Slashdot Mirror


CAIDA Released Code-Red Worm Post Mortem

davidu writes "David Moore at CAIDA (The Cooperative Association for Internet Data Analysis) was monitoring an entire /8 network while the code-red worm traversed the net. His findings are really interesting and show just how swiftly code-red moved across the net and infected hosts. It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worm's attack and DoS potential. Note: check the graphs; these pictures really do tell a thousand words."

186 comments

  1. Re:sheer stupidity by Anonymous Coward · · Score: 1

    You probably meant "surely arise", but there's something poetic about "surly arise" in this context.

  2. Greetings Professor Falken by Anonymous Coward · · Score: 1

    That animation would look good projected on the screen of the War Room at NORAD!

    "No, I want to play Global Thermonuclear War..."

  3. lesson 1: bounds checking code is mandatory by Anonymous Coward · · Score: 1

    Based on the willingness to "give up" that was coded into this worm, I suspect that the author desired it to be a troublesome but not lethal wake-up call. I do not condone or participate in such activity. I also doubt that I'd be likely to insist on strict punishment to the worm author were I the member of a jury. I do take a dim view of manufacturers that produce flawed and potentially dangerous products. Many other industries are held responsible for this kind of thing. What's so different about the software industry that it seems to be excluded from the equivalent responsibility?
    Things like the Code Red worm and particularly the analysis of its propagation do provide valuable lessons. It does seem to me that languages used to produce products like IIS and Outlook should be constructed so that programmers already up to their necks in complex code and company meetings can just specify a compile time option or the inclusion of a security library or something to provide for generation of bounds checking routines.

    What's a little more code bloat after all if it will stop these rascals?

    1. Re:lesson 1: bounds checking code is mandatory by Blade · · Score: 1

      Turbo Pascal has an option to do that ... I was told once that any language compiler that would offer to write array bounds checking must be for a mickey mouse language. After all, real programmers didn't need help from compilers to do that.

  4. All remote exploits are dangerous, not just IIS by Anonymous Coward · · Score: 1
    Gee, I wonder what people will say when an Apache or other *nix worm starts spreading... consider the fact that this Red Code worm is based on a remotely exploitable buffer-overflow bug that results in root/admin privileges. I wonder how many of those have been and will be found in linux, *bsd, solaris, etc?

    My point is, not all bugs of this class are used in a worm. It is MS' fault for creating this bug, but, as far as this bug goes, it is no worse than, say, bind's last remote root-exploit (you'd think both of them would have learned from their past mistakes!) Granted, most people who run bind are more clued than those who run IIS. (I can hope, can't I?)

    Remember, any remotely exploitable hole which allows the attacker to run arbitrary code can be turned into a worm (don't necessarily need root/admin privs). We're simply fortunate that most holes have not yet been used in this manner. It's only a matter of time before another multi-attack, multi-platform worm is released (remember RTM?) but with a more dangerous payload written by someone who has no morals and is not looking for instant gratification (e.g., spread slowly, then unleash destruction all at once).

  5. Re:Prelude by Anonymous Coward · · Score: 1

    If, in the case of SirCam, files were posted to an unmoderated news group instead of e-mailed randomly then the authors could retrieve them anonymously

    I was thinking it would also be possible to integrate Cain-like or LophtCrack-like functionality into something like SirCam, and post computer+username+passwords to something like unmoderated newsgroups. My password is VERY cryptic (mostly not even alphabetic characters), so I thought I was safe until I saw Cain take less than a second to crack that password which I'd used on some Windows shares. Or a hotmail account. Perhaps a virus a little more low-profile than SirCam, so that it's not as easily detected.

  6. Re:Don't be a jackass by Anonymous Coward · · Score: 4
    There is about 3 security bulletins from M$ per week.

    Exaggeration. While this was true in the past, the rate of such bulletins has been slowing. I've received three for the entire month of July so far.

    This patch in question requires SP1 to be installed as well. If the IIS server was up without SP1 then that requires 2 reboots to get the server patched.

    And, as others have said, any system administrator worth his salt has already installed SP1 for Windows 2000. Therefore, it's really only one restart.

    In many cases, the admins are overworked and cannot get to every patch all the time.

    Indeed. That's why you put in extra hours to fix things. MS may not be the best server software in the world, but any competent MS system administrator applies the patches as they come out, maintains a reasonable schedule, and tells the bosses flat-out, "I'm installing this patch at such-and-such a time, and that's all there is to it." Few employers are willing to fire a system administrator who's doing their job.

    Personally, I had 1 of 3 IIS servers at my job vulnerable and it was 'ploited.

    Yes. Imagine how you would have felt if you'd stayed on top of it. It's easy to say that you don't have time to install the patch, but on any reasonable server-level machine, the patch takes maybe five minutes to install, and most of that is spindown/startup time.

    I have enough on my plate then to jump at every damn MS Security Bulletin.

    If this is your attitude, you need to find another line of work. I wouldn't want you administering anything of mine.

    If you actually care about what you do, then you MAKE the time. Explain to people what you're doing. Encourage them to understand what's involved. Tell people to piss off, you're saving the company.

    There are just so damn many of them!

    39 this year. That averages to slightly more than one per week thus far. This is a lot, to be sure, but it is not "too many." The thought "too many" should be followed by the thought, "What are my alternatives?"

    If you're that peevish about MS product security, then don't use MS products.

    I am overworked as it is yet my CEO still asks "What exactly does he do again?"

    Then quit. Get a job elsewhere. Do something else.

  7. Re:Posturing by davidu · · Score: 2

    Those would be SysAdmins (if you can call them that)

    Network Admins (like BGP router gods) and Router Gnomes (the little guys in the routers who move the packets swiftly) did the work.

    get your terms right....aye!

    -davidu

    --

    # Hack the planet, it's important.
  8. Re:Unpatched version of server software by Gleef · · Score: 2

    perdida writes:

    If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

    Good! Poor security needs to hit companies where not only it hurts, but boards of directors and shareholders will see it: in the insurance premium line on their budget.

    Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

    This would be going too far. Every business should be allowed to make their own stupid decisions. Save regulation for where it actually can do some good; for example, keeping businesses from harming consumers or each other.

    --
    Open mind, insert foot.
  9. Re:The world is safe again ... by Phroggy · · Score: 1
    So what if you can't get sharks with laser beams, and all you have available are sea bass?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  10. Re:I see a nice research paper in this by phil+reed · · Score: 2

    You mean like this? (of special interest are the graphs starting here. Also note that the first attempt to model the spread of a virus was done in 1703, and the resulting equations look a whole lot like the ones derived for Code Red.)


    ...phil

    --
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  11. Re:I see a nice research paper in this by phil+reed · · Score: 3
    I don't know what bothers me worse: The fact that the authors of the paper listed here think they've discovered some great fundamental truth, or some slashdot readers think in such narrow tracks. It's no great secret that IBM Research exists, or that they spend a great deal of money, time, and expertise working on issues that we run into all the time. 5 minutes with Google could have easily uncovered it.

    I posted to BugTraq that the published curves for Code Red infection rates looked very much like traditional biological infection rates, and was soundly rebuked in emails by people who obviously knew better, except they didn't.

    "Those who forget the past are condemned to repeat it." -- Santayana


    ...phil

    --
    "For a list of the ways which technology has failed to improve our quality of life, press 3."
  12. Stupid worm writer(s) by dragisha · · Score: 1

    I am trying to imagine few possible variations of virus/worm/trojan writers:

    first: Employee of antivirus/security company with agenda to keep people aware of dangers of Internet/"hackers" and so on... Working hard but enjoying hoopla and good compensation packages - as long as company is growing/becoming more known/visible/important. Being careful not to make real damage and making sure his PR team is first to report new findings of company's always alert "antivirus" team.

    second: Stupid hacker who is smart enough to make working worm able to break 359,000 hosts in 13 hours, yet stupid enough to be easily blinded and nice enough to kill itself (stop spreading) after two days.

    This second variation is, at least for me - not easy to imagine. But then, I am only a programmer with no more than 18 years of programming experience - what can I know about programming? :)

    Fun begins when all brave and smart "journalists" of the net start bitching around how these "virus/trojan/worm" writers are, in fact, only stupid.

    Someone IS stupid, but who?

    --
    http://opencm3.net, http://www.nongnu.org/gm2/
  13. I see a nice research paper in this by Masem · · Score: 3
    Beyond what the authors have done, this research could be used as a basis to compare the spread of virii in fixed pool, whether biologically based or network based. While there's been a lot of speculation on the spread of computer virii before, this appears to be the first study with hard numbers that could be used for comparison.

    Sure, the results aren't that surprising, but it's still an interesting comparison.

    --
    "Pinky, you've left the lens cap of your mind on again." - P&TB
    "I can see my house from here!" - ST:
    1. Re:I see a nice research paper in this by FFFish · · Score: 2

      Yes, but "virii" is a far more fun way of saying it.

      --
      Don't like it? Respond with words, not karma.
    2. Re:I see a nice research paper in this by gorgon · · Score: 2
      There is no such word as "virii." The word you're looking for is "viruses."

      Thank you.

      --
      I hope we shall crush in its birth the aristocracy of our monied corporations ...

      And I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners.
      Berke Breathed
    3. Re:I see a nice research paper in this by 348 · · Score: 1
      Nice post. At least someone did a little homework.

      Regards.

      --
      More race stuff in one place,
      than any one place on the net.

  14. Re:Don't be a jackass by Malc · · Score: 2

    "Not only corporate machines were infected. Lots of machines from home users"

    That is definitely caused by MSFT's incompetence. One of the first rules of security is not to run any unnecessary services. I installed Win2K on my home machine and immediately discovered that it was running IIS, including FTP, W3SVC and SMTP. Sure, they were password protected, but they shouldn't have been running in the first place. How many home users *need* those services on by default?

  15. Re:CAIDA Translation by talks_to_birds · · Score: 1
    Kinda like the Chevrolet Nova.

    Nova...

    No va

    Don't go

    Kinda like that, anyway...

    t_t_b
    --
    I think not; therefore I ain't®

    --
    I'm on PJ's "enemies" list! Are you?
  16. Saved by Austin Powers by NoWhereMan · · Score: 1
    Once the heroes escape, get a squad of elite ninjas to track them down, but have the ninjas attack one at a time so as to ensure defeat in spite of superior numbers


    Sounds like a great idea for the next Austin Powers movie. I can hardly wait to see how they exploit the manipulation tools we have available today for graphics editing ;-)

  17. Do they want to eat their cake, too? by roystgnr · · Score: 4

    for many Fortune 1000 organizations, patching is a bad thing. They want stable systems and have a rigorous change control process to guard against problems.

    Great. Do they have an artificially intelligent firewall, too? That's what it's going to take to allow people to run software with known security holes for very long.

    Does anyone else remember the worms that were attacking unpatched Red Hat systems ~3 years ago? It was six months between the time the exploits were discovered/patched and the time that the worms started making their rounds. A more recent Red Hat attacking worm came out something like 3 months after the security holes it exploited were discovered. Now we've got an IIS security hole, with a worm exploiting it within a month.

    Do you not see where this is going? We're at the point where virus/worm authors aren't just reusing each other's code, they're talking about writing modular hostile code in the first place! Take a "worm kernel", load in modules to install back door A, autonotification service B, and brand new exploit C, and send it off to the internet the same damn day you discover a new buffer overflow.

    This is coming soon, and if you have computers hanging out on the internet, you need to be ready for it. Don't give me any BS about "rigorous change control". If you want to think of it in those terms, think about this: Running known exploitable, publicly accessible software will cause your computer systems to undergo uncontrolled changes without your approval!

    Throwing many MS OS/App patches into the mix without testing the effects of the patch on your systems environment is just as foolish as not installing the patch.

    No, it really isn't. What's the worst that buggy MS patches can do to you, reformat your hard drive? Not installing the patch can result in your data being published to hostile destinations, your passwords being sniffed, other systems on your network being attacked by the compromised unpatched system, your network being flooded by the compromised system, and your business being brought to a halt for days while you explain to the feds why your computer was being used to try to crack *.fbi.gov. Oh, and for kicks, the attacker/worm might reformat your hard drive afterward anyway, to cover his tracks.

  18. Re:Openness Good... by Chris+Hiner · · Score: 1

    Some compilers do flag certain functions:
    test.c:
    #include <stdio.h>
    int main(void) {
        char overrunme[10];
        gets(overrunme);  /* no bound on the input: the linker warns about gets() */
        return 0;
    }
    gcc -o test test.c
    /tmp/ccLMNOP.o: In function `main':
    /tmp/ccLMNOP.o(.text+0xb): the `gets' function is dangerous and should not be used.
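
    The linker warning above only tells you gets() is unbounded; it does not show what the bounded version has to get right. The following is an added example (not Chris Hiner's code, and not from the CAIDA report) that serves both this comment and comment 3's wish for bounds-checked input: a gets() replacement built on fgets() that stops at the buffer size, reports when a line was cut, and drains the rest of an over-long line so the next read does not start in the middle of the leftover bytes. The function names read_line_bounded and count_truncated_lines are this example's own, and the input it reads is constructed inline via fmemopen() so it runs without a terminal.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded replacement for gets(): stores at most n-1 bytes in buf, strips the
   trailing newline, and drains the rest of an over-long line so the next call
   starts at the next line instead of at the leftover bytes. Returns the number
   of bytes stored, or -1 at EOF. *truncated is set to 1 when input was discarded. */
int read_line_bounded(char *buf, size_t n, FILE *in, int *truncated)
{
    *truncated = 0;
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';        /* whole line fit: drop the newline */
    } else {
        int c;                    /* no newline: the line overflowed, or EOF */
        while ((c = fgetc(in)) != EOF && c != '\n')
            *truncated = 1;       /* these are the bytes gets() would have written past buf */
    }
    return (int)len;
}

/* Runs read_line_bounded() over a constructed input string with a bufsize-byte
   buffer and returns how many lines had to be truncated. fmemopen() (POSIX)
   stands in for stdin so the example runs offline. Returns -1 on allocation failure. */
int count_truncated_lines(const char *input, size_t bufsize)
{
    size_t inlen = strlen(input);
    char *copy = malloc(inlen + 1);
    char *buf = malloc(bufsize);
    if (copy == NULL || buf == NULL) { free(copy); free(buf); return -1; }
    memcpy(copy, input, inlen + 1);
    FILE *in = fmemopen(copy, inlen, "r");
    if (in == NULL) { free(copy); free(buf); return -1; }
    int truncated, count = 0;
    while (read_line_bounded(buf, bufsize, in, &truncated) != -1)
        count += truncated;
    fclose(in);
    free(buf);
    free(copy);
    return count;
}

int main(void)
{
    /* Constructed sample: the second line is longer than the 10-byte buffer. */
    const char *sample = "short\nthis line is far longer than ten bytes\nend";
    printf("truncated lines: %d\n", count_truncated_lines(sample, 10));
    return 0;
}
```

    The draining loop is the part most hand-rolled replacements forget: without it, a 40-byte line read into a 10-byte buffer is silently handed back as four or five separate "lines", which is how parsers downstream end up processing attacker-controlled fragments they never expected.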

  19. Re:Mirror by h2odragon · · Score: 1

    thanks, i needed that

  20. A Better Analogy by Bilbo · · Score: 1
    > can sell a car with defective brakes?

    It would be more accurate to ask, Can you sell a car with defective locks?

    Then, what constitutes "defective"?

    Can you design a lock that will keep out 90% of people trying to break in? Probably. Can you design a lock to effectively block all professional thieves? Don't bet on it. Worse yet, can you design a lock that will force all people to lock their cars? Not a chance.

    So, if you can't even design idiot proof, perfectly secure cars (which we've had around for close to 100 years), then how are you ever going to create an idiot proof Internet?

    --
    Your Servant, B. Baggins
  21. Re:What about licensing? by Bilbo · · Score: 1
    > and the owner is required to maintain basic security provisions, or face the equivalent of a traffic ticket

    Hummm... If my brakes fail because I haven't maintained them, then people die.

    If my server gets infected by a worm because I haven't maintained the software, then a couple other people (who are ALSO at fault) have their computers infected...

    Sort of several orders of magnitude difference in consequences there.

    I agree with your basic premise that people should be required to demonstrate their competence before handling dangerous systems, and that they should be held responsible for the consequences when they screw up, but I think you'll have a difficult time getting licensing regulations for owning and operating PERSONAL COMPUTER SOFTWARE passed in a country like this.

    Seems to me that the manufacturers need to be held responsible for creating better, safer software, and for making it easier to update that software when problems are found.

    (BTW, when's the last time you updated the Apache software on your system? Bet it was more than 30 days ago.)

    --
    Your Servant, B. Baggins
  22. Re: Leniency by FFFish · · Score: 2

    ...I wonder what the punishment should be, then, for the US, for having inflicted itself with Bush as its chief mouthpiece...

    Hmmm.

    Maybe having Bush is punishment enough. Even if the rest of us do have to suffer his ugly mug in the news...


    --
    Don't like it? Respond with words, not karma.
  23. What's going to happen with ROM-based eppliances? by Thagg · · Score: 2
    This worm infected IIS servers, typical computers, relatively easily patchable. I would presume that this attack will lead to, among other things, mechanisms that automatically patch systems. These will just have to exist; as it is quite reasonable to expect that some worm-writers out there have systems ready to go just waiting for the next root-exploit. When the next one (and there will always be a next one!) is found, I expect that the exploit->attack interval will be remarkably smaller than a month.

    This worm had a doubling time somewhere between 30 and 40 minutes, until it had compromised a significant proportion of the vulnerable machines. This time is proportional to the rate that a compromised machine can attack new ones, and to the ratio of vulnerable machines to the address space. I believe that the speed of attack cannot be increased much, this worm was remarkably efficient -- it will only be increased as the number of broadband-connected machines increases. The advent of six-octet IP addresses will, for a while, dramatically lower the percentage of vulnerable IPs compared to the address space, although that won't happen for a while.

    What worries me is the advent of internet e-ppliances. These will probably not be patchable, and so, if infected, will remain so. Don't think that because machines don't have disk drives that they are invulnerable to worms, as this current worm didn't touch the disk at all, but stayed memory-resident. What's going to happen when a million e-refrigerators start attacking root DNS servers, say?

    thad

    --
    I love Mondays. On a Monday, anything is possible.
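
    The doubling-time argument in the comment above can be written out as a small model. This is an added example, not the poster's or CAIDA's code: for a worm that probes uniformly random addresses, each infected host finds a new vulnerable host at rate s * N / A (s probes per minute per host, N vulnerable hosts, A addresses), so the early doubling time is ln 2 / (s * N / A), and the same expression drives a deterministic expected-value simulation of the whole infection curve. The 359,000 host figure is the one quoted elsewhere in the thread; the probe rate of 237 per minute is a constructed value chosen so the doubling time lands in the 30-40 minute range the post describes, and the address space is the full 32-bit IPv4 space. The function names are this example's own.

```c
#include <stdio.h>

#define LN2 0.6931471805599453

/* Early-phase doubling time, in minutes, of a uniformly-random-scanning worm:
   probes_per_min = s, vulnerable = N, address_space = A. */
double doubling_time_minutes(double probes_per_min, double vulnerable, double address_space)
{
    return LN2 / (probes_per_min * vulnerable / address_space);
}

/* Deterministic (expected-value) simulation in one-minute steps. Each infected
   host's probes hit a not-yet-infected vulnerable host with probability
   (N - I) / A, so dI = s * I * (N - I) / A per minute. Returns the number of
   minutes until at least `fraction` of the vulnerable hosts are infected, or -1
   if that does not happen within max_minutes. */
long minutes_to_fraction(double probes_per_min, double vulnerable, double address_space,
                         double initially_infected, double fraction, long max_minutes)
{
    double infected = initially_infected;
    for (long t = 0; t <= max_minutes; t++) {
        if (infected >= fraction * vulnerable)
            return t;
        infected += probes_per_min * infected * (vulnerable - infected) / address_space;
    }
    return -1;
}

int main(void)
{
    /* Constructed parameters (see the lead-in): N from the thread, s chosen to
       give a ~35 minute doubling time, A = 2^32. */
    const double N = 359000.0, A = 4294967296.0, s = 237.0;
    printf("doubling time: %.1f min\n", doubling_time_minutes(s, N, A));
    printf("50%% infected after %ld min, 90%% after %ld min\n",
           minutes_to_fraction(s, N, A, 1.0, 0.5, 100000),
           minutes_to_fraction(s, N, A, 1.0, 0.9, 100000));
    /* Patching half the vulnerable hosts doubles the doubling time: the defender's
       lever in this model is N, since s and A are the worm's. */
    printf("doubling time with half the hosts patched: %.1f min\n",
           doubling_time_minutes(s, N / 2.0, A));
    return 0;
}
```

    With these inputs the simulated curve reaches 90% of the vulnerable population in roughly 12 to 13 hours, consistent with the "359,000 hosts in 13 hours" figure quoted earlier in the thread, and it shows the point the comment makes about the address space: the only term a defender controls is N, and halving it halves the growth rate.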
  24. Re:What about licensing? by bughunter · · Score: 1
    That would be a good idea except that driver's licenses don't exist to guarantee the qualifications of the driver, they exist to ensure the driver remains liable for his or her traffic violations.

    --
    I can see the fnords!
  25. Re:Wait til August 1st by bughunter · · Score: 2
    • how long will it take before the Internet only becomes usable between the 20th and the end of each month?
    And then how long will it take before someone feels compelled to release a countervirus that patches the security hole, or cripples Code Red?

    Hell, why stop there? How long until the internet becomes just one giant code battlefield, a la Core Wars?

    My God - it just hit me. The language used in Core Wars is Redcode!

    --
    I can see the fnords!
  26. Re:You can't blame them entirely by Omnifarious · · Score: 2

    The only reason a fuss would be kicked up is because Microsoft would never stand for anybody besides them having that kind of access to computers running Microsoft OSes. If people switched to an Open Source OS, there could be multiple 'security providers' they could choose. The market could then choose the proper balance between security and privacy. I doubt anybody here would complain about that.

  27. Re:You can't blame them entirely by Stiletto · · Score: 2


    Your analogies don't make sense. They lack the element of negligence.

    A computer user passing a virus along to someone else is more akin to a driver drinking 10 beers and then crashing into someone else, in which case, his license will surely be revoked.

    A pet that goes around biting other people will also certainly be put to sleep.

    When you sign up with an ISP, you are making your machine a part of the Internet. If that machine does not play well with others (who are also paying for their access) it should not be allowed on the network.

  28. Re:You can't blame them entirely by Stiletto · · Score: 4


    Simple. If a customer's machine is responsible for further spreading a virus, worm, etc. the ISP should CANCEL the customer's account without a refund. People would be more responsible if irresponsibility affected their wallets.

  29. Posturing by MSG · · Score: 4

    It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worm's attack and DoS potential.

    Riiiggght. This is the second time Code Red has been mentioned on Slashdot with a reference to the "stupid" author. Compared to the skilled network admins? What, the ones who let Windows NT boxen on their network? The ones who got HACKED by the silly virus author? Yeah, they're skilled all right, truly elite.

    Mock the author as you will, but the fatal errors in Code Red were choices that the author made. His options for those choices could have been stopped, too. It wasn't really the stupidity of the virus author that saved whitehouse.gov, but the vigilance of some people doing things that might be illegal under the DMCA or some other law in the near future.

    Remember that the next time you're feeling elite, yourself.

  30. Re:sheer stupidity by ethereal · · Score: 1

    I don't know, somebody could release a nice, polite worm instead. They don't all have to be surly, you know.

    --

    Your right to not believe: Americans United for Separation of Church and

  31. Re:Absolutely correct by ethereal · · Score: 1

    Well, they're cheaper by the dozen, you know :)

    --

    Your right to not believe: Americans United for Separation of Church and

  32. Re:Unpatched version of server software by ethereal · · Score: 1

    If patching is so painful, maybe those companies should consider using software which doesn't need as many patches, or open source software where there's a huge community that beta-tests patches as soon as they come out.

    Although I bet that even taking a couple days to verify the patch before applying it would still beat most of the worms out there - the Code Red exploit was known for a month or so before the worm hit.

    --

    Your right to not believe: Americans United for Separation of Church and

  33. We've seen this class and scale of problem before by rleyton · · Score: 2
    The Code-Red worm is a wake-up call

    It's worth remembering that this sort of problem has been seen before, with the Robert Morris Worm in 1988. The similarities in terms of spread are clear, although the damaging effect (Morris brought down a large percentage of the then mainly academic based Internet) was much more severe - so far. The article makes clear that we need to be aware that things could be worse, when script kiddies start playing with this virus.

    Lessons were learnt then, and it probably makes sense to revisit them and ensure we haven't missed anything.

    Those of us with machines at home running services should all be careful (be it Windows, Linux, Solaris, *BSD or whatever), and review our presentation to the world. Check out Bastille Linux for a start.

    --
    ooooooh! What does this button do? - DeeDee, Dexter's Lab.
  34. Re:What the hell are they waiting for? by Sloppy · · Score: 2

    Doing that might provoke a serious response (e.g. corporate America stops using Outlook) and then the virus writers' fun time would be over.
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  35. Re:You can't blame them entirely by HiThere · · Score: 2

    And perhaps you've kept up to date. I sure haven't. The last car I took the engine of apart was built around 1956. I've looked under the hood of a few recently, and ... I think I'll leave that to the professionals.

    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  36. Re:Unpatched version of server software by HiThere · · Score: 2

    Even so, occasional patches get accepted that make things worse. There just isn't time to test things properly. Actually, there isn't equipment, either. A proper test would require running duplexed systems, and then deciding which set of bugs you would rather live with. And you don't usually know the full list for either. So you make do with small scale tests, that you already know aren't really good enough, and try to project the results. This gets a lot of the problems, but by no means all. So you make a backup, apply the patches, and cross your fingers, hoping that if you need to retract the patch, it will be before too much new data has been entered (or that you can know that the data isn't getting corrupted during entry).

    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  37. Re:"virii" by HiThere · · Score: 2

    Doesn't it mean men (as opposed to women)? Or is that viri?
    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  38. Re:IIS can be restricted and protected by HiThere · · Score: 3

    It's a bit interesting (I tried that mod, too). Apple has detailed specs of what a legitimate Mac application should look like. And the Apple applications were notorious for ignoring the rules.

    MS has rules for how a Windows application should act, and the MS applications are even worse than most DOS application about following those rules.

    I wonder if Linux will follow this tradition ... O, wait, there is no Linux company. I guess that the LDP will be honored :-).

    (LDP : Linux Directory Plan? Or do I have the wrong acronym?)
    Caution: Now approaching the (technological) singularity.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  39. Re:Still Out There by andyf · · Score: 1

    That's not the code red worm, that's the sircam virus. The Code Red worm spread through IIS servers, the sircam virus spread through email with the characteristic lines "I send this file in order to have your advice" and "Te mando este archivo para que me des tu punto de vista".

    --

    Photos of bits of the past hiding in the present: afiler.com
  40. sheer stupidity by mab · · Score: 1

    It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worm's attack and DoS potential.

    There were a couple of versions of it and another will surly arise.

    1. Re:sheer stupidity by Tower · · Score: 1

      No panda - just make him look like that annoying purple gorilla (Bonzi?):

      "What would you like me to do, $NAME?"
      Read a story
      Tell a joke
      Check for vulnerabilities
      Download more expensive updates

      Hmmm... well, maybe not.
      --
      "It's tough to be bilingual when you get hit in the head."
    2. Re:sheer stupidity by Monte · · Score: 1

      I don't know, somebody could release a nice, polite worm instead. They don't all have to be surly, you know.

      That's not a bad idea - you could create the Exploit Detecting Panda worm for the express purpose of finding exploitable servers and notifying them of their vulnerability...

      "...and when the sysop doesn't apply the latest patches, that makes me a Sad Panda."

      But you know the helpful author of such a worm would get nailed right to the barn door.

  41. Re:What the hell are they waiting for? by BilldaCat · · Score: 2

    Well, that certainly helps too. :) Also the fact I use mutt for my mail makes me fairly safe from just about anything.

    But seriously.. the english/engrish is so bad in some of these that it's a dead giveaway .. it's scary to think what a malicious person with good social engineering skills could do ..

    --
    BilldaCat
  42. What the hell are they waiting for? by BilldaCat · · Score: 3

    Where are the truly destructive worms/viruses/trojans/etc.? I'm really surprised no one has written anything that would forward itself along, then wipe out the HD (no random chance BS), or something like that ..

    And these guys seriously need to hook up with someone who knows English .. the grammar errors in the e-mail are usually enough to tip me off it's a virus to begin with, that's what I guessed about SirCam before I really knew what it was ..

    --
    BilldaCat
    1. Re:What the hell are they waiting for? by Deag · · Score: 1

      .. the grammar errors in the e-mail are usually enough to tip me off it's a virus to begin with...

      So the fact that some lad you hardly know is sending you love letters doesn't tip you off at all? Or the dodgy .txt.vbs extension?

  43. Re:You can't blame them entirely by jdh28 · · Score: 1

    But no system can be made absolutely secure. Even the best maintained sites have been cracked.

    john

  44. Re:Don't be a jackass by jdh28 · · Score: 2

    That is definitely caused by MSFT's incompetence. One of the first rules of security is not to run any unnecessary services. I installed Win2K on my home machine and immediately discovered that it was running IIS, including FTP, W3SVC and SMTP.

    Totally unlike RedHat which doesn't automatically install and run sendmail, apache, etc?

    john

  45. Not only this, but... by GroundBounce · · Score: 2

    From earlier reports, a lot of the machines infected were personal Windows PCs running Microsoft's personal web server, which is apparently a stripped down version of IIS. Most of these people will never apply patches. Hell, many of them probably don't even know they are running it, they just clicked "install everything" when they installed Windows.

  46. The Scary Thing... by GroundBounce · · Score: 2

    is that sooner or later, someone is going to use this replication method to write a worm that does some REAL damage, and the door is wide open because of all of the Windows machines (and even poorly configured Linux machines) which are online at any given time and not protected by a good firewall. It's not just cable and DSL either -- at any given instant, there are millions of unprotected machines attached to the internet via dial-up. Any of these machines that happen to be running a susceptible version of Microsoft's personal web server are vulnerable. Many people are probably running it unknowingly - they have 30+ gig hard drives and just clicked "install everything" when they installed Windows.

  47. WOW! by KFK2 · · Score: 1

    I'm just glad I don't run IIS.. Just imagine if a hole this big was discovered in Apache.. I'm just glad there's people out there that look at Apache source just to make sure this doesn't happen.

  48. Re:Available animation formats by ce25254 · · Score: 1
    a lot of folks are going to grab the 13 meg quicktime file?
    Probably mostly because the .mov is the very first link in the page. If it's truly the "preferred format," why did he entice the average reader with this heavy link right up front?
  49. ZAN by BeanThere · · Score: 2

    So much for "zero administration" networking. Funny you never hear MS pushing that buzzword anymore. Of course technical people no doubt realised all along that it was just marketing BS, you have to know what you're doing and keep up to date to run servers, but now millions of not-so-clued-up people have fallen for the hype, they were led to believe that a few mouse clicks is all you need and you can sit back and relax while your server runs itself. Thanks to this attitude things like "code red" can flourish. Marketing people are quick to push terms like "zero administration" but won't readily mention "service packs", since that implies "non-zero-administration".

    -----

  50. Re: Leniency by AntiFreeze · · Score: 2
    That's an interesting thought. Someone else posted that this could be a case of "hacker ethic", of the writer simply trying to awaken people to the gaping hole in IIS and the wonders patching can do.

    But I find this hard to believe. The worm attacked whitehouse.gov, and although I truly dislike Bush and his administration, I can see how this could be construed as an attack against the United States itself. I understand that sentiment is very far-fetched, but remember, when it comes to things like this, there are hot-shot lawyers involved who will do, and say, whatever it takes to win their case. And yes, that too is a generality, but if the US catches this guy, I can see them using that as a viable argument.

    Really bad analogy: Firing an unarmed nuclear warhead with anti-antimissile technology at the whitehouse lawn. "But I was just showing you that your systems were severely lacking ...", "But it wasn't armed ...", "But I meant ..." are all irrelevant. Leniency is not a consideration. The missile was fired at the whitehouse, all else is irrelevant.

    --
    "Of course, that's just my opinion. I could be wrong." --Dennis Miller

  51. Absolutely correct by AntiFreeze · · Score: 3
    From the research:
    Again, 359,104 hosts were compromised in approximately 13 hours. Although the growth was slowing, had the worm not been programmed to stop spreading at midnight, additional hosts would have been compromised. The infection rate would have continued to decrease once the vast majority of vulnerable machines were infected. We speculate that the memory resident status of this worm would have allowed reinfection of many hosts.
    All it takes is another version which doesn't limit itself, and the problem explodes. As it is, there was a nice easy way to stop the worm (once it stopped itself). If the worm had not stopped itself, I'm skeptical that it would have been nearly as easy to deal with the infection.

    --
    "Of course, that's just my opinion. I could be wrong." --Dennis Miller

    1. Re:Absolutely correct by Monte · · Score: 1

      If they catch the author, I think this should be grounds for leniency. He had the sense to put in a cutoff so that the worm wouldn't grow out of control.

      "Your Honor, I would like to point out that my client could have chosen to shoot all the children in the schoolyard, but he purposely held himself to an even dozen. Please take this act of self restraint into account during sentencing. Thank you."

      Uh, no.

    2. Re:Absolutely correct by pezpunk · · Score: 2

      not only a cutoff, but also it was more or less harmless -- like the article said, it could have easily destroyed data, but it didn't. it just sat there reproducing like a bunny in heat. oh and launched a half-hearted attack on bush's website. big frickin deal, right? yeah, this was not so much a malicious attack as a blueprint for one.

      --
      i could live a little longer in this prison
    3. Re:Absolutely correct by Hilary+Rosen · · Score: 2

      If they catch the author, I think this should be grounds for leniency. He had the sense to put in a cutoff so that the worm wouldn't grow out of control.
      --
      Yes, the nick is flamebait
  52. Re:Bob Cringely's solution by schon · · Score: 1

    Now this sounds kind of suspicious. Does anyone have any actual knowledge of what they can do?

    Yes, this has shown up on /. a couple of times..

    I read an independent review that said they were full of it. The reviewer took a couple of hundred images (some porn, some not porn), had a perl script rename them to a random filename, and ran their software on it. The result was that it had a less than 1% success rate.

  53. Prelude by chill · · Score: 3

    It makes you wonder where all the truly devious virus writers are.

    If, in the case of SirCam, files were posted to an unmoderated news group instead of e-mailed randomly then the authors could retrieve them anonymously.

    Add in the ability to distinguish victims (such as hosts only on a certain domain); to quietly terminate itself if the victim isn't on "the list"; and stick to a specific task instead of just spamming and destroying -- you will have something truly devastating.

    It makes me wonder what we AREN'T finding and what ISN'T getting the headlines.
    --
    Charles E. Hill

    --
    Learning HOW to think is more important than learning WHAT to think.
  54. Re:The world is safe again ... by Tower · · Score: 1

    If they are mutated and ill-tempered... I don't see the problem.
    --
    "It's tough to be bilingual when you get hit in the head."
  55. Version 2.0 by csbruce · · Score: 4

    It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

    I'm sure that version 2.0 of the worm will fix all of the problems.

    1. Re:Version 2.0 by dlevitan · · Score: 1
      I'm sure that version 2.0 of the worm will fix all of the problems.

      And version 3.1 will take over the world :)

  56. Re:lessons learned by MadAhab · · Score: 2
    I dunno about USING telnetd, but there have been times when I wanted it active... particularly around times I'm updating SSH on a remote machine. There are times when SSH just doesn't come back up the way you expect it to.

    Of course, even then I restrict access with hosts.allow and/or firewalling at the machine itself and remove it from inetd.conf once I'm done. And even though I don't use telnetd normally, I updated just in case. It's hard to argue that an encrypted telnet is always a bad thing to have around.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

    --
    Expanding a vast wasteland since 1996.
  57. Re:You can't blame them entirely by wiredog · · Score: 2
    just don't ... see why they should do this for their PC, which is just another appliance

    You just described my Father.

    And I'll bet that 95% or more of Slashdotters wouldn't fix their car themselves

    I suspect you would lose that bet. Many of us were hacking on cars before we hacked on computers.

  58. Re:You can't blame them entirely by wiredog · · Score: 2

    I got my license in 81. Most people didn't have computers then. I suspect that dividing line, agewise, is around 35 or so. People younger than that started on PCs, and pay to have their Johnson Rods lubricated, those older started on cars and can pull a VW engine in half an hour.

  59. Bob Cringely by wiredog · · Score: 4

    Wrote about the coming DDoS from Hell.

    1. Re:Bob Cringely by technos · · Score: 2

      It's the same as it was 20 years ago..

      10 PRINT "Hello, World!"
      20 END


      Or for those with slightly more skill

      Dim test As Variant
      test = MsgBox("Hello, World!", vbExclamation, "Hello, World!")

      --
      .sig: Now legally binding!
    2. Re:Bob Cringely by BenboX · · Score: 1
      Holy Crap. I had not realized this, but Cringely says:

      "Now what makes the next year especially scary for data security is the pending arrival of Windows XP, an operating system that will come loaded on millions of PCs, each one ready out-of-the-box to be a zombie machine. The problem is that for competitive reasons, the home version of Windows XP has to be able to run programs written for Windows 95, 98, and ME. Windows 2000 can't reliably do that and it has the same core as Windows XP. The only way Microsoft was able to manage this backward compatibility was by disabling a very important security feature. Windows XP will be the first home OS from Microsoft to have full raw TCP/IP socket support (just like Windows 2000), but without Win2000's root-level security. Windows XP runs EVERYTHING at root, which means every program (and even the trojans hidden within that program) has full access to all Windows services, including more advanced network services than ever before. Where Windows ME is generally limited to UDP- and ICMP-flooding, for example, Windows XP can jump straight to the main event -- http flooding at port 80.

      This combination of full socket support (more protocols with which to do damage) and root level access is really, really scary."

      On every single Windows machine. Ay caramba.

  60. I wish... by Simon+Brooke · · Score: 2
    Slashdot would mirror things it's linking to onto a very fast server on a very fast link before posting important stories... yes, I know you can't do this for all sorts of very good copyright reasons, but...

    I'd really like to be able to check those graphs!

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
  61. Re:You can't blame them entirely by IPFreely · · Score: 1

    ... and if their car breaks down on the side of the road because they didn't maintain strict maintenance checks, it should be confiscated without reimbursement. And if their pet poops on the neighbors yard, it should be killed. And if you didn't fully understand the text of all those laws you accidentally broke, you should be thrown in prison for life.

    --
    There is nothing so silly as other peoples traditions, and nothing so sacred as our own.
  62. Re:Unpatched version of server software by Monte · · Score: 1

    If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

    If you were an insurance product manager you'd make sure there was an exclusion on the policy that denied claims on servers that were 30 or more days behind in the latest patches. (Yeah, I work for an insurance company)

    Of course this would make everyone apply patches as soon as they came out, which could very well create more problems than it solves. Damned if you do, damned if you don't.

  63. Wait til August 1st by LinuxHam · · Score: 5

    I'm surprised that no one is mentioning that the random infection part of Code Red is programmed to restart on the 1st of *every month*. Sure, by changing the IP of whitehouse.gov and short circuiting packets destined for the old IP to the bit bucket, the attack phase will never be a problem.

    However, since it appears the number of infections capped at about 359,000 machines, I would venture that at least a quarter of those machines will not be repaired/rebooted by August 1st. If the number of infections went from zero to 359,000 in a couple of days at most, imagine what kind of storm is going to kick off on August 1st when nearly 100,000 machines restart the infection phase of the worm! How long will it take for the estimated 6 *million* vulnerable IIS servers to be patched?

    Just for the sake of gloom-and-doom, how long will it take before the Internet only becomes usable between the 20th and the end of each month, due to Code Red infection storms between the 1st and the 19th? I don't think the core Internet routers can perform stateful-enough inspection as to route "Code Red infection" attacks to /dev/null. Perhaps that would drive enough white hat hackers to spread a repair worm, and start that whole argument all over again.
    --
    Steve Jackson

    --
    Intelligent Life on Earth
    1. Re:Wait til August 1st by aozilla · · Score: 2

      I don't think the core Internet routers can perform stateful-enough inspection as to route "Code Red infection" attacks to /dev/null.

      No, but they can automatically block anyone repeatedly sending packets to the old whitehouse site, and not start routing them again until they've spoken to someone on the phone.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  64. Notice from SecurityFocus by NetJunkie · · Score: 2

    One of our servers was compromised (my bad). A few days after I found the worm and patched it I got an email from SecurityFocus.com saying (and I paraphrase): Hey idiot, you have a worm on your server. Go get this patch and install it and stop spreading it.

    I thought that was a good idea for admins that didn't know about the worm.

  65. Re:Unpatched version of server software by jakeblue · · Score: 3

    The insurance adjuster idea is a good one, but I don't agree with the patch policy limitation. Instead, give the policy a rate structure that makes it *very* appealing for an organization to have a dedicated security person/department on hand (and not just a part time guy in IT).

    As for the law and patching, you need to realize that for many Fortune 1000 organizations, patching is a bad thing. They want stable systems and have a rigorous change control process to guard against problems. Throwing many MS OS/App patches into the mix without testing the effects of the patch on your systems environment is just as foolish as not installing the patch. For some, applying a patch to server software is a several day process!

  66. Re:The world is safe again ... by ktakki · · Score: 3
    2. Explained his/her dastardly plan in detail to the heroes before killing them


    Hi! How are you!

    I send you this file in order to have your advice.

    [Attachment: Dastardly Plan Details.doc.pif]

    k., who's gotten about a dozen of these so far.
    --
    "In spite of everything, I still believe that people
    are really good at heart." - Anne Frank
  67. Disturbing thought by Zigg · · Score: 4

    Take a look at the domains that were the most-infected -- they were, by and large, cable modem providers, and the study concludes that home and small business users (read: Microsoft's target market for most of their products) were responsible for most of the worm's spread.

    It's really disturbing to think that the Internet's stability rests on the shoulders of these people, half of whom probably don't even understand the concept of keeping up-to-date with security patches.

    The ironic thing is that this tide is probably being held back by the fact that in order to "legitimately" run a server off a broadband connection, you generally have to pay through the nose, meaning that those who don't have a vested interest or Daddy's money need not apply.

    Disturbing all around, really...

    1. Re:Disturbing thought by RedHat+Rocky · · Score: 1

      The highest on the list was 2.95%, compare that to the 47.22% that were completely unknown. I'd say that throws enough doubt on that part of the sample to make any conclusions very shaky at best.

      I'd suggest running the list through something like jdresolve, which will make additional queries to attempt to identify to what domain an IP belongs in the event a PTR record doesn't exist.

      --
      Anything is possible given time and money.
    2. Re:Disturbing thought by superdk · · Score: 2

      I work for a company which provides broadband services to small to medium sized businesses. Many of our customers host their own mail/web/etc servers from their site on their connection. The big downside to that is that most of these operations either have a guy in house who stumbled around IIS long enough to get it working and hasn't touched it since or they contract someone who charges them way too much money to do a shoddy job. In short, 9 out of 10 of our customers have their pants down to the world because they lack expertise and/or experience.

      The problem of course gave our trouble resolution group fits.
      To make matters worse most of the CPE (customer premise equipment) on the network has some type of web based interface. I don't know all the ins and outs of this worm but I do know that it caused a bit of havoc on all these routers sitting out there listening for port 80 requests. This also gave our trouble resolution group fits.

      Just goes to show, worms don't just kill servers.

      --
      Silly slashdot, sigs are for kids!
    3. Re:Disturbing thought by nuser · · Score: 1

      'It's really disturbing to think that the Internet's stability rests on the shoulders of these people, half of whom probably don't even understand the concept of keeping up-to-date with security patches.' And one of the sites logged by my (Apache) server sending that get request? Stand up Microsoft.com! Seriously though you make some good points.

  68. Redcode was hitting my Apache by z4ce · · Score: 2

    I was reading my transfer log file and saw the following:

    212.244.30.10 - - [19/Jul/2001:18:28:35 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

    There were about half a dozen such requests from other hosts. I thought it might be interesting to show those of you who don't have webservers running what it looks like.

    Ian

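    A detector for the probe shown above, as an added example that is not code from the post: it parses Apache common-format log lines and counts Code Red probes per source address. The log lines and IP addresses in it are constructed (documentation ranges), and the regex matches the request shape (default.ida, a run of N padding, %u-encoded bytes) rather than any exact payload.

```python
"""Count Code Red probes in an Apache access log.

Added example for this thread, not code from the original post. The log
lines in SAMPLE_LOG are constructed and use documentation IP ranges.
"""
import re
from collections import Counter
from typing import Optional

# Prefix shared by Apache "common" and "combined" formats:
#   ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shape of the worm's request as logged by Apache: /default.ida, a long run
# of "N" padding, then %uXXXX-encoded overflow bytes. We match the shape,
# not the exact bytes, so small payload differences do not slip past.
CODE_RED_RE = re.compile(r'^/default\.ida\?N{50,}.*%u[0-9a-fA-F]{4}',
                         re.IGNORECASE)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access log line; return None if it is not in log format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path: str) -> bool:
    """True if the request path carries the worm's overflow signature."""
    return CODE_RED_RE.match(path) is not None


def scan_log(lines):
    """Count probes per source IP.

    Returns (Counter of ip -> probe count, number of lines that could not
    be parsed). Unparseable lines are counted, not silently dropped, so a
    log in an unexpected format does not look like a clean one.
    """
    hits = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            unparsed += 1
            continue
        if rec["method"] == "GET" and is_code_red_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return hits, unparsed


# Constructed payload in the shape the post's log line shows: N padding
# followed by the %u-encoded bytes (the exact byte values do not matter here).
_PAYLOAD = (
    "N" * 224
    + "%u9090%u6858%ucbd3%u7801" * 3
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Constructed sample log: two probes from one host, one from another,
# one ordinary request, and one line that is not a log entry at all.
SAMPLE_LOG = [
    f'192.0.2.10 - - [19/Jul/2001:18:28:35 -0500] "GET /default.ida?{_PAYLOAD} HTTP/1.0" 400 252',
    '203.0.113.5 - - [19/Jul/2001:18:29:01 -0500] "GET /index.html HTTP/1.1" 200 1043',
    f'198.51.100.7 - - [19/Jul/2001:18:30:12 -0500] "GET /default.ida?{_PAYLOAD} HTTP/1.0" 400 252',
    f'192.0.2.10 - - [19/Jul/2001:18:31:47 -0500] "GET /default.ida?{_PAYLOAD} HTTP/1.0" 400 252',
    'this line is not in common log format',
]


if __name__ == "__main__":
    hits, bad = scan_log(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} Code Red probe(s)")
    print(f"{bad} line(s) could not be parsed")
```

    Point it at a real access_log with `scan_log(open(path))` to get the same per-source counts, which is usually enough to tell the infected neighbour from the one-off scan.
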
    1. Re:Redcode was hitting my Apache by The+Wicked+Armadillo · · Score: 1

      Ah, so that is what that is. I was looking at my server logs this morning, and figured it was a script kiddie. I was half right.

    2. Re:Redcode was hitting my Apache by JimPooley · · Score: 2

      I got those, on both our webservers. About 20 on each, late 19th early 20th.
      I spread the news around, just to illustrate what a good idea it had been picking Apache on Linux for our webservers!

      Hacker: A criminal who breaks into computer systems

      --

      "Information wants to be paid"
  69. Re:You can't blame them entirely by mrseth · · Score: 1

    "I think it's safe to say that most people on Slashdot are not only competent enough to apply patches, but interested enough in computers (for work or a hobby or whatever) to actually do it".

    And also lazy enough to write scripts to push all the patches automatically to all the servers so we can have time to sit around and get paid to read slashdot.

  70. Re:Don't be a jackass by JWW · · Score: 1

    Somebody please mod the above post into oblivion. Do you really think this guy can hire the help on his own? If the CEO doesn't know what he does, do you think he's going to hire more help? Oh and before you go off claiming that the CEO should be shown they need more help, maybe the company really can't afford it.

    What gets me about this is that Microsoft came out telling everyone there was a patch, so it wasn't their fault. Well it's their bug in the first place. Not all admins can spend all day finding all patches for their stuff. There's also the added problem of patches occasionally breaking the application they patch. What do you say when that happens? The CEO's not going to care that you "needed" the patch, he'll be pissed that the systems are down. The only real solution is better systems from the get-go.

  71. more powerful than a DDOSing red code by xemacs · · Score: 1

    The /. DDOS effect.

    I bet the author of the virus planned the /. effect on websites talking about the defeat of his creation as a revenge...

    mirrors anyone?

  72. summary of "a thousand words" by Ender+Ryan · · Score: 1
    It is a bad idea to click on executable attachments from people you do not know...

    DUH!

    You'd think people would learn, but then you'd also think that we'd learn that thinking people would learn is incorrect... heh, ; )

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:summary of "a thousand words" by cant_get_a_good_nick · · Score: 1
      It is a bad idea to click on executable attachments from people you do not know...

      This wasn't an email virus. This was a self-spreading worm. Took advantage of an unchecked buffer to do a standard stack smash exploit. The only error was not applying IIS system patches soon enough.

  73. sheer stupidity? by spectro · · Score: 1
    It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

    I think it was done this way on purpose. Any 31337 h4x0r would have added a DEL c:\*.* or something else to it.

    --
    HTML is obsolete. It's time for a new, simpler and richer markup language.
  74. Re:IIS can be restricted and protected by billh · · Score: 3

    At the risk of being slightly off topic...

    Changing anything that Microsoft considers 'default' or 'normal' can be a problem, even when the change is relatively easy to make. In your example, I have a feeling that if you installed any additional software to work with IIS, especially MS software, it would have issues with your simple change. It just assumes that everything is the default, even if it could just check the registry during install.

    To make myself a little bit clearer (while my coffee is still kicking in this morning), I'll give an example. I am a command line user, even in Linux and Windows. Try using Program Files in a command line path. It gets very, very repetitive. So I changed it to Programs. Registry search and replace, rename, a couple of other things. Yes, there is a registry key for the location of Program Files, and properly written software looks for it during an install or run. But try to install a patch, or an upgrade, or anything else, and watch your Program Files directory magically reappear. The assumption is that nobody changes it, so Program Files is hard coded.

    My point? Even when MS leaves a way to change things, they often don't honor it. So the harder you try to customize or secure a system, the more you have to work to make sure that you haven't broken something else. A sad state of affairs, it is.

  75. the only error... by dave-fu · · Score: 1

    ...was leaving unneeded script mappings on the computer.
    While MS patches are wont to generously restore them for you behind your back (thanks a lot for that one, retards) it's a more or less well-known issue by now and not one that the clueful should ever fall victim to. This isn't a Unicode error or anything of that nature: even unpatched, simply nuking the mappings would have saved them.

    --
    Easy does it!
  76. Stupid? by nobodyman · · Score: 2
    Though people repeatedly point to the "Sheer stupidity" of the virus author, I'm not so sure...

    Most stupid people can't even write a virus.

    ...in x86 assembly

    ...that infects over 200,000 webservers in under 24 hours.

    Mitnick only compromised a handful of systems. I guess this makes him a complete retard?

  77. Re:Unpatched version of server software by Observer · · Score: 2
    If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

    If you're seeking insurance against the costs of a DDoS attack, your insurance assessor can reasonably insist on knowing details of your infrastructure and what procedures you have in place to decide what premiums to charge. But the administrators of the population of vulnerable machines that the DDoS attack is exploiting are not the ones likely to be asking for insurance (the report suggests from the distribution of attack host domains that "at home" machines on cable and DSL were playing a significant role, for example), so the scope for direct pressure is rather limited. And the statistics on what makes a vulnerable DDoS target are still very inexact, and will continue to be for as long as victim corporations are unwilling to go public and admit they've been DOS'd.

    Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

    I can't see that proposal flying. What I can see is that the current free-for-all where there are no controls whatever on the fitness for use of software products will be brought to an end. You want to produce software for commodity sale and use? Fine, then you/ your company must have the appropriate certificate of good practice and have your products and procedures reviewed regularly, and you'll probably need malpractice insurance, as well. If you just want to play with software as a hobby, then that's OK, but you need a license before you're allowed out on the public net, and/or you need to put your creations behind a certified firewall.

  78. Re:The world is safe again ... by Fjord · · Score: 3
    Brought the heroes to his/her secret mountain lair to kill them personally rather than letting a henchman do it at great distance

    This is a damned-if-you-do-damned-if-you-don't situation. If you order your henchmen to do it, they will certainly screw it up, and, depending on the movie rating, will be severely injured to killed.

    At least if you have your henchmen bring the hero(es) to the secret lair, you don't have to pay out as much disability or have as high employee life insurance. This is why usually contractors are brought in, not because they really are the baddest killers from the four corners of the earth, but because by going corp-to-corp, you won't impact your premiums when they are killed. Plus it keeps employee morale up.

    --
    -no broken link
  79. Re:DoS Attacks by cybercuzco · · Score: 4

    Simple, just have Jon Katz write all the articles posted.

    --

  80. CABLE RANT by twitter · · Score: 1
    I cast the blame squarely on the cable modem providers. Mine runs NT, and does not support anything but Windoze. For $40/month they can afford to ban insecure OS from direct connections, ensure all connections are firewalled, and educate their users. Instead they simply ban "servers" without realizing that any old PC can become a server if it's hacked. Oh yeah, they also seem to be ignoring all the warez kiddies that are hacking their neighbor's crappy little boxes. They ought to go after them.

    This worm only went after IIS, so it must have only burnt the cable providers themselves. I hope it taught them a lesson.

    Pardon the rant. My little Debian box was broken into by some loser last night. I blame my own inexperience and inability to configure things properly, but I'd love some help tracking that sucker down. He had a 24. address.

    --

    Friends don't help friends install M$ junk.

    1. Re:CABLE RANT by twitter · · Score: 1
      try this:
      1?: [LOCALHOST] pmtu 1500
      1?: 10.81.69.1
      2?: 24.181.126.1
      3?: 24.7.72.237
      4?: 24.7.64.189
      5?: 24.7.64.185
      6?: 209.245.240.141
      7?: 209.247.10.97 asymm 8
      8?: 209.247.8.5 asymm 13
      9?: 212.187.128.137 asymm 13
      10?: 212.187.128.50 asymm 14
      11?: 212.187.131.40 asymm 15
      12?: 212.187.151.162 asymm 16
      13?: 213.46.160.53 asymm 16
      14?: 213.46.160.46 asymm 17
      15?: 213.46.160.9 asymm 19
      16?: 213.46.160.14 asymm 19
      17?: 213.46.161.54 asymm 21
      18?: 212.142.32.42 asymm 22
      19?: 212.142.32.36 asymm 23
      20?: 62.108.0.86 asymm 23
      21?: 62.108.0.62 asymm 25
      22?: 24.132.223.113 asymm 154 reached
      Resume: pmtu 1500 hops 22 back 154

      Looks like they had lots of boxes to bounce off. The 62. and 24. are at home numbers, AC. The end of the chain may be an anonymizer or some poor windows box configured to be one.

      --

      Friends don't help friends install M$ junk.

  81. How to make MS like software secure! by twitter · · Score: 1
    Yes, it's true you can have secure DOS. First, start with freedos. You will have to patch it for protected mode operation and multiple users. Then you can port OpenSSH. This has been done for Windows by , and their code might be helpful. Now all you need to do is port Sendmail and Apache and you are set! Go get it!

    Why oh why do people use MS BS? No insult to the fine folks above, especially freedos, but the alternatives are better used together rather than piecewise. OpenSSH on a PC with IE and Outlook is not secure in any way. Don't throw your computer out the window, throw windows out of your computer!

    --

    Friends don't help friends install M$ junk.

    1. Re:How to make MS like software secure! by haplo21112 · · Score: 1

      Again, many times you're stuck with what the company says you can use. If you work for a M$ centric company (actually worse, a M$ strat. partner), you use M$, and nothing else is allowed. It's impossible to convince anyone above you that something else might be better.

      --
      Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
  82. There is a bug with that. by loki2eng · · Score: 1

    I've found occasionally that using Progra~1 can create an error on bootup in win2k that goes like (I don't have it in front of me right now but it's something like this) "file found called programs, could cause conflicts, would you like to rename".

  83. Bob Cringely's solution by Jovian · · Score: 1
    is a magical software company known as MessageLabs. He plans to have them scan all of your email before you get it, and check for virii. Sounds simple enough, ya?

    Also, from the article, MessageLabs even has an intelligent scanner that can look at an image and recognize the difference between baby pictures and Debbie doing Dallas. Now this sounds kind of suspicious. Does anyone have any actual knowledge of what they can do? This Cringely guy sounds like he's just quoting MessageLabs' press release....

  84. Don't be a jackass by Dman33 · · Score: 4

    Speaking of being a jackass... don't blame it completely on the admins either. There are about 3 security bulletins from M$ per week. This patch in question requires SP1 to be installed as well. If the IIS server was up without SP1 then that requires 2 reboots to get the server patched. In many cases, the admins are overworked and cannot get to every patch all the time. Sure, the admins should be able to get the patch on before hell breaks loose but hindsight is always 20/20.

    Personally, I had 1 of 3 IIS servers at my job vulnerable and it was 'ploited. Of course, when the Code Red worm infected that server, the server took out one of my 2500 series Cisco routers. That was fun since it was still too early in the day to know that it was indeed the worm causing the problems. I am the only IT person here, supporting 75 users, 17 servers, 100+ workstations. I do support, net admin, and IT department management. I am currently upgrading the corporate website, doing a software audit, a hardware audit, reconfiguring our routers, I have 30+ helpdesk issues in my queue and I am late on 4 projects. I also advise our development team on network related aspects and I am trying to put up a new FTP server, backup server and mail server. I have enough on my plate without having to jump at every damn MS Security Bulletin. There are just so damn many of them! I am overworked as it is yet my CEO still asks "What exactly does he do again?".

    In the future will I put a little more time at getting the patches on the IIS servers when they come out? Sure will. Did I learn a lesson? Yes. Did my company learn a lesson? Nope. Not until I leave this place and they have nobody around...

    1. Re:Don't be a jackass by SuiteSisterMary · · Score: 3

      Sorry, chief. 1: This particular patch didn't require a reboot. 2: this particular patch wasn't required UNLESS YOU'RE USING INDEX SERVER. The five second work around was to remove the script mapping from IIS that would pass the request to the index server stuff, which is where the problem actually lived.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:Don't be a jackass by JoshuaDFranklin · · Score: 1
      I might add that it's been far easier to correct problems with my Linux servers when setting them up. I just grab the newest RPMs, uninstall/reinstall or upgrade the full openssh/apache/bind/etc installations. With MS, I have to get the latest Service Pack PLUS however many outstanding updates there are.

      My favourite personal IIS horror story is the time we started hosting an NT Server for someone (I work at a small ISP). This was last month. Any idea what security updates were installed? Did you guess none? I had to go through about 25 separate MS "TechNet Security Advisories"--average of three web pages each (description, license, download). I broke the rules and installed 5 at a time before rebooting to save a little time. Luckily nothing broke, although the 2002 FrontPage Extensions won't install. I cursed MS for not making IIS security updates as easy as windowsupdate.ms.com (IMHO, MS's strong point on the Desktop is how easy things are to do without knowing anything. This is why their servers suck--you have to know something!)

    3. Re:Don't be a jackass by morcego · · Score: 1

      The moral of the story is not to hire dumbass admins who don't do their job. A patch for this was released *1 month* before this virus hit the streets!

      You sir, are being too simplistic about this.

      Not only corporate machines were infected. Lots of machines from home users (I saw somewhere the number of DSL machines they found infected).
      If hiring good admins were the case, we could look at the machines that were not infected, not couse of the patch, but couse of some firewall rules, or couse the admin had disabled .ida support on IIS (couse once they didn't use it, there is no reason to leave it enabled).

      ---

      --
      morcego
    4. Re:Don't be a jackass by morcego · · Score: 1

      Totally unlike RedHat which doesn't automatically install and run sendmail, apache, etc?

      Are they still doing it? One would think they should have learned about that by now.
      Let me assure you that even though RedHat is the biggest Linux distribution, they are not the only one. One I'm sure doesn't do it (leaving every single service you install starting automatically) is Conectiva Linux, which happens to be the one I use.

      ---

      --
      morcego
    5. Re:Don't be a jackass by Haxx · · Score: 1

      Ever heard of hiring some help?

    6. Re:Don't be a jackass by Win-Developer · · Score: 1

      Ok, my thought wasn't complete enough. Maybe I'm being a bit naive about this situation, but someone who doesn't know enough to look for patches in the Microsoft Software Download area, or even to bother to configure things properly, deserves to get infected.

      These home users probably just ran the setup program and never checked things again! My mom has IIS running as her web server, and she *IS* on DSL. She knows next to nothing about computers, but she knows enough to keep up with updates and patches. She also knows enough to attempt to figure out the documentation on how to use a product she has installed.

      Btw...it's "cause" or "because" not "couse". :)

  85. You can't blame them entirely by Dr_Cheeks · · Score: 5
    It's really disturbing to think that the Internet's stability rests on the shoulders of these people, half of whom probably don't even understand the concept of keeping up-to-date with security patches.
    I think it's safe to say that most people on Slashdot are not only competent enough to apply patches, but interested enough in computers (for work or a hobby or whatever) to actually do it.

    But we're not a typical cross-section of the public. People are used to buying something and having it work. They don't need to patch their TV every couple of months to prevent people abusing it, and they just don't (and probably never will) see why they should do this for their PC, which is just another appliance (to them at least). And I'll bet that 95% or more of Slashdotters wouldn't fix their car themselves if it started burning a lot of oil - it's all a matter of whether you're willing and able to do the job.

    The only way you're going to stop people like this propagating worms or virii or whatever in this manner is by taking that need for vigilance out of their hands. Quite how you do that without infringing on their privacy is beyond me. But just think about the fuss that would be kicked up here on Slashdot if Microsoft wrote its software to require MS full access to its OS at all times over the phone line under the pretext of helping home users keep their machines up to date.

    Don't criticise the regular consumers unless you've got a better solution. And I don't count banning them from the net as better (even if it does have a certain appeal).

    --

    1. Re:You can't blame them entirely by DrSkwid · · Score: 1

      But we're not a typical cross-section of the public

      there is no we
      nobody is typical

      can sell a car with defective brakes?
      .oO0Oo.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    2. Re:You can't blame them entirely by jstott · · Score: 2
      And I'll bet that 95% or more of Slashdotters wouldn't fix their car themselves

      I suspect you would lose that bet. Many of us were hacking on cars before we hacked on computers.

      And many of us were hacking on computers years before we were old enough to drive.

      -JS

      --
      Vanity of vanities, all is vanity...
    3. Re:You can't blame them entirely by Smegma4U · · Score: 1

      Does that mean that if an ISP's machine spreads a virus, worm, etc. they pay all their customers in order to keep them more responsible? Sweet...

      --
      If it's supposed to move and doesn't, use WD-40. If it moves and it shouldn't, use duct tape.
    4. Re:You can't blame them entirely by Allegro · · Score: 1

      I agree with most of everything you said in your post; however, I don't think that the general public is as computer phobic as you seem to believe. Most of the people that I interact with on a daily basis are very curious about computers, and people vary a great deal in how much they know about them. Not all things are black and white, my friend. This point gets thrown around a lot here on Slashdot.

      Also, people download all kinds of stuff from the net from unknown sources. I see it at work all the time. My coworkers are probably biggest on messaging programs (e-mail, AIM, ICQ, etc.). I've also seen my mom using some kind of Windows Update program to get updates for her computer.

      So, I don't think that the general public would actually have much of a problem with getting updates from Micro$oft. Especially if those updates promise new Whiz-Bang! features.

      Of course, this is just what we think. That is, unless you've seen some kind of studies done on these things that I haven't.

      --
      Don't let the lusers get you down.
    5. Re:You can't blame them entirely by cREW+oNE · · Score: 1
      Do you smoke?

      --

      --

      +++ATH0

  86. Re:Openness Good... by Richy_T · · Score: 3
    who's to say that hubris won't set in?

    That's very true actually. I mean, I'm pro *nix, anti Microsoft/Windows, but let's not forget that buffer overflows come from the use of the crappily designed stdlibc, which is only still a standard because of years of acceptance in the Unix community.

    I mean, sure it's the developer's fault for using these functions, but as a community we should have kicked scanf and friends out decades ago. Compilers should complain if you use them. Heck, they should refuse to use them unless you define #NOTTOBEUSEDONAPRODUCTIONSYSTEM or something.

    Rich

  87. G7 summit - Conspiracy Theories by Midnight+Ryder · · Score: 2

    Or you could look at the flip side of this - instead of it being an attack by activists, it could have also been an attack created by someone else. By timing it right, and adding the right message (and the right target), blame is easily passed to someone else completely.

    Or, you could go with the theory that our own law enforcement agencies have set this up as a way of deepening the distrust of the Internet within the rest of the government (US, for those non-US readers) so that harder CyberCrime laws are passed and larger budgets allocated.

    I love the conspiracy game - it's so easy to find multiple targets for something like this! ;-)

    --

    Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org

  88. Re:IIS can be restricted and protected by stand · · Score: 1
    It is Possible to run a secure NT Based Web/SQL server. The problem is that MS makes everything run as the system account on the machine by default. ...Most M$ admins are too lazy to [change the defaults].

    Well designed systems expect that the admins will be lazy/unreliable/clueless and provide appropriate defaults. Don't blame the admins, blame Microsoft.

    --
    Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
  89. if he/she wanted to bring down whitehouse.gov... by frknfrk · · Score: 1

    all he/she really had to do was post a story to slashdot with a link in it.

    --
    The REAL sam_at_caveman_dot_org is user ID 13833.
  90. Re:What's wrong with IIS? by aozilla · · Score: 2

    Wait...I'm growing a brain!!! Please disregard everything I said about IIS and Outlook. I think I will start using Apache...

    Don't run it on FreeBSD...

    An overflowable buffer was found in the version of telnetd included with FreeBSD. Due to incorrect bounds checking of data buffered for output to the remote client, an attacker can cause the telnetd process to overflow the buffer and crash, or execute arbitrary code as the user running telnetd, usually root. A valid user account and password is not required to exploit this vulnerability, only the ability to connect to a telnetd server.

    The telnetd service is enabled by default on all FreeBSD installations if the 'high' security setting is not selected at install-time. This vulnerability is known to be exploitable, and is being actively exploited in the wild.

    Patches are a part of running a server. Security holes are a part of life. It has nothing to do with this being Windows. The worm could just have easily been written for FreeBSD. If I didn't mind risking getting thrown in jail for the rest of my life, I'd consider proving that.

    --
    ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  91. innocent bystander? by MrPotatoeHead · · Score: 1

    so he was watching as all these servers were being infected.....

    and all he did was doodle some graphs? :)

    1. Re:innocent bystander? by A+Commentor · · Score: 1

      What is he supposed to do, shut down the corporation's entire network? Doubtful that he would have the ability or permission to take that type of action.

      It may have been after-the-fact... post-processing/knowledge of the Code-Red that caused him to analyze the data in this manner...

      --

      Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com

  92. I'm back from the future... by BadDoggie · · Score: 2
    CAIDA Released Slashdot-effect Post Mortem
    Posted by CmdrTaco on Monday, July 30, @14:01PM
    from the scalpel-video-camera dept.

    BadDoggie writes "David Moore at CAIDA (The Cooperative Association for Internet Data Analysis) was monitoring his /8 network again after this story appeared in Slashdot. His findings are somewhat interesting and show just how swiftly Slashdotters across the world can take down a server." It was shier stoopidity of the Editurs and the bad luk of CAIDA that noone mirord the siet and grafiks. note: Chek the the grafs, these pikshirs really dew tell a 1000 word.

  93. Re:IIS can be restricted and protected by Radium_ · · Score: 1

    > Try using Program Files in a command line path

    Try using "progra~1"

  94. Re:Slashdotted already... by Hazzl · · Score: 1

    Ughhhh! First this Worm and now they're hitting me with the slashdot effect!!!

  95. Goodbye NT by fm6 · · Score: 3
    How long will it take for the estimated 6 *million* vulnerable IIS servers to be patched?
    More to the point, how long will it take for people to switch to a web server platform that isn't fundamentally insecure? I'm not a "Free" software true-believer, or a compulsive Microsoft basher. But the objective fact is that NT has two of the biggest symptoms of an insecure system:
    • A bloated API. This implies complexity, which guarantees a continuing stream of new exploits.
    • No outside review of its design. You can't take a software vendor's word for it when they claim their product is secure. Whatever the economic shortcomings or moral strengths of open source, it does seem to be the only way of guaranteeing the absence of undiscovered exploits.
    As I've said before, the day will come when it will be illegal to operate an insecure system on the public internet. Perhaps sooner than later.

    Side note: what's with wasting all that bandwidth on Quicktime animations? The Flic files are a fraction of the size, and run on the same viewers.

    __

  96. Statement on computer science. by cant_get_a_good_nick · · Score: 1
    I'm a programmer. We like to call ourselves engineers but most of us are still a bit far away from that. This worm was caused by a stack smash exploit, a buffer in a local variable. Put too much stuff in it, and you scribble over the stack, and maybe you get a shell. In this case, it got permissions, and was programmed to spread itself.

    The problem is that these happen all too often. We're building complex systems, but our tools are not up to the task, at least at the security end. This was a stack smash, the multiple telnet vulnerability is a stack smash (there's some keyword expansion in the buffer, and that wasn't accounted for), the (in)famous Morris worm was a stack smash. There are exploits for environment variables of unchecked length, there are exploits for using a supplied string for a printf or sprintf ( printf(a) instead of printf("%s", a), which causes problems if a is evil-user supplied). Why are these still happening? These are all known problems, with easy solutions. C tends to be our language of choice, but is insecure. Where are the additional tools though that can secure it? A sort of SecureLint? These bugs and worms are causing economic damage. Isn't it worth a portion of this money to try to make tools to clamp these down?

    And that's just the base stuff; sacrificing security for perceived ease of use or speed to market is a topic for someone else's rant.

    (Obligatory karma whoring link)
    Flawfinder
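As an added illustration of the "SecureLint" the comment above asks for (example code written for this page, not Flawfinder or any other real tool), here is a toy checker that flags the exact patterns named there: printf-family calls whose format string is not a literal (printf(a) rather than printf("%s", a)), copies with no length bound, and scanf %s without a width. The C snippet it scans is constructed.

```python
"""Toy 'SecureLint': flag the C library misuses named in the thread.

Constructed example for this page. It pattern-matches calls in C source
text and reports (line, function, reason); it is not a real analyzer.
"""
import re
from dataclasses import dataclass

# Index of the format-string argument for each printf-family function.
FORMAT_ARG_INDEX = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
    "vprintf": 0, "syslog": 1,
}
# Calls that copy without any length bound at all.
UNBOUNDED_COPY = {"gets", "strcpy", "strcat"}
# scanf family: a bare %s has no width limit, so it is an unbounded write.
SCANF_FAMILY = {"scanf", "fscanf", "sscanf"}
UNBOUNDED_PCT_S = re.compile(r"%(?:\*)?(?!\d)[hlL]*s")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


@dataclass(frozen=True)
class Finding:
    line: int
    func: str
    reason: str


def split_args(text, start):
    """Split the argument list of a call whose '(' is at text[start].

    Tracks string literals and nested parentheses so a comma inside a
    string or a nested call does not count as an argument separator.
    Returns the list of stripped arguments, or None if unterminated.
    """
    depth, in_str, escape = 0, False, False
    args, cur = [], []
    for ch in text[start:]:
        if in_str:
            cur.append(ch)
            if escape:
                escape = False
            elif ch == "\\":
                escape = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                arg = "".join(cur).strip()
                if arg or args:
                    args.append(arg)
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return None


def lint_c_source(source):
    """Return a Finding for every risky call in the C source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]          # drop trailing // comments
        for m in CALL_RE.finditer(code):
            func = m.group(1)
            args = split_args(code, m.end() - 1)
            if args is None:
                continue
            if func in UNBOUNDED_COPY:
                findings.append(Finding(lineno, func, "no length bound"))
            elif func in FORMAT_ARG_INDEX:
                idx = FORMAT_ARG_INDEX[func]
                if idx < len(args) and not args[idx].startswith('"'):
                    findings.append(Finding(lineno, func, "format string not a literal"))
            elif func in SCANF_FAMILY:
                idx = 0 if func == "scanf" else 1
                if idx < len(args) and UNBOUNDED_PCT_S.search(args[idx]):
                    findings.append(Finding(lineno, func, "%s without width"))
    return findings


# Constructed sample: the good and bad forms the comment describes.
SAMPLE_C = r'''
void log_it(const char *a, char *buf, FILE *f) {
    printf(a);                 // user-controlled format string
    printf("%s", a);           // fine: literal format
    fprintf(f, "%d %s\n", 1, a);
    strcpy(buf, a);            // no bound
    strncpy(buf, a, 64);       // bounded, not flagged here
    scanf("%s", buf);          // unbounded read
    scanf("%63s", buf);        // width given
    syslog(LOG_INFO, a);
}
'''

if __name__ == "__main__":
    for f in lint_c_source(SAMPLE_C):
        print(f"line {f.line}: {f.func}: {f.reason}")
```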

  97. Re:lessons learned by Bender_ · · Score: 1

    Compare this to the FreeBSD telnetd exploit which was used to deface several websites lately (stileproject etc.).

    Can you imagine there is any sane admin with a frequented webserver who runs telnetd on it, instead of using SSH? Apparently there are a lot.

    Not only a badly administered IIS is prone to attacks. No OS helps over bad administration.

  98. Re:lessons learned by Bender_ · · Score: 1

    Here is the FreeBSD security advisory, just in case you ARE still running telnetd on your FreeBSD box.

  99. Available animation formats by Alien54 · · Score: 4
    The animation is available in three formats: flipbook/flic (207k), QuickTime (13.4 MB), or as an animated gif (4.1 MB) [...] Note: The recommended way to view the flipbook format is to use xanim on a Unix platform, or QuickTime Player 5 on Macintosh and Windows boxes. Use the "open URL" feature of a QuickTime player and paste in the URL.

    How much do you want to bet that a lot of folks are going to grab the 13 meg QuickTime file?

    The .fli file works just fine.

    Check out the Vinny the Vampire comic strip

    --
    "It is a greater offense to steal men's labor, than their clothes"
  100. Re:IIS can be restricted and protected by haplo21112 · · Score: 1

    Unfortunately at some companies it's a requirement.

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
  101. Re:IIS can be restricted and protected by haplo21112 · · Score: 1

    Yeah, I totally agree, I go through it a lot on many of the projects I work on. We recently had a rollout of W2K and O2K. These systems want a user's files in My Documents. Unfortunately there is a legacy directory from before M$ created this as the default for the world that all the users are used to using. After 3 months of Reg hacking, MSI customizing, and testing, we finally got that under control.

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
  102. Re:IIS can be restricted and protected by haplo21112 · · Score: 1

    I blame both. It's stupid of M$ to design a bad system, but sometimes you're stuck with what the company you work for will let you use, and then you HAVE to work around the Vendor's (M$) stupidity.

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
  103. IIS can be restricted and protected by haplo21112 · · Score: 3

    It is Possible to run a secure NT Based Web/SQL server. The problem is that MS makes everything run as the system account on the machine by default. Most people don't change the defaults. Things get further complicated if you do change the account that these services run as, due to the fact that nowhere do they tell you all the things that these services need access to, or talk to. Then things get even worse as they make assumptions in upgrades, patches, and addons that you are running as system. (This is a major problem when it comes to FrontPage at times.) The fact still remains though that you can in fact change the service account that these services run as to a different account and then restrict the access these accounts have to other parts of the system. For instance, only the IIS service account has access to the SQL server that backends it. Then you make the service account for IIS only a local account on the Web box, with no global domain access. Then you take the actual logon rights away from that account, then restrict it from access to anything outside of wwwroot of the IIS box. Then give ownership of all the files that make the web site to a different account and give the IIS account read only access. The same can be done with the SQL account: only a local account, no access to anything on the box. It can be done, it just takes work, and most M$ admins are too lazy to do it.

    --
    Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
    1. Re:IIS can be restricted and protected by ichimunki · · Score: 1
      --
      I do not have a signature
    2. Re:IIS can be restricted and protected by ichimunki · · Score: 1

      Sorry. I forgot FHS, which is the filesystem hierarchy standard itself, which can be found in the related information section at FSB.

      --
      I do not have a signature
    3. Re:IIS can be restricted and protected by loopkin · · Score: 1

      Web admins ARE lazy anyway. And often lack minimum knowledge. Like the ones trying to install a webmail, and asking "what is the use of those 'Alias' lines in the Apache configuration file?".... yes yes, it happens... so I would say: blame both...

  104. Re:Unpatched version of server software by gscott · · Score: 1

    I don't run any servers but I run W2K at home and Win98 at work on my PCs. At work I don't have a choice and really at home I have to use Windows to keep everything compatible. Anyway, my point is that I gave up trying to keep up with the patches for Windows, Office, and every other software package I am running. I'm trying to learn to use OpenBSD so that for ANYTHING where I need to get internet access, I can run it on the OpenBSD box. There are so many damn patches and repatches for software that it can be impossible to keep up. I don't think you can point the blame at the manufacturer, because there will always be new hacks, nor can you blame the operator, because he/she MIGHT need to get some work done outside of patching the damn software. That's why as far as I can tell, the only safe route is to pick the most secure OS you can and go with that for anything where you will allow outside connectivity. At least this way you lessen the risk. You will never be truly safe, but you will spend a lot less time patching and be less likely to be the object of anger when something like Code Red hits.
    PS - I'm not trying to say that OpenBSD is the most secure. I have very little experience with any OS besides Windows and I'm picking that one to try based on observations and comments. I'm sure there are Linux distributions that are just as safe once they are locked down. But it sure seems like OpenBSD warnings come across Bugtraq a lot less than most.

    --
    Scott Plumlee
  105. Sheer stupidity? by shawnkirst · · Score: 1

    I don't really think it was stupidity. Maybe the author hard coded the IP address so it could be stopped easier. Maybe it was just to show the world how easily crappy software can be compromised. A worm that attacks whitehouse.gov is bound to get lots of attention. Maybe all of it was intentional.

  106. Speaking of worms... by Chundra · · Score: 1

    In a distributed OS class I took a few years ago, we split up into teams and built worms that would compete with each other. Break into a machine, suck up resources, kill the other worms, spread, repeat. Ahhh, what a great class.

  107. Re: The worm's author should have read... by tigris · · Score: 1
  108. Wargames. by leuk_he · · Score: 1
    I downloaded the movie (13 MB). It reminds me of the movie "WARGAMES". Some single dots turn up, then in the end the entire world suddenly turns red.

    For the person who made it, it is just a game, but for some other people it was reality. Lots of people had to go patching up. Let's see.....360.000 servers * 10 minutes each ~ 4 man-years of work.

  109. Re:lessons learned by ichimunki · · Score: 2

    For the same reason we don't all live in houses built like bank vaults. Sometimes the tradeoff between high security and ease of use comes up a little short on the security side (this is both a product choice tradeoff and a use of sysop time tradeoff). And because the alternatives to Microsoft products are just as vulnerable to attacks. The real problem here is that we don't have enough variety in host operating systems and server software. A wide variety of systems will limit the scope of any single exploit.

    --
    I do not have a signature
  110. Mirror by ronny_magic · · Score: 2

    I've put up a mirror here.

  111. Microsoft Bundles Worm with IIS by cbowland · · Score: 3
    BBspot has a great satire of a new bundled feature for IIS from Microsoft.

    Take a look at Microsoft Bundles Worm with IIS!

    --

    Give a man a fish and he will eat for a day.
    Teach him to eat and he will fish forever.

  112. Openness Good... by TOTKChief · · Score: 2

    At the risk of sounding like a /. drone, I'm happy to see this sort of analysis done. There are surely some who'd argue that the conclusions drawn [i.e., the next attack could be designed better and be much more effective] might spur someone on to building a nastier worm. Sure. Probably will happen. But if everyone will learn what causes this problem--duh, not updating the security fixes--then the problems will become minimized.

    Of course, it also provides every reason for non-IIS/MSFT users and sysadmins to chuckle, but who's to say that hubris won't set in?

  113. Defacement? by The+Troll+Catcher · · Score: 1

    I'd say that almost any defacement of stileproject.com would be an IMPROVEMENT.

  114. didn't spend 6 years in evil medsch to be called mr by gagganator · · Score: 2

    then wipe out the HD (no random chance BS)

    random chance bs?! You obviously haven't been to the Dr. Evil school of evilness. Sure you could just shoot Austin in the head, but how much fun would that be?

    --
    the animal doesn't even have opposable thumbs, Focker!
  115. Re:Still Out There by AlXtreme · · Score: 2
    You got the two worms/trojans of the week mixed up:

    Code Red: The IIS-worm that would have attacked whitehouse.org, but blew over for most of us

    SirCam: The email-driven trojan infecting millions of Windoze PCs and sending misc. files to the whole OE address book or every email address in memory, presumably set to wipe out the harddrive somewhere in October.

    Code Red wasn't nearly as tough as SirCam, as there are more people on this world who open attachments without checking the filename than people able to set up IIS.

    Actually, both groups should be dragged out on the street and shot...

    --
    This sig is intentionally left blank
  116. The code Slashdot virus by gwizah · · Score: 1

    Should read:
    It was the sheer stupidity of the Slashdot readers and the skill of some network admins which aggravated the Slashdot effect and its DoS potential.
    Thank you.

    --

    There is no spork.
  117. Re:Unpatched version of server software by pythorlh · · Score: 1

    Or make the vendor responsible for damages caused by a software bug. Then, patches won't cause crashes, and people will be more willing to patch their software with the latest patches.

    --
    Do not confuse duty with what other people expect of you; they are utterly different. Duty is a debt you owe to yourself.
  118. My analysis by Kryptolus · · Score: 1

    http://www.kryptolus.com laugh!

    --

    --
    Violators will be prosecuted and prosecutors will be violated.
  119. Re:Priorities by alanwj · · Score: 4
    Personally, I had 1 of 3 IIS servers at my job vulnerable and it was 'ploited. Of course, when the Code Red worm infected that server, the server took out one of my 2500 series Cisco routers. That was fun since it was still too early in the day to know that it was indeed the worm causing the problems. I am the only IT person here, supporting 75 users, 17 servers, 100+ workstations. I do support, net admin, and IT department management. I am currently upgrading the corporate website, doing a software audit, a hardware audit, reconfiguring our routers, I have 30+ helpdesk issues in my queue and I am late on 4 projects. I also advise our development team on network related aspects and I am trying to put up a new FTP server, backup server and mail server. I have enough on my plate without having to jump at every damn MS Security Bulletin. There are just so damn many of them! I am overworked as it is yet my CEO still asks "What exactly does he do again?".
    And you find time to read Slashdot? Well, at least you have your priorities straight.
  120. Ditto for SirCam at some ISP's by Dragoness+Eclectic · · Score: 2

    I throttled fetchmail to not download e-mails over 200K, leaving all those damn viruses up on the server, and using webmail access to check and see if they are valid e-mails or viruses. If they are viruses, I've been sending people a form letter informing them they are infected with the SirCam virus and giving the URL of an anti-virus vendor page on how to remove it.

    I made the mistake of quoting the text portion of the virus just to show what had bit them. When replying to an @home user, I got an e-mail bounce giving an error 554: You have been infected by the SirCam virus. (I doubt it, I'm running Linux)

    Apparently, some ISPs are scanning for SirCam on incoming mail, or at least for its text strings, and bouncing viral e-mails. Not bad; that at least informs the victim who is clueful enough to read the mailer-daemon error message. Not great; they apparently aren't scanning outgoing e-mails from their own users.

    --
    ---dragoness
  121. DoS Attacks by ratguy · · Score: 1
    I wonder... how do we limit the DoS potential of the Slashdot virus?

    Ratguy

  122. Unpatched version of server software by perdida · · Score: 3

    Around 10:00 UTC in the morning of July 19th, 2001 a random seed variant of the Code-Red worm (CRv2) began to infect hosts running unpatched versions of Microsoft's IIS webserver.

    If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

    Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

    1. Re:Unpatched version of server software by Cutriss · · Score: 1

      Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

      Yeah...so that Microsoft can use this "law" to introduce "features" into my operating system without my consent? Nah...They've already done a fine enough job of making the government think that Linux is bad. I think I'll just let them lobby about while I enjoy the little paradise Linux has made out of my tiny CPU...

      --
      "Mod, mod, mod...and another troll bites the dust."
    2. Re:Unpatched version of server software by JohnSmith1138 · · Score: 1

      Agreed. We are a small company with 3 live web servers and 1 test server. Service pack 1 killed our app and took us about 2 days to figure out what it had done to make our app not work. Everything goes on the test server first and the live servers later even if it means waiting a day or two.

  123. Re:What's going to happen with ROM-based eppliance by baptiste · · Score: 2
    While your concern about e-appliances is valid - I'm sure most of them will use FLASH memory so they can be patched - trouble is, the homeowner isn't going to do it so the service provider will need to do it remotely - which in itself opens up insecurities to be exploited.

    But I sincerely doubt the majority of people will hook up appliances to the Internet - there is no need and it costs too much (even with the advent of super tiny and inexpensive web servers - it's still a sizable cost when you consider access - running wire to it or wireless).

  124. OSS can help limit the damage of IIS infections... by baptiste · · Score: 2
    Seriously. What we need is to start an OSS project (or I'm sure one already exists) that is a toolset for Apache servers that can help fight IIS worms. :) How ironic.

    The post above about security focus sending emails to infected machines - we could develop a toolset/module that could assist in alerting admins who got hit. Obviously it would need a central DB to track who got nailed so the poor guy's email server didn't crash when thousands of Apache servers sent emails to webmaster@yourdomain.com after they got probed. But seriously, the idea of a network of webservers running specialized tools being able to either alert webmasters once or twice when a probe from them arrives or even (shaky legal ground of course) having the ability to send out an anti-worm to patch the server automagically and be done with it. Imagine the headlines the day after 'Linux web servers fix compromised IIS servers after DeathWorm IV spreads like wildfire'

    We could call the project 'IISafe' or something.

    Hey - it could happen :)

  125. Friends don't let friends install WinNT? by MagikSlinger · · Score: 2
    Everyone knows that you shouldn't let anybody run a WinNT server at all

    So I guess this could be the new Red Hat marketing slogan: "Friends don't let friends install Windows NT."

    --
    The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
  126. Eerie parallel with biological epidemics by MagikSlinger · · Score: 5

    If ever there was a more graphic proof why monopolies are bad...

    What I find interesting is the parallels with biodiversity. One of the arguments for biodiversity, especially in agriculture, is that a wide variety of species will slow the growth of any disease or epidemic. If everyone planted the exact same species and variety of wheat, a single organism could wipe out the global harvest; but if everyone used whatever species or variety they felt like, an opportunistic organism's growth would be blunted. The organism can't adapt to and infect a hundred varieties of a crop, so it will try to infect unideal hosts and fail.

    This same argument can be said for software. If everyone uses the exact same software from the same company, then an opportunistic hacker or virus could rapidly take over everything; but if there were more companies and products out there, then the virus/worm would either have to learn how to hack a dozen or more different systems, or it is limited to growth among one particular system. So if MS gets its way, we'll get computer equivalents to AIDS and Ebola creating pandemics of worms and viruses. But if there were more competitors, then no single worm or virus could ever pose much of a threat.

    --
    The bitter lessons of a veteran coder: http://bitterprogrammer.blogspot.com
    1. Re:Eerie parallel with biological epidemics by p_trinli · · Score: 1

      My university's campus blocks are filled with Dutch elm trees--there's no diversity at all. Sure enough, a fungal disease specific to that type of tree has spread throughout.

      --
      Aaron J. Shaver
      http://aaronshaver.com/

  127. Re:lessons learned by morcego · · Score: 1

    Then again, why would I use Microsoft if I don't trust its so called "security" ?

    ---

    --
    morcego
  128. Right on Hemos! by egommer · · Score: 2

    Right on Hemos!
    It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

    Let's reverse engineer this sucker and get this thing working better next time!
    Okay NSA, you should hire better Worm Coders next time if you want to frame the Chinese.

    --
    Two Towers-Two Worlds.One seeks triumphs and freedom for man.The other deems man unworthy and wrecks them.
  129. Graphic of infection by pgpckt · · Score: 1

    That graphic is very cool. Seeing how a computer worm can spread is a wake up call. I am convinced that people won't patch with regularity until a worm comes along that *really* screws things up and billions of dollars are lost in cost of data. That will be a sad day.

    As long as I am on the graphic, did it remind anyone else of the scene in Wargames where the computer is plotting out all the nuke scenarios? It gave me a cool flashback :)

    --
    Lawrence Lessig is my personal hero.
  130. Hacker Ethic? by Haxx · · Score: 1


    It was the sheer stupidity of the worm's creator

    Or was it Hacker Ethic?

    Maybe the guy was just trying to further expose IIS's vulnerability and net admins' lack of security measures without causing any real damage.

    The difference between theory and practice is that, in theory, there is no difference between theory and practice.

  131. Same Here by Haxx · · Score: 1


    We were hit 11 times on the 19th
    once on the 20th

    Here is the last one

    7-20-01 - 12:37:08 63.118.238.92 - GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a xxx-xxx

    -Here It Comes Again

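    Detection logic of the kind an admin would run over IIS logs to pick out probes like the one quoted in the comment above, as an added example that is not part of the original post. The log layout (date - time client_ip - method uri query) is assumed from that single quoted line, the thresholds are assumptions, and every sample line except the reconstructed probe is constructed.

```python
import re
from collections import Counter

# Assumed log layout, taken from the one line quoted in the comment above:
#   date - time client_ip - method uri [query]
LOG_RE = re.compile(
    r"^(?P<date>\S+) - (?P<time>\S+) (?P<ip>\S+) - "
    r"(?P<method>\S+) (?P<uri>\S+)(?: (?P<rest>.*))?$"
)

# A Code Red probe requests /default.ida with a long filler run of 'N'
# (the overflow padding) followed by %u-encoded payload words. The run
# length (100) and the minimum count of %u words (3) are assumed thresholds.
FILLER_RE = re.compile(r"N{100,}")
UNICODE_ENC_RE = re.compile(r"(%u[0-9a-fA-F]{4}){3,}")


def is_code_red_probe(uri, rest):
    """True when the request looks like a Code Red /default.ida probe."""
    if uri.lower() != "/default.ida":
        return False
    rest = rest or ""
    return bool(FILLER_RE.search(rest)) and bool(UNICODE_ENC_RE.search(rest))


def parse_line(line):
    """Split one log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_code_red_probes(log_text):
    """Return (probe count per source IP, number of unparsable lines)."""
    hits, unparsed = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif is_code_red_probe(rec["uri"], rec["rest"]):
            hits[rec["ip"]] += 1
    return hits, unparsed


# Constructed sample log: the quoted probe (224 N's plus its %u words), then
# constructed benign traffic, a short-filler near miss, and one junk line.
PROBE_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801" * 3 + "%u9090%u9090%u8190%u00c3"
SAMPLE_LOG = "\n".join([
    "7-20-01 - 12:37:08 63.118.238.92 - GET /default.ida " + PROBE_QUERY,
    "7-20-01 - 12:38:10 192.0.2.10 - GET /index.html",
    "7-20-01 - 12:39:00 63.118.238.92 - GET /default.ida " + PROBE_QUERY,
    "7-20-01 - 12:40:00 198.51.100.7 - GET /default.ida " + "N" * 30,
    "not a log line at all",
])
```

Running find_code_red_probes(SAMPLE_LOG) attributes both probes to 63.118.238.92, ignores the short-filler request, and reports the junk line as unparsable.
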
  132. Don't be a jackass by Win-Developer · · Score: 1

    The moral of the story is not to hire dumbass admins who don't do their job.

    A patch for this was released *1 month* before this virus hit the streets! Frankly any admin who bothers to actually check for patches/updates is going to find them. Hell, after a 2 minute search I found the patch.

    Frankly, if someone wants to use IIS that's fine, I'd rather use Apache than IIS. But this virus got around because of Admin incompetence.

  133. CAIDA Translation by rgarcia · · Score: 1
    Just a quick observation:
    Anyone notice that "CAIDA" means "fall" (verb), in Spanish?
    It is the Spanish equivalent of saying "the server is down" (the server fell).

    Just a little inside joke for my Spanish speaking buddies ;o)

    --

    I couldn't fail to disagree with you less.

  134. G7 summit by Marcus+Brody · · Score: 1
    Has nobody else noticed that the Code Red worm was timed to attack whitehouse.org at the same time as the G7 summit started in Genoa?

    There have been rumours about some activists (anti-capitalist, pro-environment, anti-globalisation, whatever, etc) gaining technical knowledge to launch DDoS attacks against their targets. Perhaps this was the beginning?

    George Bush is particularly unpopular with these groups, particularly due to the "Son of Star Wars" project and his attitude to the Kyoto agreement. The target of this worm, the timing of the attack and the "red" agenda all suggest to me that this is a political attack. When will the next one strike?

  135. What about licensing? by s20451 · · Score: 2

    What about licensing? Here I mean "license" in the governmental-regulation sense (like a driver's license), not in the GPL sense.

    People own cars; cars are valuable tools. Yet it is in the public interest to ensure that cars are in good repair. Licensing a vehicle implies a small penalty in terms of privacy, but one that most people acknowledge is necessary.

    As the damaging potential of computers increases, I can foresee a future in which computers have a "license plate", and the owner is required to maintain basic security provisions, or face the equivalent of a traffic ticket - or even a more serious criminal offense if the negligence was deliberate.

    --
    Toronto-area transit rider? Rate your ride.
  136. The world is safe again ... by s20451 · · Score: 5

    It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

    Once again, evil is thwarted because, just as on television, the villains are incompetent while the virtuous are strong and intelligent.

    I wonder if the virus author also committed any of the following classic villain errors:

    1. Brought the heroes to his/her secret mountain lair to kill them personally rather than letting a henchman do it at great distance
    2. Explained his/her dastardly plan in detail to the heroes before killing them
    3. Arranged for a dramatic but overly-complicated and easily escapable death for the heroes
    4. Once the heroes escape, get a squad of elite ninjas to track them down, but have the ninjas attack one at a time so as to ensure defeat in spite of superior numbers

    So, the world is safe again ... but ... for how long?

    --
    Toronto-area transit rider? Rate your ride.
  137. How about a Free Dimitri worm by masoncooper · · Score: 1

    We program a worm that when infected, decrypts all e-books and places the unlocked PDF file on their hard drive, then quietly spreads via Outlook. I mean, if you actually PAY for an e-book you are probably an Outlook user too, right?

  138. Re:lessons learned by archen · · Score: 1

    I think the moral of the story is not to trust Microsoft's so called "security".

  139. Still Out There by Sanford · · Score: 1

    I am wondering if the darn thing ain't still crawling around. I got to the office today and found a couple more in the mail box, not to mention these were from folks with whom I have never been in communication. (si habla espanole?) - so I wonder about the address book feature I seem to remember from last week? Anyhow, the messages were the same, two attachments.

    1. Re:Still Out There by Sanford · · Score: 1

      00000pppss, my bad :| Thank you both. And yes, takem to the street, we should throw a parade too!

  140. Re: Leniency by jrp2 · · Score: 1

    The worm attacked whitehouse.gov, and although I truly dislike Bush and his administration, I can see how this could be construed as an attack against the United States itself.

    Perhaps he/she should have attacked microsoft.com. It would have been far more appropriate. Heck, we would have probably put up a statue of him/her in /. Plaza, school children would have sung songs about him/her, perhaps even a holiday and parades. ;)

    --
    The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
  141. What's wrong with IIS? by Gzusfreak · · Score: 2

    I don't see what is wrong with IIS. I also don't understand all these security patches they keep putting on their web site. I just don't bother with them though, I mean all that time to download and install. I would much rather have M$ email the patch to me so I can easily open it through Outlook, I mean I open all of my attachments through Outlook anyway even if I don't know the person... ...Wait...I'm growing a brain!!! Please disregard everything I said about IIS and Outlook. I think I will start using Apache...

  142. Slashdotted already... by A+Commentor · · Score: 1

    Apparently has enough bandwidth/processing to handle an entire /8 class... but can not seem to handle the slashdot effect...

    --

    Looking for any old 8-bit Heathkit/Zenith software/hardware - http://heathkit.garlanger.com

  143. Unix = Server by cyphon · · Score: 2

    Everyone knows that you shouldn't let anybody run a WinNT server at all. There is really no practical reason. The IIS server is run as root to the Windoze machine, so any file access that would have been restricted in unix by running Apache as Nobody is now gone and I can have, perhaps, write access to your boot.ini by just hacking in a .bat file through a ftp bug, then connecting to the address with the .bat file so it executes server side. And it takes even more power. So if anybody can think of a good reason for using IIS, WinNT, MS SQL, or anything like that, by all means say it so I can laugh in your face.

    A jpeg is worth 1024 DWORDS.

  144. lessons learned by emoeric · · Score: 1

    so the moral of the story is to not use MS IIS, right? That's what we all learned from the previous article on security and how to avoid the script kiddies taking over everything.

    --

    |---------------|
    practically an AC
  145. I gotta know... by dermotfitz · · Score: 2

    I think this worm was relatively sophisticated. Was there a similar exploit of IIS put to such use in recent history? I think most people just rebooted and it went away (of course they are open to exploitation again now). And they will get infected by this worm or a variant. Also, how many servers didn't even get hit this time around? They could be waiting to be exploited. Has anyone seen worms hitting their (patched) servers since the weekend? If so, has the code changed? Sorry, I have a lot of questions.

    --

    How perfectly goddamn delightful it all is, to be sure. - Charles Crumb