Probably the most widespread worm ever, Sobig.F continues to inundate the Internet. Fortunately for us, we've been blocking the worm at our e-mail server since Tuesday morning at 5:40 when we saw our first occurrence. Nevertheless, the worm has had a significant impact on our network.
We have been blocking viruses and worms at the e-mail server for approximately one year and keeping detailed statistics during that time. On average, we process between 10,000 and 20,000 e-mail messages per day. Monday (8/18/2003), we processed 15,577 messages, 58 of which were viruses that were blocked.
Tuesday, Sobig.F was released and we saw a significant increase in e-mail and virus activity. We processed 22,015 messages on Tuesday. 3,725 of these messages were blocked viruses, of which the vast majority were the Sobig.F worm (3,682).
On Wednesday, the worm activity intensified. We processed 32,030 total messages. More than a third of these messages (12,005) were viruses; 11,886 of them were Sobig.F. This made Wednesday, August 20, 2003, the fourth busiest day ever in the history of Earlham e-mail.
Thursday kept up the activity, with 28,800 total messages, 11,118 of which were Sobig.F. During Wednesday and Thursday, we were receiving Sobig.F messages at the rate of approximately one every seven seconds. As of mid-morning on Friday, the rate seems to be remaining at the same level as the previous days.
In addition to the statistics kept by the mail server itself, the worm's impact can be seen by the PacketShaper on our Internet connection. The following graph shows the inbound e-mail traffic (including POP and IMAP retrievals) on our Internet connection for the period of the two weeks prior to Friday, August 22, 2003. It shows a noticeable increase in traffic starting on August 19.
Update (Sep 11, 2003):
We started keeping detailed records of the number and kinds of viruses dropped at the mail server in February of this year. This graph shows both the total number of messages processed each day and the number of viruses dropped. The number of messages shows a strong weekly cycle, while viruses have only made up a small portion of the traffic until recently. This week we have dropped more viruses than the peak number of messages processed in some previous weeks.
While we had few, if any, incidents of the now infamous Blaster worm, we just experienced the effects of the ill-conceived Nachi worm. This worm supposedly cleans up and patches systems that are vulnerable to the same exploit. This is a striking example of how vigilante justice and the desire to write "cleanup" worms are, if anything, worse than the original worms.
The Nachi worm exploits the same vulnerability that the Blaster worm uses; however, its aim is to cure the affected computer. It attempts to download system patches from Microsoft, apply them, and then spread to other vulnerable computers, fixing them. Unfortunately, its method of spreading uses ICMP "ping" packets to map out the network. This causes severe congestion on local area networks and renders wide area networks such as the college's T1 line completely unusable. Thanks to an emergency firewall device, we were able to isolate the infected network and block these ping packets, using both the firewall and the campus core routers. We are currently in the process of cleaning up the systems infected with the "cleanup" worm.
[Note: "Lovsan" is an alternate name for the Blaster worm.]
We've seen a lot of Windows RPC traffic recently, probably as a result of exploit code published on the net to attack the vulnerability.
This graph shows the inbound traffic for Windows RPC protocols as recorded at our network border (the main campus PacketShaper) for the last week:
Scanning has increased radically over the last day. All of these connections were dropped or ignored; as of this morning, the PacketShapers are configured to block all inbound and outbound Windows RPC protocols.
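Both outbreaks described on this page (Nachi mapping the network with ICMP echo requests, and the RPC scanning that precedes a Blaster-style attack) share one network signature: a single source contacting many distinct destinations in a short time, which ordinary hosts rarely do. The following script is an added example, not code from the original page or from Earlham's network tools, showing a fan-out detector that finds such sources in firewall log lines. The log line format, addresses, thresholds and sample traffic are all constructed for the example; it assumes the log is in time order and that ICMP echo (type 8) and TCP port 135 are the services worth watching.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) firewall log format, one record per line:
#   2003-09-10T08:15:01 DENY icmp 10.1.2.3 -> 10.1.5.1 type=8
#   2003-09-10T08:15:06 DENY tcp 10.1.2.9:1001 -> 10.1.7.1:135
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>icmp|tcp|udp) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<itype>\d+))?$"
)


def parse_line(line):
    """Return (timestamp_seconds, src, dst, service) or None for unparsable lines.

    service is 'icmp/type<N>' for ICMP and '<proto>/<dport>' otherwise, so
    an ICMP echo sweep and a TCP/135 scan are tracked as separate services.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).timestamp()
    if m["proto"] == "icmp":
        service = f"icmp/type{m['itype']}"
    else:
        service = f"{m['proto']}/{m['dport']}"
    return ts, m["src"], m["dst"], service


def detect_sweeps(lines, window=60.0, threshold=20,
                  watched=("icmp/type8", "tcp/135")):
    """Flag sources whose distinct-destination count for a watched service
    reaches `threshold` within any `window`-second span.

    Returns {(src, service): peak distinct destinations}.  Counting distinct
    destinations rather than packets keeps a chatty but legitimate host
    (an admin pinging the same few servers) from being flagged.
    """
    recent = defaultdict(deque)   # (src, service) -> deque of (ts, dst)
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, service = rec
        if service not in watched:
            continue
        key = (src, service)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop records outside the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and distinct > hits.get(key, 0):
            hits[key] = distinct
    return hits


def build_sample_log():
    """Constructed traffic: a Nachi-style ICMP sweeper, an RPC scanner, and
    background hosts with high volume but low fan-out."""
    base = datetime(2003, 9, 10, 8, 15, 0)

    def at(sec):
        return (base + timedelta(seconds=sec)).isoformat()

    lines = []
    # Sweeper pings every host in 10.1.5.0/24 in under 40 seconds.
    for i in range(1, 255):
        lines.append(f"{at(i * 0.15)} DENY icmp 10.1.2.3 -> 10.1.5.{i} type=8")
    # Scanner tries TCP/135 on 40 hosts in 10.1.7.0/24, one per second.
    for i in range(1, 41):
        lines.append(f"{at(5 + i)} DENY tcp 10.1.2.9:10{i:02d} -> 10.1.7.{i}:135")
    # Admin host pings the same three servers once a second: many packets, fan-out 3.
    for i in range(60):
        lines.append(f"{at(i)} ALLOW icmp 10.1.2.50 -> 10.1.9.{1 + i % 3} type=8")
    # Ordinary mail delivery, not a watched service.
    lines.append(f"{at(3)} ALLOW tcp 10.1.2.20:1301 -> 10.1.9.5:25")
    # The detector assumes time order; ISO timestamps sort correctly as strings.
    lines.sort(key=lambda l: l.split(" ", 1)[0])
    return lines


if __name__ == "__main__":
    for (src, service), fanout in sorted(detect_sweeps(build_sample_log()).items()):
        print(f"{src} reached {fanout} distinct hosts on {service} within 60 s")
```

Only the two scanning hosts are reported; the admin host that pings three servers sixty times is not, because the metric is distinct destinations, not packet count. In practice the flagged sources are the ones to isolate at the core routers or firewall, as described above for the Nachi cleanup.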
The latest Vexira virus definitions should detect viruses that search for this vulnerability.
We upgraded the main campus PacketShaper to a 10 Mbps link size capability and upgraded the dorm network shaper to version 6.0.1 of the PacketWise software.
The 10 Mbps upgrade will allow us to use our planned bonded T1 lines (two total, for a 3 Mbps link size). Previously we were limited to 2 Mbps - sufficient for a single T1.
The new PacketWise software includes more sophisticated traffic shaping and a number of management enhancements. We will be installing it on the main campus shaper early next week at a low usage time (it will take only a couple of minutes to upgrade the software).
The main campus PacketShaper is now running the latest PacketWise software as well. In addition, I adjusted the rules to completely block all Windows file sharing protocols in response to the W32/Blaster worm and MS RPC calls.
Sometime during July another drive failed on the CD server. Apparently the cooling went out again and the drives heated up. A new drive is on overnight delivery and should be ready by the weekend.
We got a drive shipped to us and it's currently rebuilding the RAID set. All should be good soon.