem for users, Jarvis added.
