Slashdot Mirror
RPC DCOM Cleanup Worm Appears
UnderAttack writes "This morning, the SANS Internet Storm Center posted a note about an increase in ICMP traffic, including a quick initial analysis. As it turns out, yet another worm, this time the W32/Nachi.worm, is going around taking advantage of the RPC DCOM vulnerability. The twist this time: the worm will actually clean up machines. It tries to download the correct patches from Windows Update and remove the Blaster worm."
Now they just need to release a worm that cleans up the blaster virus by formatting the machine and installing linux
The only thing better than a clean up worm... is a gummi worm!
'Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?'
What happens when someone releases an anti-anti-Blaster-worm-worm-worm?
dinner: it's what's for beer
Oh wow! This is the internet equivilent of white blood cells! First there was white-hat hackers. Now white-hat virus writers? Makes a damn good change!
I'm taking bets on how long till the first lawsuit comes out against the person or persons who wrote this helpful worm. I say it will happend before the people who wrote the destructive worms are even arrested.
Space for rent, inquire within
now as much as this is a good idea it is bad because it reduces the internet bandwidth and creates users who don't know how to run windows update, if someone else keeps fixing the problem it will never be fixed.
For The Best Jazz/Hip-hop fusion > COlD DUCK
Heh, if this turned into a trend, it could spell the end of an industry - the virus-removal industry. Imagine: Open Sourced, hunter-seeker virus removal worms, out in the wild nearly as fast as the original, cleaning up the mess some scridiot created in a fit of juvinle mischief. Somehow, I don't think the virus writer/scanner cartel will not let this become a trend.
People who think they know everything are a great annoyance to those of us who do.
Because Mom and Pop can't be bothered to figure out this internet thingie ("can I talk on the phone at the same time? Will it turn on in the middle of the night and download spam?") It seems some avenging white-hat (aka Sysadmin who is tired of encountering so many damn infected machines) has coded up a viral solution!
An even better twist of fate would be for that individual to get arrested for creating a worm! (its a DMCA violation to use that hack...)
In the future, I would want to not be isolated from my friends in the Space Station.
I wonder if MS is h4x0r1ng themselves... maybe they figured the best way to get out a patch is to use their own vulnerability. ;-)
"It worked for the hackers, maybe it'll work for us!"
I've had this idea for quite awhile now. All these people that find exploits should just write a virus to patch the vulnerability.
Bravo.
I just got done scanning all my users to check for the patch install. About 1/4 have the patch so far, that are publicly accessable and not behind a firewall. Using the tool on Microsoft's website, and it seems to work well for us ISPs. I set up the router to block that port on my core router but if some gets inside the network with it, we might still get hit. This thing is bad.
No.
Wow, a worm to do the work that the sysadmin should have done in the first place. That'll encourage those lazy sysadmins to just sit back and continue to do nothing.
Prevent email address forgery. Publish SPF records for y
Instead of quickly cleaning mblast last week from my network, I could have just sat around on my ass and played video games . . . and let this worm do all the work for me. Damn.
I have wondered for a while when this sorta thing would start happening, anti-virus coders that go after the virus coders.
This could be something we see more of in the future, almost like a battle between the two groups, taking place on machines throughout the world while the majority of users are completly unaware.
It could be pretty interesting to see the whole thing unfold!
turning over my network to a well-meaning worm. I trust that it will properly protect my network. I believe that the teeth I put under my pillow magically are turned into quarters. I am confident that Microsoft has resolved this RPC implementation problem. I have faith that Microsoft's security initiatives are on track. I am sure that elves fix my shoes when I fall behind on my work.
I think on numerous occasions it was debated here and in other places whether this was something that should be done or not. I think some people raised privacy concerns and other ethical things like that. Basically saying "a virus is a virus" (yeah, yeah it's a worm :)) However it can be sort of viewed in the way vaccines are. Harmless strains of virii used to boost the immune system. That's just what this worm does. It's a harmless strain that clears up an "infection"
I think this is a worm I wouldn't mind my parents having on their computer. I'm almost positive they haven't patched their machine and now that DSL is in their rural area they're all the more vulnerable to it. If this can clean it up for them without me pulling my hair out while going over the update process then so be it :)
This is probaly the best internet virus news I've heard in a long time. Unfortunately, it's only a matter of time before the creator is tracked down and prosecuted for violation of internet security laws.
D
The first, last, and only tech news site on the net
Something about this seems like a global scale Core Wars game. How scary, horrible and cool at the same time.
someone makes a worm that downloads and installs a Linux distro?
No good deed goes unpunished. Who's going to give odds that the writer(s) of the 'good' worm will get caught and strung up by the short hairs under the DMCA? As long as it only affects machines that haven't already been patched- great. But what if it's flawed and actually causes unintentional damage? And if the original authors of the Blaster worm's intent was to teach people who ignore warnings a lesson, might this not start a virus war, of sorts? Sounds cool, but I'm not convinced this is an entirely good thing.
666-607: 6th floor apartment of the beast
Last week we were discussing the MSBlast worm here in the office and I commented, rather offhandly, "I wonder how long it will take before someone writes a phage worm that uses the same hole, but eats MSBlast?"
Apparently the answer is 'Four days at most...'
The extent to which the Internet recapitulates evolution and biological systems is astounding!
- -
Are you an SF Fan? Are you a Tru-Fan?
a sensibile worm, although, it will be interesting to see how many anti-virus companies will classify this as a "threat" or not, don't you think?
;).
- It is a worm by nature, but it also does good but without the user's authorization... Sounds a bit like automatic windows update gone postal
"See? See?!! We don't need to patch our systems because Microsoft is doing it for us by mailing us the fix in e-mail! See?! I'm not afraid of worms because eventually someone will fix it for me!"
Un-news
You know all those annoying car alarms that go off in the middle of the night waking everybody up?
I've made a better car alarm: it makes an even LOUDER sound, thus drowning out the original car alarm for everybody's protection.
Its the first time I see a car alarm that actually does something good!
"Old man yells at systemd"
But does this new worm try and download the update from www.windowsupdate.com?
P.S. If you didn't know, Microsoft took down windowsupdate.com, the correct site name is windowsupdate.microsoft.com
This article might answer your question.
Basically, No. Nothing happened.
No, Microsoft killed the windowsupdate.com domain.
Begun, this worm war has.
Basically someone has given you a week to fix it yourself, or they fix it for you.
This rocks.
should provide a great test of the security savvy of university IT departments, as students return to the dorms and plug in their unpatched computers, the vast majority of which probably haven't been connected to the Internet in several months.
Unsecured university networks could unleash a new wave of worm-infected machines on the Net. This could be fun to watch, for those of us who aren't uni sysadmins...
--joedoe
2 weeks ago, I receve a call from one of my customer telling me that he have done nothing but our application was no more working: he got a message server is unavailable or smthg like that.
You know when customer says:I did nothing, he lies not allways by intention but he lies. In fact , by asking some question, he told me that they just used Microsoft Auto upadte.
Now the point: HotFix 823980 fix well the problem of RPC overflow but cause an impossibility to access a COM+ object that we need (In fact our server is a com+ object). So if you fix the bug our software dont run if you don't...
Are we the only company that got this problem? Are we the only using a COM+ object server instantiate on client?
"Use cases are fairy tales..." I. S. 2005
Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply release wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
Let's see...
Does it magically boot the system off known good media to check for
rootkits/backdoors/trojans/[insert favorite evil here]???
No.
Does it magically monitor the traffic to and from the machine for a
reasonable period of time to ensure that nothing is amiss???
No.
Does it reinstall the host OS from the original media and restore the last
known good backup???
No.
So...what does it do?
It patches the hole and wipes out the worm if present, then deletes itself
in 2004. Great...except, MSBlaster wasn't the only thing that took
advantage of the RPC/DCOM exploit. Oops. Now the system administrator has
no cause to take any of the above steps because from his view, sitting in
his office running the latest eEye scanner, the machine was never
vulnerable.
When will folks figure out that these so called "good worms" are not a good
thing? The failure of the author to take note of such fundamental flaws in
his or her logic suggests that they have no business doing anything, much
less volunteering to correct the world's problems. Of course, this could be
a deliberate cover-up...but somehow I think it's just another security
cowboy trying to save the world.
The Cheese worm did this on compromised Linux systems a few years back. The antivirus industry, in accordance with Linux sysadmins everywhere, added detection for the worm. A virus is a virus, and any unauthorized access to a computer is a Bad Thing.
NAI report that this is a self-removing worm after 1st January 2004.
Never email donotemail@WeAreSpammers.com
The thing about the "white-hat" worm is that it'll eventually kill itself - as it runs around patching machines, there are less vulnerable machines out there, so it will lose its ability to spread.
Or, put another way, if there were no "white-hat" worm that might also up traffic for a while, there will probably be a black-hat one that WILL up traffic for a while, AND format a few hard drives to boot. Erm, not boot.
paintball
And you will know enough to either get rid of it or not get it in the first place. Think of how many people have things like Gator on their machine...which they in a way installed (kazaa, etc)...and have not a clue why they get so many popups.
For the rest of the people out there who would never even know they have this, I'd much rather have them infected with this version.
I would hope after a certain amount of time, it stops trying to find other infected machines. My previous post is based on this assumption.
-Pete
Soccer Goal Plans
People who think this is a good idea, are you for real??? Do you know how much work goes into protecting large corporate networks, rigorous testing of each and every patch before it goes into production, reacting to IDS alerts, identifying potentially vulnerable environments, etc... The fact remains the same, both worms exploit the same vulnerability, both worms modify system data without user's consent, and both are potentially "lethal" because of unpredicted errors and patch compatibility issues. Let's not pee our pants trying to cheer. This is not white hacking. White hacking is identifying the vulnerability, and advising the user on how to protect themselves, but what do I know, feel free to flame, cause that seems to be the common trend on /. these days...
I've been getting a lot of firewalled ping activity today, must be that cleanup worm. Machines that the Blaster worm never even tried to hit. I wouldn't trust a cleanup worm one bit more than I would Blaster. Everyone knows (or should know) you can't count on good intentions on the Internet!
"By running this infected program, you agree to abide by these terms & conditions..."
"W32/Nachi.worm"...sounds like a new spinoff group from Japan's pop-idol Hello! Project
There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
it patches the rpc hole and installs a tftp server on the saved machine. it then propogates to other machines, infecting them and patching the vulnerability so a later variant of the same worm won't be able to uninstall it.
If a such as this was written whenever a large vulnerability was discovered, and designed to be limited to a specific block of IP addresses, it could be a handy thing to have on hand for someone who admins a large private network. If your network doesn't get hit, then great, but if it does, just let this loose to clean things up.
- W32/Webster.Worm: Opens a command shell using the RPC VNC OpenHole ActiveX/rootsploit featurebug. Opens all MSWord and Works documents, fixes spelling and grammar, saves without a backup, then writes a polite "echo" line to AUTOEXEC.BAT gently chiding you to learn to read at a fourth grade level.
- W32/PSCheezRemove.AutoTrojanMurderWorm: Attaches to exposed port 5555, downloads GOODTASTE.EXE from a predefined HTTP server, which it then executes. Scans Hard discs for PSD files that employ garish glows, drop shadows, and procedural 2D fire effects, and replaces those layers with a text layer containing the URLs of several reputable visual arts schools.
- Existence/DrawerClean.Intruder: Waits until you leave for work, jimmies your bedroom window, and illegally enters your home. If he/she finds an underwear drawer, he/she folds and neatly stacks the contents of the drawer, quicksorting by color, then leaves. Symantec is reporting a variant, DrawerClean/FourStar, which leaves a mint on your pillow on the 16th of each month.
Microsoft killed the windowsupdate.com domain.
Did anyone else read this with the tune of "video killed the radio star" playing in their head?
You now have a worm that people are being led to believe that is a "trustworthy" worm.
Sure it is. But wait. As it moves around, it will be hijacked and mutated into something bad.
It will pickup a package along the way and drop it in your box, and because you are led to believe that it's a "good" worm you'll welcome it.
This is NOT smart computing. It's not responsible, by any means. If you don't take action of your own accord, you are lazy and stupid and you deserve whatever bad things happen to you because of it.
Fix your own problems or pull the plug. If you can't handle it, you have no business using a computer..
I feel there's only one possible author of this antiworm: Microsoft.
Think about it. No average sysadmin would do it to clean up his systems - there's too much liability under DMCA. Idiot home users don't care. Non-Microsoft people are glad that they were to be attacked on Saturday. Who's left? The punk kids who write all the viruses? Why would they care about this? The only other possiblity would be some security company like eEye trying to gain reputation - but again, the DMCA issues would prevent them from disclosing that they ever wrote it.
Hm... whoever wrote it cares a lot about Microsoft and isn't worried about the DMCA. Microsoft is the only possibility!
# Erik
Discreet, makers of 3dsmax, was also affected in a major way by this hot"fix" more info can be found here .max files they have been making, crash older un-patched windows, I myself spent a day figuring this one out, and getting everyone in my company up to speed.
Discreet Info
Its really a bummer for all those people who stay up to date to find that the
Windows is listening on about 6 ports. What services can I safely turn off so that those 6 ports are closed? These machines are simple TCP/IP client machines that do not need/want/use any Microsoft "innovations". I just need to be able to get to www and pop servers.
Any help would be appreciated.
These worms are child's play; it is only a matter of time before someone decides to do something *really* nasty with a well thought out worm.
There are probably thousands of programmers out there that could have written the blaster worm. Most did not want to do it. Of those that would, most seem to be content to write prankster-style worms. One individual decided to write an anti-worm-worm.
What if one had decided to write a *really* malicious worm? In my mind, it is a 99% certainty that eventually some pissed off malcontent will do so. And they do not even have to be in the country.
Imagine a malicious government, with 100 dedicated programmers.
Or a well funded terrorist or anarchist.
Imagine, multiple simultaneously spreading worms, helping each other by opening backdoors, targeting Windows systems, Apache web servers, hardware routers, telephone switchboards, and whatever else they can find. And the payload? Designed to inflict the most economical damage. Perhaps even a smokescreen to illicitly gain access to systems that manage power, water, electricity, and actually cause physical damage too.
Governments need to sit up and take notice, this is serious stuff.
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
What, that takes longer than a week? The "cure" may turn out to be no better then msblaster if it generates massive network traffic looking for new hosts.
No, this cure is no better than the dissease. When a machine is comprimised, it must be rebuilt. What makes you think your particular copy of Nachi is doing your work for you? There's no telling what the damn thing has done and the box is screwed.
The real cure it to get rid of insecure software like Microsoft makes. Companies that don't start moving toward secure platforms deserve to die.
If you can't get rid of it because you are enslaved by AutoDesk or similar, blind Microsoft to the network and dual boot it or VMware Windblows. Free software network tools are obviously superior and should be used for moving information around. Hell, ProE on Mac OSX is better for both purposes than AutoCAD on windblows. Similar solutions can be found where free software does not exist yet.
Friends don't help friends install M$ junk.
If Blaster wasn't in the wild, Nachi would be abhorent. But the thing is, Blaster is in the wild. It's folly to pretend otherwise.
I can see the pragmatic value of this form of worm, as long as it follows the rule that it should under no circumstances do more damage than the worm that it blocks. Sure, I'd still like to kick the crap out of whoever released it, but I'd shake his hand first.
If you were blocking sigs, you wouldn't have to read this.
When you get right down to it, a worm or a virus is just a bit of code that updates your computer in some fashion. It allows your computer to perform some function it did not previously perform. In essence, it is no different than hitting windows update and hoping for the best.
Well, of course there is a slight difference. With windows update, you ask for the update to happen. That is not the same as knowing what is really being changed. For example, the most recent windows update broke EI when it tries to talk to Squid. Also, I do not really know what is being updated by windows update, I just have to hope for the best.
So, is leaving a port open any more of a security risk than pressing the "Windows Update" button? Either way I am giving people who I do not know and probably don't trust access to my computer.
On the flip side, does a worm that improves my computer in some way any better than one that degrades my computer? Would it be ok for MicroSoft to release a worm that automatically upgrades EI? I think more right thinking people would agree that it is wrong, even if its for the right reasons. The end does not justify the means.
Somewhere there is a line between right and wrong here. The problem of course is that there are so many people who do not understand what a worm or an update are, how can they possible do the right thing? Does a fix it worm make sysadmins lazy?
Maybe. Does it help the little old lady who just wants to find out about her genealogy and does not know or care how her computer work? Absolutely. It also help those of us who have to help this little old lady out because she is out mother.
Someday, the computer will be as easy to use as a microwave. Until then, I will take all the help I can get.
Your friend and well-wisher
m0smithslash
http://www.ferociousflirting.com
Worm's growth is exponential. It needs to reach a critical mass, then it unleashes itself. The problem with a worm that seals the vulnerability is that the growth will spiral downward exponentially. It's like a parasite that kills it's host too quickly. I'm not quite sure about the details, maybe a mathamatician can help me out, but my gut reaction is that this might not work.
IN SOVIET RUSSIA, worm fixes YOU! (I am not laughing, are you?)
GNU/Linux: for when it actually has to work!
Sig:Why copyright isn't a fundamental human right
I KNEW IT!!! I checked google and NACHI is (National Association of certified Home inspectors). Man. What a pro-active group! I wonder if NOT having this worm will lower my mortgage?
There was some talk on the Full Disclosure lists of releasing a worm such as this. Now it appears that someone has done it. Kudo's to them. Now the question becomes: Do we let this worm just run freely out there? Do we try to stop it?
Past worms haven't been able to load updates like this simply because the vulnerabilities weren't as big as the RPC/DCOM vulnerability that is being used on this exploit/patch.
The whole internet worm thing has become rather booring. The security community has already learned the lesson to be taught: patch your machines. It looks like there is now something new to take notice of with the Nachi worm.
Now we need to come up with phrases such as: Are you a good worm, or a bad worm? Or White worms vs. Black worms.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
...is how good a job this worm does of
- identifying susceptable machines without burning the network,
- fixing exactly what needs to be fixed, no more, no less,
and, most importantly, how does the quality of this unsolicited support per dollar compare with Windows Update or what private companies charge for this service?I've often thought that this is the proper way to clean up machines where sysadmins fail to do their own patching after a decent interval.
In fact, if I were MS, I'd have someone do this, but disclaim any and all connection, for the obvious reason of legal liability.
[But considering the extra powers authorities have in the case of human infection - witness the recent SARS outbreak - having a net Doctor authorized to release a vaccine for such a serious vulnerability as this RPC/DCOM, at some point after the general notification, seems reasonable to me.]
"Provided by the management for your protection."
Governments need to sit up and take notice, this is serious stuff.
The government warned people TWICE to install the patch last month.
"Sufferin' succotash."
After a while, these analogies become completely pointless. We all understand how these programs work, and we can talk about them specifically. Right or wrong on it's own merits, not because it's 'like' something both hypothetical and ridiculous in the real world.
autopr0n is like, down and stuff.
Why do slashdotters think they are so good at coming up with analogies? You see this in every single article. Someone creates a perfectly fine analogy and 8 people respond saying "actually, it would be more like your neighbor/daughter/lawn gnome..."
:: Rosie O'Donnell : Attractive
Slashdotter : Good Analogy
It's viral, so it's not really a vaccine. It's more like cow pox. Cow pox is contagious, but not severe. And, if you get cow pox, you become immune to small pox (and cow pox, of course) forever after.
Sometimes I worry that I'll develop Alzheimer's disease, but no one will notice.
Some history:
Waaay back in the mists of time (1988) I was a 1st-year undergrad in Physics. Together with a couple of friends, I wrote a virus, just to see if we could, and let it loose on just one of the networked machines in the year-1 lab.
I guess I should say that the virus was completely harmless, it just prepended 'Copyright (c) 1988 The Virus' to the start of directory listings. It was written for Acorn Archimedes/BBC micro's (the lab hadn't got onto PC's by this time, and the Acorn range had loads of ports, which physics labs like
It spread like wildfire. People would come in, log into the network, and become infected because the last person to use their current computer was infected. It would then infect their account, so wherever they logged on in future would also infect the computer they were using then. A couple of hours later, and most of the lab was infected.
You have to remember that virii in those days weren't really networked. They came on floppy disks for Atari ST's and Amiga's. I witnessed people logging onto the same computer "to see if they were infected too". Of course, the act of logging in would infect them...
Of course "authority" was not amused. Actually they were seriously unamused, not that they caught us. They shut down the year-1,2,3 network and disinfected all the accounts on the network server by hand. Ouch.
There were basically 3 ways the virus could be activated:
We hadn't really counted on just how effective this was. Within a few days of the virus being cleansed (and everyone settling back to normal), it suddenly made a re-appearance again, racing through the network once more within an hour or two. Someone had put the virus onto their floppy disk (by typing *. on the floppy rather than the network) and had then brought the disk back into college and re-infected the network.
If we thought authority was unamused last time, this time they held a meeting for the entire department, and calmly said the culprit when found would be expelled. Excrement and fans came to mind. Of course, they thought we'd just re-released it, but in fact it was just too successful for comfort...
Since we had "shot our bolt", owning up didn't seem like a good idea. The only solution we came up with was to write another (silent, this time
We had actually built in a kill-switch to the original virus, which would disable and remove it - we didn't want to be infected ourselves (at the start). Of course, it became a matter of self-preservation to be infected later on in the saga - 3 accounts unaccountably (pun intended
So, everyone was happy. Infected with the counter-virus, but happy. "Authority" thought they'd laid down the law, and been taken seriously (oh if they knew...) and we'd not been expelled. Everyone else lost their infections within a few months
Anyway. I've never written anything remotely like a virus since [grin]
Simon.
Physicists get Hadrons!
It still runs code on a machine without the permission of the owner, and is therefore a virus.
Or Gator.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Although this looks like a great little worm, going after a nasty, poorly written worm, it effectively launches a DDOS attack against the real windowsupdate site, by downloading patches as it spreads at an exponentially increasing rate.
I'd sure like to see the source of this new worm. How is anyone to know for sure that it's only intentions are good until a full analysis has been done?
And if it is a "good virus" then why is it not open source? It should have nothing to hide, right?
In the case of Windoze, I do not mind. Windoze users gave up their freedom when they paid Big Brother Bill to lobby Washington to take away their freedom. But a few or even one individual controlling the entire Internet and, by extrapolation, most if not all world communication: That is frightening.
Sorry you have such contempt for others that don't choose the same OS as you do.
In response to your comments about super worms...
One thing that is coming from Microsoft is a Layer 7 filter with a simple user confirmation interface to augment the firewall for incoming and outgoing traffic.
It has the possibility to virtually remove any worm threat to Windows.
I hope other OSes will follow suit and make Layer 7 filtering a standard feature on the desktop and not just in server environments providing routing and caching.
More likely, Microsoft wrote the original MSBlaster worm, after all the code was amateurish and had serious bugs
Bodø community site
Seriously, this isn't the equivalent of popping a zit. A much better parallel would be an armed group, going around and popping the zits of everyone they encountered while holding them at gun/knife point.
The Seattle Post-Intelligencer, in an article on this, reports that "public safety systems in Seattle don't use Windows software." Talk about not recognizing a prophet in his home town....
"with their freedom lost all virtue lose" - Milton
1. When the pin is pulled, Mr. Grenade is no longer your friend.
2. Do not eat iPod shuffle.
This has the benefit of lowering the overall amount of traffic that is broadcast, and /.'ers would be happy to run these servers and eventually the viruses spread would logarithmically decay.
I am of assuming that there is some way to re-infect a already infected machine with new code. This may or may not be possible.
Spoiled sports!
Exactly what kind of cracker writes stuff like this?
If it did that, eventually it would self-kill all infected hosts until the few that remained can't find anyone else to infect.
Might make a good math exercise. As a host is cleaned and listens for attacks, it cleans other hosts, then those hosts also assume vigilante role. Eventually you'd have less and less infected hosts searching for victims and more and more former victims waiting to be found. I would expect the count of infected hosts to reach zero at some point, given that the method to find new hosts is random enough. Question is, how many events would have to occur to reach zero!
It Will be Back !
ICMP traffic -http://isc.sans.org/images/icmpfp.png FYI - that Source range the looks like it's generating the traffic seems to exist in the 141.211 - 141.213 range -- University of Michigan...
On my linux firewall guarding a company network I was seeing way over 1 million ping packets per minute at one point! I'd call that a DDoS attack! From the inside out.
For those with Linux firewalls, try the following iptables rules to rate limit those ping packets: