Code Red! All Hands to Battle Stations!
We had thought we were done with Code Red last week, but CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD [?] isn't stopped in its tracks. Even Scientific American has a story about it. Cringely tells us that the true threat is servers with mis-set clocks.
I think it may have been irony?
The fellows at eeye, who are the ones who found the IIS hole, and then found and analyzed the worm called it Code Red, because they drank copious quantities of Code Red Mountain Dew while they worked on it. Check the archives at SecurityFocus.
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
Umm. ColdFusion server runs on linux. Sure, you can't use studio, but the lack of a text editor's not necessarily a reason to abandon the platform. The docs are all HTML, install in windows, copy the docs over.
ENDUT! HOCH HECH!
I thought there already was a Microsoft tax on stupid admins?
Your right to not believe: Americans United for Separation of Church and
What I propose is a GPL'd shell/python/perl script that "grep"s the apache/thttpd/whatever access log for "default.ida" requests, and logs the requesting site name/ip to a file. Sort | uniq this file for good measure, then send a friendly message to the webmaster at this site, stating at least the following points:
Running this a few times a day, and keeping track of the sites that we've mailed already to avoid duplicates, should give semi-awake (i.e. reading mail, but not patching their system regularly) IIS admins some friendly help.
What do you think?
Apparently this guy saw it coming.
--
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
I hate to criticize .NET since I am by no means the expert on the subject. Think about if .NET actually succeeds. Every PC, PDA, cell phone, and dog collar will be running a Microsoft OS and accessing its data over .NET. What happens when the .NET version of Code Red comes out? What then? All my data is wrapped up in .NET. Everything I do is on a server somewhere but the wireless .NET is too bottlenecked for me to get to it. It's a sign of things to come. Companies put many $$ into Microsoft software and constantly have to upgrade to keep a virus from systematically destroying their entire network. When are people going to get the hint that despite all their propaganda, Microsoft is not good for anyone.
There is no reasonable defense against an idiot with an agenda
:wq
I saw the "special report" on CNN this morning. Pretty standard stuff for a non-technical news show but what was funny (or disturbing, depending on your take) was when the "technology expert" said that "a simple re-boot" would solve the problem in the near-term. He went on to say that regular reboots (on your servers) are a "good idea," as it's like "cleansing your system." The host agreed and said she solves all her computer problems with a reboot :).
They took a while to explain that only Windows NT/2000 are at risk while Windows 98/Me are not. No mention of any other alternatives besides Windows of course (I guess that's too much to ask :). Of course what I can't believe is that they're still talking about this! Are there that many admins that still haven't patched this?
- j
Other than that, quite an interesting article ;).
-- Is "Sig" copyrighted by www.sig.com?
A class action against Microsoft would be appropriate, in that it is a defect in a Microsoft product that made it possible. The class action should be led by non-Microsoft users impacted by the problem, so EULA issues are irrelevant.
Where's the plaintiff's bar when you need them?
Don't forget, Steve Gibson is the guy who managed to make a 13 year old kid in a chat room, writing code that opens a socket, sends a few IRC commands (the hardest being the Ping/Pong set) and accepts a few commands sound like some sort of Big Black Voodoo Priest, sitting upon a throne carved from human bone, piecing together zombies from heaps of human corpses and sending them out to do his evil work.
Vintage computer games and RPG books available. Email me if you're interested.
Think about 25 percent of the servers on the internet constantly sending out a stream of crap against random websites, not to mention clogging up the wires as they search in vain for more servers to infect. In other words, imagine if 25 percent of the servers on the internet were suddenly acting like SlashDot... Don't forget also that the attack affects various web-enabled machines, such as certain Cisco routers, HP LaserJets, and the like.
If you go here: http://www.microsoft.com/technet/security/search/bulletins.xml you'll find a lovely XML doc which lists hotfixes going back, I believe, to 1998, what they apply to, what they're superseded by, and so on.
If you look for 'hfcheck' on the ms sites you'll find a lovely little WSH script that grabs this bulletin, and uses WMI to check servers and tell you what needs to be installed. It defaults to only checking for IIS patches, but that is easily fixable.
There are a few points of interest here:
"We all say so, so it must be true!"
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
then at least I would know that it didn't apply to any of my servers. Instead, I have to read through a few paragraphs of crap before it gets to the "IIS security flaw" line.
Analogous to real virii and worms, those that destroy their host too quickly don't spread.
Those that don't spread die off.
Making a system unbootable doesn't destroy the data on the hard drive. But if the data on the hard drive is destroyed, the admin will reboot.
The computer is now offline and the worm gets no more opportunities to spread.
A common way to overcome this is to set a logic bomb: have the worm set a cutoff date after which it becomes destructive. The problem with this approach is that it allows people time to patch their systems.
A good compromise would be to make the system unbootable immediately, with a boot loader that wipes the hard drive. Then set a logic bomb with a cutoff date after which data gets deleted.
It's tricky though. A good twist may be to rearrange some dll's in the filesystem, to cause patches to fail. Also setting up a backdoor vector for reinfestation. Then at least 3 subtly different versions would have to be released simultaneously.
It's a lot harder than it sounds. And not worth it really.
... and a card with our Condolences to mark the death of his "child".
The problem was that there were just enough Cisco routers running down-rev software that crashed when you send "GET ?" to port 80. Fix those, and the Internet will be fine. The traffic is a non-issue.
Netcraft's numbers do not apply to this situation -- they tally *public* webservers *by domain*, which means it ignores virtual hosts and load balanced configurations. Since the worm attacks on the IP address level, I think you'd find there's significantly more IIS _servers_ out there than the 20% of IIS _domains_ number indicates.
Second, Microsoft has a large market of intranet servers and client machines running IIS for some reason or another. That's a significant amount of mayhem that doesn't show up in Netcraft's reports at all.
When I hear the word 'innovation', I reach for my pistol.
As the previous writer clearly stated, and you clearly missed, this is just not the case with IIS. Since IIS has LESS marketshare than Apache one would expect Apache to have this kind of problem and not IIS, but it doesn't (All of which the previous poster stated).
Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for
You mispelt "Part of the reason Windows virii are so widespread...."
Which you would have partially correct, but mostly wrong. W2K is MORE stable than previous Windows, yes, but nowhere near as stable as the traditional Unixes. Windows API could NEVER be described as stable since upgrading Windows almost always breaks something important (my CD burner, for example, which works in OS X, but not WinME). This is the reason many people are still on NT4 SP3/4. If they move up to SP6 or W2k, something important breaks. This is a big reason why Windows is taken down so much. The other part you addressed with the "easy to write for" comment. VB is easy to learn (compared to Unix scripting) and can be learned on a desktop machine before one begins coding for IIS. You can use VB for all sorts of things, including scripting the breaking into of systems, so that some 9 yr old on AOL can break into Windows machines all day long...
Burn Hollywood Burn
Media here told the public Code Red would infect all computers. They simply ignore the fact that Code Red infects only IIS 5 server.
A local lead moron - the president of Hong Kong Computer Society, a branch of British CS, told the public that in order to protect yourself from virus, we all should update the latest virus signature and not switch on computers. I'm sure all their members would feel ashamed of their president's cluelessness.
Scott Adams is right, idiots, morons and clueless people are defining the reality.
Turn a non-tech hobby into your career.
--
[baptiste@surfboard httpd]$ tail -f access_log | grep .ida
136.176.193.29 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
136.176.193.29 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
Should be an interesting evening. Interesting that I got hit twice from the same IP a few minutes apart
Top Most Bizarre/Disturbing Error Messages
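The grep-the-access-log idea proposed earlier in the thread (find `.ida` requests, `sort | uniq` the requesting addresses, mail the webmaster once per site) and the `tail -f access_log | grep .ida` output above are the same detection step. Below is an added example, not code from any poster in the thread, that does that step over Common Log Format records: it parses each line, keeps only requests whose path ends in `.ida`, counts probes per client address, drops addresses already contacted, and drafts the notice. The sample log lines, addresses (RFC 5737 documentation ranges) and the wording of the notice are constructed for this example; the bulletin number MS01-033 is the one quoted later in the thread.

```python
import re
from collections import Counter

# Constructed sample access-log lines in Common Log Format, modelled on the
# "/x.ida?AAAA...=X" probes quoted in the thread. Addresses are RFC 5737
# documentation ranges, not real hosts. The last line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280
192.0.2.10 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280
198.51.100.7 - - [31/Jul/2001:17:20:03 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090=a HTTP/1.0" 404 280
203.0.113.5 - - [31/Jul/2001:17:21:15 -0400] "GET /index.html HTTP/1.1" 200 1532
203.0.113.5 - - [31/Jul/2001:17:21:16 -0400] "GET /images/logo.gif HTTP/1.1" 200 4096
this line is not a valid log record
"""

# One Common Log Format record: client, ident, user, [timestamp], "request", status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def is_ida_probe(target):
    """True when the request path (query string ignored) ends in .ida,
    the ISAPI extension the worm's overflow request is aimed at."""
    path = target.split('?', 1)[0]
    return path.lower().endswith('.ida')


def probing_hosts(log_text):
    """The grep | sort | uniq step: map each client address to the number of
    .ida requests it sent. Unparseable lines are skipped rather than crashed on."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m and is_ida_probe(m.group('target')):
            counts[m.group('ip')] += 1
    return counts


def hosts_to_notify(counts, already_notified):
    """Addresses seen probing that have not been mailed yet, in stable order."""
    return sorted(ip for ip in counts if ip not in already_notified)


def draft_notice(ip, count):
    """Plain-text note for the remote site's webmaster. Wording is constructed
    for this example; MS01-033 is the bulletin number quoted in the thread."""
    return (
        f"Our web server logged {count} request(s) for a .ida URL from {ip}.\n"
        "That request pattern is how the Code Red worm probes for the unpatched\n"
        "IIS indexing-service (.ida) vulnerability, so a machine at that address\n"
        "is most likely infected. Rebooting clears the running worm; installing\n"
        "the patch from Microsoft security bulletin MS01-033 prevents re-infection.\n"
    )


def run_once(log_text, already_notified):
    """One pass of the proposed periodic job: returns (notices, updated notified set).
    The caller persists the returned set between runs to avoid duplicate mail."""
    counts = probing_hosts(log_text)
    new_hosts = hosts_to_notify(counts, already_notified)
    notices = {ip: draft_notice(ip, counts[ip]) for ip in new_hosts}
    return notices, set(already_notified) | set(new_hosts)


if __name__ == '__main__':
    notices, seen = run_once(SAMPLE_LOG, already_notified=set())
    for ip, text in notices.items():
        print(f"--- would mail webmaster at {ip} ---\n{text}")
    # A second pass over the same log, with the saved set, produces nothing new.
    again, _ = run_once(SAMPLE_LOG, seen)
    print("new hosts on second pass:", len(again))
```

Matching on the path suffix rather than on the run of `A`s or `N`s in the query catches both the probe shape shown above and the `default.ida` form the earlier post names, while ignoring ordinary requests; the 404 status is not used as a signal, since a vulnerable IIS host answers the same request with 200.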
Turns out that this signature is probably from the eEye CodeRed scanner to identify vulnerable hosts. Interesting that they seemed to show up after 5PM from various places.
If the Internet Ceases, then society will regress to the point when you can only create pr0n from whatever scraps you can find in the dilapidated ruins of New York City.
Mod Karma -1: I sed bad wurds. If I cep my mouf shut, I wud be at riyses.
Along the same lines, am I the only person who has a problem with Cringely? After watching his PBS show about building an airplane in thirty days, I was convinced the guy has more money than brains, and that his infamy is due more to who he knows than what he knows.
www.lucernesys.com Horizon: Calendar-based personal finance
IIS: It Isn't Secure.
But no, really I can tell you why IIS is still a choice as a web server, and also I'll tell you why it is so insecure.
(WARNING: As Always, IMHO).
IIS is still a choice because:
a) You can teach virtually anyone to perform simple administration on an IIS server.
b) You don't need to use a command prompt (no, it doesn't really scare people, they just tend to believe it's such a fuss to make things work.)
c) It comes with Windows 2000/NT (if you had a choice to 'Run Your Very Own Web Server(R)' while running MS Office and games, without having to boot to another OS, what would you think would be better?). The fact that It's There(r) is also extremely important; otherwise, people who had to use a Windows server would use Apache for Win32 instead.
d) It's a breeze to install and enable (incorrectly of course; there is plenty of configuring and patching you can do on IIS to make it safe/er, but no-one seems to bother: 'Who would try to hack ME?')
e) It means that it'll be easier for you to migrate to .NET later. That one's a very good reason. If the world DOES jump on the .NET bandwagon would you like to stay behind (don't think '.NET port to Linux')? Could be very bad for business. On the other hand, if .NET doesn't work out, you can always jump to Apache.
Now, why IIS is insecure:
a) Do you remember how long it took Microsoft to realise the Internet was going to be the next big thing? That hurt them. Sure, they did release a web server (their lamest ever -- IIS 2.0), but it was behind its time. IIS 4.0 was their first proper attempt, and while it worked, Microsoft had a lot to learn about security. They had to release patches constantly to help the poor early-adopters (nobody knew it was going to be so open), which unfortunately, were quite a lot. IIS continued to grow, as it fitted the bill as a method to extend businesses with a Windows/NT infrastructure to the Internet. So, now we have 20% of the Internet running IIS.
b) IIS is also insecure because 50% of its sysadmins are idiots. 50%, not all of them, not none of them. 50%. Now, if you pushed a *nix sysadmin to run IIS (you would have to push real hard though), you would get a web server (being configured and patched correctly) which would totally evade most (if not all) of the IIS hacking frenzies and DoS attacks of the past 2 years. Including Code Red (the MS patch for that buffer overflow bug was published a few months ago. The wise IIS sysadmins noticed.).
c) Remember, IIS is young. It's about 6-7 years old, but it wasn't taken seriously since Windows NT 4.0, 4-5 years ago. As with Windows 2000, the time for IIS to become a proper, feasible solution is longer than that. And isn't Apache much older (please enlighten)?
And how will IIS become secure?
IIS 6.0 will be the first IIS to be reasonably secure, IMHO of course. Because it will incorporate all the fixes until now (quite a lot, shouldn't they be running out of bugs?), but most importantly because it will patch itself (that's what I heard anyway).
Now for your opinion: Will IIS 6.0 be a proper web server? Think about it and don't reject it: There wasn't a single reason to consider it if you were happily running the latest version of Apache, but now there is: .NET.
Think, think, and then post. And please correct me if I'm wrong. Thank you.
Oh and some things I'd like to point out, because some people get it wrong:
a) When you install Windows 2000 OR WinNT 4, it won't install IIS. Not even with full install. You have to install it separately AFTER the OS installation is complete, so people know when it's installed.
b) The Internet won't cease to exist, and this isn't a conspiracy by Microsoft (probably).
There is no such thing as 'world peace'.
Cringely tells us that the true threat is servers with mis-set clocks
No, Cringely mentions 2,000 IIS servers that are still in "infection" mode because they have mis-set clocks. The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.
I got the following mail from MS yesterday. (The ironic part is I initially was suspicious because the subject line was in all caps -- how rude!)
l easeID=30833
l easeID=30800
. asp?
url=/technet/itsolutions/security/topics/codeptch. asp
l t. asp?
url=/technet/security/bulletin/MS01-033.asp
The following is a Security Bulletin from the Microsoft Product Security Notification Service.
Please do not reply to this message, as it was sent from an unattended mailbox.
-----BEGIN PGP SIGNED MESSAGE-----
The Microsoft Security Response Center, along with other organizations listed below, is jointly publishing this alert that ALL IIS ADMINISTRATORS ARE ASKED TO READ
A Very Real and Present Threat to the Internet: July 31 Deadline For Action
Summary:
The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.
How Big Is The Problem?
On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.
Who Must Act?
Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft's patch for the Code Red vulnerability problem:
- - Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?Re
- - Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?Re
Step-by-step instructions for these actions are posted at
http://www.microsoft.com/technet/treeview/default
Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at:
http://www.microsoft.com/technet/treeview/defau
Because of the importance of this threat, this alert is being made jointly by:
Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance
Talk about FUD - here's a quote, from Scientific American, no less: "Imagine a cold that kills. It spreads rapidly and indiscriminately through droplets in the air, and you think you're absolutely healthy until you begin to sneeze. Your only protection is complete, impossible isolation,"
WOW! That sounds awful! Run for the hills!
But wait - imagine that a vaccine for the cold has been available for months. You could get vaccinated just by logging into a website.
Oh, and once you're infected, all you need to do is take a nap (ie. reboot) and you're healthy again.
What a load of scare-mongering. SciAm should know better.
I suspect this is the cure.
Best Slashdot Co
If any Mozilla developers are listening, I have a request. I'd like a version which displays a visible icon every time I log onto an IIS server. Then, if I double click the icon, it could list a selection of 'counter measures' such as CodeRed which I might deploy. These might use a plug-in architecture and be downloadable from sites using other browsers.
Thanks for listening.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
Perhaps this could be a monthly competition. Assuming, of course, that anyone can get through the infection storm to post to it.
Oh, and I'd like to propose a name for the inevitable next worm that just won't die - The Lazarus Worm. Cool, eh?
Why then is this threat suddenly everywhere?
They're FUDing the Net!
The logic is simple. Business wants a new manageable internet. First, prove to the world that end-to-end is broken. Then, advance proposals to fix it.
Waiting for the other shoe to drop. . .
Can you think of a better marketing ploy to make your soft drink sound hip and edgy and get the name plastered all over the media? This could be even better for free publicity and name recognition than the Verizon strike.
Vote today for Dilbert's list of Top 869 Things Programmers Are Least Likely To Say.
Sorry, but Apache mostly runs on *nix systems... anything from Linux to Solaris to FreeBSD.
Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all.
Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for.
Part of the reason Microsoft has so many hackers and skr1pt k1ddi3s after them is because Windows is so wide spread.
-- russ
Natural != (nontoxic || beneficial)
And then another bug will be discovered, and then another worm will start spreading and so forth. The only solution to this (IMHO) is not to shut down whatever network or to put another patch or even to switch to Apache. The solution is to stop the false idea that using computers is easy. It is not, it requires work and study. Those who are merely pushing buttons on screen should quit computers or pay more attention. Having a networked computer is a responsibility and people should learn that. "Easy use" of computers is the virus, not Code Red. Sorin M
Gimme a break.
Stevie boy is very insane, but he generates hype, which generates headlines, which makes the media look good. So wake up you government and corporate morons. The world will not come to an end. And Steve Gibson is not the prophet of the internet world.
It's funny that every time a Windows worm/virus propagates and (of course) Linux and other UNIX are not affected, it's just because they don't have much market share and nobody bothers writing a virus for an OS like Linux. Now, it's IIS that's being hit. If it were only about market share, Apache would get twice as much virii/worms as IIS, right? Maybe the most important factor after all is the number of security breaches in a product and not market share.
Opus: the Swiss army knife of audio codec
While I'd agree that he may be overly paranoid, I do share the opinion that the internet is extremely vulnerable right now, although not necessarily for the reasons he states.
I am not a professional security expert, but I do know my fellow computer users. They will take convenience over security every time until something Really Bad happens to their system. Then they will pay money to solve the problem, be alert for several months, and gradually relax as the problem doesn't reappear. Their knowledge of security may extend as far as knowing to update Norton Antivirus every once in a while.
We are fortunate that most virus writers are not the most skilled programmers in the world. Or, perhaps more likely, they have restrained themselves in order to avoid completely destroying their playground.
Think about this for a minute. It is easy to conceive of ways in which much more damage could be done to the internet than has already been done. If I recall correctly, the ILOVEYOU virus deleted jpgs from hard drives. The worst results I am aware of from this is a commercial image database being wiped out. Now, imagine what would have happened if dlls had been attacked as well. Unbootable computers, applications and system software destroyed beyond repair short of total reinstall, etc. Most Windows machines out there have no file permissions system set up. NT does, but how many DOS based systems are still out there, and still hold critical work?
The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable. And all of us are impacted by this in one way or another, unless everyone you deal with has good security. If that is true, you are lucky. For me, it is not.
Up until now, we have dealt mainly with simple scripts whose workings are obvious. However, here is some food for thought. Microsoft's servers are not invulnerable. Like any complex system, there are undoubtedly subtle and potentially dangerous bugs in the Windows code which will be obvious to anyone who can steal the source from the servers. If someone with or even without this code writes a truly powerful virus which attacks hundreds of subtle vulnerabilities simultaneously, knows how to hide the code in the depths of Windows, and destroys any system it can after reproducing itself, we are in deep S**t. Right now, most virus attacks involve the active cooperation of the email system - minimally some end user opening an attachment. So the measure of how widespread a virus becomes is often based on how many suckers read it. This is not, as it turns out, a big problem for the virus - it is easy to come up with email titles people will want to open. But if you remember the worm of 88, it didn't require the end user's cooperation at all. What happens when all that is needed for a machine to die is for it to connect to the network unpatched? Imagine the chaos of half a million machines with all their work, programs, and system software gone. Gibson may have a right to be paranoid.
"I object to doing things that computers can do." -- Olin Shivers, lispers.org
At 5:15 AM.
In the morning.
From my mother.
She had just seen the FBI guy on TV and was worried her Windows 98 machine would destroy the world over her dial-up connection.
I informed her that this was unlikely, and went back to bed.
I demand a million helicopters and a DOLLAR!
All you have to do is:
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft