A new virus, which causes denial of service attacks on Web servers,
is spreading rapidly on the Internet through e-mail.
Richard Brain, technical director at anti-hacking specialist
ProCheckup, told CW360 that he had been seeing attacks on his own
Microsoft Internet Information Server and Apache Web servers since
2pm on Tuesday afternoon. "We think it is trying to break through
to the file server and tries 16 different attack methods," he
said.
So far, Brain said, he has monitored attacks coming from the UK, US,
Germany, Poland and the Czech Republic. The new attack, he added, is
far worse than Code Red, which struck in July. "We are getting an
attack every 30 seconds," said Brain.
The virus has the potential to cause a denial of service attack.
Brain said his multi-processor Compaq ProLiant server, which
normally runs at 2% utilisation, was running at 26% because of the
attack. The servers were slowing down, he explained,
because they had to expend processing power to examine malformed
URLs - in a similar way to what happened in the Code Red
attack.
Anti-virus vendor Sophos has issued a patch and a warning to users
about the virus, which it has dubbed Nimda-A. Nimda-A is an e-mail-aware
virus that spreads using an attached filename of README.EXE. In the
warning Sophos stated, "researchers are continuing to examine the
virus and will be posting a more detailed description of the virus
on the Sophos Web site once the analysis is complete."
Graham Cluley, senior technical consultant at Sophos, said, "We have
heard of hundreds of attacks in the last hour." He added: "It may
be trying to pump bad packets to the Web servers."
Russ Cooper, who heads up NTBugTraq, the independent forum for
tracking bugs in Microsoft operating system software, sent out an
e-mail alert which warned, "This thing cares not whether you are an
ISS box or not; it tries regardless."
He advised users to ensure that their inbound and outbound router
rules were configured correctly and, ideally, he said, users should
lock down their Net connections to the individual IP addresses of
computers on the network that needed access.