Code Red! All Hands to Battle Stations!

We had thought we were done with Code Red last week, but CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD ^[?] isn't stopped in its tracks. Even Scientific American has a story about it. Cringely tells us that the true threat is servers with mis-set clocks.

Worms and market share

[jmv]

It's funny that everytime a Windows worm/virus propagates and (of course) Linux and other UNIX are not affected, it's just because they don't have much market share and nobody bothers writing a virus for an OS like Linux. Now, it's IIS that's being hit. If it were only about market share, Apache would get twice as much virii/worms as IIS, right? Maybe the most important factor after all is the number of security breach in a product and not market share.

Re:Mis-set clocks?

[RedHat+Rocky]

My God, I just realized that the worm's creator was obviously a man with an ex-girlfriend. It has a monthly cycle. It spends the 2/3rds of the month putting its nose in where it doesn't belong. It then spends the remaining 1/3 of the month on a complete lashing-out, bitchfest.

Gads. Couldn't he have just gotten drunk instead?

Gibson may be extreme, but he does have a point

[starseeker]

While I'd agree that he may be overly paranoid, I do share the opinion that the internet is extremely vulnerable right now, although not necessarily for the reasons he states.

I am not a professional security expert, but I do know my fellow computer users. They will take convenience over security every time until something Really Bad happens to their system. Then they will pay money to solve the problem, be alert for several months, and gradually relax as the problem doesn't reappear. Their knowledge of security may extend as far as knowing to update Norton Antivirus every once in a while.

We are fortunate that most virus writers are not the most skilled programmers in the world. Or, perhaps more likely, they have restrained themselves in order to avoid completely destroying their playground.

Think about this for a minute. It is easy to conceive of ways in which much more damage could be done to the internet than has already been done. If I recall correctly, the ILOVEYOU virus deleted jpgs from hard drives. The worst results I am aware of from this is a commerical image database being wiped out. Now, imagine what would have happened if dlls had been attacked as well. Unbootable computers, applications and system software destroyed beyond repair short of total reinstall, etc. Most Windows machines out there have no file permissions system set up. NT does, but how many DOS based systems are still out there, and still hold critical work?

The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable. And all of us are impacted by this in one way or another, unless everyone you deal with has good security. If that is true, you are lucky. For me, it is not.

Up until now, we have delt mainly with simple scripts whose workings are obvious. However, here is some food for thought. Microsoft's servers are not invulnerable. Like any complex system, there are undoubtedly subtle and potentially dangerous bugs in the Windows code which will be obvious to anyone who can steal the source from the servers. If someone with or even without this code writes a truly powerful virus which attacks hundreds of subtle vulnerabilities simultaniously, knows how to hide the code in the depths of Windows, and destroys any system it can after reproducing itself, we are in deep S**t. Right now, most virus attacks involve the active cooperation of the email system - minimally some end user opening an attachment. So the measure of how widespread a virus becomes is often based on how many suckers read it. This is not, as it turns out, a big problem for the virus - it is easy to come up with email titles people will want to open. But if you remember the worm of 88, it didn't require the end users cooperation at all. What happens when all that is needed for a machine to die is for it to connect to the network unpatched? Imagine the chaos of half a million machines with all their work, programs, and system software gone. Gibson may have a right to be paranoid.

And boy do I love the hysteria.

[taliver]

I got a call.

At 5:15 AM.

In the morning.

From my mother.

She had just seen the FBI guy on TV and was worried her windows 98 machine would destroy the world over her dialp connection.

I informed her that this was unlikely, and went back to bed.

Re:Down with the internet!

[b1t+r0t]

Does anyone know how/where I can get my computer infected with Code red?

All you have to do is:

1. Sell your soul to Microsoft
2. Install a copy of IIS
3. Connect to the Internet without a firewall
4. Wait. It will be automatically delivered to you within 24 hours. Or it's free.

Re:Mis-set clocks?

[mike260]

The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.

IIRC, the worm is memory-resident-only and therefore can't survive a reboot. It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time. Except that this time everyone's forewarned.

Microsoft knew it all along: It isn't a bug that Windows requires rebooting every few days, it's a security feature.

Re:Steve Gibson Made this Worse

[agallagh42]

The Register has a good summary of Gibson's ravings here