thedrifter
08-20-03, 06:43 PM
Navy says intranet hit by worm but still functioning
Officials reverse course on initial statement that intranet had 'gone down'
Story by Dan Verton
AUGUST 19, 2003 ( COMPUTERWORLD ) - WASHINGTON -- The Navy confirmed late today that its multibillion-dollar Navy/Marine Corps Intranet (N/MCI) was hit by a variant of the Blaster worm.
Earlier in the day, the Navy had said the network had been taken off-line possibly by a combined onslaught of the Blaster worm variant and Sobig.F Internet worms, which were spreading fast on the Internet (see story). But the impact was apparently much less severe.
Nicolle Rose, a Navy spokeswoman, said the N/MCI was first affected by the Blaster variant, also known as W32.Welchia.Worm, Blast.D and Nachi, at 3:05 p.m. yesterday. "The attack affected only the unclassified portion of the N/MCI network, has been contained, and cleanup is in progress," Rose said.
According to an official Navy statement on the incident released this afternoon, the U.S. Naval Network Warfare Command, along with the Navy's prime contractor on the program, Electronic Data Systems Corp., worked with antivirus vendor Symantec Corp. to develop and deploy fixes.
"Symantec released a signature file for Welchia late Monday, and EDS began installing the patch within minutes of its availability. However, by the time the patch became available, many N/MCI workstations had already been affected," the Navy statement said. "Since then, new virus definitions have been inserted at all server farms."
Kevin Clarke, a spokesman for Plano, Texas-based EDS, said early characterizations of the N/MCI "being down or broken [were] not accurate."
"We successfully defended against Blaster, but we're not sure how [Welchia] got into the system," said Clarke, whose company recently characterized the N/MCI as the most secure network in all of government. "What we had was intermittent delays in e-mail getting out to the external Internet and access in getting to some of the shared drives on the network," Clarke said. "But individual desktops still work. All of the protocols we have in place worked properly."
The Sobig.F worm also arrived at NMCI user desktops, but the Navy's antivirus software successfully stripping the infected e-mail attachments, Navy spokesman Ken Jarvis said. However, the high volume of junk e-mail stemming from the Sobig.F worm has been only a minor problem for users, he said.
N/MCI is a $6.9 billion IT outsourcing contract, often referred to as seat management, that will give the Navy and Marine Corps secure, universal access to integrated voice, video and data communications. EDS won the contract in October 2000. However, technical difficulties, deployment delays and user complaints have hampered the program since its inception.
In other news related to the Blaster variant, Symantec Security Response upgraded its rating of the worm to a Level 4 threat rating; Level 5 is the highest.
Symantec upgraded the threat because of the nature of the worm and its effect on corporate networks. The worm exploits two vulnerabilities, Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP Port 135, and Microsoft WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP Port 80.
The worm attempts to download the Distributed Component Object Model remote procedure call (DCOM RPC) vulnerability patch from Microsoft's update site and then reboots the infected computer so the update can be installed. However, "once a system is infected, the worm aggressively searches for other machines to infect," according to the Symantec warning. "This results in an increase in traffic that impacts the network performance."
Symantec Security Response
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
Navy's Intranet crippled by worm outbreak
http://www.computerworld.com/securitytopics/security/story/0,10801,84150,00.html
http://www.computerworld.com/securitytopics/security/story/0,10801,84158,00.html
Sempers,
Roger
:marine:
Officials reverse course on initial statement that intranet had 'gone down'
Story by Dan Verton
AUGUST 19, 2003 ( COMPUTERWORLD ) - WASHINGTON -- The Navy confirmed late today that its multibillion-dollar Navy/Marine Corps Intranet (N/MCI) was hit by a variant of the Blaster worm.
Earlier in the day, the Navy had said the network had been taken off-line possibly by a combined onslaught of the Blaster worm variant and Sobig.F Internet worms, which were spreading fast on the Internet (see story). But the impact was apparently much less severe.
Nicolle Rose, a Navy spokeswoman, said the N/MCI was first affected by the Blaster variant, also known as W32.Welchia.Worm, Blast.D and Nachi, at 3:05 p.m. yesterday. "The attack affected only the unclassified portion of the N/MCI network, has been contained, and cleanup is in progress," Rose said.
According to an official Navy statement on the incident released this afternoon, the U.S. Naval Network Warfare Command, along with the Navy's prime contractor on the program, Electronic Data Systems Corp., worked with antivirus vendor Symantec Corp. to develop and deploy fixes.
"Symantec released a signature file for Welchia late Monday, and EDS began installing the patch within minutes of its availability. However, by the time the patch became available, many N/MCI workstations had already been affected," the Navy statement said. "Since then, new virus definitions have been inserted at all server farms."
Kevin Clarke, a spokesman for Plano, Texas-based EDS, said early characterizations of the N/MCI "being down or broken [were] not accurate."
"We successfully defended against Blaster, but we're not sure how [Welchia] got into the system," said Clarke, whose company recently characterized the N/MCI as the most secure network in all of government. "What we had was intermittent delays in e-mail getting out to the external Internet and access in getting to some of the shared drives on the network," Clarke said. "But individual desktops still work. All of the protocols we have in place worked properly."
The Sobig.F worm also arrived at NMCI user desktops, but the Navy's antivirus software successfully stripping the infected e-mail attachments, Navy spokesman Ken Jarvis said. However, the high volume of junk e-mail stemming from the Sobig.F worm has been only a minor problem for users, he said.
N/MCI is a $6.9 billion IT outsourcing contract, often referred to as seat management, that will give the Navy and Marine Corps secure, universal access to integrated voice, video and data communications. EDS won the contract in October 2000. However, technical difficulties, deployment delays and user complaints have hampered the program since its inception.
In other news related to the Blaster variant, Symantec Security Response upgraded its rating of the worm to a Level 4 threat rating; Level 5 is the highest.
Symantec upgraded the threat because of the nature of the worm and its effect on corporate networks. The worm exploits two vulnerabilities, Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP Port 135, and Microsoft WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP Port 80.
The worm attempts to download the Distributed Component Object Model remote procedure call (DCOM RPC) vulnerability patch from Microsoft's update site and then reboots the infected computer so the update can be installed. However, "once a system is infected, the worm aggressively searches for other machines to infect," according to the Symantec warning. "This results in an increase in traffic that impacts the network performance."
Symantec Security Response
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
Navy's Intranet crippled by worm outbreak
http://www.computerworld.com/securitytopics/security/story/0,10801,84150,00.html
http://www.computerworld.com/securitytopics/security/story/0,10801,84158,00.html
Sempers,
Roger
:marine: