War in Cyberspace
New Internet worm on loose.
US Attorney General John Ashcroft held a press conference 9/18/01
to announce the most dangerous Internet worm yet, dubbed variously
Code Blue and Nimda. It attacks through an email attachment (the
attachment is "readme.exe"), by infecting
Explorer browsers, propagating through netbios shares, and
by directly attacking web servers. More
on this story --->>
We and many other Internet sites are presently experiencing two
types of attacks:
1. Infected email The subject line on email sent to you is variable.
The attachment is "readme.exe" and has a MIME type of
"Content-Type: audio/x-wav;". This virus is "network
aware", which means it spread through open, unpassworded
NetBIOS shares. This is called the W32/Nimda.a@mm
2. A browser based attack that seeks to infect the targets web
server. This attack is now termed Code Blue.
From: Davis, Matt [mailto:email@example.com]
Sent: Tuesday, September 18, 2001 11:44 AM
To: Davis, Matt
Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM; firstname.lastname@example.org;
Subject: Some more details on the worm
When pages are served up by an infected server, it looks as though
readme.eml is 'attached' to them. The server attempts to get the
client to open them through the following bit of code (from the
According to Slashdot, this causes the file to be automatically
opened and executed by the client. I haven't been able to confirm
or deny that (but if someone can, please do).
Matt Davis, MCP
Intermediate Client Server Business Support Analyst
COUNTRY(SM) Insurance & Financial Services
How your web browser
can get infected by Nimda. From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Alert: Check your IIS boxes now!
-----BEGIN PGP SIGNED MESSAGE-----
Numerous people have reported that on IIS servers infected with
w32.nimda.amm, when visitors browse to their website the visitor
offered up README.EML, which in turn downloads README.EXE to the
Please, check your IIS boxes now to see if you are infected.
reports of IIS servers with more than 10,000 .eml files present
(mostly as a result of nimda).
While we don't have any conclusive disinfecting procedures yet,
IIS box that has been infected definitely shouldn't be available
clients until we do.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
Is hacktivism the
answer? In the aftermath of the terrorist attacks of
Sept. 11, some hackers are trying to organize strikes
against Middle Eastern nations. This is a very bad idea.
Almost all Middle Eastern nations hate terrorist
leader Osama bin Laden and are our allies in bringing
him to justice. The only government on the side of the terrorists
is Afghanistan. Most of the people
of Afghanistan also hate bin Laden and their Taliban oppressors.
We need to leave Afghanistan's Internet access up so US
cyberwarfare experts can use them for their own
rather, ahem, interesting uses.
NIPC (US National
Infrastructure Protection Center) has "already received
reports of individuals encouraging vigilante hacking activity.
Those individuals who believe they are doing a service to this
nation by engaging in acts of vigilantism should know that they
are actually doing a disservice to the country," their advisory
stated. See "It sucks
to be me" for details on how these hacktivists are actually
harming the war against terrorism.
Us folks at Happy hacker wish to thank those hackers who have
helped quiet down over-eager volunteers. Responding to the attacks
on America is an extremely delicate operation. If you want to
play a role in defending us in time of cyberwar, here are some
concrete steps you can take.
First, President Bush will let you know if he needs hacker vigilantes
to help. Right now he does NOT WANT VIGILANTE HELP. He probably
NEVER will want vigilante help. The kind of baloney that went
on with the US/China hacker war of April-May 2001 was an unfortunate
holdover from Clinton Administration policies. The Oct. issue
of Scientific American carries Carolyn Meinel's analysis
of this unfortunate fubar of foreign policy.