Navy: Intranet hit by worm but still functioning

The U.S. Navy confirmed late Tuesday that its multibillion-dollar Navy/Marine Corps Intranet (N/MCI) was hit by a variant of the Blaster worm, but it said that earlier statements that the network had been taken off-line were inaccurate.

Nicolle Rose, a Navy spokeswoman, said the N/MCI was first affected by the Blaster variant, also known as W32.Welchia.Worm, Blast.D and Nachi, at 3:05 p.m. Monday. “The attack affected only the unclassified portion of the N/MCI network, has been contained, and cleanup is in progress,” Rose said.

According to an official Navy statement on the incident released this afternoon, the U.S. Naval Network Warfare Command, along with the Navy’s prime contractor on the program, Electronic Data Systems Corp., worked with antivirus vendor Symantec Corp. to develop and deploy fixes.

“Symantec released a signature file for Welchia late Monday, and EDS began installing the patch within minutes of its availability. However, by the time the patch became available, many N/MCI workstations had already been affected,” the Navy statement said. “Since then, new virus definitions have been inserted at all server farms.”

Kevin Clarke, a spokesman for Plano, Texas-based EDS, said early characterizations of the N/MCI “being down or broken (were) not accurate.”

“We successfully defended against Blaster, but we’re not sure how (Welchia) got into the system,” said Clarke, whose company recently characterized the N/MCI as the most secure network in all of government. “What we had was intermittent delays in e-mail getting out to the external Internet and access in getting to some of the shared drives on the network,” Clarke said. “But individual desktops still work. All of the protocols we have in place worked properly.”

N/MCI is a US$6.9 billion IT outsourcing contract, often referred to as seat management, that will give the Navy and Marine Corps secure, universal access to integrated voice, video and data communications. EDS won the contract in October 2000. However, technical difficulties, deployment delays and user complaints have hampered the program since its inception.

In other news related to the Blaster variant, Symantec Security Response upgraded it to a Level 4 threat rating; Level 5 is the highest.

Symantec upgraded the threat because of the nature of the worm and its effect on corporate networks. The worm exploits two vulnerabilities, Microsoft DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP Port 135, and Microsoft WebDav vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP Port 80.

The worm attempts to download the DCOM RPC vulnerability patch from Microsoft’s update site and then reboots the infected computer so the update can be installed. However, “once a system is infected, the worm aggressively searches for other machines to infect,” according to the Symantec warning. “This results in an increase in traffic that impacts the network performance.”

Meanwhile, the Sobig.F is arriving at NMCI user desktops, but the Navy’s anti-virus software is successfully stripping the infected e-mail attachments, a Navy spokesman Ken Jarvis said. However, the high volume of junk email stemming from the Sobig.F worm has been only a minor problem for users, Jarvis added.