Slashdot Mirror


Code Red Goes The Way Of Y2K

beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?

407 comments

  1. Re:A solution to the problem? by Anonymous Coward · · Score: 0

    It takes advantage of several "shortcomings" in the security structure of Win32. Not much different between that and an exploit. Heck, on UNIX I need root to have a process listen to port 25, but not on NT. So you're correct, it uses no exploits, however that doesn't justify the poor security choices made by MS.

  2. Re:A solution to the problem? by Anonymous Coward · · Score: 0

    I disagree. It seems to me the party most closely associated with Sircam and CodeRed IS Microsoft. Both of them only propagate while running on MS OSs. They are, by and large, a result of Microsoft programming.

    Of course, the whole point is that Microsoft is NOT getting the proper credit they deserve (by Big Media or MS themselves) for creating such fertile ground for virii.

  3. Re:Nope, Code Red is still with us. by BlueUnderwear · · Score: 2
    > It kills me to shut down and restart a piece of equipment like this

    Life is tough. Each time we go to our weekend house, we find a huge piece of equipment from the neighbor's cat on the doorstep...

    --
    Say no to software patents.
  4. Re:Billions of dollars spent... by TOTKChief · · Score: 2

    Ummm, did you not realize that your comment's parent was a parody [or worse, probably stunningly like] the reaction of most PHB's?

  5. Uh, it's almost doubling every hour right now by mrneutron · · Score: 1

    I agree the media hype is/was ridiculous, but the number of infected systems is nearly doubling in size every hour right now (8/1/01, 11:30 a.m. EDT):

    http://www.incidents.org

    So the Y2K comparisons might be a bit premature.

  6. Yeah, here's one. by peccary · · Score: 2

    $ telnet 65.24.228.11 80
    Trying 65.24.228.11...
    Connected to 65.24.228.11.
    Escape character is '^]'.
    get /x.ida?AAAAAAAAAA

    <html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html> Connection closed by foreign host.

  7. Re:I don't know about you by stebalo · · Score: 1

    According to ABC AM radio news, they are again measuring exponential spreading of the virus causing measurable slow down today.

    So I am not yet convinced code red has gone the way of y2k.

    What if a virus that can spread like this was actually destructive though? Could this virus be modified to destroy HDD's at an exponential rate and bring down web servers worldwide?

    --
    "I drank what?" - Socrates
  8. Re:I don't know about you by sfe_software · · Score: 1
    Of course last month, Code Red started with just a few infected machines and built up to some incredible number. At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there.
    If I'm not mistaken (which is likely), I thought only machines with the date set incorrectly could spread it initially. Then, once other machines are (re)infected, they would spread it like normal... Thus, this time around, still, a relatively small number of machines are initiating the infection.

    Add to that, last time it had only 7 days to spread; now we have a full 20 days. But this is also negated by the fact that the infection rate started to top off sometime within that 7 days anyway, at which point you simply have a bunch of sick people coughing on each other (bad analogy?). They're wasting precious air, but the rest of us are immune or vaccinated anyway.

    Hopefully a good number of vulnerable machines are patched this time. Having an NT webserver in the first place is bad. Having an unpatched NT machine after a month's notice of a hole is very bad; having an unpatched NT machine NOW is grounds for a hanging. But I digress...

    So far since last night, I've only logged 2 unique attempts each for two IPs, and 4 on my home (dynamic) IP. Last time, in 7 days, I logged about 30 uniques per IP per day, starting on the 13th (it didn't really fluctuate much for me).

    - Jman
    --
    NGWave - Fast Sound Editor for Windows
  9. Re:white house by pcurran · · Score: 2, Insightful

    I agree completely that the political aspects of code red have gotten it a lot more media hype. But aside from just the "attack" on whitehouse.gov, what about that "Hacked by Chinese" defacement that was (is?) supposed to be popping up all over the place? The US media loves a good story about those darned Chinese. I think that this may have helped the hype along as well. BTW, has anyone actually seen one of these defacements?

  10. Re:Don't speak too soon by gorgon · · Score: 1
    Of course it's not all Microsoft's problem, but I still think that they get too much of a free ride. These incidents are often reported with a tone of "Oh, here's another virus. What will those hackers think of next?"

    And yes, there are holes in other non-Microsoft software. My point is that we should hold all software to higher standards than we do. Defective software should be treated by the public similar to how other defective products are treated.

    --

    And I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners.
    Berke Breathed
  11. HOWTO : Protect your Cisco 6XX from CodeRed by kaizen · · Score: 1

    Someone mentioned this back on the 19th: simply disabling the cisco6xx's web interface does not prevent it from parsing the input (and therefore locking up). If, on the other hand, you tell it to use a different port, you get to remain connected.

    1) telnet into the device. You will need its passwd (luckily my ISP volunteered that info quite easily).
    2) type "enable" and repeat the passwd
    3) type "set web port YY" where YY is something other than 80
    4) type "write"
    5) type "reboot"

  12. Who needs CodeRed worm to flood a site... by Anonymous Coward · · Score: 0


    When you can simply slashdot it...

  13. Not Quite by espo812 · · Score: 2, Informative

    incidents.org is tracking the spread. It still looks to be on its exponential path to death and destruction of the Internet (sarcasm included.) As of this post, incidents reports 22,000 infected (up from ~13500 an hour earlier.) It's too early yet to tell how this will pan out.

    --

    espo
    1. Re:Not Quite by Anonymous Coward · · Score: 0

      Informative!?! Redundant -1 is more like it.

  14. Re:No, let it blow! by DarrenBaker · · Score: 1

    I'm of the opinion that what happened, or rather, might have happened, is due to the fact that sysadmins running Microsoft product are generally less in tune with their servers and therefore more vulnerable. I can't believe how many people didn't patch!

  15. Re:But what about the media? by _xeno_ · · Score: 2
    Yeah, maybe, but that's not the point.

    On my way in to work this morning, I was listening to a local news radio station, and they were talking about how "Code Red" will affect servers and that everyone (!!) should download Microsoft's patch. From the linked article:

    The malicious program can only be stopped if enough Web site operators install Microsoft's software patch, which plugs the security hole the worm uses to attack.

    Well, the Alphaserver I admin seems to be doing ... ok, actually, it's down right now, but that's another story (flaky hardware, it seems) ... but anyway, during the last Code Red outbreak, it got probed, and it survived the attack without Microsoft's patch. Fancy that, the Apache server running on RedHat 7.0 wasn't affected, and I didn't even install the Microsoft patch!

    Listening to them, I would have thought that Microsoft owned the Internet...

    --
    You are in a maze of twisty little relative jumps, all alike.
  16. day off? by passion · · Score: 2

    Darn, I was sorta hoping it would so I could take the day off and go fishing.

    Well, depending on where you live, and what job you do - you still have a chance! Today is personal freedom day... personalfreedomday.com

    --
    - passion
  17. Is This What it looks like? by Haxx · · Score: 1



    Can anyone confirm that this is what the log entry for Code Red looks like?

    GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 401 790 - - -

    I have 2 of these today. I had 12 of them on the 19th.

    ~Here It Comes Again

    1. Re:Is This What it looks like? by Anonymous Coward · · Score: 0

      Yes, That's it.

    2. Re:Is This What it looks like? by demon-cw · · Score: 1

      confirm!

    3. Re:Is This What it looks like? by Darth+Maul · · Score: 1

      Yep, I've had 4 of these today already.
      Looks just like that.

      --
      --- witty signature
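    The log entry quoted in post 17 (and the `grep NNNN *log` count further down the thread) can be turned into a small detector. This is an added example, not code from the thread or any poster; it assumes Apache-style access log lines where the client address is the first dotted quad, and the sample lines below are constructed.

```python
"""Flag Code Red probes in web-server access logs (added example)."""
import re
from collections import Counter

# A Code Red probe requests /default.ida with a long run of filler characters
# followed by %uXXXX escapes carrying the overflow payload.  Code Red v1/v2 used
# 'N' as the filler; Code Red II used 'X'.  The filler may be separated from the
# path by '?' (Apache logs the full URI) or by a space (IIS logs stem and query
# as separate fields), so both separators are accepted.
PROBE_RE = re.compile(
    r"/default\.ida[?\s]+(?P<fill>[NX]{100,})(?P<payload>(?:%u[0-9a-fA-F]{4})+)"
)
# Assumption: the client address is the first dotted quad on the line
# (true for Apache common/combined format).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines using documentation address ranges; the
# %u escapes are the start of the payload quoted in the post above.
FILL_N = "N" * 224          # Code Red v1/v2 style filler (constructed)
FILL_X = "X" * 224          # Code Red II style filler (constructed)
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
SAMPLE_LINES = [
    '192.0.2.10 - - [01/Aug/2001:08:44:01 -0400] "GET /default.ida?'
    + FILL_N + PAYLOAD + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [01/Aug/2001:08:45:12 -0400] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.5 - - [01/Aug/2001:09:02:33 -0400] "GET /default.ida?'
    + FILL_X + PAYLOAD + ' HTTP/1.0" 404 276',
    '192.0.2.10 - - [01/Aug/2001:09:10:05 -0400] "GET /default.ida?'
    + FILL_N + PAYLOAD + ' HTTP/1.0" 404 276',
    # A request for default.ida with no filler/payload is not a probe.
    '198.51.100.7 - - [01/Aug/2001:09:11:00 -0400] "GET /default.ida?x HTTP/1.1" 404 276',
]


def classify(line):
    """Return (variant, source_ip) for a Code Red probe line, else None."""
    m = PROBE_RE.search(line)
    if not m:
        return None
    variant = "II" if m.group("fill")[0] == "X" else "v1/v2"
    ip = IPV4_RE.search(line)
    return variant, (ip.group(0) if ip else "unknown")


def summarize(lines):
    """Count probes per worm variant and per unique source address."""
    by_variant = Counter()
    by_source = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        variant, ip = hit
        by_variant[variant] += 1
        by_source[ip] += 1
    return by_variant, by_source


if __name__ == "__main__":
    variants, sources = summarize(SAMPLE_LINES)
    print("probes by variant:", dict(variants))
    print("unique scanning hosts:", len(sources))
    for ip, n in sources.most_common():
        print(f"  {ip}: {n} probe(s)")
```

    Counting unique source addresses rather than raw hits is what makes the "uniques per IP per day" figures in the thread comparable between hosts.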
  18. Strangely Enough by Phrogman · · Score: 2

    I didn't get my daily feed of juicy documents from that Sircam newsgroup I somehow seem to have joined - maybe it's because the Code Red worm has knocked out all of the posters' Exchange servers...

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
  19. Re:NEW DATA [was Re:Geometric growth.] by imipak · · Score: 2
    I find it interesting that I've been scanned once already on my home dialup. As I'm paying UK connection charges and I'm rather broke at present (see .sig) I tend to go online for short periods, collect/send mail and grab a ton of pages for offline reading. (I'm even writing this offline in emacs.) If I'm getting hit during those very narrow windows of opportunity, it implies there's a rather large number of scans taking place.

    OTOH, when Incidents isn't Slashdotted, it looks like the curve is flattening out at around 25% of the total infected last time - about 60,000 +/- 5000 is my guess. The question is, is that enough infected hosts to cause enough ARP floods to impact global connectivity? So far connectivity has been patchy for me - jobserve was down all afternoon, a couple of other sites were patchy, everything else was OK. Same as normal, in other words.

  20. Bull. by Anonymous Coward · · Score: 0

    I've had 4 hits on my server in the last 6 hours.

    That's as many as I got ALL last month.

    WSJ's journalists need to take a course in differential equations. We ain't seen nothing yet with this thing.

    Rogue Bolo

    1. Re:Bull. by Anonymous Coward · · Score: 0

      The Post's writers, then, dammit. Statement still stands, though.

      Rogue Bolo

  21. any mirror sites?? by Anonymous Coward · · Score: 0

    There must be a mirror site somewhere.. this site has been hit with the worst slashdot effect I've seen to date.

  22. Yet Another Shameless Snaggy Plug ;) by Snaggy · · Score: 1


    Nitrozac and I did a Code Red-related comic today, which I'm sure any of all you fans of G. W. Bush will enjoy. :)

    Here it is...

  23. Re:I don't know about you by LinuxHam · · Score: 1

    but I don't think the issue with clocks is that the worm will "reawaken", but rather that on some machines with significantly slow clocks (a couple weeks slow) which still think the date is around the middle of July, the worm is still in spread mode

    Yes, we are in agreement. I read early on that the worm was programmed to restart its infection phase on the 1st of each month. So, I sounded the alarm about that on the 23rd. Of course that theory was dethroned around the 30th when several security firms realized that the worm will not indeed return to the infection phase on the 1st of the month.

    My original reply was to a poster who hadn't learned yet that the worm will not return to the infection phase on the first of each month. And yes, you are correct about the clocks. There were some 2,000 infected hosts with misconfigured clocks causing the worm to still be in the infection phase throughout the dormancy period, and all too happy to infect *new*, vulnerable and heretofore uninfected hosts.

    I just wish the worm was a bit more destructive, to the point of clearing the net of the vulnerable servers and leaving it free for the rest of us. Note to worm writers: don't DDoS the net, just spread to a few other hosts, and wipe out the servers when you're done! Please!

    --
    Intelligent Life on Earth
  24. Whoops... by Glock27 · · Score: 1
    the Slashdot Worm has hit www.incidents.org!

    186,282 mi/s...not just a good idea, it's the law!

    --
    Galileo: "The Earth revolves around the Sun!"
    Score: -1 100% Flamebait
  25. Re:"something bad didn't happen" by Micah · · Score: 2

    Well, it's not quite a non-event:

    [micah@nova logs]$ grep NNNN *log | wc -l

    25


    And that's just since last night. I got 75 of them 2 weeks ago. But it appears to just be getting started.

  26. Re:Nope, Code Red is still with us. by Unknown+Bovine+Group · · Score: 1
    Indeed, if each worm uses the exact same sequence, the spread is linear. Rather than fanning out, each instance would try to re-infect the exact same sites that its parent already has infected, hence linear, rather than exponential growth.

    Hmm. The first host infects X others, and then all the children attempt to infect the exact same X? That would be known as NO growth.

    --
    m00.
  27. Re:Easy Way to Spread Code Red Faster by funwithBSD · · Score: 1

    Even more useful would be the standard "Our website has moved, click here to jump to our new website". QED.

    --
    Never answer an anonymous letter. - Yogi Berra
  28. Worm Author's Restraint by Travis+Fisher · · Score: 5, Interesting
    Has anyone stopped to notice how much restraint the worm writer is showing? Think a second. The person writing this thing was not an idiot. It required serious technical skills and probably a large investment of time and energy. Anyone who says "Oh, the worm author was so stupid for using a hard-coded IP address for whitehouse.gov" or "They must have been dumb to forget to seed their random number generator" is not looking carefully. The worm has always been carefully, purposefully shackled by its creator not to do too much harm. Did you read the eEye analysis? Or the CAIDA or Staniford statistical studies of the worm's spread? Some facts:
    • The first version of the worm appeared on July 13 or so.
      • It had an unseeded random number generator, so the IP's it scanned were a fixed sequence -- BUT it contained the code to seed the random number generator; this code was disabled. (*)
      • Its DoS attack was set to bomb a particular fixed IP address, AND not even send the bomb packets if that IP could not be reached
      • It contained code to deface web pages served, making its presence very visible well before the bombing attack was scheduled to take place
      • It contained code to deactivate its spread if a particular file (c:\notworm) was present.
      • It contained code to deactivate its spread after the "attack phase" began
    • On July 19, a second version was introduced.
      • The second version re-enabled the random number generating seed but was otherwise no less shackled than the first version.
      • This version spread exponentially, with growth finally being limited by the number of susceptible servers connected to the internet and the fact that it reached the time of the "attack phase"
      • This version infected over 359,000 hosts in under 14 hours.
    (*)I read this somewhere but can't relocate that source right now. The rest of the info comes directly from the sources linked above.

    The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained. More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com, there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small of a ratio to DoS all of them, but remember to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.

  29. Perhaps if they had researched... by JodoKaast · · Score: 2, Insightful

    ...the Code Red worm, the poster of this story would know that there was no threat of it bringing the net to a standstill today. The real killer day will be on the 20th of this month, when the worm goes from infection mode to DDoS mode. And with 18 MORE days of infection than the one last month (with 300000+ servers compromised) had, I think it is generally assured that the net will slow its ass down. If the DDoS attack is pointed at a valid target this time...

  30. FWIW by Anonymous Coward · · Score: 0

    Here is the "defacement" from the 1st server I got a codered log entry on, at 08:44 EDT today.

    fuck USA Governmentfuck PoizonBOxcontact:sysadmcn@yahoo.com.cn

    This is different from the ones last month, no?

    Note: I do not see anything like this on the few other sending hosts I can actually reach via http from the public internet. Most appear to be the original unmodified pages.

    Heads-up to the admins at northwest.com. The html above came from one of your hosts.

    Rogue Bolo

    1. Re:FWIW by Anonymous Coward · · Score: 0

      P.S., the *2nd* hit I got, at 10:23 EDT, was from an apparent default IIS installation on a DNS caching proxy at AOL. So don't feel too bad, northwest. :-)

    2. Re:FWIW by Anonymous Coward · · Score: 0

      Sorry, here it is in extrans:

      <html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>

      Rogue Bolo

  31. Re:Yep. Gone with a whimper. by Anonymous Coward · · Score: 0

    Class B here. Steady flow of hits...

  32. Re:I don't know about you by lhand · · Score: 1

    The worm goes dormant permanently on the 29th of the month. So all those sites which haven't rebooted will just have dormant worm threads running but doing nothing. They won't attempt to spread, they won't try to DoS the Whitehouse.
    The reason servers with wrong dates are a problem is that if they still show a date before the DoS phase (which starts on the 20th of the month), they will still be trying to infect other systems. As that continues starting today, the newly infected systems will start attempting to spread instead of immediately going dormant as they did yesterday.
    Again, previously infected systems where the worm went dormant won't start infecting again, unless (until?) they get reinfected.
    It will be just as bad as before except that the IIS systems which have been patched (hopefully a lot) won't participate.

  33. It's the name! by wowbagger · · Score: 2
    The reasons the media likes to hype Code Red and not Sircam are:
    1. The Name: "Code Red" sounds menacing, while "Sircam" sounds like a new pop star.
    2. The Target: Sircam has no target (other than the poor schmuck whose machine is infected). Code Red attacks a target that you can send a reporter out to (yes, the web servers for the White House aren't at the White House, but that doesn't matter).

    Remember, the media wants stories to be as dirt stupid simple as possible: They don't want "Boy finds girl, boy loses girl, boy finds girl again", they want "boy finds girl". "Code Red Worm ATTACKS WHITEHOUSE" is an attention getting headline. "Sircam forwards private documents" isn't.

    So remember 5|<r!P7|<!dd!3Z, if you want your worm to be successful, attack a high-profile target, and make sure your worm gets a menacing name.
  34. Re:Billions of dollars spent... by FatOldGoth · · Score: 2

    I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.

    Even then, one thing this worm has done a good job of highlighting is that it's not just a waste of your resources if you don't patch your servers. I'm seeing a lot of my bandwidth being eaten up because other people are too lazy/incompetent/ignorant to administer their systems properly.

    Sorry. Rant over. I feel calmer now.

    --

    I would be a paid subscriber if Taco and Hemos weren't such cunts
  35. Re:Nope, Code Red is still with us. by Cryptosporidium · · Score: 2

    I read in the early reports (not sure if it has been invalidated or corrected now), that the random number generator did not reseed itself on each infection. Thus, the IPs generated were the same.

    A variant of the original worm supposedly corrected this error.

  36. Re:I don't know about you by unitron · · Score: 2
    "...every newscast I saw last night about Code Red, made no mention of how to inoculate your computer against the virus."

    Ignoring for the moment the whole "worm vs. virus" thing, I saw a number of news reports that directed people to MS for the patch, and apparently CNN even had a link for it on Wolf Blitzer's page. On the whole, the coverage on this has been surprisingly good considering the general audience for which it is intended.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  37. Geometric growth. by Black+Parrot · · Score: 2

    For the plot at incidents.org, the last four hourly reports show a pretty clean geometric growth, with the hourly multiplier varying only between 1.63x and 1.68x (it was a bit higher for the earlier reports).

    I wouldn't go so far as to predict a continuation, but the numbers are still kind of fun. A 1.6x per hour for 24 hours would give 79,228x. With a basis of 22,001 reporting right now, that would give 1.74 million infections at this time tomorrow.

    Surely this one will saturate its niche long before then, if only because of all the repairs that were made a couple of weeks ago. But it gives a hint about what's going to happen when The Big One (tm) comes along.

    And the viruses seem to be getting smarter lately. I would guess that TBO will come along by the end of the year, or surely no later than the middle of next year.

    Get to work on those disaster recovery plans, folks.

    --
    Sheesh, evil *and* a jerk. -- Jade
  38. Apache market share by SeanAhern · · Score: 1
    Um. Ever heard of Apache? It's got the largest market share by far. Look at the graphs at Netcraft for a more complete picture.

    Basically, the market share for IIS is up slightly in the last month, but is still at only about 20%. Apache is way up near 60%.

    1. Re:Apache market share by Anonymous Coward · · Score: 0

      Please learn the difference between an operating system and web server software. Again, saying "most web servers on the internet run Windows" is absolutely correct.

  39. I'd rather get smarts than an MCSE by rafemonkey · · Score: 1

    When I am interviewing someone, I tend to look more at personality, intelligence, and curiosity. I figure that anyone can memorize the names of some commands, and throw that back at me whenever. But having been burned by a few people who were, as my pappy used to say, "all book learnin'", I've found that memorizing facts and knowing how to solve problems are very different skills. I need someone who knows how to keep the network up and running, not someone who knows how to pass a test. So how do I find people like that? First I look over their resume, and make sure that they meet some minimal technical and experience requirements, then I ask the candidates I'm going to interview to describe a project they worked on, or a major problem they solved. I tell them this ahead of time, and also let them know that the project or problem doesn't have to be computer related. Then during the interview I grill them on what they did, how they got the information and so on, trying to pick out the person with the best problem solving skills. I may not end up with the person who knows the most arcane technical details, but I do end up with the person who is most likely to be able to figure out problems that nobody has seen before.

  40. Re:It's only just started! by netsharc · · Score: 0
    *.DOC files begin with the hex bytes D0 CF. Just do a search for it, and then strip everything before the D0 CF, or copy everything from the D0 CF to a new file, and you can open it in Word. Hopefully Word will warn you if the doc file has any macro viruses... considering the fact that the file did come from a computer whose user doesn't know it has a virus. :) .. or just open Word first (with no files) and make sure the option to warn is turned on.

    I've got some files, but they're not very interesting. Got two with meeting notes of a club called "Daughters of the Nile", written by one of their "Queens".. if you're reading this, yes you have a virus, your majesty.

    --
    What time is it/will be over there? Check with my iPhone app!
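    The carving step described in post 40 above, as an added example that is not code from the thread or any poster: it uses the full 8-byte OLE2 signature rather than just D0 CF and checks two header fields before accepting a match, so a stray D0 CF pair inside the prepended executable is skipped. The sample attachment is constructed and contains no real executable or document.

```python
"""Carve a Word document out of a Sircam-style attachment (added example)."""

# OLE2 / Compound File Binary signature.  The post above searches for the first
# two bytes only (D0 CF); using the full 8-byte signature and checking the
# header fields avoids false positives inside the executable that precedes it.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
CFB_HEADER_SIZE = 512


def looks_like_cfb_header(blob, idx):
    """True if blob[idx:] starts with a plausible Compound File header."""
    if blob[idx:idx + 8] != OLE_MAGIC or len(blob) - idx < CFB_HEADER_SIZE:
        return False
    byte_order = blob[idx + 28:idx + 30]                       # must be FE FF
    sector_shift = int.from_bytes(blob[idx + 30:idx + 32], "little")
    return byte_order == b"\xfe\xff" and sector_shift in (9, 12)  # 512- or 4096-byte sectors


def carve_ole(blob):
    """Return the bytes from the first validated OLE2 header to the end, or None."""
    idx = blob.find(OLE_MAGIC)
    while idx >= 0:
        if looks_like_cfb_header(blob, idx):
            return blob[idx:]
        idx = blob.find(OLE_MAGIC, idx + 1)
    return None


def carve_file(src_path, dst_path):
    """Read an attachment, write the embedded document out, return its size."""
    with open(src_path, "rb") as f:
        data = f.read()
    doc = carve_ole(data)
    if doc is None:
        raise ValueError(f"no OLE2 document found in {src_path}")
    with open(dst_path, "wb") as f:
        f.write(doc)
    return len(doc)


def _constructed_cfb_doc():
    """Build a minimal, constructed Compound File header plus one empty sector."""
    header = bytearray(CFB_HEADER_SIZE)
    header[0:8] = OLE_MAGIC
    header[24:26] = (0x3E).to_bytes(2, "little")   # minor version
    header[26:28] = (3).to_bytes(2, "little")      # major version 3
    header[28:30] = b"\xfe\xff"                    # byte order marker
    header[30:32] = (9).to_bytes(2, "little")      # sector shift: 512-byte sectors
    header[32:34] = (6).to_bytes(2, "little")      # mini sector shift
    return bytes(header) + bytes(512)


# Constructed stand-in for the worm executable that Sircam prepends; it is not
# a real binary.  It deliberately contains a bare D0 CF pair to show why a
# two-byte search is not enough.
FAKE_WORM_PREFIX = b"MZ" + bytes(40) + b"\xd0\xcf\x00\x00" + bytes(20)
SAMPLE_DOC = _constructed_cfb_doc()
SAMPLE_ATTACHMENT = FAKE_WORM_PREFIX + SAMPLE_DOC


if __name__ == "__main__":
    doc = carve_ole(SAMPLE_ATTACHMENT)
    offset = len(SAMPLE_ATTACHMENT) - len(doc)
    print(f"document found at offset {offset}, {len(doc)} bytes")
```

    The carved file still carries the original document's macros, if any, so open it only with macro warnings enabled, as the post recommends.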
  41. Oh, but the price! by haapi · · Score: 2, Insightful

    I kind of have to quibble about the 1.2 Billion dollar "price-tag" attributed to Code Red. Any money spent patching software is money that was required to be spent ANYWAY. If your server maintenance is out-sourced, it is that company's responsibility to patch 'em, and then bill you for it, and you pay it because that is what it takes to put a server on the Internet. 'Nuff said.

    --
    Well, apparently, you only have to fool the majority of people for a little while.
  42. You could look at this... by Pope · · Score: 2
    Internettrafficreport.com for North America. Look at the response time and traffic indexes, right around 21:00 MST.

    Oh, and currently, MAE-East is in the shitter, same as last time. No wonder connections may be crappy.

    --
    It doesn't mean much now, it's built for the future.
  43. Will start from scratch every cycle by Just+Jeff · · Score: 1
    Everyone was expecting that Code Red would pick up where it left off. That's not the case because people forget a few Microsoft Windows facts-of-life:

    Code Red was memory based.

    Re-booting clears out Code Red

    When was the last time your Microsoft Windows server lasted a week without re-booting? I know people who re-boot their machines daily, "just in case."

    The few machines which do have uptimes sufficient for the worm to last from the last cycle are starting all over again from scratch. The same thing will happen next time.

  44. Are you sure you want to delete The Internet? by Tim+Macinta · · Score: 2

    When I woke up today my DSL connection wasn't working. My first reaction was to think of what could possibly have happened to cause it to go down and after a few seconds I thought "oh crap, Code Red did succeed in grinding the internet to a halt." I was about to be very angry at Microsoft for ruining the net for those of us who don't even use IIS until I tried my dial-up connection and it worked fine. So it was just a local DSL issue (which is fixed now - thankfully, as I was beginning to go through withdrawal).

    1. Re:Are you sure you want to delete The Internet? by VB · · Score: 1

      You also need to:
      set nat enabled
      set nat add ent 10.0.0.2

      Sometimes upgrading to CBOS 2.4.1 converts your router to a doorstop.

      --
      www.dedserius.com
      VB != VisualBasic
    2. Re:Are you sure you want to delete The Internet? by billh · · Score: 2

      Was it a Cisco 67x? Qwest DSL perhaps?

      If so, telnet to it, enter password, enable, enter password, then:
      set web disable
      write
      reboot

      Best to update to CBOS 2.4.1.

      BTW, I've been hit 51 times today (one machine covering 16 IP addresses). No effect, of course, but it is funny to see in the logs. Almost 400 hits in one day last month.

    3. Re:Are you sure you want to delete The Internet? by Tim+Macinta · · Score: 1
      Was it a Cisco 67x? Qwest DSL perhaps?

      Nah, it was Speakeasy. I didn't mention the name because I almost never have problems with them, their customer service is excellent, and they were very fast to fix things this morning. Three hours of downtime for the past year is pretty frickin good.

    4. Re:Are you sure you want to delete The Internet? by billh · · Score: 2

      Don't think I've seen the 'set nat add ent 10.0.0.2'. Could you explain?

      Fortunately, my 678 had 2.4.1 on it when I got it. Flashing the bios in one of those things can be a risky venture.

  45. It is alive by sph · · Score: 1

    While all the media is hyping that the worm reactivates, everyone has forgotten that it isn't instant, it won't infect a million machines in a few minutes. The start is slow. This will be much, much worse in a day or two.

    My linux box has had already four infection attempts in the last three hours. I checked the pages on the infected machines. All of them had the following front page (or similar in different language):

    Under Construction - The site you were trying to reach does not currently have a default page. It may be in the process of being upgraded.

    This is the default page of IIS, right? So the owners probably don't even know they're running IIS. Windows is soooo easy to install. Why would you patch something you don't even know you have?

    1. Re:It is alive by baptiste · · Score: 2

      Which is strange - I thought CRv2 defaced the pages of English based sites - or were these non English based sites. Maybe this is a new variant that doesn't put the hacked by chinese page up - instead tosses the default page in (or doesn't do anything to the main page)? Also - many folks use virtual servers and forget to do anything with the default server which an IP access will route to. No telling. But it would be interesting to see if a new variant is on the loose.

  46. Re:vested interest by Caradoc · · Score: 1

    My favorite was the blurb on CNet telling the world that the "random seed" was a piece of code that would enable a variant of the worm to attack whitehouse.gov even if the IP address changed... If CNet can't get it right (since they supposedly cater to the digiliterati), how can you expect a "regular" "news" "service" to get it right?

    --
    Specialization is for insects. - R.A.H.
  47. Re:Yep. Gone with a whimper. by Anonymous Coward · · Score: 0

    I must be in a statistically higher ratio net block. I've easily seen 50+ unique hits so far today. Last time around my grand total was over 1000 unique hosts. It's not dead, it's building momentum, the time between hits is decreasing.

  48. Re:Premature Announcement...much? by Anonymous Coward · · Score: 0

    The media likes to make it first to press with any announcement, which is why this will backfire on them just like the whole 2000 US Presidential election did. HA!

  49. Marketplace (radio) covered it well on 7/31 by himself · · Score: 1

    The public radio program Marketplace, a 30-minute, daily business news program, covered this quite well on 7/31/01. They had mostly-correct details (NT & 2000, IIS, &c.) and some nay-sayers, as well as mentioning the sky-is-falling rhetoric that other media outlets were sticking to exclusively. I think you can get a RealAudio recording of the show on their web site at http://www.marketplace.org/shows/2001/07/31_mpp.html.

  50. why Johnny can't disassemble by austinBlues · · Score: 1

    Maybe the analysis didn't get it right. I've seen one connect attempt to port 80 since meltdown and there wasn't anything running on port 80 at that IP address, so it probably wasn't Code Red, just a dork with a script.

  51. Code Red ALIVE and well by Fizzlewhiff · · Score: 1
    I just checked my Apache logs on my linux box and it looks like I'm getting hit about every 15 minutes or so. It's out there...

    As for Sircam, I think the press is just tired of Outlook/VBS exploits and doesn't give them their due coverage anymore. (They're as common as space shuttle launches and only those with a general interest bother to tune in.) And no VB script worm has gone after the Whitehouse yet. :)

    --

    'Same speed C but faster'
  52. Funny how stuff like this happens... by Anonymous Coward · · Score: 0

    when the FBI and Ashcroft are gearing to double the amount of agents working on copyright infringement and "cybercrime". Seems like a way to justify the expense and loss of civil liberties. In light of the BSA/Microsoft threats to mid-small businesses lately it seems they want to drum up more sales, to "prevent this from happening again". The public meanwhile, continues to mull about, bleating "four legs good, two legs bad".

  53. Re: Dry Flow? by Anonymous Coward · · Score: 0

    I hate it when my flow dries up..

  54. Misunderstanding of the behavior of the worm... by igjeff · · Score: 5, Informative

    The trick is that so many of the so-called experts misunderstood the nature of the worm.

    Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.

    What is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased...too recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.

    So Cringely was somewhat right...while the systems with their clocks set wrong aren't inherently any greater of a danger than any other...they did allow the worm to go back into spread mode and become widespread again.

    Jeff

    1. Re:Misunderstanding of the behavior of the worm... by RedHat+Rocky · · Score: 1

      What everyone seems to neglect is the virus author. Nothing has been said about progress towards finding out who wrote the thing.

      They started it once, they can start it again. Not to mention all the copy cats that are being written in bedrooms across the USA right now, as kids have nothing better to do.

      How long until we call the Internet a living thing? It's already getting sick from time to time. :)

      --
      Anything is possible given time and money.
    2. Re:Misunderstanding of the behavior of the worm... by Dr.+A.+van+Code · · Score: 1
      It checks for c:\notworm but it does not create such a file, at least according to eEye (I only read the summary, not the complete disassembly, but they made no mention of it creating the file).

      So the lysine deficiency isn't going to result in previously-infected systems becoming immune.

      It's funny, though, that no one has advised creating such a file as a quick fix to slow the spread of Code Red. (Of course, it's better to install the patch and/or disable the index server entirely.)

      --
      Good mfences make good neighbors.
    3. Re:Misunderstanding of the behavior of the worm... by Anemophilous+Coward · · Score: 1
      The trick is that so many of the so-called experts misunderstood the nature of the worm.

      Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.

      What is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased...too recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.

      Yes, much of the media, and some of those experts, have definitely misinterpreted the worm's actions.

      The crushing blow that this worm could still deal is not so much during its spread, but rather when all those infected machines start broadcasting gigabytes (or some other arbitrary number) worth of data during attack mode. The attack phase was relatively short, IIRC, but generated the most traffic. Thus, all the previous infections that haven't been patched could possibly begin re-flooding come the 20th of August.

      The worm is definitely trying to spread again, our school has already been probed a couple dozen times and I expect to see plenty more over the coming days.

      What other MS admins need to worry about is keeping track of any future additions to their machines. If they, or someone else, adjusts Windows components on that server, this particular hotfix needs to be reinstalled. So, in effect, your machine could get infected sometime down the road if changes are made and vigilance is not kept up (of course once SP3 comes out, I think it does a permanent fix...but still waiting...)

      - A non-productive mind has absolutely zero balance.
      - AC
    4. Re:Misunderstanding of the behavior of the worm... by Fishstick · · Score: 2
      I know, I especially liked some of the "technical explanations" that the media attempted in explaining this thing. My favorite...

      The worm -- a determined sort of software virus that affects computers running certain types of Microsoft operating systems -- has struck twice before...

      ... was courtesy of Reuters (via Yahoo in this link)

      At least they didn't pass up the opportunity to use a cute little turn of phrase in their headline! :-)

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    5. Re:Misunderstanding of the behavior of the worm... by MrBogus · · Score: 2

      What other MS admins need to worry about is keeping track of any future additions to their machines. If they, or someone else, adjusts Windows components on that server, this particular hotfix needs to be reinstalled.

      That is true -- Either this or another index server hotfix needed to be reinstalled after doing a SP2 upgrade for example. Trying to figure out what Hotfixes are installed or need to be installed is not straightforward.

      However, what IIS admins really need to do is disable the "Application Mappings" that they are not using. This will eliminate the need to apply hotfixes for the significant number of bugs in non-core IIS components which aren't widely used.

      (To do this, open up the IIS management GUI, look at the Site properties, Home Directory, Configuration. You'll see the mapping from .ida/.idq to idq.dll. Remove these and you are safe from any future Index Server hacks. While you are there, remove the rest of the DLL mappings that you do not need.)

      --

      When I hear the word 'innovation', I reach for my pistol.
    6. Re:Misunderstanding of the behavior of the worm... by kaizen · · Score: 1
      I just took another look at the "Core worm functionality" at eEye.

      It seems that if you neglected to clean up your IIS machine after being infected during the first round of CodeRed, you won't get it a second time because of its "lysine deficiency".

      After spawning 100 threads, after rewriting your pages, but before entering spread-mode, it checks for the existence of c:\notworm. If this file exists, it goes dormant.

      So, how many systems out there cleaned up that file but didn't apply the patch? How many vulnerable (unpatched) systems are there? How many new infections are possible?

      Too bad incidents.org is slashdotted

  55. Re:When will they learn? by baptiste · · Score: 2
    When will virus/worm authors learn that publicity (at least initially) is their ENEMY?

    True, but what will surprise me is if some other worm doesn't show up today. While everyone is watching to see if Code Red hits, what better time to release a really stealth worm that doesn't deface the main page and hides the best it can to spread itself somewhat slower - and have it set to DDOS (using DNS of course, not a hardcoded IP) on the 18th instead - now that would be funny.

  56. Hacked by whom? by cougio · · Score: 1

    "Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?"

    Simple: code red is more propaganda against the Chinese.

  57. Re:Same Here by Anonymous Coward · · Score: 0

    You have a 1500+Mb/s ADSL?

    Where do you get that?

  58. Not a "normal" virus? by Captain+Bonzo · · Score: 0

    Something I heard on the news on BBC Radio 4 made me chuckle. It was describing the potential threat and pointing out that Code Red was 'Not like a normal virus that needs you to open an email' or words to that effect. Hmm...

  59. Looking at the numbers... by Magus311X · · Score: 2

    It seems to be growing at about 70% an hour, but it is slowly leveling off. Anyone care to do the Calculus and plot the curve?

    I'm going to put the number of infections at 6-8 PM at 250,000 - 450,000 hosts just by running some rough numbers in my head and taking into account whether or not patches were applied. That's a lot ...
    -----

    1. Re:Looking at the numbers... by peccary · · Score: 2

      You can't accurately predict the curve if you don't know the size of the vulnerable population. It will tail off at some point, I expect quite a bit lower than the 359,000 infected hosts previously. If we're starting a pool, sign me up for 178,901 infected hosts.

  60. Coxsackie by Anonymous Coward · · Score: 0

    Isn't that American Indian for scrotum?

  61. Re:Snapple virus wouldn't sound very scary by baptiste · · Score: 2

    Actually, it got its name from the guys who did the initial analysis late at night and they drank a lot of Code Red to stay awake. But it sure was descriptive and catchy once this took off

  62. is this it? by Mr.+Slippery · · Score: 1

    Am I correct in believing that Code Red probes are the cause of lines like "GET /default.ida?NNNNNNNNNNNNNNNN..." in my (Apache, of course) referer log?

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
    1. Re:is this it? by b1t+r0t · · Score: 2
      Code red uses NNNNNNN, not AAAAAAA. Here's my favorite hit so far:

      61.131.51.74 - - [01/Aug/2001:15:59:39 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 316 "-"

      Why is it my favorite hit so far? Because I really was "hacked by Chinese"!

      inetnum: 61.131.51.72 - 61.131.51.79
      netname: NANAN-SHISHAN-SCHOOL
      descr: Shishan middle school of Nan'an
      descr: town of Quanzhou city of Fujian
      descr: province
      country: CN
      admin-c: MD47-AP
      tech-c: MD47-AP
      mnt-by: MAINT-CHINANET-FJ
      changed: milizi@sina.com 20010526
      source: APNIC

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:is this it? by Anonymous Coward · · Score: 0

      You, sir, are correct.

    3. Re:is this it? by Anonymous Coward · · Score: 0

      Ah, that explains why I got several hits from my isp with that signature...

    4. Re:is this it? by baptiste · · Score: 2

      Yes, that's Code Red. If you see x.ida?AAAAAAAA, that is a vulnerability scanner from eEye Software which probes for the vulnerability but doesn't infect anything - used by net admins to hunt down vulnerable servers on their network - and also, it seems based on the spike in x.ida hits I got last evening, used by people looking for seed hosts for Code Red round 2.
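An added example (editor's code, not from any poster in this thread) for the "is this it?" question above and the growth-rate question in comment 59: a small Apache access-log classifier that tells Code Red's `default.ida?NNNN...%u...` probes apart from eEye's `x.ida?AAAA...` scanner, counts unique source hosts per class (a `grep -c NNNNN` counts lines, not hosts), and buckets worm hits per hour so the hour-over-hour growth ratio can be read off. The log lines are constructed samples with RFC 5737 documentation addresses, not real captures.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log prefix: source, identd, user, [timestamp], "request", status, size.
# The source field may be an IP or a resolved hostname; \S+ handles both.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request-line shapes described in the thread: the worm sends a long run of N's
# followed by %uXXXX-encoded bytes; eEye's scanner sends a run of A's instead.
IDA_RE = re.compile(r'^/[^?]*\.id[aq]\?(?P<query>.*)$', re.IGNORECASE)
WORM_RE = re.compile(r'^N{100,}(?:%u[0-9a-f]{4})+', re.IGNORECASE)
SCANNER_RE = re.compile(r'^A{100,}', re.IGNORECASE)


def classify(path):
    """Return 'codered', 'eeye_scanner', 'ida_other', or None for a request path."""
    m = IDA_RE.match(path)
    if not m:
        return None
    query = m.group('query')
    if WORM_RE.match(query):
        return 'codered'
    if SCANNER_RE.match(query):
        return 'eeye_scanner'
    return 'ida_other'   # some other hit on the Index Server ISAPI mappings


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['kind'] = classify(rec['path'])
    return rec


def summarize(lines):
    """Count hits and unique sources per class, and worm hits per clock hour."""
    counts, sources, per_hour = Counter(), {}, Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['kind'] is None:
            continue
        counts[rec['kind']] += 1
        sources.setdefault(rec['kind'], set()).add(rec['src'])
        if rec['kind'] == 'codered':
            per_hour[rec['time'].strftime('%Y-%m-%d %H:00')] += 1
    return {
        'counts': dict(counts),
        'unique_sources': {k: len(v) for k, v in sources.items()},
        'per_hour': dict(per_hour),
    }


def hourly_growth(per_hour):
    """Ratio of each hour's worm hits to the previous hour's (1.7 would be the 70%/hour claim)."""
    hours = sorted(per_hour)
    return [(h, per_hour[h] / per_hour[prev]) for prev, h in zip(hours, hours[1:])]


# Constructed sample data. The query string mirrors the worm request quoted in the thread.
WORM_QUERY = ('N' * 224 + '%u9090%u6858%ucbd3%u7801' * 3
              + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')


def _line(src, ts, path, status='400', size='316'):
    return f'{src} - - [{ts}] "GET {path} HTTP/1.0" {status} {size} "-"'


SAMPLE_LOG = '\n'.join([
    _line('192.0.2.10', '01/Aug/2001:13:05:10 +0000', '/default.ida?' + WORM_QUERY),
    _line('192.0.2.11', '01/Aug/2001:13:41:02 +0000', '/default.ida?' + WORM_QUERY),
    _line('198.51.100.7', '01/Aug/2001:13:50:33 +0000', '/x.ida?' + 'A' * 200),  # eEye scanner
    _line('192.0.2.12', '01/Aug/2001:14:02:45 +0000', '/default.ida?' + WORM_QUERY),
    _line('192.0.2.10', '01/Aug/2001:14:17:19 +0000', '/default.ida?' + WORM_QUERY),  # repeat host
    _line('203.0.113.5', '01/Aug/2001:14:30:00 +0000', '/default.ida?' + WORM_QUERY),
    _line('198.51.100.9', '01/Aug/2001:14:33:12 +0000', '/', '200', '1043'),  # ordinary request
    _line('198.51.100.8', '01/Aug/2001:14:40:00 +0000', '/query.idq?CiRestriction=foo'),  # other .idq
])

if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG.splitlines())
    print(summary)
    print(hourly_growth(summary['per_hour']))
```

Feed it a real log with `summarize(open('access_log').read().splitlines())`; on a busy server the per-hour ratios are what the "70% an hour" estimate in comment 59 is about.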

  63. Re:It's only just started! by Dr.+A.+van+Code · · Score: 1
    From what I've read, it's the first 134k.
    134 * 1024 = 137,216 bytes.

    It should be easy enough to strip with dd:

    dd if=infected.doc.pif of=disinfected.doc bs=1k skip=134

    Let us know if you find anything interesting.

    --
    Good mfences make good neighbors.
  64. Re:Affects more than just IIS servers by Unknown+Bovine+Group · · Score: 1
    Yeah, or "if you use a cell-phone, dangerous radiation is going into your brain."

    Oh, wait.

    They DID say that.

    --
    m00.
  65. If you can read this bumper sticker... by Anonymous Coward · · Score: 0

    Hasn't the net-media's coverage been slightly redundant? If the news is good, they look like idiots. But, if the news was bad, which would make them seem intelligent, you wouldn't be able to read about it on the web anyways. (Cnn.com is incapable of scooping the story: "Net Completely Shut Down")

    So, there's no way the media could look intelligent in this (ignoring pre-existing debilitations).

  66. Taming the Media by thetechweenie · · Score: 1

    I'm not sure why the media picks up certain things, and totally ignores others. Until the geeks/techs out there get some type of organization to represent us to the media, this stuff will continue to happen. This all leads back to Dmitry, and the lack of coverage there. If there were some semi-intelligent reporters out there, they'd be reading slashdot to get their stories...

    --


    Um, this is my sig.
    1. Re:Taming the Media by Zico · · Score: 1

      The media picked this story because it involved attacks aimed at the government. Why would you expect anyone other than crime listings to pick up on the Dmitry story? Dude's just another low-level criminal (alleged, of course), whose coverage would usually be limited to the back pages of a local newspaper's Metro section, if even that.

  67. Re:Use the data, Luke! by baptiste · · Score: 2

    Yes but looking at it now (12 EDT) I see a gradual rise in packet loss and a drop in reachability - now that may be normal lunch hour jams, but the gradual increase tells me this is just getting rolling. It's not a matter of if, but how much, I'm seeing more scans as time goes by - trick is how bad it really gets and where it tops out at.

  68. Re:Do NOT click that link! Virus! by joostje · · Score: 1
    Strange. In my friend's apache's access.log, I find 211.161.209.235 - - [01/Aug/2001:17:32:14 +0200] "GET /default.ida?NNNN[lameless filter made me remove full text]NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

    And I assumed that that's what `Code Red' does.

    BTW, what's that `Backdoor' doing in order to infect computers via one simple html (no scripts or anything, just 289 of plain HTML) file?

  69. Increase in HTTP hits on my firewall by AndroidCat · · Score: 2, Informative

    After a few weeks with none, I'm starting to see an increasing number of attempts on my HTTP port. I believe this is the port Code Red goes after on unpatched MS IIS boxes.

    date,time,source,transport
    2001/08/01,00:39:43 EDT,64.224.192.128:4482,80,TCP (flags:S)
    2001/08/01,09:29:53 EDT,203.239.44.55:2464,80,TCP (flags:S)
    2001/08/01,09:43:29 EDT,61.157.184.52:4273,80,TCP (flags:S)
    2001/08/01,11:25:13 EDT,217.126.188.106:53726,80,TCP (flags:S)
    2001/08/01,11:54:00 EDT,193.70.29.42:2668,80,TCP (flags:S)
    2001/08/01,11:56:41 EDT,210.119.9.196:4754,80,TCP (flags:S)
    2001/08/01,12:22:11 EDT,64.81.148.7:3924,80,TCP (flags:S)
    2001/08/01,12:29:15 EDT,61.144.181.223:1319,80,TCP (flags:S)

    I admit that it's not exactly Internet-stopping volume, but if everyone is getting this, that's bound to be a lot of traffic. And note that if I was running an unpatched IIS, I'd be Code Red's bitch by now. (Or somebody's bitch if my ports 111, 139, 515, 31337, etc were open to exploits.)

    --
    One line blog. I hear that they're called Twitters now.
  70. Apache Resolving IPs by waldoj · · Score: 1

    You have a low enough UID to have a clue, so I'm curious, why do you have Apache resolving IPs in the log? Low volume server, or maybe you know the magic to make the resolution fast enough for Apache not to care? (I'm assuming Apache, anyway).

    Low volume server, for the most part. That particular server (I run about half a dozen, all of which are low-volume) serves up a lot of sites that are specific to Charlottesville, Virginia, and I find it highly useful to be able to scan the logs, sometimes real-time, and see who is hitting my machine. DSLs are so common here, and the naming scheme for the addresses so similar to the business name, that I can simply see "hey, The Daily Progress is reading...OK, now the Chamber of Commerce...," etc.

    So, yeah, low volume and a desire for convenience. No magic. :)

    -Waldo

  71. Where do I get the source for that worm? by Jeppe+Salvesen · · Score: 1

    Does the source exist? If so, I could grind the internet to a REAL halt. New cycle - infect for five days (no fixed date), bomb random IPs for two days, lather, rinse, repeat.

    Whoever made this worm, was only looking to create moderate hacker. A true anarchist would have made a heck of a tougher worm.

    --

    Stop the brainwash

    1. Re:Where do I get the source for that worm? by hygelic · · Score: 1

      www.eeye.com - the first to discover it, has the source.

  72. Re:Nope, Code Red is still with us. by BlueUnderwear · · Score: 1

    That leaves me wondering how Code Red's RNG works. Even the first time around people were reporting large numbers of hits on some servers. Is the RNG skewed to some ranges of IP addresses? If the distribution was even over the whole 32-bit IP address space, shouldn't all web servers observe similar hit rates?

    --
    Say no to software patents.
  73. Re:Don't speak too soon by hankwang · · Score: 1
    > Of course I wish more of the media coverage would criticize Microsoft for making holey software that allows these worms to propagate so easily, but you can't always get what you want.

    This is not specifically a Micro$oft problem. There have been plenty of security holes in Linux/Unix daemons (e.g. imap, pop) that allowed crackers to acquire root permissions. Imagine what would happen if someone wrote a script to test random hosts for vulnerability, then acquire root permissions on them, and subsequently install itself everywhere.

    Maybe Linux users are too kind to do such a thing to their brothers ;-)

  74. Re:Good advertising for MS by Rand+Race · · Score: 2
    Yup, I had four emails waiting for me this morning from execs telling me to get the patch from Microsoft for our webserver... our BSD-Apache webserver. Two of them actually requested I patch the OS X file server as well. None of them asked me to patch the only Microsoft server we have, the SQL server... not that it matters.

    Hell, I've had users coming up to me all day asking if I patched their workstations... not only does the worm not affect workstations, we're an advertising agency; our workstations are all Macs!

    --
    Insanity is the last line of defence for the master diplomat. But you have to lay the groundwork early.
  75. Simple answer by westfieldscientific · · Score: 1

    Because we have no billyware here at all: including desktops.

    Besides lack of security, other objections include fs instability, poor ability to sustain tcpip connections, code bloat, the need for constant rebooting and an ugly primitive and stupid desktop that is impossible to modify beyond superficial changes.

    Our strongest objection though is that m$ is motivated by a culture of customer abuse, engineering deliberate incompatibilities with competing software as well as their own older coding, forcing their victims to upgrade at great expense to simply continue the same functional usage they'd been doing for years, and each iteration increases their level of dependency on m$ and excludes more, often better competing products.

    This has already come to the attention of our community, our industry in general and the courts, and the U.S. Court of Appeals recently upheld an earlier ruling that m$ is operating as an illegal monopoly.

    This same court however has handed down a ruling calling for reconsideration of a remedy. I won't volunteer my suggestions here because they haven't been requested. In the meantime, if any corporations running windoze are reading this and find themselves suddenly interested in installing Linux I would invite them to contact me or any of my competitors in the Linux community to discuss this further.

    --
    give me a /home where the buffalo roam
  76. Am I the only one besides beanspace... by WhamJack · · Score: 1

    that is disappointed by Code Red's lack of success? I know I was looking forward to smugly watching Microsoft products wreak havoc on the Internet.

    P.S. I am not a troll.

    --
    ----------
    If there were gods, how could I bear to be no god?
    Consequently there are no gods.
    1. Re:Am I the only one besides beanspace... by baptiste · · Score: 2
      Incidents.Org is reporting exponential growth

      And now thanks to a slashdotting it isn't even responding :) I wanna see the 12 o'clock total! It's like watching a game :)

    2. Re:Am I the only one besides beanspace... by beanerspace · · Score: 1

      I'm not sure if we're the only ones, but I still say Screw It! Incidents.Org is reporting exponential growth, it's a warm 80 degrees out, with a mild breeze. Let's go fishin'!

  77. Re:Don't speak too soon by MaxwellStreet · · Score: 1
    Me? I prefer:

    grep -c NNNNN access_log

    Gives a neat little count.

  78. Not really y2k by Punto · · Score: 2
    For me it actually felt the opposite of y2k.. With y2k all the media was "it's the end of the world!! we were right, those damn computers are evil!!!", and I was "no big deal, just add some bytes".

    With red code, I was 'microsoft is going down!! yeah!', but I didn't see much 'media impact' (who won the 'predict the headlines' contest).

    Nothing happened, but this time I was disappointed. ;)

    --
    Stay tuned for some shock and awe coming right up after this messages!

  79. Re:I don't know about you by Cato · · Score: 2

    I also had an incredibly slow ping time and loss rate to yahoo.com about 9.00 BST (8.00 GMT, 3.00 EST) today - 380 ms pings, and 60% loss rates. Normally I get 180ms pings to yahoo.com and almost no packet loss, so something was definitely happening. Local UK sites were OK, and it wasn't my provider according to a traceroute (I have an ADSL line).

    So maybe something did happen - however, the various survey sites report that nothing really major happened, so this was probably just a coincidence (maybe too many people hitting yahoo.com at the same time to see if it was still up?)...

  80. Re:Don't speak too soon by Captain+Bonzo · · Score: 0

    Of course I wish more of the media coverage would criticize Microsoft for making holey software that allows these worms to propagate so easily, but you can't always get what you want.

    I'm not sure it's entirely MS's fault. Their software may be more holey than the alternatives, but not by the orders of magnitude that many would believe. It's just that the alternatives are often administered by more clued-up people who are more active in protecting their systems (yeah, sweeping generalisation, I know).

    Besides, if there was another OS that was as high profile as Windows, I'm sure there'd be a lot more attacks against it, if only to get the media coverage and egoboo.

  81. Preventive infections? by Vassily+Overveight · · Score: 1

    Why doesn't a white-hat hacker modify Code Red to apply the proper patches to systems it penetrates? (And not attack the White House website, of course.) Kind of like releasing sterile Medflies in an infected area.

    --

    "If I have seen further than other men, it is by stepping on their glasses." - Michael Swaine

    1. Re:Preventive infections? by dwlemon · · Score: 1

      Or: Why don't people just patch their god damned servers?

      I think the "virus killing virus" idea could backfire. We could be stuck with a virus running around trying to "cure" machines at an alarming, growing rate and clogging up the pipes. All it would take is a small mistake.

  82. Re:Why? by Anonymous Coward · · Score: 0

    CNN is a Lotus Notes shop

  83. Re:Yep. Gone with a whimper. by Anonymous Coward · · Score: 0
    Only one so far. Let's see how many you have tomorrow, or in a week, or by the 18th of August, which will be the end of the propagation cycle.

    So far, I've counted 11 attacks today, versus 86 in total for last month.

    Here's some graphs posted to NANOG earlier today:

    http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif

    http://www.caida.org/analysis/security/code-red/aug1-live-hosts-log.gif

    http://www.caida.org/analysis/security/code-red/gifs/cumulative-ts.log.gif

    (I don't know if that last one includes the top two, but it's supposed to be the cumulative graph for 19-20 July)

  84. Re:But what about the media? by b1t+r0t · · Score: 2
    For the record, Code Red doesn't actually infect the routers, but does trigger a known crashing bug in the IOS web server that was discovered a few months ago. So it will stop an un-upgraded router dead in its tracks.

    I've been hit seven times so far according to my Apache access logs, and a possible three other times on another machine with no web server, but a logging firewall block on port 80.

    At least two of the hits are from an @home and a DSL customer. Perhaps by crashing the un-upgraded Cisco DSL routers they're actually doing a service by preventing DS-Lusers' home machines from being able to spread the worm. Not to mention blocking all the skript-k1dd13 IRC DD0S w4r3z that are already running on said lusers' machines.

    An interesting anecdote is two weeks ago when I called my ISP, their phone answered with a message about Code Red, and then I overheard a tech support guy in another cubicle at the ISP telling someone to power-cycle their router.

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  85. Nope, Code Red is still with us. by BlueUnderwear · · Score: 2

    Code Red gone? Errhm, not really. I got 4 hits on my webserver at home this afternoon, 2 at a school I help administer, 1 at another school, 3 at our Linux club's computers, and 2 more at another computer of the club. Whereas we didn't get any hits on any of these sites the first time around (mid July). It's alive, and kicking! Rumors are also that www.java.sun.com's outage today might have been due to Code Red, but don't ask me how. Sun hopefully isn't running IIS, or are they? Or maybe it just knocked out one of their Cisco routers...

    --
    Say no to software patents.
    1. Re:Nope, Code Red is still with us. by BlueUnderwear · · Score: 2
      > Hmm. The first host infects X others, and then all the children attempt to infect the exact same X? That would be known as NO growth.

      It would still grow, unless the RNG had a real short cycle. True, the children would infect no new hosts, but the root worm would... until it is killed, and then the next oldest will take over. Each copy of the worm will infect the sites in a certain sequence (for example 2, 3, 5, 7, 11, 13, 17, ...) which would be infinite (or rather 2^32). The problem would be that it would be the same sequence for each copy of the worm. I.e. Worm number two would also first start with site 2 (itself), then 3, 5, 7, etc. just as number one did. Given enough time the whole 2^32 bit space would still be probed, but only the very first worm would contribute to this. The others would only redo sites which the root already has checked.

      A more in-depth description can be found here

      --
      Say no to software patents.
    2. Re:Nope, Code Red is still with us. by flufffy · · Score: 1
      it would be random if all ip addresses were distributed randomly. but are all ip addresses distributed randomly? i was wondering cuz some tlds are more popular, and so the sub-parts of the ip addresses associated with them would also be more popular. with unpopular tlds the lower level parts of the address are also not used to the same extent. perhaps the skewed effect reflects a skewed dist. of ip addresses within the ip address universe.

      in other words, rc is not selecting from a random sample, but a skewed sample. i think.

    3. Re:Nope, Code Red is still with us. by realdpk · · Score: 1

      4 hits, that's all? This morning I counted 1699 unique hits on one server, and 3485 on another (both up about 50% from 1 hour ago!). And these are just two servers out of a farm of 20 each of which have 2-5 /24's on them. Haven't seen any of Microsoft's servers yet, but I'll keep y'all posted. :)

    4. Re:Nope, Code Red is still with us. by daviddennis · · Score: 2

      The original version was in fact hard-coded with a specific sequence of IPs, so you are in fact correct.

      It was modified by parties unknown to be more flexible and go anywhere. So in theory the threat is now much greater.

      Hope that helps.

      D

    5. Re:Nope, Code Red is still with us. by BlueUnderwear · · Score: 2
      > I read in the early reports (not sure if it has been invalidated or corrected now), that the random number generator did not reseed itself on each infection. Thus, the IPs generated were the same.

      > A variant of the original worm supposedly corrected this error.

      I heard about that one too, but the way I heard it was that the initial variant was so inefficient that it went by unnoticed, except by eEye.

      The version that was seen spreading exponentially July 19th was already the "fixed" version.

      Indeed, if each worm uses the exact same sequence, the spread is linear. Rather than fanning out, each instance would try to re-infect the exact same sites that its parent already has infected, hence linear, rather than exponential growth.

      --
      Say no to software patents.
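An added toy model (editor's code, not from any poster) of the point argued in this subthread and in the "linear vs. exponential" reply above: infected instances that all replay the same target sequence only ever re-probe what the root has already covered, so the infected count is bounded linearly by the root's probe budget, while instances that seed from their own address fan out until the vulnerable population is exhausted (the tail-off peccary predicts in comment 59). The address space, vulnerability rule and the small LCG are constructed assumptions, chosen only so the run is deterministic; nothing here is Code Red's actual generator.

```python
SPACE = 1 << 16          # toy address space (constructed)
VULN_MOD = 10            # one address in ten is "vulnerable" (constructed)
ROOT = 12345             # address of the first infected host (constructed)
PROBES = 8               # target addresses each instance probes per tick
STEPS = 12               # ticks to simulate by default


def is_vulnerable(addr):
    """Constructed rule standing in for 'runs unpatched IIS'."""
    return addr % VULN_MOD == 3


class LCG:
    """Minimal linear congruential generator (ANSI C rand() constants), period 2^31."""

    def __init__(self, seed):
        self.state = seed & 0x7FFFFFFF

    def next_addr(self):
        self.state = (1103515245 * self.state + 12345) & 0x7FFFFFFF
        return (self.state >> 8) % SPACE   # skip the weakest low bits


def simulate(mode, steps=STEPS, probes=PROBES, root=ROOT):
    """Return the infected-host count after each tick.

    mode == 'shared':   every new instance starts from the root's seed, so it
                        replays exactly the sequence its ancestors already walked.
    mode == 'reseeded': every new instance seeds from its own address, so each
                        walks a different stretch of the generator's cycle.
    """
    if mode not in ('shared', 'reseeded'):
        raise ValueError(mode)
    infected = {root: LCG(root)}   # addr -> that instance's generator
    history = [len(infected)]
    for _ in range(steps):
        newly = {}
        # Snapshot: hosts infected this tick start probing on the next tick.
        for _addr, rng in list(infected.items()):
            for _ in range(probes):
                target = rng.next_addr()
                if is_vulnerable(target) and target not in infected and target not in newly:
                    newly[target] = LCG(root if mode == 'shared' else target)
        infected.update(newly)
        history.append(len(infected))
    return history


def linear_bound(steps=STEPS, probes=PROBES):
    """Upper bound on 'shared' infections: the root plus one per address it ever probed."""
    return 1 + steps * probes


def max_infected():
    """Saturation ceiling: every vulnerable address plus the (non-vulnerable) root."""
    return sum(1 for a in range(SPACE) if is_vulnerable(a)) + (0 if is_vulnerable(ROOT) else 1)


if __name__ == '__main__':
    for mode in ('shared', 'reseeded'):
        print(mode, simulate(mode))
    print('linear bound for shared mode:', linear_bound())
    print('saturation ceiling:', max_infected())
```

The per-tick history is the quantity to compare against the per-hour hit counts people are posting: a curve that doubles every tick and then bends over is the reseeded regime, a curve that adds a roughly constant amount per tick is the replayed-sequence regime.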
    6. Re:Nope, Code Red is still with us. by Tim+Doran · · Score: 2

      Each time we go to our weekend house...

      Yeah, life is tough, alright. Weekend house?!?

      ;)

    7. Re:Nope, Code Red is still with us. by vulg4r_m0nk · · Score: 1

      It's only 9am here, and my cisco's been locked up three times already. It kills me to shut down and restart a piece of equipment like this -- can't be good for its life expectancy. It also really screws up my aim on Q3 :)

  86. Re:Yep. Gone with a whimper. by Anonymous Coward · · Score: 0

    I'm the "got 1000 last time" person. The rate is slowing. At peak (~1pm est) I was seeing 1 hit for default.ida every 60 seconds on average. Right now (2pm est), I'm seeing 1 every 5 mins on average. Brakes are being applied in some form, be it patches or filtering.

    In case anyone is interested, I'm in a 6X.X.X.X netblock and have about 25 IPs in that netblock assigned to a vhost apache box. All my domains/ips are feeding to a common error_log for ease of monitoring.

  87. Reading people's private documents. by Anonymous Coward · · Score: 0

    How can I extract the private documents from the .exe files they are wrapped into? I'm talking about the SirCam-virus-documents...

  88. Re:Don't speak too soon by gimpboy · · Score: 2

    I got hit 17 times during the heyday (July 19th). I was hit once last night around 7. I've been hit 5 times since 11:40 (it's 12:18 right now). Since it grows exponentially it's similar to cancer: it starts off slowly and you don't notice it; once it's big enough to notice, you're almost dead. This is going to be a fun few days.

    --
    -- john
  89. The Reason Code Red gets the Klaxons by cnelzie · · Score: 2, Funny


    The reason is simple. Everyone wants to get potentially damning documents from anyone. If the internet grinds to a halt then you wouldn't be able to get that information from SirCam.

    --
    .sig separator
    --

    --
    If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
  90. Re:More media crapola by b1t+r0t · · Score: 2
    I know that virtually everyone who reads this site will agree that this is a load of crap, so let me just summarize my reaction: "To save the Internet, it was necessary to destroy the Internet."

    When in actuality all we need to do to save the internet is to destroy Microsoft.

    --

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  91. Why? by zook · · Score: 1
    Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

    Hype begets hype.

    1. Re:Why? by Alien54 · · Score: 2
      Because nobody at CNN has been infected with sircam yet.

      Actually, Sircam is an agent for CNN, ABC, National Enquirer, etc.( and the other media.) Sircam is a reporters dream. All those gigabytes of confidential documents, being sent at random.

      I wonder how many wind up in the hands of CNN, ABC, Fox, etc?

      --
      "It is a greater offense to steal men's labor, than their clothes"
  92. I wonder if... by djocyko · · Score: 2

    incidents.org will soon be reporting how quickly they were personally attacked by the SlashDot worm (in a nice pretty 3d line graph). That's something I would like to see.

  93. That's a bit premature by gclef · · Score: 1
    I think it's a bit early to be announcing the death of Code Red.

    Have a look at the stats on www.incidents.org. Right now (as of 11:30 EDT), they have what looks to most folks like the start of a nice exponential growth pattern. It's still small compared to last time, but it is showing no signs of shrinking.

    Clearly, the folks who claimed that the dormant infections would all spontaneously re-start were wrong. However, *someone* re-introduced the worm to the wild, and the spread has started again.

    1. Re:That's a bit premature by LinuxHam · · Score: 1

      However, *someone* re-introduced the worm to the wild, and the spread has started again.

      It is thought that it was reintroduced by infected servers with misconfigured clocks showing it was still time to spread the worm. There were an estimated 2,000 such servers around the world, and when the other 99.999% of the world clicked over to 0:00 UTC, those 2,000 servers finally started getting results from their infection attempts.

      My thing is the admins who got infected between the 28th and the 31st got a permanently sleeping worm, and may have thought "phew! glad I escaped that one!" Next reboot.. vulnerable all over again.

      --
      Intelligent Life on Earth
  94. Re:A solution to the problem? by Zico · · Score: 1

    Why would you blame anything other than Microsoft's enormous popularity for Sircam? It sure doesn't make use of any exploits. Sorry, but it's just hard to come to any conclusion other than that a lot of you guys who harp on this stuff don't have any idea what you're talking about.

  95. NEW DATA [was Re:Geometric growth.] by baptiste · · Score: 3, Informative
    Finally got Incidents.org to respond, they posted new data (looks like the hours shifted though):
    • 11AM - 22,001
    • 12PM - 32,502
    • 1PM - 41,968

    SO not as explosive as expected BUT, we're already at just about 80,000 infected hosts and it's only 2PM! I'm sure there are PLENTY of vulnerable servers still out there. My 3 web servers have been hit 13 times so far. That's 3 IPs hit between 4 and 5 times each. Not huge, but for such a tiny IP section, scary all the same.

    1. Re:NEW DATA [was Re:Geometric growth.] by ^DA · · Score: 1

      15 hits, on one IP. And this is day one...

    2. Re:NEW DATA [was Re:Geometric growth.] by Swordfish · · Score: 1
      I've had 12 hits on 22 virtual host IPs in the last 20 minutes. That's

      (12 * 60) / (20 * 22) = 1.63 hits per hour per IP address.

      For 4e9 IP addresses, that's about 1.6 million hits per second. Each hit uses about 1 kByte. So that makes a total bandwidth of about 12 Gbits/sec. It's less than that because hits into empty IP space use only about 300 bytes for the SYN packets. But still, this is quite a large bandwidth. I wonder how much of this is heading across the border between the US and other countries right now.

      If there are 40,000 infected machines, that's about 40 hits emanating out of each infected host per second. At 500 Bytes each on average, that's about 160 kbits/sec per host, which is not too far away from a credible value.

  96. Re:No one is talking about SirCam by Anonymous Coward · · Score: 0

    Because the government wants to find the author and recruit him..... Viruses that send documents out.... or they already did, beats the shit out of getting a search warrant. ...Ah Judge, we were alerted to Mr X's activities by a document sent by concerned citizen Y who contacted our office.

  97. 5 hours left? by VC · · Score: 1

    In case you're having trouble loading it (slashdotted? or wormed :-)

    Time (8/1 EDT)   Hosts infected
    0-1                 157
    1-2                 252
    2-3                 495
    4-5                 893
    5-6                1591
    6-7                2881
    7-8                4792
    8-9                8007
    9-10              13487
    10-11             22001

    That's exponential, folks. Don't want to alarm anyone, but in 5 hours it'll have reached the severity of last time, and we'll still have 17 days to go.

    The internet will shut down in 5 minutes, please log out now...
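
The "5 hours" claim above can be checked rather than eyeballed. The block below is an added example, not from the thread: it fits a straight line to the logarithm of the hourly incidents.org counts quoted in the post (a straight line on a log scale is exactly what "exponential" means), reports the hourly growth factor, the doubling time and how well the line fits, and projects when the curve reaches the 359,000-host figure for the July outbreak that is quoted later in this thread. Hour buckets are taken as consecutive integers, as the post lists them.

```python
import math

# Hourly cumulative infected-host counts for 1 August (EDT), as quoted in the
# thread from incidents.org; first bucket is hour 0-1, last is 10-11.
HOURLY_COUNTS = [157, 252, 495, 893, 1591, 2881, 4792, 8007, 13487, 22001]


def fit_growth(counts):
    """Least-squares fit of ln(count) = a + b * hour.

    Returns (hourly_growth_factor, doubling_time_hours, r_squared).
    r_squared close to 1 means the counts really are growing geometrically.
    """
    n = len(counts)
    xs = list(range(n))
    ys = [math.log(c) for c in counts]
    x_mean = sum(xs) / n
    y_mean = sum(ys) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    slope = sxy / sxx
    intercept = y_mean - slope * x_mean
    ss_res = sum((y - (intercept + slope * x)) ** 2 for x, y in zip(xs, ys))
    ss_tot = sum((y - y_mean) ** 2 for y in ys)
    return math.exp(slope), math.log(2) / slope, 1 - ss_res / ss_tot


def hours_until(counts, target):
    """Hours after the last observation until the fitted growth reaches target."""
    growth, _, _ = fit_growth(counts)
    return math.log(target / counts[-1]) / math.log(growth)


if __name__ == "__main__":
    g, t2, r2 = fit_growth(HOURLY_COUNTS)
    print(f"hourly growth factor {g:.2f}x, doubling every {t2:.2f} h, R^2 = {r2:.3f}")
    # 359,000 is the July peak quoted elsewhere in this thread
    print(f"hours to reach 359,000 at this rate: {hours_until(HOURLY_COUNTS, 359_000):.1f}")
```

On these ten points the fit gives roughly a 1.7x increase per hour, a doubling time of about an hour and a quarter, and about five hours from the last sample to the July peak, which is the poster's estimate. The same function works on any run of per-interval counts pulled from your own logs.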

  98. Re:Billions of dollars spent... by Morrigu · · Score: 1
    Not yet, anyway. It's still spreading at a logarithmic rate, like a biological virus. I'm seeing hits from the worm increase by an order of magnitude every 4-5 hours, starting from last night. The graphs at http://www.incidents.org show the same kind of behavior for their systems.

    It'll start out small, but it doesn't take long to become a Real Big Problem at this rate.

    --
    "We can categorically state that we have not released man-eating badgers into the area." - Major Mike Shearer, UK
  99. Re:who cares by Anonymous Coward · · Score: 0

    well, if you weren't such an idiot, you'd read the article. but knowing you, you're a loser troll

  100. New version? by joostje · · Score: 1

    I just saw an attack by 211.161.209.235, and the defaced site there shows a rather different text than `hacked by the chinese' or something. (mirror is at http://www.komputilo.org/fuck.html)

  101. Re:A solution to the problem? by Korth · · Score: 1

    Symantec already does this, sort of.
    e.g. They call Sircam: W32.Sircam.Worm@mm
    W32 is short for Windows 32bit.

  102. Re:How do they know 22,000 servers were infected.. by david+duncan+scott · · Score: 2

    They describe it in broad terms, but it boils down to log entries and unique source IP's.

    --

    This next song is very sad. Please clap along. -- Robin Zander
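
Several posters above are counting default.ida probes in an Apache error_log (one hit every 60 seconds, 12 hits on 22 virtual-host IPs in 20 minutes, and so on), and this post notes that the published infection counts come down to log entries and unique source IPs. The block below is an added example, not code from the thread or from incidents.org: it parses error_log lines in the Apache 1.3 "File does not exist" shape (an assumption about the log format), keeps only requests for /default.ida, counts distinct source addresses and probes per hour, and computes the per-listening-IP rate the way the thread does. The sample log lines are constructed, using documentation address ranges, not sources from the page.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache 1.3 error_log lines (made up for this example).
SAMPLE_ERROR_LOG = """\
[Wed Aug  1 13:01:05 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/default.ida
[Wed Aug  1 13:02:17 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida
[Wed Aug  1 13:02:40 2001] [error] [client 192.0.2.10] File does not exist: /var/www/html/default.ida
[Wed Aug  1 13:15:02 2001] [error] [client 203.0.113.4] File does not exist: /var/www/html/favicon.ico
[Wed Aug  1 13:59:59 2001] [error] [client 203.0.113.44] File does not exist: /var/www/html/default.ida
[Wed Aug  1 14:20:31 2001] [error] [client 198.51.100.7] File does not exist: /var/www/html/default.ida
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # "Wed Aug  1 13:01:05 2001"


def parse_error_log(text):
    """Return (timestamp, source_ip, path) for every line in the expected shape."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other kinds of error_log entries are ignored
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        records.append((ts, m.group("ip"), m.group("path")))
    return records


def code_red_hits(records):
    """Keep only requests for /default.ida, the request the worm sends."""
    return [r for r in records if r[2].endswith("/default.ida")]


def unique_sources(hits):
    """Distinct source addresses: the basis of infected-host counts."""
    return {ip for _, ip, _ in hits}


def hits_per_hour(hits):
    """Probe counts keyed by (date, hour), to watch the rate change over time."""
    return Counter((ts.date(), ts.hour) for ts, _, _ in hits)


def hits_per_hour_per_ip(n_hits, minutes, n_listening_ips):
    """The per-address rate used in the thread: (hits * 60) / (minutes * IPs)."""
    return (n_hits * 60) / (minutes * n_listening_ips)


def summarize(text):
    """Total probes, distinct sources and the per-hour breakdown for a log."""
    hits = code_red_hits(parse_error_log(text))
    return len(hits), len(unique_sources(hits)), hits_per_hour(hits)


if __name__ == "__main__":
    total, sources, per_hour = summarize(SAMPLE_ERROR_LOG)
    print(f"{total} default.ida probes from {sources} distinct sources")
    for (day, hour), n in sorted(per_hour.items()):
        print(f"  {day} {hour:02d}:00-{hour + 1:02d}:00  {n} probes")
    print(f"{hits_per_hour_per_ip(12, 20, 22):.2f} hits per hour per IP")
```

Run it over a real error_log by replacing the sample text with the file contents; the per-hour counter is what you would plot to see whether the rate is climbing or, as one poster reports, slowing as patches and filtering take hold. Counting distinct sources rather than raw hits is what keeps a single chatty infected host from inflating the estimate.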

  103. Re:Yep. Gone with a whimper. by frank_adrian314159 · · Score: 1
    To be fair, buffer overflows can happen to anybody

    Bull****. Double bull****.

    There are plenty of SAFE languages around that are completely unsusceptible to buffer overflow. "To be fair, buffer overflows can happen to any programmer who values speed over safety" is how you should phrase it.

    The technology is available to avoid these things. Programmers have chosen to ignore available and safe technology in the name of a few packets per second and so we are in the state we are in today.

    Don't confuse your choice with what must be.

    --
    That is all.
  104. I think the security folks should modify code red by Greyfox · · Score: 2

    They need to modify the worm to make it download the MS Security patch, install it and reboot the system. Although that could be significantly more damaging to those IIS servers than the worm currently is. At least Code Red doesn't have the potential to leave your system in a non-working state. I've heard tell that a lot of those MS security patches don't get installed because they do more harm than good (I have no personal experience with that though; no "you're bashing windows" flames, please. I'm not.)

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  105. Re:Premature Announcement...much? by frantzdb · · Score: 2
    I dunno why the Washington Post, et al. were making a so-called 8:00pm deadline...considering it wasn't supposed to start until the 1st anyway--not the 31st.



    20:00 EST == 00:00 GMT

    --Ben

  106. Re:Don't you get it!?? by baptiste · · Score: 2
    Watching people run IIS is like watching a violent, fiery thunderstorm. Sure, it'd suck if lightning actually HIT me, but I'm quite safe.

    ROFLMAO!

  107. I send you this file in order to have your advice by necrognome · · Score: 1

    The SIRCAM feature everyone is talking about wasn't included on my Windows 98 CD. Does this mean I have to wait until the next service pack? Please pass this message on to anyone who can assist me with the problem

    Thanks,
    Outlook Express power user

    --


    Let's get drunk and delete production data!
  108. Re:No, let it blow! by Zico · · Score: 2, Insightful

    The patch was available for a month before Red Code struck, so how does this show how irresponsible Microsoft is compared to worms that have hit other operating systems? Why has Linux been struck with worms of its own? Does that mean a "closed source, NDA distribution model" is superior, then? Besides, just like with desktops, most web servers on the internet run Windows, so it's not too surprising that more of them get attacked, especially since not only are there more, they're usually used for more important data/applications, especially when it comes to e-commerce.

  109. Hit rate increasing. by Robert+Frazier · · Score: 1

    I keep an eye on three boxes (1 server/workstation, 1 FW and 1 web server). They are being hit with increasing frequency. About 20 hits so far, and most within the last hour or so. Unfortunately, this thing hasn't run its course yet.

    Best wishes,

    Bob

  110. No, let it blow! by twitter · · Score: 3, Interesting
    Hush! Let this thing blow up and get as bad as it will. I'll suffer a few days of slow net service so that the world might learn how irresponsible MS is and how bad their wares are. Of course, even if this is fought tooth and nail, it will still show up how inferior a closed source, NDA distribution model really is. Leave MS to warn their people.

    Relax, all you MS sysadmins. Nothing Really Bad is going to happen. Just sit tight and all this will blow over, like Melissa did. Educate your users and continue upgrading to W2K. Sleep, now.

    --

    Friends don't help friends install M$ junk.

    1. Re:No, let it blow! by Anonymous Coward · · Score: 0

      > Let this thing blow up and get as bad as it will. I'll suffer a few days of slow net service so that the world might learn how irresponsible MS is and how bad their wares are

      Do you think the world will learn anything? You must be kidding. Did the world learn anything from Love Letter? Do you see less people using Outlook? More? Did you notice a huge increase in pine and mutt users recently?

      One thing the world would learn is that, thanks to a Microsoft patch, the internet has been saved. The other thing they would learn is that there is a need for a better internet. The one business wants.

      Letting it blow won't do any good.

      Cheers,

      --fred

    2. Re:No, let it blow! by Anonymous Coward · · Score: 1, Informative
      Sorry to see you can't read *or* count!!!

      The post said, "most web servers on the internet run Windows." He's absolutely correct.

    3. Re:No, let it blow! by Anonymous Coward · · Score: 0

      Hmm? Please explain.

    4. Re:No, let it blow! by Anonymous Coward · · Score: 0

      The worm was propagated by exploiting the shortcomings of MICROSOFT's crappy programming! Laziness on the part of Microsoft and closed source (which prevents the less lazy from correcting their mistakes) are the reasons we are in this mess to begin with. No one would have needed the patch they made a couple months ago if they had used responsible programming in the first place. Please do not try to use Microsoft to support the use of closed-source coding. Their idiocy is far too prevalent.

    5. Re:No, let it blow! by Anonymous Coward · · Score: 0
      Laziness on the part of Microsoft and closed source (which prevents the less lazy from correcting their mistakes)

      What the fuck are you talking about? The less lazy _did_ correct the mistake, using the patch. Are you that much of a fucking idiot to think that other operating systems don't need to be patched because of their own fuckups? Go check out RedHat or Debian's security errata pages, where you'll find many more fuckups than Microsoft. Just face the fact that more Microsoft machines get hit because there are many, many times more of them, and maybe you'll find peace with yourself.

    6. Re:No, let it blow! by Anonymous Coward · · Score: 0
      Glad to see you can count!!!

      Last figures were around 28% of sites on IIS - not quite a majority

    7. Re:No, let it blow! by Anonymous Coward · · Score: 0

      > Besides, just like with desktops, most web
      > servers on the internet run Windows, so it's
      > not too surprising that more of them get
      > attacked, [...]

      Dude, put down the crackpipe

    8. Re:No, let it blow! by bbcat · · Score: 1
      Educate your users and continue upgrading to W2K
      Being educated and upgrading to W2K don't belong together.
      When you use W2K, isn't that more a downgrade?
      Using Linux or OS/2 would be an upgrade
    9. Re:No, let it blow! by Anonymous Coward · · Score: 0
      The post said, "most web servers on the internet run Windows." He's absolutely correct.

      And that makes his point absolutely moot. The Code Red worm is an IIS problem, not a Windows problem. Windows servers running Apache won't be infected. So what was he trying to prove?

  111. Still Too Early by jmoloug1 · · Score: 1

    I don't know why everyone is surprised that nothing happened. Last night was just when the worm would turn itself back on. It's only beginning its propagation phase now. Even the article says we really won't know anything for up to three days. Since the worm spreads in a geometric progression, after a few days the growth will become unmanageable. That won't happen immediately though.....

  112. Re:I don't know about you by gmhowell · · Score: 1
    But you can bet that there are a bunch of people out there right now working on the next batch. It's so exciting to see your work on TV, isn't it?


    I agree. What surprises me is that sircam and code red, despite much talking here, on CERT, etc., still have problems (problems in that they haven't killed the net). But yes, sooner or later, (maybe in the next batch, as you said) someone is going to invent the true 'Net-killer.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  113. Re:When are virus/worm writers going to get seriou by Dunall · · Score: 1
    Simply because several servers DOSing isn't a problem... with several hundred thousand DOSing, it's gonna eat up quite a bit of bandwidth nationwide.

    It's a simple case of, was this virus really just meant to DOS a server, or hurt the backbone of the internet?

    If it's the latter, the writer(s) has a little more upstairs than people gave him/her credit for... The simple ping flooding of whitehouse.gov could have been an ingenious smoke-screen..

  114. Snapple virus wouldn't sound very scary by T1girl · · Score: 1

    Code Red sounds like something to get really worried about, lights flashing, panic buttons being pushed, sirens going off, while Sircam sounds like another aging British rock star.

    What is it the Mutant Community has to hide, I wonder, that makes them so afraid to identify themselves.

    1. Re:Snapple virus wouldn't sound very scary by RedOregon · · Score: 1

      I just wanna know how many free cases of Code Red showed up at Eeye's doorstep as thanks for the incredible free publicity...

      --
      Skivvy Niner? Email me!
      HEY! Look left just ONE MORE TIME!
  115. Don't you get it!?? by mcrbids · · Score: 2, Funny
    It only takes ONE infected system to kick it all off!

    It has most DEFINITELY kicked off again - logs on my primary server indicate at least one hundred hits from this bug.

    Already, that's almost as many as last time, and there are 18 more days of this.

    For me, it's almost like watching a violent, fiery thunderstorm. Sure, it'd suck if lightning actually HIT me, but I'm quite safe.

    Kinda sick, isn't it?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  116. I don't know about you by stebalo · · Score: 2

    But my connection SUCKS today.

    I was thinking it was related to the worm.

    But remember, the last time it struck, it grew exponentially for 7 days until it really hit its stride.

    --
    "I drank what?" - Socrates
    1. Re:I don't know about you by esper · · Score: 1
      If this incarnation of the worm were really malicious, it would try more than 100 addresses.

      It always has tried more than 100 addresses. It uses 100 threads to try addresses. Each thread keeps itself quite busy scanning large numbers of addresses.

    2. Re:I don't know about you by 11thangel · · Score: 2

      I dunno about you, but my connection ALWAYS sucks. American Residential Internet: when it goes down, there is almost never a logical explanation. (i.e. a train crashed in baltimore and melted a fiberoptic cable, bringing down my internet 200 miles away)

      --

      I am !amused.
    3. Re:I don't know about you by Anonymous Coward · · Score: 0
      Every one of them said, "Just simply reboot your computer and everything's fine!"

      This is another example of this worm's relatively non-malicious behavior. A nasty worm wouldn't have been strictly RAM-resident. That way, a larger number of machines would still have been infected last night.

    4. Re:I don't know about you by imipak · · Score: 2
      • It looks (from the Incidents graph, at about 2035 UTC Wednesday) like it'll top out at about 60,000 known infected hosts;
      • If nothing happens, it could just mean (as with Y2K) that the hype was justified, because everything got fixed, which is why nothing happened;
      • To the people saying "yeah, MAE-east is screwed" etc - look at the average response time charts. Nothing very dramatic there...
      • Er, we were all right about this. Even the trolls ;)
    5. Re:I don't know about you by cavemanf16 · · Score: 1
      And let's face it, there's not very many, if any, sysadmins allowing this bug to propagate because they haven't updated their win2000 servers. It's mainly the home office user, the small business without a sysadmin, the home user, etc. with the 'always on' connection that's causing the problem. I think Steve Gibson is right in saying that WinXP allows default configurations of low security to impede the normal usage of the internet. Most people, even computer literate ones, will not be installing every last security update patch when they buy that new eMachine at Best Buy. They'll just be glad to have their cable connection and a new computer to play the latest MMORPG with.

      What's really pathetic is that every newscast I saw last night about Code Red made no mention of how to inoculate your computer against the virus. Every one of them said, "Just simply reboot your computer and everything's fine!" - What a lame excuse for 'solving the problem'.

    6. Re:I don't know about you by Anonymous Coward · · Score: 0

      Once you have destroyed the harddrive of your machine that machine cannot be used to attack anymore. This worm was designed to attack for 20 days (unless you put in some logic putting off the HD erase for twenty days)

    7. Re:I don't know about you by Anonymous Coward · · Score: 0
      I definitely agree with your last comment. While these various and sundry viruses have seemed bad, they certainly don't seem engineered to 'bring down the internet'. There are far too many simple mistakes that were made.

      But you can bet that there are a bunch of people out there right now working on the next batch. It's so exciting to see your work on TV, isn't it? In any case, it's not like there aren't plenty of buffer overruns waiting to be exploited. It'd probably be a good idea to choose a Windows service other than IIS next time, simply to increase the number of hosts available to propagate the virus.

    8. Re:I don't know about you by mike_the_kid · · Score: 5, Insightful
      This is not really a joke, though some will see it as MS bashing:

      Code Red would have started with about 200,000 existing infected machines, except that:
      • How many of those unpatched 2000 / NT boxes do you think have been up for the whole time since the worm went into remission? Remember rebooting will remove the worm from memory (though you would probably eventually be reinfected.)
      • If any 2000 box is not being kept up to date on its patches and is running IIS, what do you think its uptime is going to be like? I say not good.

      It will not stop the worm from growing, but it will play a role in controlling the code red.

      If this incarnation of the worm were really malicious, it would try more than 100 addresses. (though incident.org said that the rng in the latest version is stronger). A relatively benign worm like this is better for the weak sysadmins in the long run, because otherwise they would not have known of this relatively simple security hole.
      --
      Troll Like a Champion Today
    9. Re:I don't know about you by Anonymous Coward · · Score: 0
      I don't know...

      The fact that the usual user who is not security conscious, notices his Winblows machine is going really slow on its net connection, and reboots to 'fix' the problem will likely just get reinfected, and still not realize why his net connection keeps getting slow every month. So it's malicious to the non-security conscious because we may never be 'completely' rid of it due to inept users.

      It's like hepatitis flare-ups and condom users. Sure, condoms protect you *most* of the time, just like rebooting protects you *most* of the time, but the disease will come back once you've been exploited.

    10. Re:I don't know about you by Dr.+A.+van+Code · · Score: 1
      by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it never did .

      Perhaps I'm misunderstanding (or misunderestimating? :) your point here, but I don't think the issue with clocks is that the worm will "reawaken", but rather that on some machines with significantly slow clocks (a couple weeks slow) which still think the date is around the middle of July, the worm is still in spread mode.

      On such a machine, the worm never switched to attack mode, and then went dormant, but is still scanning IPs, looking for hosts to infect.

      In any case, the reports that people are being scanned show that, one way or another, there are active copies of Code Red out there. And they've got almost three weeks to spread before switching into flood mode.

      (On re-reading your article, I think I'm just agreeing with you. I think. Anyway, I wanted to clarify the bit about the clocks.)

      --
      Good mfences make good neighbors.
    11. Re:I don't know about you by LinuxHam · · Score: 5, Informative

      At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there

      This was proven to be untrue by the 31st. I scored a 5, Insightful mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!

      During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.

      Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the y2k problems, but that's for another post. :)

      --
      Intelligent Life on Earth
    12. Re:I don't know about you by Anonymous Coward · · Score: 0

      I've noticed a significant slowdown too. I haven't yet had any interesting documents thanks to Sircam though. Hopefully I'll soon receive some letter to Dubya from the Presidential advisers, telling him to Nuke Russia before it's too late.

    13. Re:I don't know about you by mattrope · · Score: 1

      But remember, the last time it struck, it grew exponentially for 7 days until it really hit its stride.

      Of course last month, Code Red started with just a few infected machines and built up to some incredible number. At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there.

      The problem is, no matter how much this worm gets hyped up, there are going to be a lot of people out there that still don't patch their machines, either because they don't realize they are running a web server (e.g. home users running Windows NT/2000 on a DSL or cable connection) or because the web server is no longer actively used and has been forgotten.

    14. Re:I don't know about you by WinPimp2K · · Score: 1

      Don't be silly, everyone knows Bush the Younger has gone on public record as refusing to use email.

      --

      You either believe in rational thought or you don't
    15. Re:I don't know about you by Anonymous Coward · · Score: 0

      Interesting, we put up a snort box to listen for the red code at work. (ISP Tier 2) As we don't have any windows software running on our core it is more out of curiosity than any real concern for its effects. It has logged over a thousand red code hits today alone. However I am not seeing a lot of slow down from the net. However it is tempting to reverse engineer a patch to seal the hole, move on and delete itself.

    16. Re:I don't know about you by gmhowell · · Score: 2

      To answer your joke/non-joke, where I work, we only have to reboot our Win2k servers about once per month. WinNT about once per week (And they are set to do it slightly more often. Also note, MS apologists, that these were set up under no SP for Win2K and SP 4 for NT. We haven't changed those policies since newer SP's have come up. We just don't need the uptime. Also note that several of those machines are running non-MS software, or more than one MS service, two situations commonly claimed to cause NT/2K stability problems. FWIW, it seems that the problems are in garbage collection.)

      Anyway, it's quite possible to run an MS server for a long time without a reboot. The other trick is, unless ALL of the MS servers were rebooted at the same time (and kept down long enough to clear out some packets from the nets) there will always be a machine ready to infect another, when the latter comes back up from the reboot.

      I definitely agree with your last comment. While these various and sundry viruses have seemed bad, they certainly don't seem engineered to 'bring down the internet'. There are far too many simple mistakes that were made (hard-wiring the White House IP for example. Your example of only hitting 100 other machines for another.)

      For that matter, if one really wants to bring down the net, why not find a good, solid method to bring down Apache (preferably on any OS)? As has been stated, it runs far more sites.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  117. Patience is a virtue ... by Anonymous Coward · · Score: 0

    It's a little soon to declare victory over Code Red. Whether or not old infections are reviving themselves, the nature of this worm and the types of servers it infects were enough to guarantee that it wouldn't spring back to life at full-force today.

    The virus is held in memory. Rebooting a system gets rid of it. Even if old infections were scheduled to become active, many NT admins I know have a schedule to reboot their box every 5 or 7 days (or the server simply crashes and reboots itself, if it is poorly configured and maintained.) Quite a few machines infected in the first attack were probably cleared by one of those two methods--even if the admin was unaware they had been infected by the worm, and unaware that they needed the patch.

    So there are probably far fewer machines out there with the worm intact than on the evening of July 19th. If the older worms are asleep, that lowers the number even further. The worm has a lot of ground to recover in either case. If there are an estimated 5 mil IIS servers which are vulnerable out there, and only 1 mil copies of the patch have been downloaded, that equation doesn't make me too happy. Even presuming that some of those 1 mil are intending to patch multiple machines ...

    There is a reason that exponential growth is such a bad thing. It can seem slow and not too serious with little inputs (where we are right now.) But past a certain threshold, it really begins to hurt.

  118. Why it's called Code Red... by sdo1 · · Score: 1

    Choose the form of the destructor!

    You have chosen!

    Woa woa woa, I didn't choose anything. Did you?

    No.

    Well I didn't choose anything

    I couldn't help it... it just popped in there. I was thinking I could use a good caffeine lift and suddenly I was thinking of a cool, refreshing Mountain Dew Code Red.

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
  119. A solution to the problem? by pongo000 · · Score: 3, Interesting
    For years, virii in the medical industry have been associated with people or places. So, the poor town of Coxsackie, NY has its place in history as the origin of the Coxsackie (hand-and-foot) virus. Drs. Epstein and Barr will forever be associated with the virulent virus that bears their name. Why not name computer viruses/worms/self-propagators after the systems for which they are targeted?

    We could talk about the Microsoft Sircam virus, or the Microsoft CodeRed worm, or even the Linux Ramen worm. Forever sear into the minds of the ever-forgetful public the platform which fell victim, PR which most companies and organizations will try valiantly to avoid.

    1. Re:A solution to the problem? by Zico · · Score: 1

      I'm not sure you really thought this through all that well. Coxsackie viruses don't target Coxsackie, and the Epstein-Barr virus doesn't target people named Epstein or Barr. It's a kinda irrelevant idea anyway because (1) a lot of attacks target more than one system, (2) it doesn't say anything about which system is more vulnerable than the other, since all three of the ones you listed had patches available well before the attacks started.

  120. Easy Way to Spread Code Red Faster by Anonymous Coward · · Score: 0

    Instead of altering the web-page to "hacked by chinese," insert an active-X control into the page that downloads the worm. Now everyone who looks at the page gets infected as well. Obligatory Disclaimers apply, of course.

  121. Insecure software pays, or what? by magi · · Score: 1
    What on earth is happening? According to the Netcraft survey, IIS has just gained +5.49% from last month (to 25.88% market share), and Apache has lost -4.29% (down to 58.73% share). It's more than 2 million new servers in one month, from last month's 6 million servers, a +34% jump!

    In "active sites", the jump is just +1.77% (Apache -1.89% down to 60.53%).

    People must have heard that IIS is insecure, and immediately installed it just to be one of the worm spreaders?

    The jump is biggest ever. I guess it must be because of some new bundled IIS server. Perhaps the one in the new JesusWindows?

  122. Re:MS NT/2000 buffer overflow vulnerabilities galo by MrBogus · · Score: 1

    Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
    ...
    Workarounds:
    Firewall off as much as possible.


    I would imagine that 99% of NT installations and even most broadband ISPs have firewalled this stuff (it runs over the NetBIOS ports which generally use insecure authentication anyway).

    Do not install COM Internet Services.

    This is the predecessor to SOAP or 'web services' (allows RPC over HTTP). Woe is Microsoft if it turns out that .NET is a gateway to all of the old insecure LAN crap that NT tends to run.

    --

    When I hear the word 'innovation', I reach for my pistol.
  123. Re:But what about the media? by Tim+Doran · · Score: 2

    "The malicious program can only be stopped if enough Web site operators install Microsoft's software patch, which plugs the security hole the worm uses to attack. "

    This is what I was talking about above - Microsoft is handling this beautifully, from a PR perspective. News accounts in my area made it sound like Microsoft invented (innovated? ;) a fix to this out-of-control virus, and everyone needs to download their patch to protect themselves.

    Didn't sound *at all* like MS was fixing a bug in their software. We should all be grateful - Microsoft saved the web out of the goodness of their hearts.

  124. Re:Premature Announcement...much? by LinuxHam · · Score: 1

    I dunno why the Washington Post, et al. were making a so-called 8:00pm deadline...considering it wasn't supposed to start until the 1st anyway--not the 31st

    8:00PM on 7/31 in Washington DC is the same as 12:00AM 8/1 in London. Instead of having the worm (I won't say reactivate).. become willing to start spreading at midnight local time (like the "24 hours of y2k" we got to enjoy), the worm writer settled on midnight London time -- aka GMT Greenwich Mean Time, aka UTC Coordinated Universal Time (acronym fucked up by the French, again) -- so we would have the pleasure of the worm starting to spread from all points around the globe simultaneously.

    --
    Intelligent Life on Earth
  125. Slashdot Internet Worm by viper21 · · Score: 1

    I wonder if SANS has indexed the Slashdot Internet Worm yet?

    Attributes of the Slashdot Internet Worm

    1. Client visitation of a certain url(http://www.slashdot.org) many times a day to check for 'updates'.

    2. Deployment from said website to new 'target locations' to search for more information

    3. Since the slashdot worm is a distributed computing application, there will be thousands of 'attacks' on a person's webserver. These attacks will be untraceable due to their distributed nature.

    I wonder what the graph for this one would look like?

    -S

  126. Prepare for the next time this happens by sg3000 · · Score: 2

    Just so we can all prepare for the next time this happens, what's the proper way to pronounce "IIS"?
    ( ) "aye-aye-ess"
    ( ) "two-ess"
    ( ) "aye-ayes"
    ( ) "aye-iz"

    (Of course I don't know how to say it! I run Apache/Linux and Apache/Mac OS X.)

    --
    Insert simplistic political, ideological, or personal proselytization here.
  127. Why SirCam ist not hunted down by 12dec0de · · Score: 1
    If I take the message I received from the Microsoft 'Security' Mailing list as an indication, the simple reason why only the worm is hunted and not the virus is that the virus doesn't hurt microsoft.

    Starting on the 28th, I saw articles (online and off) that hinted servers running Microsoft products would be targeted. And bosses would ask their SysAds the month before: 'Why has our server been attacked'
    Correct answer: 'Because we run IIS'. (The answer 'Because I was not quick enough to notice the need to patch' would not be helpful to the SysAd, and would not be given.)

    The victims of Sircam are only hurt by sensitive documents in isolated cases. Most of the time it will be the cantina's menu. This doesn't hurt the image of Microsoft. And they will do nothing to stop it. At least they never did in the last 20 years. So why start now.

    It is all about perception.

  128. Re:Codered is not dead ... sure not ... by freaker_TuC · · Score: 1

    This is by the way only 1 C-class on the net ...

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  129. Re:But what about the media? by Pinball+Wizard · · Score: 2
    only affects MS IIS servers

    Not only that, but only those IIS servers that haven't been patched. I don't know of anyone running IIS who doesn't at least get the Microsoft Security Bulletins. If there is a patch available for anything you'll hear about it on the mailing list. I didn't really worry about this one at all.

    I have to wonder though - with both Code Red and Sircam, as well as a number of other virii - the damage inflicted by these programs was much less than it could have been. It's as if the virus writer wanted to grab lots of attention (I'm sure having the national media talk about your creation is very gratifying to these people) rather than inflict as much damage as possible.

    --

    No, Thursday's out. How about never - is never good for you?

  130. Re:A bit premature? by baptiste · · Score: 2

    The other interesting thing is the # of probes I got from the Eeye Scanner starting yesterday afternoon a few hours before 8PM EDT - From IPs on totally different nets (ie it wasn't a local ISP admin doing it) Looks to me like some folks were looking for seed hosts to get things rolling again. Even more interesting is the probes weren't being done sequentially since I didn't see scans across my web server IPs, they were more random.

  131. The news... by cdipierr · · Score: 2

    On two local news channels last night they gave the helpful tip of "If your system seems slow and infected, just reboot and it'll be fixed, but you can download this patch if you really feel like it..." ... Argh, is it that much to ask for the news channels to get it right for once? We don't need to keep this up every month.

  132. The Fatboy Slim solution by magi_caspar · · Score: 1

    Walk without rhythm, and you won't attract the worm.

  133. Yer BOTH full of it! by Bilbo · · Score: 1
    The original poster said that "Most servers on the Internet are running Windows." This may or may not be true, but it has nothing to do with how many servers are running IIS vs. Apache. It is possible to run an Apache server on Windows, and it too would be invulnerable to the worm.

    Do the Netcraft graphs show OS percentages as well as the Web server percentages?

    (I think the original point stands though, that the Internet is being threatened by a relatively small percentage of the servers out there running MS software...)

    --
    Your Servant, B. Baggins
  134. How inferior is easy to judge by twitter · · Score: 2
    Until upgrading and patching is as easy as:

    1. Editing a textfile /etc/apt/sources.list
    2. apt-get update
    3. apt-get upgrade
    and free software is retrieved from any of hundreds of mirror sites around the world, closed source distribution will continue to be second or third rate.

    A pay for each copy in a box approach to distribution just sucks rocks.

    A subscription to closed source junk is almost as bad. It can't be updated as quickly and, well, it costs money. Do I really want to pay for my telnet client every month? If you buy microsoft OS, you have bought the same telnet client two or three times in the last four years. Same old bugs, same old look, same limits, yawn.

    MS has got a record of inconvenient and extortionate distribution. Their dedication to the pay per each copy on each machine model and "aggressive" competitive measures to break other people's software has left them with nasty commingled code that sysadmins are rightly hesitant to patch, ever. They have consistently denied any failings by blaming user and sysadmin ignorance and laziness. People, not just crackers, have noticed that MS stuff won't work and every piece comes at a price. In the end despite all you wrongly say, the proof is in the kaputting. As yet another virus blows over them and annoys everyone, the inferiority shines through.

    --

    Friends don't help friends install M$ junk.

  135. People who knew better didn't expect anything less by marcushnk · · Score: 1

    And sircam won't get the air it deserves until the private doco's flying around actually do some damage other than sapping our bandwidth.
    Actually I wouldn't mind seeing a web page dedicated to putting "lost doco's" from sircam on it.
    Very voyeuristic ;-)

    --
    "Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
  136. It's obvious by cnkeller · · Score: 2, Interesting
    Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

    Because Code Red dealt with the White House, which is a national symbol and easily recognized by all the world. Never mind the fact that the white house web site was never in any danger of being taken off-line. Joe & Billy Bob don't know what no stinking eye-pee addresses are. High profile attacks get the news...not that secret memo detailing a new flavor of Tang....

    --

    there are no stupid questions, but there are a lot of inquisitive idiots

  137. I thought... by LoRider · · Score: 0

    ... that the worm wouldn't do its damage until after it switched to attack mode and started its DDoS attack or something. I was under the impression that it currently is going around looking for losers to infect and after 19 days of infecting IIS servers then it starts its 8 day attack on some poor bastard.

    --
    LoRider
  138. Re:Same Here by Anonymous Coward · · Score: 0

    Wow, must have 10Gb Ethernet to interface with the LAN.

  139. The formula for the current rate of infection by Anonymous Coward · · Score: 0

    I've run a regression on the data provided by incidents.org (after the slashdot effect cooled off).

    The best fit curve is:

    y=49.373x^3-371.64x^2+967.7x-439.19

    Where x is the hour from incidents.org's data (starting with 1).
    Obviously it's a polynomial, not an exponential, because there are only a finite number of hosts. By the way, in case you are stuck without a calculator handy... in 24 hours the curve plots to 491,253 hosts. Not a bad day's work.

  140. Re:But what about the media? by Omnifarious · · Score: 2

    This isn't true. The routers it affects are largely the routers for people's home DSL installations. Having those routers crash isn't a huge deal for the Internet as a whole, but most home users aren't equipped to deal with the problem.

  141. Snort... by Anonymous Coward · · Score: 0

    Well, I've had 8 separate hosts trying to kneel my webservers in the last hour...

  142. Re:attribute 'to' malice, not 'too'.. by Anonymous Coward · · Score: 0

    And thus you point out the irony that you so clearly seemed to have missed the first time around. I'll attribute that to stupidity.

  143. Re:Incidents.org mini-mirror by baptiste · · Score: 3, Insightful
    Well, be careful - the top table says 'Hosts Infected' which I take to mean 48,489 NEW hosts were infected that hour (the next hour is up and it's like 52,273 for 14:00-15:00 EDT)

    Why? The table below shows 115,568 hosts infected today. Funny part is the #'s don't add up - if you add the # of hosts for each hour in the table above you get close to 200K, not 115K - makes no sense at all.

    Actually, my guess is the top table shows how many infected hosts were SEEN during that hour and the table below highlights the total # of unique IPs infected since the start of the day?

  144. Yep. Gone with a whimper. by Tim+Doran · · Score: 3, Interesting

    I got precisely one Code Red attack on my home linux box (via cable modem). Last time around, I had upwards of 25 attacks.

    Heard an interview with a Microsoft spokesperson this morning. Interesting how the terms 'Windows', 'NT', 'Windows 2000' and 'IIS' didn't come up once. Gotta protect those brands, I guess.

    (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

    1. Re:Yep. Gone with a whimper. by noc · · Score: 1
      (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

      No, buffer overflows cannot happen to just anybody. They only happen to people programming in languages without bounds checking. And more specifically, in those languages, they only happen to people who didn't roll their own bounds-checking systems. Apache, for example, is written in C, but despite that, it really ought not to have buffer overflow errors, because if you use proper Apache style and their utility functions, they won't happen.

      There is no reason whatsoever that buffer overflow errors should ever happen. They only happen to coders who try to squeeze every last drop of performance out of code when they can't. Which leads to the question: how fast do you want the wrong answer?

    2. Re:Yep. Gone with a whimper. by FatOldGoth · · Score: 2

      Well, I'm monitoring the firewall logs for a class C subnet right now, and I'm seeing a hit every two minutes on average. It's not as bad as the 19th of last month, but it's been building steadily throughout the day. I got no hits between 00:00 and 09:00 BST, but they started shortly after that and have been escalating slowly.

      I'm hoping this is the peak right now, as the last wave ate up a third of the incoming bandwidth on my company's Internet pipe at its height.

      --

      I would be a paid subscriber if Taco and Hemos weren't such cunts
    3. Re:Yep. Gone with a whimper. by FatOldGoth · · Score: 2

      Just in the time that's passed since I posted that last comment the hit rate has climbed to two or three every minute. I really hope this peaks soon, as otherwise this pipe's going to be completely clogged by tomorrow.

      Waaaah! No /.! I'll have to go back to working or something!

      --

      I would be a paid subscriber if Taco and Hemos weren't such cunts
    4. Re:Yep. Gone with a whimper. by nachoman · · Score: 1

      I got 17 attacks the first time around and 4 this time in my apache logs. I'm not saying that I think i'm going to see as many as last time, but it's not over yet. The last one was just requested about an hour ago.

      It's still too early to tell.

    5. Re:Yep. Gone with a whimper. by gorilla · · Score: 2

      Buffer overflows happen more to people who program in certain styles. If you have a methodology of good design, limited privileges, and isolation between unrelated modules, then you are not going to have a problem with buffer overflows. On the other hand, if you have a methodology of hot programming (ie without design), then testing to detect the bugs, then you are going to be susceptible to this sort of bug.

    6. Re:Yep. Gone with a whimper. by RennieScum · · Score: 1
      Not quite. I admin a Red Hat/Apatchy server, and during the first wave we got 85 unique attempts. In the "break" between waves there were two, and I checked on it casually last night. As of midnight PST there were no new attempts, but this afternoon I found 42 new malformed client requests. Ahh...43 now.

      This was posted in a previous Code Red article, but I think I'll include it anyway. If you're running Apache on .*N?X, use this to check for attempts (note: only goes back as far as your error_log has been rotated)

      grep default.ida /path/to/apache/logs/access_log | sed "s/ .*$//g" | wc -l

      (get rid of the wc part to list the IP's)

      And yes, buffer overflows are generically possible, but can you get libsafe for MS products?

      --
      ...Time is the best teacher, unfortunately it kills all of its students.
    7. Re:Yep. Gone with a whimper. by geoffb91 · · Score: 1

      I have seen a few attempts late in the day (not that they will get into a WebSTAR server, ha ha)... but some of our servers haven't seen any attempts yet.

      It will be more interesting to see what comes in overnight. If the chart on incidents.org is accurate then I think there will be a lot of failed attempts in the log tomorrow morning.

      -G

      --
      Praise "Bob"
  145. It's only just started! by Dr_Cheeks · · Score: 4, Insightful
    Code Red propagates itself throughout the month until somewhere near the end (19th, IIRC) when it starts to attack whitehouse.gov.

    Remember; there was no major problem with Code Red until it was almost time for it to attack last time around because it hadn't infected enough hosts. This is not yet over and will get progressively worse throughout the month.

    That is, of course, assuming that Gibson was right yesterday when he said it will still be active....

    And don't start hyping sircam - I'm enjoying reading private documents ; )

    --

    1. Re:It's only just started! by blakestah · · Score: 2

      How does one do that, without activating the worm? I got lots of these, but when I save the attachments and poke at them with emacs, it's all gibberish.

      Try piping it through strings.

    2. Re:It's only just started! by jamesdood · · Score: 2, Informative

      Yeah, on the securityfocus incidents list there are people getting probed every few seconds on class B subnets.. My single webserver has been probed 6 times so far this morning, I think it is ramping up. Hopefully most people have patched their boxes (or even better installed Apache!) I don't think this will have a huge impact but it is going to infect more machines over the next few days (seeing how it only started showing up on July 11th and then wasn't a "big" deal until the 19th!).

      --
      *narf!*
    3. Re:It's only just started! by Anonymvs+Cowardvs · · Score: 1

      To view the file:

      strings filename | less +"/MIMEmess"

      To recover the file:

      dd ibs=1 obs=1 skip=137216 if="filename" of="output-filename"

    4. Re:It's only just started! by Moonshadow · · Score: 2

      Approximately the first 137k is the virus's executable code. If you'll look towards the end of the file, you'll find the document there in plain text for you to read.

      I forget the exact number, but if you strip off the first X bytes with a hex editor, you can open the document regularly.

    5. Re:It's only just started! by bob_jenkins · · Score: 1
      And don't start hyping sircam - I'm enjoying reading private documents ; )

      How does one do that, without activating the worm? I got lots of these, but when I save the attachments and poke at them with emacs, it's all gibberish. Almost everything is Word documents. I haven't been brave enough / familiar enough with Word to dare looking at the attachments in Word.

      I think it's fun getting these Sircam worms, so long as I don't actually infect my machine with them, and so long as they're not too big. Makes me feel like I'm part of a community, with common experiences and everything.
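
Carving the stolen file out of a Sircam attachment, as an added example that is not code from any poster above. The replies describe the layout (roughly the first 137k is the worm's executable, the victim's file follows) and recover it with a fixed dd skip. The block below assumes that layout but locates the appended file by scanning past the end of the PE image for a known file signature, so it does not depend on knowing the worm's exact length and will not be fooled by a copy of the signature inside the worm's own body. The OLE2 and ZIP signatures are the only real constants; the sample attachment, its tiny PE stub and the "stolen" document are all constructed here for the demonstration and are not a real Sircam sample.

```python
"""Carve an appended document out of a 'worm executable + document' blob.

Added example, not from the original thread. Assumes the attachment is a PE
file with the victim's document appended after its last section; the sample
input is constructed below.
"""
import struct

# Signatures of the file types the thread says Sircam was carrying off.
# OLE2 compound documents cover Word .doc and Excel .xls; PK\x03\x04 is ZIP.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",
    b"PK\x03\x04": "zip",
}

# Constructed stand-in for a stolen Word file (OLE2 magic + filler).
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed stand-in for a stolen memo"


def find_payload(blob: bytes, min_offset: int = 0):
    """Return (offset, kind) of the earliest known signature at or past
    min_offset, or None. min_offset is where the dd-style skip would go
    (137216 in the thread) when the worm length is known."""
    best = None
    for magic, kind in SIGNATURES.items():
        idx = blob.find(magic, min_offset)
        if idx != -1 and (best is None or idx < best[0]):
            best = (idx, kind)
    return best


def pe_image_end(blob: bytes):
    """End offset of the last section's raw data of a PE file at the start
    of blob, or None if blob is not a PE file. Anything past this offset is
    not part of the executable image, which is where an appended file lives."""
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsections, = struct.unpack_from("<H", blob, pe_off + 6)
    opt_size, = struct.unpack_from("<H", blob, pe_off + 20)
    section_table = pe_off + 24 + opt_size
    end = 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header.
        raw_size, raw_ptr = struct.unpack_from("<II", blob, section_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve(blob: bytes):
    """Return the appended document's bytes, or None if no signature follows
    the executable image. Falls back to scanning from offset 0 when the blob
    is not a PE file at all."""
    start = pe_image_end(blob) or 0
    hit = find_payload(blob, start)
    return None if hit is None else blob[hit[0]:]


def build_sample_attachment(doc: bytes) -> bytes:
    """Construct a minimal PE-shaped worm body with doc appended. The section
    body deliberately contains a decoy OLE2 signature to show why scanning
    must start after the image, not at offset 0."""
    raw_ptr, raw_size = 0x200, 0x100
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)          # DOS header, e_lfanew at 0x3C
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    # COFF header: machine, 1 section, timestamp, symtab, nsyms, opt hdr size 0, characteristics
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    # one section header: name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
    hdr += b".text\0\0\0" + struct.pack("<IIII", raw_size, 0x1000, raw_size, raw_ptr) + b"\0" * 16
    hdr += b"\0" * (raw_ptr - len(hdr))
    body = bytearray(b"\xcc" * raw_size)
    body[0x10:0x18] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # decoy inside the "worm"
    return bytes(hdr) + bytes(body) + doc


if __name__ == "__main__":
    sample = build_sample_attachment(SAMPLE_DOC)
    print("image ends at", hex(pe_image_end(sample)))
    print("naive scan hits decoy at", find_payload(sample, 0))
    print("carved:", carve(sample))
```

The naive scan from offset 0 lands on the decoy inside the executable; starting at the end of the PE image returns the appended document. With a real attachment the same function would be called on the saved file, and only the signature table needs extending for other file types.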

  146. It's not over. by Tokerat · · Score: 1
    Remember, the worm propagates to whatever systems it can from the 1st until the 20th of the month (I believe) and then, for the remainder of the month, it floods the IP of whitehouse.gov (which has been changed) with DoS attacks.

    According to all the CERT warnings, this affects some of the most widely used routers on the net. So wait until the 20th or so, when all of the infected servers start flooding and bumping off routers all over the country and world.

    If you thought AOL was slow....

    --
    CAn'T CompreHend SARcaSm?
    1. Re:It's not over. by baptiste · · Score: 2

      Some of the most widely used 'RESIDENTIAL' ie DSL routers on the Internet. The request causes the firmware to freeze in older firmware (the routers have embedded web servers in them for administration) So it's not going to cause backbone routers to go offline

  147. Nice data by Professor+J+Frink · · Score: 1
    Using the data from the first 10 hours of incidents.org's numbers the data fits very well to an exponential curve.

    Using a formula of: y = a*exp(bx) gives values of a=195, b=0.5271 and with a chi^2/(N-2) of 8.5 (ok it's not brilliant but good enough for government work ;0).

    Why you could even use this for teaching purposes (until the number of machines hits saturation or bandwidth effects kick in, or the admins get off their arse, or... hmmm, this is starting to get more interesting than my thesis ;0)

    --
    "Don't get mad, get a monkey!"
    1. Re:Nice data by pipeb0mb · · Score: 1

      nheeayyiii.
      the burning and the pain the LADYYYYY!!
      in the real world, the humans wont burn quite so..uh..fast...hyeeii
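
The two curve fits posted above (the cubic in comment 139 and y = a*exp(bx) with a=195, b=0.5271 in comment 147), worked through as an added example that is not code from either poster or from incidents.org. The block evaluates both posted curves, shows how an exponential fit of this kind is computed by least squares on ln(y), and makes the saturation point explicit: an exponential with those parameters exceeds the 5 million vulnerable IIS servers estimated earlier in the thread before hour 20, so it can only describe the early part of the curve. The hourly counts it fits are constructed from the posted a and b with a small deterministic wobble and are not the incidents.org numbers; the 5,000,000 ceiling is the thread's estimate, used here as an assumption.

```python
"""Worm-growth curves fitted to hourly infection counts.

Added example, not code from the thread or from incidents.org. Sample
counts are constructed; the 5,000,000 vulnerable-host ceiling is the
estimate quoted in the thread, assumed here.
"""
import math


def cubic_hosts(x: float) -> float:
    """The posted polynomial fit: y = 49.373x^3 - 371.64x^2 + 967.7x - 439.19."""
    return 49.373 * x ** 3 - 371.64 * x ** 2 + 967.7 * x - 439.19


def exp_hosts(x: float, a: float = 195.0, b: float = 0.5271) -> float:
    """The posted exponential fit: y = a * exp(b * x)."""
    return a * math.exp(b * x)


def fit_exponential(xs, ys):
    """Least-squares fit of y = a*exp(b*x), done as a straight-line fit of
    ln(y) against x. Returns (a, b). Hours with a zero count carry no
    information in log space and are skipped."""
    pts = [(x, math.log(y)) for x, y in zip(xs, ys) if y > 0]
    n = len(pts)
    sx = sum(x for x, _ in pts)
    sl = sum(l for _, l in pts)
    sxx = sum(x * x for x, _ in pts)
    sxl = sum(x * l for x, l in pts)
    b = (n * sxl - sx * sl) / (n * sxx - sx * sx)
    ln_a = (sl - b * sx) / n
    return math.exp(ln_a), b


def saturation_hour(n_vulnerable: float, a: float, b: float) -> float:
    """Hour at which a*exp(b*x) would exceed every vulnerable host: the latest
    point up to which a pure exponential could possibly describe the data."""
    return math.log(n_vulnerable / a) / b


def logistic_hosts(x: float, n_vulnerable: float, r: float, x0: float) -> float:
    """Logistic growth: exponential-looking at first, then saturating at
    n_vulnerable, the shape the poster expects once machines run out."""
    return n_vulnerable / (1.0 + math.exp(-r * (x - x0)))


# Constructed hourly counts (not incidents.org data): the posted exponential
# with a +/-3% deterministic wobble so the fit has something to recover.
HOURS = list(range(1, 11))
COUNTS = [exp_hosts(h) * (1.0 + 0.03 * math.sin(h)) for h in HOURS]

if __name__ == "__main__":
    a, b = fit_exponential(HOURS, COUNTS)
    print(f"fitted a={a:.1f} b={b:.4f}")
    print(f"cubic at hour 24: {cubic_hosts(24):,.0f} hosts")
    print(f"exponential at hour 24: {exp_hosts(24):,.0f} hosts")
    print(f"exponential would exhaust 5M vulnerable hosts at hour {saturation_hour(5e6, a, b):.1f}")
```

The cubic gives the 491,253 hosts at hour 24 that comment 139 quotes; the exponential gives tens of millions at the same hour, which is why neither fit can be extrapolated far. Refitting as each hour of data arrives, and switching to the logistic form once the growth rate visibly drops, is the usual way to read such a curve.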

  148. red code along with netcraft's poll by cyrilc · · Score: 1

    I just hope that people will realize that running IIS is just as insecure as using Outlook for a mail reader

    But worst of all, this month's Netcraft survey shows that IIS is gaining ground on Apache, which just makes this whole mess even bigger

    Maybe we will see the opposite trend next month when people are switching back to Apache...

    Well, at least now even the press can understand that M$ products are plain insecure and the old argument saying that "it's just because no one is using the competition's product" doesn't stand anymore with the Apache vs IIS market share

  149. Re:vested interest by Anonymous Coward · · Score: 0

    I disagree; the BBC has done some impressive reporting on the worm. Take this report for example, especially the last few paragraphs of the "slumbering software" section.

  150. surfing speed by linuxpng · · Score: 1

    I don't know, but my surfing speed is actually about 10 times faster today than normal.. Maybe this is a patch? ;)

  151. A better Code Red target? by AndroidCat · · Score: 1

    Whitehouse hell! Code Red II should go after microsoft.com

    Then we'd see some fast patching of bugs, you betcha! :^)

    --
    One line blog. I hear that they're called Twitters now.
  152. What they didn't take into account by Anonymous Coward · · Score: 0
    Their prediction was based on the notion that all these servers had the correct time.

    Given the level of expertise of sysadmins that don't apply old security patches, one could hardly expect them to have set up xntpd.

    Luckily, I don't use Windows, so all I have to worry about are the weekly kernel exploits of Linux. :-)

  153. Billions of dollars spent... by tonywestonuk · · Score: 4, Insightful

    And nothing happens!! - So, this means it was a waste of time/money patching up the servers then? As with Y2k, If the time/money wasn't spent sorting out the systems, things could have been as predicted.

    1. Re:Billions of dollars spent... by Anonymous Coward · · Score: 0

      ummm, did you not realize that the parent comment was modded as "insightful"? some parody

    2. Re:Billions of dollars spent... by Lizard_King · · Score: 3, Informative

      this means it was a waste of time/money patching up the servers then?

      I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
  154. MS NT/2000 buffer overflow vulnerabilities galore. by Anonymous Coward · · Score: 3, Interesting

    (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

    NT/2000 are chock-full of buffer overflow vulnerabilities. Some have no patches available. How many more exist that are yet to be discovered? These known ones establish a pretty poor reputation that is difficult to get rid of. See this article from BugTraq:

    BindView Security Advisory
    --------

    Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
    Issue Date: July 30, 2001
    Contact: tsabin@razor.bindview.com

    Topic:
    Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
    Overview:
    Many DCE/RPC servers don't do proper parameter validation, and can be crashed by sending an improperly formatted request.

    Affected Systems:

    At least the following services are known to be affected. More servers are likely to be vulnerable. For a complete list of what Microsoft has patched, see their security bulletin mentioned below.

    W2K SCM (services.exe)
    NT4 SCM (services.exe)
    NT4 LSA (lsass.exe)
    NT4 Endpoint mapper (Rpcss.exe)
    W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
    SQL Server 7 (sqlservr.exe)
    W2K's DHCP Server
    W2K's IIS Server (inetinfo.exe)
    Exchange 5.5 SP3 (STORE.exe)
    Exchange 5.5 SP3 (MAD.exe)
    NT4 Spooler (spoolss.exe)
    W2K License Srv (llssrv.exe)
    NT4 License Srv (llssrv.exe)

    Impact:

    An unauthenticated remote attacker that can talk to the endpoint on which the server is listening can crash the server. In some cases, the servers may either restart themselves, or be restarted by the OS.

    Details:

    By sending successively larger and larger requests containing nothing but nulls to every operation on every interface supported by a DCE/RPC server, it's often possible to find a particular request that will crash a server. Note that it's not technically necessary to run through every possible request to crash a given server. Each server has a particular request (or requests) which crashes it. Once the proper request has been found by grinding through all the possibilities, only that request is needed to crash the server.

    The exact endpoints on which a server listens will vary from service to service. Many listen on named pipes, which are accessible via TCP port 139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP and UDP ports above 1024. Those services which do not listen on named pipes can usually be enumerated via the endpoint mapper, using rpcdump. rpcdump comes with the NT resource kit. A free version is also available on the RAZOR web site in the rpctools package.

    If COM Internet Services has been installed and enabled, then these attacks may be possible over port 80, as well. This is not a default configuration, however.

    Workarounds:
    Firewall off as much as possible.

    Recommendations:
    Install the appropriate patches from Microsoft.
    Do not install COM Internet Services.

    References:
    Microsoft's security bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS01-041.asp

    Microsoft's patches:
    The patches vary, depending upon the service.
    See the security bulletin for details.

    Microsoft's Knowledge Base article:
    http://support.microsoft.com/support/kb/articles/Q298/0/12.ASP
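
The grinding technique the advisory describes (ever larger all-null requests sent to every operation until one crashes the server) and the validation it says is missing, shown together as an added example. This is not code from BindView, Microsoft or anyone in the thread, and it does not touch DCE/RPC at all: it runs the grind in-process against a small stand-in dispatcher with a constructed wire format (a 16-bit opnum followed by a stub), so it works offline. The vulnerable dispatcher trusts a length and a count taken from the request, the way the advisory says the real servers do; the hardened one checks every field and returns a fault instead of falling over. An uncaught exception stands in for the service process dying.

```python
"""Null-request grinding against a vulnerable and a hardened RPC-style dispatcher.

Added example, not from the advisory or the thread. The wire format and
both dispatchers are constructed for illustration and are not Microsoft's.
"""
import struct

FAULT = b"\xff\xff"      # reply for a rejected request
OK = b"\x00\x00"
TABLE = b"ABCDEFGH"      # constructed data that get_chunk serves out
MAX_STUB = 64            # largest null stub the grind tries


def vulnerable_dispatch(request: bytes) -> bytes:
    """Operations 1 and 2 each trust one field from the request."""
    opnum, = struct.unpack_from("<H", request)
    stub = request[2:]
    if opnum == 0:                                   # ping: any stub is fine
        return OK
    if opnum == 1:                                   # lookup(name_len:u16, name, flags:u32)
        if len(stub) < 2:
            return FAULT
        name_len, = struct.unpack_from("<H", stub)
        name = stub[2:2 + name_len]
        # BUG: never checks that 4 bytes of flags follow the name; a short stub raises.
        flags, = struct.unpack_from("<I", stub, 2 + name_len)
        return OK + name + struct.pack("<I", flags)
    if opnum == 2:                                   # get_chunk(offset:u32, count:u16)
        if len(stub) < 6:
            return FAULT
        offset, count = struct.unpack_from("<IH", stub)
        # BUG: count comes straight from the wire; zero divides by zero.
        per_chunk = len(TABLE) // count
        return OK + TABLE[offset:offset + per_chunk]
    return FAULT                                     # unknown operation


def hardened_dispatch(request: bytes) -> bytes:
    """Same operations; every length and count is validated before use."""
    if len(request) < 2:
        return FAULT
    opnum, = struct.unpack_from("<H", request)
    stub = request[2:]
    if opnum == 0:
        return OK
    if opnum == 1:
        if len(stub) < 2:
            return FAULT
        name_len, = struct.unpack_from("<H", stub)
        if len(stub) < 2 + name_len + 4:             # whole record must be present
            return FAULT
        name = stub[2:2 + name_len]
        flags, = struct.unpack_from("<I", stub, 2 + name_len)
        return OK + name + struct.pack("<I", flags)
    if opnum == 2:
        if len(stub) < 6:
            return FAULT
        offset, count = struct.unpack_from("<IH", stub)
        if count == 0 or offset >= len(TABLE):       # reject before arithmetic
            return FAULT
        per_chunk = len(TABLE) // count
        return OK + TABLE[offset:offset + per_chunk]
    return FAULT


def null_request(opnum: int, stub_len: int) -> bytes:
    """The advisory's probe: a valid opnum followed by nothing but nulls."""
    return struct.pack("<H", opnum) + b"\x00" * stub_len


def grind(dispatch, opnums=range(4), max_stub=MAX_STUB):
    """Try null stubs of growing size against every operation. Returns
    {opnum: smallest stub length that crashed it}. The search stops per
    operation at the first crash, since that one request is all an attacker
    needs to repeat."""
    found = {}
    for opnum in opnums:
        for stub_len in range(max_stub + 1):
            try:
                dispatch(null_request(opnum, stub_len))
            except Exception:
                found[opnum] = stub_len
                break
    return found


if __name__ == "__main__":
    print("vulnerable:", grind(vulnerable_dispatch))
    print("hardened:  ", grind(hardened_dispatch))
```

Against the vulnerable dispatcher the grind finds one crashing request per broken operation (a 2-byte null stub for lookup, a 6-byte one for get_chunk) and nothing for ping or the unknown opnum; against the hardened dispatcher it finds nothing, because every malformed request comes back as a fault. The same loop, with the dispatch call replaced by a socket send to a real endpoint and a liveness check, is what "grinding through all the possibilities" in the advisory amounts to; the firewall workaround it recommends simply keeps unauthenticated callers from reaching the dispatcher at all.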

  155. Code Red = Code Dud by tenzig_112 · · Score: 2
    Another near disaster passes us by and I have to say that I'm more than a little disappointed.

    I got all revved up in late '99, waiting for the death cults and survivalists to do their thing. But everyone was remarkably quiet about it all.

    Y2K = all hype and no looting. California Power Crisis = same. Code Red = Same. I promised myself I wasn't going to get excited this time. But with all the coverage, I got suckered into it again.

    What am I going to do with my Honda generator that I bought in '99, sold in 2000 and bought back again two weeks ago?

    Here are some links to stories about similar disappointments:

    Foretold Apocalypse Refuses To Occur

    Survivalist Emerges From Y2K Bunker, Says "Oh, Crap"

  156. and.... by 4n0nym0u$+C0w4rd · · Score: 1

    completely ignoring the Sklyarov situation. Actually, it doesn't surprise me at all, but that's because I have discovered the secret media equations..... Virus = bad hacker = ratings , Dmitry = innocent = bad U.S = not blindly patriotic = bad ratings/disbelief , I'd give the rest of the equations including how to calculate the honesty and accuracy of all news stories....but I want to keep them a secret HAHAHAHA.....

    To: you@you.com
    From: MadMan2002@techie.com

    I am sending this to you in order to have your advice.

    Attachment: SecretMediaFormulas.doc.pif

    damn, doesn't that just figure

    --

    "
  157. Code Red Patch? by HD+Webdev · · Score: 0

    Washington Post says: "To protect your system from re-infection, install Microsoft's patch for the Code Red vulnerability problem:"

    Shouldn't that be "...install Microsoft's patch for the serious IIS security hole that Code Red is exploiting"?

    I know I'm being picky, but I wish I had a nickel for every person who thinks that the MS patch is for Code Red and not for a serious security hole in IIS.

    CERT is guilty of misleading (bad wording) people from the start of all this. That's probably one of the main reasons news organizations are spreading an inaccurate description of the patch.

    --
    This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
  158. How do they know 22,000 servers were infected... by Anonymous Coward · · Score: 0

    ...by 11am today?

    I couldn't see anything about their methodology on the page... is it actual data, or a "guesstimate"?

  159. Y2K My Ass by SpunOne · · Score: 1

    Well, if you look at the graphs available at incidents.org you can see that this outbreak has been growing slowly, but the growth rate is substantial. It may not be the end of the Internet, but it's certainly something to keep an eye on.

  160. Code Red is getting more press than Sircam... by BlueUnderwear · · Score: 2

    ... because reporters usually protect their sources. And with the wealth of confidential documents that they're getting from Sircam, they're not going to rat on it, are they?

    --
    Say no to software patents.
  161. Re:But what about the media? by MWoody · · Score: 2

    Granted, I haven't been following this too closely, but didn't it also spell doom for certain flavors of Cisco routers? Although, I suppose those in charge of the routers tended to be better equipped to deal with problems than those merely running IIS by default.

  162. Simple Concept, Big Story... by daoine · · Score: 1

    It seems that the media tends to pick up on the viruses that are easy to explain and have big name targets. It's much easier to come up with an obnoxious "Virus attacks White House" headline to attract attention -- even though something along the lines of "Guess what -- those pictures you took? Your boss has 'em." is probably more important to the average Joe.

  163. Sad but true by Mdog · · Score: 2, Funny
    I'm sure I'm not telling anybody here anything new, but the reason code red is getting more attention is because:
    • The name is cooler
    • Snowball effect


    I don't know about the rest of you, but I'm rooting for the virus.
  164. Comic strip about code red by uigrad_2000 · · Score: 1
    --
    Free unix account: freeshell.org
  165. CNBC report by Anonymous Coward · · Score: 0

    As of 826 AM PST, Aug 1, CNBC is repeatedly reporting that they have reports from security professionals that Code Red is "just now becoming re-active" and could affect 1,000,000 computers by the end of the day. FWIW.

  166. Re:Second Wave of Code Red a fluke??? by matty · · Score: 1

    Indeed, I'm up to a total of 20 attempts on 2 servers (14 on one, 6 on the other). And the attempts seem to be increasing as time goes on.

    This will TRULY be interesting to see how it plays out.

    As a matter of fact, this is the first DOOMSDAY type situation that is actually playing out as advertised. The others (Y2K, 9/9/99, the GPS reset, sunspots last summer) all fizzled without much fanfare.

    Thank God for Linux! (and other Free alternatives)

  167. Re:Code Red...unneeded hype..... by grammar+fascist · · Score: 2

    Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may lose their lives because they ignore the warning.

    My father works for the National Weather Service, and this is exactly the reason they have so many checks they have to go through before they issue a warning or a watch. (Not that it takes long to get through them, but they do check themselves on it very well.)

    I suppose the big difference is that when people don't listen to the NWS they tend to die. (I still remember when my dad came home just devastated when some people in a national park were drowned in a flash flood that he put out a watch for.) Still, you're absolutely right.

    The problem is that there's no central authority that most people know of to go to for this sort of accurate information. There's nobody competing with the NWS on the weather. The news states the information they get from the NWS exactly as it comes (with some embellishment to add entertainment value). If those media people could quote and point to actual security experts (not just the loudest), we'd be much better off.

    --
    I got my Linux laptop at System76.
  168. Re:When are virus/worm writers going to get seriou by baptiste · · Score: 2
    I'm with you here, but I think it's the ego thing - they want the publicity - a worm like you describe wouldn't generate the instant news coverage they crave - a worm like you describe wouldn't because half the admins would think it was data corruption, not a worm - it would generate news on /., etc but not the national news media.

    DDos attacks get the buzz and that's what they crave. But I have to agree - when worm writers get really serious, it'll make Code Red look like child's play.

  169. Re:the reason is... by punkass · · Score: 1

    Damn you for making me laugh out loud at work.

    --
    "Nobody owns the fucking words man." - James Dean
  170. I guess this mean that ... by SnapperHead · · Score: 1
    • More computers are running *nix than people think.
    • People were upgrading their machines to *nix during these. (Finally seeing the light)
    • People left their computers off the entire day, only to be very pissed off at Windows and swear they will upgrade to *nix today.
    • Actually, I think it's a little of all of those. I didn't bother with it, or even care. I simply laughed at everyone yelling and screaming over it.

    --
    until (succeed) try { again(); }
  171. I'll Y2K yer ass.. by Anonymous Coward · · Score: 0

    The growth rate of my cock is becoming quite substantial, and I'm going to Y2K yer ass pretty soon now.. FUCK, that feels damn good!

  172. Viewing other people's files for gratification by Dr_Cheeks · · Score: 2
    Word documents are easy if you don't care about formatting - just look at the end and the text should be there. And I heard (elsewhere on /.) that the exact amount of crud to strip off the front is 137216 bytes, but I've not bothered testing that out yet.

    I got a .zip yesterday (the second file I've got so far) that had been turned into a .pif, but when I looked at the archive under Linux I had no problem viewing it, and was even able to listen to the really lame midi file in there without needing to do a damn thing to the infectious file.

    Basically, you're pretty safe poking around at these under Linux (they're aimed at Win/Outlook users after all). Though since I don't have a permanent net connection and I do have ps -aux and kill -9 I can rest pretty safe : )

    --

  173. Hmmm... by Anonymous Coward · · Score: 0

    According to this graph there are 22 thousand NT IIS servers, damn that's harder to swallow than this graph.

  174. No one cares about privacy by analog_line · · Score: 1

    Well, not really, but big shiny evil looking denial of service attacks are far more headline grabbing than grabbing a random personal file and sending that out. For most of America (and myself) the chances of something actually damaging getting sent out via SirCam is slim to nil. Possibly embarrassing? Yeah, but embarrassment isn't an ability that most Americans have. The people that need to care about SirCam are the guvmint and big corporate honchos and they don't consume the majority of news...

  175. Re:Stephen King, writer, dead at 54 by xXgeneric+nicknameXx · · Score: 0

    is this a troll or are you just misinformed?

    --

    My cat's breath smells like cat food.--R. Wiggums

  176. A picture paints a thousand sniggers by Rogerborg · · Score: 2

    The best take on this I've seen today is over at User Friendly.

    --
    If you were blocking sigs, you wouldn't have to read this.
  177. Code Red is just warming up by Swordfish · · Score: 1
    I'm seeing a very rapid increase in the dreaded /default.ida probing on my network in the couple of hours to UTC 16:30. This is almost certainly world wide. So I think that anyone who thought it was over might be very wrong.

    And it's very important indeed to emphasize that it is MS's fault. This is a propaganda coup. Someone should do a press release!!

    All my port 80 are belong to Code Red!!!
    For great justice!

  178. Re:More graphs by spagiola · · Score: 1

    That spike at roughly 1830Z doesn't inspire much confidence in these data.

  179. Sheesh by Mike+Hicks · · Score: 2

    Look, it's not going to destroy the internet. It's not going to be a tempest in a teacup either. incidents.org reports 22,000 infections at this point. I've recorded 4 hits so far this morning (though I got nearly 30 the last time around).

    For the media to go nuts, it took press conferences and press releases from the FBI and Microsoft. Those big organizations aren't making the same noise about Sircam (or Sklyarov, or...).

  180. Another site with real time stats..... by baptiste · · Score: 2
    Incidents.org is major hosed (ie slashdotted)

    Dshield.org has some stats going too. Looks like 23,400 infections as of around 10AM EDT....

    1. Re:Another site with real time stats..... by baptiste · · Score: 2

      My bad - their DB is for all infections reported not just Code Red - the 'Code Red Real Time Stats' thing underneath threw me - it just links back to incidents.org :( Links are supposed to be UNDERLINED people!

  181. Re:Affects more than just IIS servers by unitron · · Score: 2

    Imagine if the Ford/Firestone mess had been reported as "If you own an SUV your tires are dangerous".

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  182. Re:Huh? by unitron · · Score: 2

    Have you tasted Code Red? I think they make it out of worms.

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  183. Re:"something bad didn't happen" by Anonymous Coward · · Score: 0
    Not at all. The manufacture of news is at least a 50-year-old tradition in the U.S. I can't remember if James Glick [sp?] pointed this out in "Faster" or if it was in the book "Hidden History", but McCarthy used to do this all the time: he'd intentionally schedule a press conference only to postpone it, saying that a witness could not be found. The papers would read Hearings Postponed: Key Witness Being Sought.

    The media loved it because it sold papers. McCarthy loved it because it kept his name in the public eye.

  184. Tons of Celeb Mpegs Here... by Anonymous Coward · · Score: 0
  185. Red Code vs Sircam -- The MS-FUDyard wars by Rotten · · Score: 2, Funny

    Hey!
    That's a show I'd like to see!

  186. How is this funny? by Robber+Baron · · Score: 1

    How is this funny? You want to see Bill Gates punching himself in the he... Oh! Never Mind!

    --

    You're using her as bait, Master!

  187. Worm spreads in a biological pattern... by debaere · · Score: 1

    The worm increases activity in more of a biological pattern (ie geometric). 1 host infects another host. Those 2 hosts infect 2 more, the 4 hosts infect 4 more... etc

    I believe the media expected the "attack" to happen like an artillery barrage, or the way the US attacked during the Gulf War - all at once.

    If you think of it the way it really is, the way diseases spread, then you realize that the problem is only going to get worse. How worse remains to be seen.

    My server logs have reported 400+ hits since 2am EST, and it is increasing in a ~geometric rate. From 2 - 8 I got 58 hits, from 10:30 to 11:30 I've had over 100.

    Dave

    --

    DOS is dead, and no one cares...
    If there's a Bourne Shell, I'll see you there
  188. Re:Don't speak too soon by gorgon · · Score: 1
    How can I tell if I got a Code Red hit?
    Check your access_log (for Apache - other web servers probably have similar log files) for hits of the form:

    111.111.111.111 - - [01/Aug/2001:06:57:14 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326 (IP address changed to protect the guilty).

    To check for Code Red I use:
    tail -10000 access_log | grep NNN

    --

    And I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners.
    Berke Breathed
  189. Re:the reason is... by Zico · · Score: 1

    Notice these articles NEVER said what systems Code Red wouldn't affect, just that Code Red WOULD affect Microsoft systems.

    Yeah man, it's all one big conspiracy! Damn corporations even have the media bought off! You just watch the next time there's a plane crash. The news media gives a list of VICTIMS, man! There's hundreds of millions of people that weren't in the crash and the korrupt media is just covering that up! And my hangglider with the big Mountain Dew logo on it -- did it crash? No! But did the media ever mention that or did they just keep talking about that damn plane? You don't need me to tell you, you know what those bastards did!

    I blame the military industrial complex and those evil corporatism forces, or whatever the hell Jon Katz is always complaining about!

  190. Second Wave of Code Red a fluke??? by Anonymous Coward · · Score: 0

    Last time i checked my web server logs it wasnt. 63.127.47.130 - - [01/Aug/2001:15:05:45 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 381 "-" - -

  191. Good old Hype by Anonymous Coward · · Score: 0

    "The internet will die" is a nice story to scare people with whereas just another virus is well, just another virus. Even apparently when it's not just another virus...

    Myself, I'm still waiting until I can say my computer is infected with the Foot and Mouth virus

    --

    Nicholas Blachford
    myfirstname@mysurname.freeuk.com
    Ministar nepretpostavljenih okolnosti
    I find that alchol taken in sufficent quantaties produces all the effects of drunkeness.

  192. Great site for more info by Dunall · · Score: 1
    http://www.caida.org has tons of info tracking the virus so far. At present they're showing that there are more than 100K systems infected but the number just suddenly dropped off.. Probably problems with their data.

    http://worm-security-survey.caida.org/

    Shows actually how many people gave a damn about the alerts and actually did something.. That's just a small sample and the Unpatched IIS servers remains about the same the entire time.

    Here's a quote from an E-mail that I just got ...

    (david moore with help from a bunch of elves)

    http://www.caida.org/analysis/security/code-red/aug1-live-hosts.gif

    was exponential till about an hour ago, we're not sure if leveling off is due to our monitor load or an actual peak in the data.

    log-scale version http://www.caida.org/analysis/security/code-red/aug1-live-hosts-log.gif

    will put on main caida home page later today and update every minute (you'll have to hit reload, and you won't actually notice changes at a minute granularity so please no per-minute cron jobs to reload :) )

    note the corresponding graph for 19-20 july:

    http://www.caida.org/analysis/security/code-red/gifs/cumulative-ts.log.gif

    no per AS stats for this outbreak yet, also under construction.

  193. Why? by Anonymous Coward · · Score: 1

    Because nobody at CNN has been infected with sircam yet.

  194. vested interest by TomV · · Score: 1
    Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

    I suspect it's simply because whitehouse.gov was a known DoS target for Code Red. So, surprise surprise, the US state went into full-on battle mode. And an FBI warning makes for a good news story.

    Meanwhile, I was very "impressed" to hear the BBC news last night explaining that 'the code red bug is a type of virus called a worm'. Did no-one with even an ounce of clue get a look at that script before it went out?

    TomV

    1. Re:vested interest by TomV · · Score: 1
      On the other hand, to be fair to the BBC, I got a top-rated chuckle out of this:
      "What might also hamper the ability of the virus to spread is the relative unreliability of Microsoft web servers.

      The Code Red virus lurks in the memory of a web server and is cleared when the computer is rebooted.

      As Microsoft servers crash more often than many of their counterparts, this might limit the spread of the malicious code."

      (from this story on the BBC news site.)

      TomV

  195. Re:Answer by Anonymous Coward · · Score: 0

    Gibson rocks, have some respect.

  196. Re:The Reason Why... by Anonymous Coward · · Score: 1, Informative

    Virus writers don't name viruses, the AV companies do.

  197. This settles it... by Anonymous Coward · · Score: 0

    Microsoft sucks. Even their VIRUSES don't work RIGHT!

  198. Re:People underestimate the bandwidth of the 'net by baptiste · · Score: 2
    200,000 hosts (high point last month) sending lots of tiny packets is probably less traffic than slashdot readers viewing videos from articles

    Well, perhaps, but remember, this beast has 100 threads going at once trying to infect machines. And your count is a bit low - the counts I've seen, and disclaimed as LOW - were 360K infected hosts. That's 3.6 MILLION processes choosing random IPs anywhere in the world and sending a couple hundred bytes. That's a WHOLE lotta connections. So it can have an impact.

  199. Re:Chicagoans: send your regards to GWB by Anonymous Coward · · Score: 0

    and this has what, exactly, to do with GWB?

    you're a fucking dumbass.

  200. People underestimate the bandwidth of the 'net by iabervon · · Score: 2

    All of these infected hosts ramping up with attacks on other servers and sending gratuitously inefficient traffic takes up a lot of bandwidth... but not compared to the bandwidth the 'net has these days. 200,000 hosts (high point last month) sending lots of tiny packets is probably less traffic than slashdot readers viewing videos from articles.

    Having those hosts sending packets that break routers and printers is more of an issue, but those have generally been fixed last month, because they couldn't very well just have been left off until the thing went dormant.

    The internet's infrastructure has grown significantly in capacity (although not necessarily in smart physical placement) since it was easy to DOS the whole thing with a worm (or with the start of the school year, for that matter), and it's happened in response to actual use of the bandwidth. All of the clients generating web requests easily overcome the traffic all of the servers running IIS could possibly generate, not to mention the traffic that goes over any large, bulldozer-accessible cable.

    1. Re:People underestimate the bandwidth of the 'net by Dunall · · Score: 1

      But if it keeps on its current track, I think we're going to see a LOT more infected hosts than we did last time.. That could start to add up.

  201. $8.2 billion cost for Code Red. Gimme a break. by ihawk · · Score: 1

    Just read on The Register that Code Red has cost business $8.2 billion in repair cost and lost productivity. Horse pucky. I can't believe that the actual cost is even an insignificant fraction of that. How much does it cost for an MSCE to reboot a Win2K server? These kind of artificially inflated numbers are just more justification for misguided legislation and heavy handed corporate tactics.

  202. Re:But what about the media? by skilletlicker · · Score: 1
    The question is, why is it that Code Red was trumpeted as the "End of the entire Internet as It Is", with no mention that it only affects MS IIS servers.

    Because all the data those IIS servers were supposed to send around would've sure affected people trying to use your Apache server.

  203. Gone with a whimper?!?! by LinuxHam · · Score: 1

    What makes you think it's over? It took 6 days to get to 359,000 infected hosts last time around, and you want the Internet to be choked within 14 hours?!? This time around, it will have 19 days to spread.

    Microsoft estimates there were 6 million vulnerable servers when the hole was announced. They said last night that they've had 1 million downloads of the patch. How many of you think half of them were home users of Win2k? There are millions of vulnerable hosts still out there. Keep an eye on www.incidents.org. While there were only 157 hosts infected by 1am ET, there were over 22,000 infected ten hours later.

    I have always had a very tight dialup Linux firewall with IPChains (only ssh open inbound), but I wanted to setup my own monitoring station to see how this thing affects me over the next couple of weeks. I hung netcat on port 80 using xinetd, installed snort, and then opened inbound port 80 in ipchains just to see how many probes will come my way. So far, no one has guessed my IP address.

    --
    Intelligent Life on Earth
  204. Incidents.org mini-mirror by karlm · · Score: 1
    Incidents.org is currently pretty slashdotted. My T1 is only getting 33 bytes/second. Here's a mini-mirror snapshot for you die-hard Code Red fans.

    As of 16:25 EST, the incidents.org website is showing 48,489 infected hosts (as of 14:00 EST).

    P.S. I wonder how many requests for interviews Prof. Morris is getting about his infamous worm and the Code Red worm.

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  205. Chicagoans: send your regards to GWB by Anonymous Coward · · Score: 0
    We have excessive heat warnings and heat advisories all the way from Michigan to the Gulf Coast. The heat index is 110 degrees (Fahrenheit) in some spots, to above that -- 115 in St. Louis, Missouri; Little Rock, Arkansas, and Chicago, Illinois.

    Chicago really is the bull's-eye today. It's the farthest, biggest northern city that we have significant excessive heat warnings for in the region. And that means residents need to stay out of the sunshine, drink plenty of water, check on pets. Make sure they have plenty of water and maybe some shade as well, and make sure that the kids don't get out there and play too much this afternoon.

    Make sure the elderly without air conditioning have fans, if you can. Many older Americans try to save money by not turning on the air conditioning. But this really is the day to turn on the air conditioner and try to keep yourself cool.

    If you're in Chicago, try to go to the lake shore, even find a movie theater where you can find a matinee in the middle of the day.

  206. attribute 'to' malice, not 'too'.. by Anonymous Coward · · Score: 0

    I'll attribute that to stupidness.

  207. Media Hype by OpenSourceRulez · · Score: 1

    Okay, so the Code Red worm reappeared, but now enough sysadmins had enough reason to put the patches in and it hasn't had an infection rate as high as the last time. Okay, Code Red is a nasty virus and such, but it doesn't deserve the media coverage it is getting. Even the media coverage is half truths. Seriously, I have Win2k, but wasn't affected because I didn't have IIS running. I was pissed off to hear all of the reports that Win NT and Win2k computers are vulnerable to this when really the virus only propagates on those OS's but to get in you need IIS running. The media cries wolf so much nobody knows when to believe them and this is one of those cases. I would rather have had the attention on SIRCAM than this as it does leak documents, potentially classified/confidential ones. The media needs to grow up and learn what to report and what not to. This is a case of them not reporting what they should have been.

    --
    "Success is not the result of spontaneous combustion. You must first set yourself on fire." -- Fred Shero
  208. Growth rate (slight OT) by Anemophilous+Coward · · Score: 1

    So I haven't studied the graphs much, but I feel a bit nit-picky as to the rate of growth being used by everyone (caveat: I am not a hardcore mathematician either).

    I've seen two terms used to describe the code-red growth: geometrically and exponentially.

    Now if I remember my basic math teachings you can have an arithmetically increasing (or decreasing) sequence which proceeds at a (I believe) constant rate: 2,4,6,8,10,12.... rate increase of +2.

    There is also the geometric series which progresses something like this: 2,4,8,16,32,64,128.... rate increase of x2.

    Then exponential series which (IIRC) progress by a factor of 'e'. Hrm. Have I just answered my question; exponential series are just a subset of geometric series, with the factor being 'e'? Or are they significantly different? And if so, just what rate is (did) code-red progressing at?

    Like I said, it's nit-picky, but I hear both terms thrown around like they were candy and am curious as to which one best describes the growth (since the sites with graphs seem to be overtly busy at the time). Thanks in advance to any hardcore mathematicians shedding light on this.

    -A non-productive mind is with absolutely zero balance.
    - AC

    1. Re:Growth rate (slight OT) by d-e-w · · Score: 1

      It's exponential. The difference is how the growth rates look on a graph and how quickly they increase past a certain threshold. Early on, the growth rates look relatively similar ... then exponential becomes really, really bad.

      *huh* /. won't let me post my little graphs for you all.

      Geometric growth is a straight line headed upward at a constant pace over time.

      Exponential growth is an upward curve that may look geometric in the short term, but whose pace increases greatly over time. It eventually grows at a much, much faster pace.

      Code red may be a 'tempered' exponential, since reportedly some versions of it stop attacking after infecting 100 hosts. That simply means the curve isn't as extreme.
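An added worked example for the question in comment 208 (mine, not something posted in the thread): a sequence that is multiplied by a fixed factor r at every step is a geometric progression, and since r^t = e^(t ln r) it is also exponential growth; the base e is only a choice of unit for the rate, not a different kind of curve. The code computes the per-hour factor implied by the two counts quoted in comment 203 (157 hosts at 1am ET, 22,000 ten hours later), checks that a geometric series and an exponential with k = ln r coincide, classifies a series as arithmetic or geometric by whether its differences or its ratios are constant, and adds a finite-population model. That last part, a discrete logistic curve, is my assumption about why a random-scanning worm's curve flattens once most vulnerable hosts are already infected, not anything measured on the page.

```python
import math


def growth_factor(n0, n1, steps):
    """Per-step multiplier r with n0 * r**steps == n1 (here: per hour)."""
    return (n1 / n0) ** (1.0 / steps)


def geometric(n0, r, steps):
    """n0, n0*r, n0*r^2, ...: each term is the previous one times r."""
    return [n0 * r ** t for t in range(steps + 1)]


def exponential(n0, k, steps):
    """n0 * e^(k t): the same curve as geometric() when k = ln r."""
    return [n0 * math.exp(k * t) for t in range(steps + 1)]


def classify(series, tol=1e-9):
    """'arithmetic' if consecutive differences are constant (2,4,6,8),
    'geometric' if consecutive ratios are constant (2,4,8,16), else 'neither'."""
    if len(series) < 2:
        return "neither"
    diffs = [b - a for a, b in zip(series, series[1:])]
    ratios = [b / a for a, b in zip(series, series[1:])]
    if all(abs(d - diffs[0]) <= tol for d in diffs):
        return "arithmetic"
    if all(abs(q - ratios[0]) <= tol for q in ratios):
        return "geometric"
    return "neither"


def saturating(n0, r, population, steps):
    """Discrete logistic model (an assumption, not measured data): a host that
    scans random addresses only finds a new victim among vulnerable hosts that
    are not yet infected, so the (r - 1) new infections per host and step are
    scaled by the uninfected fraction. Growth starts geometric with factor r
    and flattens as the pool empties; it never exceeds the population."""
    series = [float(n0)]
    n = float(n0)
    for _ in range(steps):
        n = n + (r - 1) * n * (1 - n / population)
        n = min(n, float(population))
        series.append(n)
    return series


if __name__ == "__main__":
    # Counts quoted in comment 203: 157 hosts at 1am ET, 22,000 ten hours later.
    r = growth_factor(157, 22000, 10)
    print(f"implied factor per hour: {r:.3f}  (k = ln r = {math.log(r):.3f})")
    print("geometric  :", [round(x) for x in geometric(157, r, 10)])
    print("exponential:", [round(x) for x in exponential(157, math.log(r), 10)])
    # Hypothetical pool of 100,000 vulnerable hosts, 24 hours of spread.
    print("saturating :", [round(x) for x in saturating(157, r, 100000, 24)])
```

The two quoted counts imply roughly a 1.64x increase per hour; whether the real curve keeps that factor or bends over as in the logistic model is exactly what the CAIDA graphs quoted in comment 192 were trying to tell apart.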

  209. code red / pepsico by psychalgia · · Score: 1

    the worst of it is is that I can't get the damn name out of my head, and now I'm drinking this nasty soda. Is it really so far out that PepsiCo released this worm to get us to buy their new flavor?!??!

    --

    ________________________________________________

  210. http://www.internettrafficreport.com/ by Troodon · · Score: 1
    http://www.internettrafficreport.com/

    Perhaps not the most sophisticated measure but it's still interesting to note how latencies etc picked back up to those normally seen over normal work hours for a little while.

    --
    troodon.net
    1. Re:http://www.internettrafficreport.com/ by Troodon · · Score: 1
      NB/ Take a look at the 7 day graph here.

      "The "traffic index" is a score from 0 to 100 where 0 is "slow" and 100 is "fast""

      --
      troodon.net
  211. Re:But what about the media? by Anonymous Coward · · Score: 0

    this would be one of those cases of the choir preaching to the choir. go ahead, just call up the news places and complain. matter of fact, i insist. tell them that they are so stupid for thinking that "the entire internet" runs on microshaftware.

  212. Its warming up... by aralin · · Score: 2

    My apache logs show for today already more code red attempted attacks than for all the last month together. What about someone finally posting how to edit the apache config files to just discard and mainly do not LOG these attacks. Since if it will really grow out of proportion, it will trash a lot of partitions on disk of many unix servers...

    --
    If programs would be read like poetry, most programmers would be Vogons.
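aralin asks above how to keep these requests out of the Apache logs. The fragment below is an added example, not something posted in the thread, built from two standard Apache directives: SetEnvIf (mod_setenvif) tags any request whose URI begins with /default.ida, and the env= condition on CustomLog decides which log that request goes to. The log paths are placeholders. Rather than discarding the probes outright I would route them to their own file, because the source address of each probe is an infected host and is the one piece of information in these entries worth keeping; the usual cure for a log filling a partition is rotation, not silence.

```apache
# Tag any request for /default.ida (the Code Red probe seen throughout this thread).
SetEnvIf Request_URI "^/default\.ida" codered

# Keep the normal access log free of the probe noise ...
CustomLog /var/log/apache/access.log combined env=!codered

# ... but record the probes (source, time, request line, status) in their own
# file, which can be rotated or truncated on its own schedule. Delete this
# line if you really want them discarded entirely.
CustomLog /var/log/apache/codered.log "%h %t \"%r\" %>s" env=codered
```

Apache never serves the request either way; it answers 400 or 404 as the posted log lines show, so the only cost the probes impose on a Unix web server is a connection and a log line each.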
  213. Not surprised by yka · · Score: 0

    For the internet to grind to a halt, MS would have to have the percentage of servers they claim to have.
    It's now proven: the importance of MS/IIS in providing internet services is greatly exaggerated.

  214. Well, so far... by matty · · Score: 1

    No problems here at oz.net (Seattle):

    226 Transfer complete.
    10128585 bytes received in 76.89 secs (128.6 kB/s)
    ftp>

    That's my 1 Mbps DSL connection, which seems to be operating at full speed. Also, I've grepped my syslogs on my servers at home and at work and I find no mention of *.ida.

    That (obviously) doesn't mean it's not out there, though. :)

    Ironic, you'd think that with all the Windows servers there must be just east of here that we'd be dead in the water. (moderators: That was a joke. Laugh! HaHa! +1 Funny! :)

    1. Re:Well, so far... by Anonymous Coward · · Score: 0

      try
      tail -f /var/log/apache/access.log |grep default.ida

      I have it running as my x-background:)

    2. Re:Well, so far... by matty · · Score: 1

      (said in my best Jewish imitation, ala Billy Crystal in The Princess Bride)
      AHHHA!!

      From my home server:

      /var/www/logs# grep .ida access.log
      192.83.112.172 - - [01/Aug/2001:05:44:42 -0700] "GET /default.ida?NNNN(plus more N's to avoid the lameness filter)*
      %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
      202.28.38.25 - - [01/Aug/2001:07:05:12 -0700] "GET /default.ida?NNNplus more N's to avoid the lameness filter)*
      %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
      64.75.31.153 - - [01/Aug/2001:09:53:46 -0700] "GET /default.ida?NNNNplus more N's to avoid the lameness filter)*
      %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

      ...and from my server at work:

      /var/www/logs# grep .ida access.log
      203.65.201.241 - - [31/Jul/2001:21:34:37 -0700] "GET /default.ida?NNNNplus more N's to avoid the lameness filter)*
      %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
      211.254.138.162 - - [01/Aug/2001:07:22:21 -0700] "GET /default.ida?NNNNNplus more N's to avoid the lameness filter)*
      %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
      216.156.1.67 - - [01/Aug/2001:09:39:56 -0700] "GET /default.ida?NNNNplus more N's to avoid the lameness filter)*
      %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
      217.34.96.101 - - [01/Aug/2001:09:55:18 -0700] "GET /default.ida?NNNNplus more N's to avoid the lameness filter)*
      %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 %u 9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u00 03%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

      /var/www/logs/access.log, not /var/log/syslog. Thanks for the tip. :)

      *=Sidenote: Isn't it rather ironic that one of the lamest things about Slashdot is the lameness filter? :)
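gorgon's `grep NNN` in comment 188 and the `grep .ida access.log` output above both identify Code Red by its `/default.ida` request. The script below is an added example (mine, not posted by anyone in this thread) that does the same over a few constructed Apache log lines: it parses each entry, flags the request shape shown in the thread (a long run of N's followed by %u-encoded bytes), and tallies probes per source address, per HTTP status and per hour. The sample addresses come from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges and the request strings are shortened; a real probe carries a far longer run of N's, so the pattern asks for only twenty of them.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample entries in Apache common log format, modelled on the lines
# posted in this thread. Source addresses are from documentation ranges and the
# filler of N's plus the %u-encoded tail are shortened for readability.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:06:57:14 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 326
192.0.2.10 - - [01/Aug/2001:07:05:12 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
198.51.100.7 - - [01/Aug/2001:09:53:46 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [01/Aug/2001:09:55:18 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205
192.0.2.33 - - [01/Aug/2001:10:12:01 -0500] "GET /default.ida HTTP/1.0" 404 205
this line is not a log entry at all
"""

# One common-log-format entry: host, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The probe shape shown in the thread: /default.ida, a long filler of N's, then
# %u-encoded bytes. The real probe has a run of N's several times longer; twenty
# is enough to tell it from an ordinary request for /default.ida.
CODE_RED_RE = re.compile(r'^/default\.ida\?N{20,}.*%u[0-9a-fA-F]{4}')


def parse_line(line):
    """Return a dict for a well-formed log entry, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_code_red_probe(rec):
    return rec["method"] == "GET" and CODE_RED_RE.match(rec["uri"]) is not None


def find_code_red_probes(log_text):
    """All parsed entries that look like Code Red probes, in file order."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_code_red_probe(rec):
            probes.append(rec)
    return probes


def summarize(probes):
    """Probes per source address and per HTTP status, plus the time span.

    The source addresses are the useful output: each one is a host that is
    itself running the worm. Apache only ever answers 400 or 404 here.
    """
    return {
        "total": len(probes),
        "sources": dict(Counter(p["ip"] for p in probes)),
        "statuses": dict(Counter(p["status"] for p in probes)),
        "first": min((p["ts"] for p in probes), default=None),
        "last": max((p["ts"] for p in probes), default=None),
    }


def hourly_counts(probes):
    """Probes per clock hour, for watching whether the rate is still climbing."""
    return dict(Counter(p["ts"].strftime("%d/%b/%Y %H:00") for p in probes))


if __name__ == "__main__":
    probes = find_code_red_probes(SAMPLE_LOG)
    summary = summarize(probes)
    print(f"{summary['total']} Code Red probes from {len(summary['sources'])} hosts")
    for ip, n in sorted(summary["sources"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:<16} {n}")
    for hour, n in sorted(hourly_counts(probes).items()):
        print(f"  {hour}: {n}")
```

Feed it a real access_log instead of SAMPLE_LOG and the per-source table is the list of infected machines scanning you; their owners, or the abuse contact for their netblock, are the people who can actually do something about it, since a 400 or 404 on your side means the request did nothing here.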

  215. Hype by Anonymous Coward · · Score: 0

    >In spite of Michael Hyatt-like hype,

    yeah, i heard some websites had a `guess the headlines` story!!! Some people will do anything for attention, right?

  216. Lets get this going again! by Anonymous Coward · · Score: 0

    Okay, so our Apache servers can't aid in spreading the worm -- only our unpatched IIS boxes can.

    So why don't we whack together a perl script that'll do the job on an Apache machine? Take the same intelligence that Code Red uses, and let it go out and infect a few more IIS servers. After a while shut it down and let MS's products take the glory again.

  217. Coming Soon! - Code Red II by WillSeattle · · Score: 1

    Remember all those wonderful hijinks that Code Red did? Yes, perhaps it wasn't as good as SirCam, but wasn't that really scary, hearing it on all the news channels?

    I guess this means we can expect the sequel, just like in Hollywood - Code Red II: The URL generation!

    Man, they do an IP lookup, instead of a URL. Bet that will take them about five minutes to recode ...

    Amusing how they used the Borland Delphi IDE to create it, no? Scott__ sussed that one out. Maybe the next one will be done in C# ...

    --
    --- Will in Seattle - What are you doing to fight the War?
  218. Is Internet Security an Oxymoron? by Alien54 · · Score: 2
    Cringely has an interesting article on the future of the Internet entitled:

    Internet Winter - Why Internet Security is an Oxymoron

    There is this interesting factoid:

    Still, did you know that 41 percent of images attached to British business e-mail messages are pornographic? Does that say more about business or the British?

    He seems to have bought the Steve Gibson line to some degree although he is more reasonable. The problem is that the scenario Cringely paints is likely to be painted as unlikely because it is so unbelievable. Sadly, this does not make it any less likely in fact. As he says:

    At this point, I'm supposed to write, "Ah, but here's what we do about it," only I can't. Our vulnerability is too great and our lack of defensive talent too profound. There are ways to protect systems and networks against these kinds of attacks, but no depth of will to really fight them. The Internet is already such an ingrained and incompetently managed part of our lives that it is already too late."

    --
    "It is a greater offense to steal men's labor, than their clothes"
  219. Re:New version? VIRUS Warning! by jamesdood · · Score: 1

    Different worm Norton AV identified as the Backdoor SADMIND virus when going to the mirror site! Danger Will Robinson!! Danger!! ;-)

    --
    *narf!*
  220. The Reason Why... by toupsie · · Score: 2, Funny
    The reason that "Code Red" has been covered more in the media than "Sir Cam" is simple. Which one sounds more dangerous? "Code Red" sounds like what happens before we launch nuclear warheads at the Ruskies while "Sir Cam" sounds like a rejected name of a Pokemon. In the news media, danger and sex sell. Just look at the Chandra Levy coverage.

    If you are virus writer and want the media to pay attention to your creation, I would suggest the following scary names:

    1. Hailstorm (oh wait Microsoft is already using that)
    2. Super Explode-O-Matic Death Bringer
    3. Kiddie Pr0nB0mb
    4. DefCon 4 Ultra Hurt Machine
    5. Keyboard Ebola
    6. Belgium (According to DNA)
    7. AOL Outlook IIS VBS Player
    8. HMO Claims Adjuster
    9. Lizzie Grubman SUV White Trash Compactor
    10. NASDAQ

    What is really telling about Sir Cam vs. Code Red is that my mail server has bounced over 2,500 copies of Sir Cam vs. Apache recording 19 log entries of 'default.ida' from Code Red. Game, set, match, Sir Cam.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  221. No one is talking about SirCam by wiredog · · Score: 5, Funny

    Because we, and the press, like getting all those juicy documents from Senator X, Company Y, and Miss (or Mr) Hot Pants in Marketing at BigCorp Intl. If we started raising hell about SirCam, the flow would dry up and we'd have to go back to work.

    1. Re:No one is talking about SirCam by Fishstick · · Score: 1

      Yes, exactly. Probably can count on one hand the number of days it will take before some administration official is invited to some congressional sub-committee hearing so he/she can use code red as an example of why we need a few hundred million $ to set up an anti-hacker SWAT team that will prevent these kinds of malicious attacks on our vital national information infrastructure.

      ...or something.

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    2. Re:No one is talking about SirCam by Bearpaw · · Score: 2

      Probably part of the hype is also because it [gasp!] targeted the White House (servers). If the White House is involved, it must be important.

  222. Answer by phaze3000 · · Score: 2
    Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

    Because Steve !! Gibson !!! didn't rant about Sircam..

    I wish the media would vet these so-called 'experts' before blindly accepting everything they say.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
    1. Re:Answer by Rogerborg · · Score: 2
      • I wish the media would vet these so-called 'experts'

      Uh, they do. They go through a painstaking process of deciding which one will give the most attention grabbing copy for the least effort. Good old Steve!! even inserts his!! own CAPITALS!! and SHRIEKS!!! for them !!!

      Let's face it, anything you read in a medium supported by advertising is designed to grab eyeballs, not impart truth. And yes, that includes /.

      --
      If you were blocking sigs, you wouldn't have to read this.
  223. Codered is not dead ... sure not ... by freaker_TuC · · Score: 1

    Guess there is still some action about Codered ...

    This happened in the last 12 hours:


    CodeRed IDA Overflow
    386 sources - 45 destinations

    CodeRed Defacement
    342 sources - 45 destinations

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  224. "something bad didn't happen" by bhny · · Score: 1

    Does anyone else find it strange that newspapers are reporting non-events

  225. Funny by kTag · · Score: 1

    "As of now, the Internet is operating normally."

    Thank god the FBI is here to look after the Internet!! What would we do without them?

    For the next version of IIS, you'll get agents knocking at your door to check if you applied your patches...

  226. When will they learn? by mlknowle · · Score: 1

    When will virus/worm authors learn that publicity (at least initially) is their ENEMY? That is, if everyone knows that a virus/worm/whatever is about to strike, they will prepare for it! (That is to discount the "is whitehouse.gov down yet? better check" effect...) Now, when a virus comes around which isn't publicized, or acts too quickly to be publicized, there will be a problem. Plus, the virus author will then get his "recognition" (although not as much respect as someone who emerged as a hero preventing a much-hyped virus, but anyway)

  227. SirCam? by ScottyB · · Score: 2, Funny

    What, you mean you really didn't want my advice on what I thought of your pr0n collection (the "stuff" directory you sent me)?

    *sniff* *sniff* but I thought our friendship had gotten that closer

  228. More graphs by Mike+Hicks · · Score: 4, Informative

    For those of you who like pretty graphs, look at caida's nearly-live graphs: [normal scale] [logarithmic scale]

  229. Re:Don't speak too soon by Anonymous Coward · · Score: 0

    How can I tell if I got a Code Red hit?

  230. Use the data, Luke! by cyways · · Score: 2

    I was curious to see whether there was any discernible hiccup in Internet service as a result of the feared revival of Code Red. A quick trip to Matrix.net's average performance page suggests not. A quick glance at the graph for the past twenty-four hours shows a dip early this morning, but once you look further down at the weekly or monthly graphs, you see that today's blip is not much larger than ones seen at the end of July when the worm was supposedly sleeping.

    What I find more remarkable is the poor performance of the root name servers. They drop something like 20% of all the packets they receive from the testing servers!

  231. It's out there, and growing. by Anonymous Coward · · Score: 0

    Take a look at http://www.incidents.org/: it reported over 20000 *new* infections in the last hour. (The total infections count seems to be broken at the moment.) It's been climbing steadily all day.

  232. Remember Quake? by sterno · · Score: 2

    Am I the only person who remembers a few years back how the release of a new version of Quake (I think Quake 2) was going to cause brownouts on the Internet? Everybody loves stories of apocalyptic scale carnage, so the media will feed it to them whenever they can. Is Code Red overblown? Of course! It'll still cause some problems, but on the bright side, the publicity is causing people to fix it. So anyhow, I think I'll just not worry about it and play Quake 3 so I can destroy the Internet in a fun way :). ---Steve

    --
    This sig has been temporarily disconnected or is no longer in service
  233. It's just starting slow by Anonymous Coward · · Score: 0

    As of now (8:30 AM PST) NPR is reporting that Code Red is out there and has started to make its effects felt. Keep your eye on the slope of the curve to judge this one.

  234. Re:the reason is... by jocknerd · · Score: 0

    I totally agree. Any free publicity for Microsoft is good publicity. Notice these articles NEVER said what systems Code Red wouldn't affect, just that Code Red WOULD affect Microsoft systems. Microsoft is the master of marketing. They know how the American people are. We like snippets of information and news. We don't want to read the whole story, just the headlines. All we really got out of all this were the following:

    worm, computer, microsoft, windows 2000, patches

    Where was Sun's marketing dept? They should have been talking to the press as well.

  235. Huh? by Anonymous Coward · · Score: 2, Funny

    I just bought a Code Red from 7-11 about 15 minutes ago! There's a whole shelf full! What are you guys talking about?

    1. Re:Huh? by Neon+Spiral+Injector · · Score: 2

      Man, what ever you do, don't eat the worm.

  236. Not out of the woods yet by asc4 · · Score: 1
    I suspect that the news media can only handle pushing FUD and hysteria for one threat at a time. It is interesting to note, though, that growth of infections is again showing exponential growth, which begs the question...given all the hyperventilating even the mainstream media has done over Code Red, how can you not have patched your servers by now?!?

    Andrew

  237. In unrelated news, by Anonymous Coward · · Score: 0

    today the code red/sircam worm/virus took a left turn and attacked RIAA.com, more at 11.

  238. FBI talking bollocks, say Metropolitan Police by JimPooley · · Score: 1

    Found this on ZDNet..

    UK police say misleading warnings from the FBI led home PC owners to believe that their computers could be infected by the server worm
    The Metropolitan Police has criticised the FBI for issuing confused messages about the Code Red worm, which led home PC owners to believe that their computers could be infected by a self-propagating worm that only attacks Internet servers.
    Last night the FBI was on red alert for an Internet meltdown, due to begin at 1am BST once the malicious worm became active again.
    As the Metropolitan Police's Computer Crime Unit points out, over-hyped warnings by the FBI have failed to acknowledge that only unpatched servers using versions of Microsoft's Internet Information Server (IIS) would be vulnerable to re-infection. "Code Red cannot affect a machine unless it has a Web server installed, which is very unlikely as this does not happen by default," said DC Andy Cox of the Metropolitan Police.
    The confusion has caused panic amongst some ZDNet News readers. Questions such as "how do we protect our PCs from this new virus attack?" and "should I shutdown my system Tuesday night?" have bombarded the mailroom in the last couple of days.
    Graham Cluley, a senior technology consultant at anti-virus firm Sophos, agreed that FBI warnings should have clearly stated that Code Red cannot affect home PCs, and accused the organisation of imitating a "John Grisham novel".
    "It's good news that the Internet didn't melt down, but the danger is that because the FBI issued such hyperbolic warnings with the suggestion that this has cost billions of dollars already, the average person will remember that nothing happened, and not take the next warning seriously," said Cluley.
    The Metropolitan Police has confirmed that contrary to widespread warnings "nothing has happened" since 1am BST. The time-sensitive worm, which replicates between Windows 2000 servers, and exploits the so-called Microsoft Index Server flaw, is programmed to re-propagate itself on the first of each month, and so will no longer be lying dormant in previously infected machines. For British anti-virus firms a sleepless night was unnecessary -- reports confirm that few systems have been compromised this time round.
    "Companies will now be thinking what a bunch of charlatans the FBI is," added Cluley.

    What a bunch of charlatans the FBI are, surely...

    --

    "Information wants to be paid"
  239. Not fair to compare the worm with Y2K by jotaeleemeese · · Score: 1

    In spite of what the media would like you to believe, the Y2K problem was real. I guess I do not need to delve too deep in this place to convince people who basically know that what I am writing is true; I just think that to echo the tidbits of computer-illiterate media in /. is a sad development.

    --
    IANAL but write like a drunk one.
  240. Still mad I didn't cash in ! by beanerspace · · Score: 1

    I'm still fuming that I wasn't able to cash in on this one! You know, a lame book that I advertise on the 700 Club, scaring little-old-blue-haired ladies so bad that they nag their living-in-the-basement-35-year-old-sons to move out to the woods and build the bunker. Then again, at least they're out of the house.

  241. 7 this morning, so far by jonabbey · · Score: 2

    I've seen 7 probes from Code Red on my home linux box in the space of three and a half hours, and one probe on our work server.

    Interestingly enough, we were scanned by what purports to be a network security scanner here at the university last night, using a variant form of the probe. Looks like our network security folks were hunting for open servers before the storm hit.

  242. OK - it doesn't add up! [was Re:NEW DATA] by baptiste · · Score: 3, Insightful

    OK - I'm confused. Incidents.org is finally recovering from the /.ing it got this morning. The data on top tracking by hour now says there were 48,489 infected hosts from 1-2 EDT (up from 41,968 the hour before). But the 'Total Infections Today' in the table below says 99,716. So what gives? If the upper table is showing how many infections happened in a given hour (ie the total isn't 48K, but 48K NEW infections happened), it still doesn't add up. Adding all the hourly totals gives you 177,591 infected hosts, not 99,716. It doesn't make sense....

    1. Re:OK - it doesn't add up! [was Re:NEW DATA] by HD+Webdev · · Score: 0

      The first numbers shown (the graph) are the # of hits on Incident.com servers, split up by hour.

      If an infected IIS server hit 4 (or 40) of the Incident's servers during any of those hours, only 1 infection would count and be added to the Total Infection Number.

      --
      This is not a dream, not a dream...we are transmitting from the year 1-9-9-9.
    2. Re:OK - it doesn't add up! [was Re:NEW DATA] by Flagbrew · · Score: 1

      The top graph shows number of probes (in that given hour). The bottom graph shows number of distinct IP's infected (since 8/1).

  243. A bit premature? by baptiste · · Score: 2
    I'd say its a bit premature to say this is all over. I doubt it'll be as bad as before - but remember, CRv1 was slow to spread due to the lack of a random IP seed. Once CRv2 came out it spread like wildfire.

    I've seen 5 scans across 2 servers so far from five unique hosts - Last time I got between 20 and 30 per server. But it's just getting started. So it may very well continue to spread at a slower rate due to the # of hosts that have been patched - but there are still plenty of vulnerable hosts out there. On July 19th, my scans didn't really pick up till the afternoon - I have no idea when v2 hit the net, but it's the whole snowball effect, it starts slowly then picks up speed rapidly.

    I think it'll be a lot less of a problem than the media wants to believe, but I think it'll still be a significant problem.

  244. But what about the media? by Aerog · · Score: 5, Insightful

    The question is, why is it that Code Red was trumpeted as the "End of the entire Internet as It Is", with no mention that it only affects MS IIS servers. The news story I heard made no mention of the systems affected, simply summarizing it as "Webservers everywhere". No, this isn't intended to be Microsoft-bashing, but what would have been the situation had it gone off and the world realized that only a certain server configuration was affected? Would that have been glossed over in the same way that the vulnerability was?

    It's just like Y2K. It's a problem that is basically centred around a specific flaw that is NOT present in all computers, yet trumpeted by the media as "The Be All and End All" of computer problems "destined to destroy our information-superhighway society". Yet, when you look into it, it's not as large as it's supposed to be. Could this be the reason that the vast majority of the population is afraid to click the mouse too fast in fear that they "break" their computer?

    --

    - Relativistic? That's barely Newtonian!
    1. Re:But what about the media? by peccary · · Score: 2

      Some high-end Cisco hardware is NT based, and runs IIS, and had this flaw -- not just the 675 and its ilk.

    2. Re:But what about the media? by mabs · · Score: 1

      What the media has done is just follow the lead of the FBI, and the virus companies. I saw late last night an interview on a current affairs program, where some virus expert was watching internet bandwidth changes during the day, and you know what? internet bandwidth went up a tiny bit at about 1pm AEST, let me think... Lunch time??? - I rolled over laughing.

      Anyway, the FBI are making a big thing about this because it makes them look good, think about it:
      FBI PR GUY: Isn't something supposed to be happening with this virus at the start of the month?
      TECHIE/GEEK: It's only going to start spreading itself, nothing major.
      FBI PR GUY: (Running to press room) Oh No! It's going to start spreading itself again, we must warn everybody.....

      And you know what's even funnier, the FBI took credit when they said that it was their intervention that stopped a major catastrophe from occurring on the internet. Maybe they're just trying to justify those new jobs they just created (Yes, they are DMCA related, but a most stupid peop^H^H^H^H^H^H^H^H^H^H^H^H americans would think they are the same).

      And just before you start ranting at me, just remember what date this virus begins to become active again (00:00 21/*/*).


      (PS. I don't mean to imply _all_ americans are stupid, think of the poor central and south americans in Mexico and Brazil, oh, and those in the minor percentages on the northern part.)

      --
      VK3TST
      -- "People aren't stupid. Usually." -- jd
    3. Re:But what about the media? by SethJohnson · · Score: 1


      I fully agree with you. This deserves to smack across the face of BG himself like a french-thrown pie... But it's not.

      I was startled by the effectiveness of whatever calls from Microsoft's PR department that resulted in this Reuters spin:

      "Computers running Windows 95, 98 and ME are not vulnerable to the worm."

      As if those are the only computer OS's in the world! And while the article triumphs the safety of those Microsoft products, it fails to mention that this whole problem relates only to a given microsoft product (IIS). The pointer given in the article isn't even aimed at microsoft.com.. it's digitalisland.com/codered. What a smokescreen!

      Isn't it funny that when a piece of hardware is deemed faulty, the company that makes it will issue a recall at great expense to the manufacturer. When Microsoft's products are deemed faulty, the product is repaired at great expense to the consumer.
  245. Re:Affects more than just IIS servers by daviddennis · · Score: 5, Insightful

    Yes, but you can bet it would be a horrible public relations disaster for Honda.

    This deserves to be the same for Microsoft, for exactly the same reason.

    D

  246. What about Mountain Dew sales? by b1t+r0t · · Score: 2

    It would be interesting to look at the sales of Code Red Mountain Dew (so when are they going to make Code Blue?) and how they have been affected by all the publicity generated by the worm. This is the kind of publicity that money just can't buy, other than by passing out free cases of soda to cube farms full of programmers.

    --

    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
  247. Funny: 'geometric progression'? by Anonymous Coward · · Score: 0

    Like what, a square? Oh, you meant to say exponential progression.


    A little knowledge is a dangerous thing.

  248. Wanna hear something funny? by HoldmyCauls · · Score: 1

    I just read this story now at 3:00, because I've been GOING AROUND THE WHOLE BUILDING RUNNING NORTON!!! HAHAHAHAHAHA!!! *goes insane*

    --
    Emacs: for people who just never know when to :q!
  249. Media Coverage by Ms.Taken · · Score: 1
    There were stories on the local 11:00 news on ABC, NBC, and CBS affiliates here.

    One explained that Code Red only affected servers, so home PC users had nothing to worry about. Another said that rebooting would get rid of the worm.

    All three said that Microsoft had come up with a cure: a patch to eliminate the threat. Not one mentioned that the virus targeted Microsoft IIS.

    This worries me more than the worm itself. The combination of increasing high speed home internet access and inaccurate, incomplete reporting sounds like a perfect recipe for future disaster.

  250. CodeRED 2.0 by deathcow · · Score: 2, Funny

    Funny that the dilr0d programmed the worm to attack an IP address instead of a DNS name. I hear this months release, CodeRED 2.0, is going to go after the entire 10.0.0.0 network.

  251. Infection is slowing down?? by LinuxHam · · Score: 1

    Look at the dramatic slowdown in infections from 10am to 5pm ET at incidents.org!

    New hourly infections were roughly 9,000, 10,000, 9,000, 7,000, 4,000, 1,000, and then 300?!?

    I wonder what's the story. Out of an estimated 6 million vulnerable hosts, Microsoft claiming 1 million recent patch downloads, and just 2,000 misconfigured systems continuing to spread the worm throughout the dormancy period, could we really be done at just 127,000 new infections?? Perhaps the data collection method is flawed. They collect logs from dshield right? I wonder if many firewalls are slow to report or something..

    something just doesn't seem right here.. We'll never get to a million infected hosts at a rate of 300 per hour!!

    --
    Intelligent Life on Earth
  252. Good advertising for MS by DrCode · · Score: 2
    Sure, we in the Linux community think of this as another strike against Microsoft. But the way the news is being reported, the message to the general public is:

    1. The internet is being threatened.
    2. Microsoft is providing the fix.

  253. Re:Oh, Phew... by billh · · Score: 2

    You have a low enough UID to have a clue, so I'm curious, why do you have Apache resolving IPs in the log? Low volume server, or maybe you know the magic to make the resolution fast enough for Apache not to care? (I'm assuming Apache, anyway).

    I've been hit twice more since I started reading this story. 53 Code Red checks on my 16 IPs now. Heard from a couple of people with Cisco 678s, too. They aren't very happy today.

  254. ARIN seems to be feeling it... by slykens · · Score: 1
    Heh.

    I am trying to keep track of where I am getting hits from geographically. So far I've got one US host, a bunch of Korean hosts, and a Mexican host.

    whois.arin.net seems to be rather swamped from my end of the net. Kinda makes me wonder if ARIN is bogged down with lotsa whois requests or things are just generally slow there today.

  255. I've just seen *something*. by Anonymous Coward · · Score: 0
    I must say that I've just seen a couple of CodeRed-like hits on our firewall. Seemed to originate from Taiwan. Which might make sense if their clock is set to think that local time is GMT

    If so, then this may get worse in the next few hours...

    Just a thought.

    -bob
    reality has quit (ping timout)

  256. Stephen King, writer, dead at 54 by Anonymous Coward · · Score: 0

    Horror/fiction writer Stephen King was found dead in his Maine house this morning. I'm sure we'll all miss him - even if you didn't read his books you've probably enjoyed one of his movies. Truly an American icon.

  257. Re:Don't speak too soon by Anonymous Coward · · Score: 0

    Well I would love to be able to fix this, I had it nice and formatted properly and then Slashdot said it was posted 276860 hours ago. The story didn't even exist then!!!

    Previewing that comment keeps messing things up for some reason (/. bug?) so I started a new comment and posted it again, it worked, but of course I forgot to hit code...

  258. Oh, Phew... by waldoj · · Score: 2

    So I guess I don't have to worry about all of these in my logs, huh?

    ool-18bf4a76.dyn.optonline.net - - [01/Aug/2001:12:01:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN[fucking lameness filter]NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%u cbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332

    Phew. Thanks guys. I'll just ignore those, then.

    -Waldo
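    The log excerpts quoted in this thread (the default.ida requests above and near the top of the page) and the confusion over incidents.org's "probes per hour" versus "total infected hosts" tables are both easy to work through on your own access log. The script below is an added example, not code from anyone in the thread and not incidents.org's collector: it parses Apache common/combined log lines, flags the probe shape quoted here (a request for /default.ida whose query is a long run of one filler letter followed by %u-encoded words), and tallies probes per hour alongside distinct source hosts. The sample log lines, hosts and the 224-character filler length are constructed for the example; the eight-repeat threshold in the regex is this example's choice.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Apache common/combined log format: host ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Shape of the probe quoted in the thread: a request for /default.ida (the
# Index Server ISAPI extension) whose query string is a long run of one
# filler letter followed by %uXXXX-encoded words. Any letter is accepted as
# filler; at least eight repeats are required so a short ordinary query does
# not match. The eight-repeat threshold is this example's own choice.
PROBE_RE = re.compile(
    r'^/default\.ida\?(?P<ch>[A-Za-z])(?P=ch){7,}(?P<payload>(?:%u[0-9A-Fa-f]{4})+)',
    re.IGNORECASE,
)


@dataclass
class ProbeSummary:
    total_probes: int = 0
    probes_per_hour: Counter = field(default_factory=Counter)
    hosts_per_hour: dict = field(default_factory=lambda: defaultdict(set))
    distinct_hosts: set = field(default_factory=set)
    unparsed: int = 0


def parse_line(line):
    """Split one access-log line into its fields, or None if it is not log-shaped."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """True if the request path looks like the .ida overflow probe."""
    return PROBE_RE.match(path) is not None


def hour_bucket(ts):
    """'01/Aug/2001:07:22:21 -0700' -> '01/Aug/2001:07'"""
    return ts[: ts.index(":") + 3]


def summarize(log_text):
    """Count probes per hour and the distinct sources behind them."""
    s = ProbeSummary()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            s.unparsed += 1
            continue
        if not is_code_red_probe(rec["path"]):
            continue
        hour = hour_bucket(rec["ts"])
        s.total_probes += 1
        s.probes_per_hour[hour] += 1
        s.hosts_per_hour[hour].add(rec["host"])
        s.distinct_hosts.add(rec["host"])
    return s


# Constructed sample log. Hosts and times are made up; the request string is
# assembled from the pieces quoted in the thread. The real probe pads with a
# long run of N's; 224 is used here as an assumed length.
FILLER = "N" * 224
PAYLOAD = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
           "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
PROBE = f"/default.ida?{FILLER}{PAYLOAD}"

SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [01/Aug/2001:07:22:21 -0700] "GET {PROBE} HTTP/1.0" 404 205',
    f'10.0.0.5 - - [01/Aug/2001:07:22:25 -0700] "GET {PROBE} HTTP/1.0" 404 205',
    '192.0.2.9 - - [01/Aug/2001:07:40:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    f'192.0.2.77 - - [01/Aug/2001:07:55:18 -0700] "GET {PROBE} HTTP/1.0" 400 332',
    f'198.51.100.3 - - [01/Aug/2001:09:39:56 -0700] "GET {PROBE} HTTP/1.0" 404 205',
    f'10.0.0.5 - - [01/Aug/2001:09:41:00 -0700] "GET {PROBE} HTTP/1.0" 404 205',
    '198.51.100.3 - - [01/Aug/2001:09:50:00 -0700] "GET /default.htm HTTP/1.0" 200 512',
    '203.0.113.8 - - [01/Aug/2001:09:52:00 -0700] "GET /default.ida HTTP/1.0" 404 -',
])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s.total_probes} probes from {len(s.distinct_hosts)} distinct hosts")
    for hour in sorted(s.probes_per_hour):
        print(f"  {hour}: {s.probes_per_hour[hour]} probes, {len(s.hosts_per_hour[hour])} hosts")
    # summing per-hour host counts double-counts hosts seen in more than one hour
    print("sum of per-hour hosts:", sum(len(h) for h in s.hosts_per_hour.values()))
```

    Run it against a real log with `summarize(open("/var/www/logs/access.log").read())`. On the constructed sample, five probes come from three hosts, but adding up the per-hour host counts gives four, because 10.0.0.5 shows up in two different hours; that is the same effect that makes the hourly table on incidents.org sum to more than the distinct-host total. A 404 or 400 on these requests (as on the Apache logs quoted in the thread) means the probe hit something that is not IIS, so the host was scanned, not infected.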

  259. Re:Affects more than just IIS servers by labratuk · · Score: 1
    Yes, but people know about cars (relatively). They seem to understand them.

    Whereas with the internet people who dont know anything about it are scared of it and often fail to apply basic real-world logic to it. So the conclusion they come up with are frequently completely irrational.

    --
    Malike Bamiyi wanted my assistance.
  260. the reason is... by JEDi_ERiAN · · Score: 0, Troll

    The reason why sircam is not being publicized nearly as much as code red is because...M$ owns the media. They wrote the code red "virus" and sent it out, simply to get their name in the media, and even better, that they worked hard at making a patch available before the "attack" was supposed to happen. This is just more publicity for M$, and they are loving every minute of it.

    E.

    --

    -
    This Post has been brought to you by the letter "E".
  261. Data integrity defences by tjwhaynes · · Score: 2

    You DOS a server, they move it to a different address. You format a hard disk, they restore from last night's backup, but if you modify a couple of files here or there and reset the modification date, they won't even notice until all the backups are corrupt as well.

    They now have to check *every* document, spreadsheet and database by hand to see if it's been modified and then try to find an unmodified version in the backup. It could get very nasty if the documents/spreadsheets/databases have *also* been updated legitimately in the meantime, mixing legitimate information with junk.

    That's why you should be running an integrity checking system, such as Tripwire, to keep tabs on files which change on your system. Run in conjunction with something like LIDS where you can stop a file being edited while allowing log records to be appended, or where all your logs are sent to another machine as a backup (or even to a line-printer), you know precisely what has changed and when, regardless of the change dates.

    Quite frankly, if the MD5sums on my files change without the dates changing, that's a pretty big hint that you have been compromised. Time to reach for the backups.

    Cheers,

    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
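    The check described in the post above (a file whose digest changes while its modification date does not) is small enough to write down. The script below is an added example, not Tripwire and not the poster's code: it snapshots digest, size and mtime for every file under a directory, then classifies later differences, with "backdated" reserved for the case where the content changed but the recorded mtime was put back. The demo tree, file names and contents are constructed for the example, and SHA-256 is used in place of the MD5 sums the post mentions.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Digest, size and mtime (ns) of every regular file under root, keyed by relative path.

    In real use the result must be stored where the attacker cannot rewrite it
    (another host, read-only media, a signed database); a baseline on the same
    disk is just another file to edit."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return baseline


def compare(root, baseline):
    """Classify differences between the tree on disk and the stored baseline.

    'backdated' is the interesting class: the content digest changed while the
    recorded mtime did not, which no ordinary edit produces."""
    current = build_baseline(root)
    findings = {"modified": [], "backdated": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings["removed"].append(rel)
        elif new["sha256"] != old["sha256"]:
            key = "backdated" if new["mtime_ns"] == old["mtime_ns"] else "modified"
            findings[key].append(rel)
    findings["added"] = [rel for rel in current if rel not in baseline]
    return findings


def demo():
    """Build a small constructed tree, snapshot it, then make three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        conf = root / "config" / "app.conf"
        notes = root / "notes.txt"
        conf.write_text("db_host=10.0.0.2\n")
        notes.write_text("quarterly numbers\n")
        baseline = build_baseline(root)

        # 1. ordinary edit: content changes and mtime moves forward (set
        #    explicitly so the demo does not depend on filesystem timestamp granularity)
        st = notes.stat()
        notes.write_text("quarterly numbers (revised)\n")
        os.utime(notes, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))

        # 2. the trick described in the post: edit the file, then put the
        #    old mtime back so a date-based check sees nothing
        st = conf.stat()
        conf.write_text("db_host=203.0.113.5\n")
        os.utime(conf, ns=(st.st_atime_ns, st.st_mtime_ns))

        # 3. a dropped file that was never in the baseline
        (root / "dropped.exe").write_bytes(b"MZ")

        return compare(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10s} {files}")
```

    The mtime comparison is only meaningful because the baseline was taken before the attacker had a chance to touch the tree, and only holds up if the baseline itself lives somewhere the attacker cannot write. Compare against the baseline, never against the previous run, or a backdated change that slips past one run becomes the new normal.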
  262. Re:Same Here by stilwebm · · Score: 2

    I talked to my parents last night who had both come to the conclusion that they could not connect to the internet (they have DSL) because AOL had shut down to avoid the worm. The funny thing was, it turned out the SirCam virus was responsible for their screwed up TCP/IP stack.

  263. Re:Same Here by Delirium+Tremens · · Score: 1
    Yeah, sheeh. Sometimes I am afraid of clicking on ".iso" links because it can bloat my browser's cache and file system soooo fast. "Mandrake80-inst.iso" can now crash my PC in 4 seconds, that's even faster than the installation process itself...

    ... Alright, I-A-m-S-o-r-r-y for the typo. Thanks for pointing out.

  264. Qwest DSL Users by Anonymous Coward · · Score: 0

    Qwest has a help page up with instructions to prevent Cisco routers from hanging after being probed by the worm.

  265. Shouldn't answer a troll, but... by Midnight+Ryder · · Score: 2

    When was the last time your Microsoft Windows server lasted a week without re-booting? I know people who re-boot their machines daily, "just in case."

    Been quite a while - the last 'reboot' was an unintentional shutdown due to hardware failure. It's been up 3 months since that failure - and no, it's not susceptible to the CodeRed worm, since I see no need to run unused services on my machine (in this case, the Index service is where the vulnerability is at - and it's turned ON by default.)

    --

    Davis Ray Sickmon, Jr - looking for something to read? Check out my three free novels at MidnightRyder.org

  266. Like the three 'experts' who called y2k? by Sj0 · · Score: 1

    The media knows *NOTHING* about technology, and whenever they get more than one crackpot with a similar story, they run with it. *ESPECIALLY* when it has to do with the magic boxes that the internet runs on.
    Was anybody else unnerved by how they used the same three experts for the y2k problem for the whole 3 or so years that the media was covering it? People honestly believed in some places that the world was coming to an end...
    The horribly funny thing about it is; if Y2K wiped out your bank account, it would also wipe out your debt. Problem? I don't see one. The media made it sound like a few things would happen that would destroy humanity, without talking about A) the countereffects (bank account = loan too), or B) how easy some of them are to stop (ie. nukes going to blow in 2000? pull the plug in december 1999).

    The mass-media no longer is a public service, but a machine meant to keep the population ignorant. There should be a rule that news providers are only allowed to give news, and not be a part of anything else. This way, ultra-biased reporting like is shown every day on the 11 o'clock news is avoided.


    ...And did anybody else notice how many times they tried to set a date for y2k to strike? I counted 9/9/99, New Year's 2000, February 2000, and I'm surprised they didn't try to do it again (with a y2k.1 bug type thing -- it doesn't have to be the truth, just as long as they can find the one person from paranoia university that says that the programmers screwed us again and the magic boxes that we go on the internet with are going to all die, and the world will be plunged into darkness, it's news!)

    Sheep. Why does the world need to be herded around like they are mindless drones? Most really aren't, they're just treated like it...

    --
    It's been a long time.
  267. Code Red...unneeded hype..... by Chanc_Gorkon · · Score: 3, Insightful
    Yeah the problem could have been serious if we all had our heads buried in the ground, but most of us, even the dumb ones have heard about this. In my town they even talked about it on Talk Radio. While I agree that there was some need for a warning/alert, I feel, because of the nature of the virus, there was TOO much hype.

    Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may lose their lives because they ignore the warning. They don't want to risk not issuing a warning, but if there's a possible severe storm heading our way, they want to make sure it's severe before issuing the warning (hence weather spotters, advancing NEXRAD and other things of this sort). If they just issued a warning for every cell that has a possibility of being severe, then the people may dismiss a valid warning.

    Why does this compare to the Code Red thing? If you hype the virus too much, if the attack is benign or doesn't happen, then when a real bad virus hits and spreads across the net, the people will ignore it and open the stupid attachment or not patch the computer. The media needs to start being responsible and until the media becomes less liberal and less concerned about getting ratings, we will have to live with over-hypeness such as Y2K and the Code Red. And when the big one comes, because the media cried wolf so many times, the un-thinking populace will suffer. Also, there were people worrying about their PeeCee's at home when this thing has no danger to the common schlub running Windows 98 or ME. The worst that can happen to them is they have no access or slow access to the internet. The common schlub cares more about the price of gas on the corner than if his internet connection works. (I on the other hand would be freakin! ;) )

    --

    Gorkman

  268. Re:The foul-mouthed individual in the last post by Johnycomel8ly · · Score: 1

    Yeah, you're right. Better late than never... Unless, of course, enough of microsoft's hundreds of thousands of customers don't get to their website to download their "laziness-fixer" before the worm that exploits their near-sightedness causes the entire internet to become gridlocked for a week or so. We should all give our retinas a rest anyways.

    --

    - Don't get in fights with ugly people, they've got nothing to lose. -
  269. white house by crazyfrenchmen · · Score: 1

    Why do they care more about Code Red than Sircam? Simply because Code Red attacks the holy White house .org; like always, it's a political problem, not a technical one.

    --
    "Failure is not an option, it comes bundled with the software"
  270. Re:When are virus/worm writers going to get seriou by Anonymous Coward · · Score: 0


    > mean, these DOS attacks are not really all
    >that damaging. If you want to cause some damage
    >then you alter a few words in word files and
    >web pages, change a few numbers in spreadsheets
    >and databases every few days.

    Shhh. Do not call attention to these operations.

  271. effect vs affect by Anonymous Coward · · Score: 0

    >the Apache server [...] wasn't effected

    affect (verb)- The worm will only affect Windows servers running unpatched Index Service.

    effect (noun)- The effect of the spread of this worm is to potentially choke bandwidth making the internet appear to be slow/gone.

  272. Reading Excel files from Sircam? by molund · · Score: 1

    I have been having lots of fun for the past week reading people's private Word documents, but when I opened an Excel document in a text editor, I couldn't read anything.

    I did a little research, and I discovered that Sircam appends itself to the beginning of a file, and it is 137,216 bytes. Therefore, by stripping the first 137,216 bytes off the beginning, you have the original file.

    I found a utility this morning that will do this. It is called "fb". You can get it here.

    The command to strip a file is:

    C:\> fb a 137216 "file name.xls.pif" "file name.xls"

    Happy Snooping!
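    The same strip operation, as an added example (not the "fb" utility the post links to, and not code from anyone in this thread). It assumes exactly what the post states: the worm body is prepended to the stolen document and is 137,216 bytes long. Because the post talks about .xls files, it adds the check a practitioner wants after stripping: legacy Excel and Word files are OLE2 compound documents and start with the bytes D0 CF 11 E0 A1 B1 1A E1, so if the stripped output does not start with that header, the prefix length is wrong for this sample. The carrier bytes built in the block are constructed, not a real worm or spreadsheet.

```python
"""Strip a fixed-size prepended payload from a Sircam-style carrier file.

Added example for this thread, not the "fb" tool from the post.  Assumes
(per the post) that the worm body is prepended to the document and is
exactly 137,216 bytes.  The sample bytes are constructed, not real files.
"""
from pathlib import Path

SIRCAM_PREFIX_LEN = 137_216  # length of the prepended worm body, per the post

# OLE2 compound-document header shared by legacy Office formats (.xls/.doc/.ppt)
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def strip_prefix(data: bytes, prefix_len: int = SIRCAM_PREFIX_LEN) -> bytes:
    """Return data with the first prefix_len bytes removed.

    Raises ValueError if the input is not larger than the prefix, which
    means this is not a carrier of the expected shape (or the length is wrong).
    """
    if len(data) <= prefix_len:
        raise ValueError(
            f"input is {len(data)} bytes, not larger than the {prefix_len}-byte prefix"
        )
    return data[prefix_len:]


def looks_like_ole2(data: bytes) -> bool:
    """Sanity check for .xls/.doc output: legacy Office files start with the OLE2 magic."""
    return data.startswith(OLE2_MAGIC)


def recover_document(carrier: Path, out: Path) -> bool:
    """Strip the carrier on disk, write the payload, report whether it looks like OLE2."""
    payload = strip_prefix(carrier.read_bytes())
    out.write_bytes(payload)
    return looks_like_ole2(payload)


def build_constructed_carrier() -> bytes:
    """Constructed input: a dummy 'worm' (PE files begin with 'MZ') plus a fake OLE2 header."""
    fake_worm = b"MZ" + b"\x00" * (SIRCAM_PREFIX_LEN - 2)
    fake_doc = OLE2_MAGIC + b"\x00" * 504  # minimal 512-byte OLE2-style header block
    return fake_worm + fake_doc


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        carrier = Path(tmp) / "file name.xls.pif"
        carrier.write_bytes(build_constructed_carrier())
        recovered = Path(tmp) / "file name.xls"
        ok = recover_document(carrier, recovered)
        print(f"{recovered.name}: {recovered.stat().st_size} bytes, OLE2 header: {ok}")
```

    The carrier itself is a Windows executable, so handle it as bytes on a machine that will not run it (never double-click the .pif). Only the bytes are removed; if the header check fails, do not trust the output, since a different prefix length would leave part of the worm glued to the front of the document.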

  273. When are virus/worm writers going to get serious? by Colin+Smith · · Score: 3, Insightful

    I mean, these DOS attacks are not really all that damaging. If you want to cause some damage then you alter a few words in word files and web pages, change a few numbers in spreadsheets and databases every few days.

    Data *corruption* is far more damaging than blitzing a server or formatting a hard disk. It's where the real danger lies.

    You DOS a server, they move it to a different address. You format a hard disk, they restore from last night's backup, but if you modify a couple of files here or there and if you reset the modification date then they won't even notice until all the backups are corrupt as well.

    They now have to check *every* document, spreadsheet and database by hand to see if it's been modified and then try to find an unmodified version in the backup. It could get very nasty if the documents/spreadsheets/databases have *also* been updated legitimately in the meantime, mixing legitimate information with junk.

    So, I'm not worried about files being deleted or servers being DOSd. I have backups, I can move servers, it's a minor inconvenience at worst.

    I'm worried about trojans/worms which search boxes and *change* information.

    --
    Deleted
  274. What are you complaining about? by dave-fu · · Score: 1

    Would you rather see this be another self-fulfilling media prophecy (a la Attrition's dissection of the US/China "hacker war" that was supposed to be going on) or would you rather see the problems get fixed?
    As I read it, there are already 22K infected hosts out there (as of 10-11 AM) that incidents.org has found; how many more haven't probed their servers yet? The A and B strains of the worm aren't as plodding in their search for new servers to infect, and there could be even more strains out there. Hopefully, some braindead admins out there have taken note of all the media coverage and will patch their machines before this ramps up any further than it already has.
    Or would you rather journalists got their copy about the devastating effects of the worm done in advance rather than trying to prevent it?

    --
    Easy does it!
  275. Affects more than just IIS servers by CausticPuppy · · Score: 5, Insightful

    How about this (admittedly cheesy) analogy...
    Say there's some bug that causes all Hondas on the road to stop running. It only infects Hondas though. But that sure would create a traffic mess for everybody, including those that don't drive Hondas.
    Now if thousands of IIS servers are clogging your ISP's routers, your Apache server would seem really slow to anybody trying to access it, if they can get there at all.

    --
    -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
  276. More media crapola by Erbo · · Score: 2
    This morning, David Coursey on ZDNet AnchorDesk is recommending that we guard against future "threats" like Code Red by setting up "national firewalls" and an Internet "border patrol" to ensure that THe Net will "become a real civil society in which rules matter and violators are punished."

    I know that virtually everyone who reads this site will agree that this is a load of crap, so let me just summarize my reaction: "To save the Internet, it was necessary to destroy the Internet."

    Eric

    --
    Be who you are...and be it in style!
  277. Do NOT click that link! Virus! by L3WKW4RM · · Score: 1

    Norton AntiVirus popped up when I hit that page: Scan type: Realtime Protection Scan Event: Virus Found! Virus name: Backdoor.Sadmind.Dr File: C:\Documents and Settings\xxxxx\Local Settings\Temporary Internet Files\Content.IE5\DIDOG2BA\211.161.209[1].htm Location: Quarantine Computer: YYYYY User: xxxxx Action taken: Clean failed : Quarantine succeeded : Access denied Date found: Wed Aug 01 12:31:05 2001

  278. Re:Don't speak too soon by naasking · · Score: 1

    huh. Look at that. 6 times today hitting just about every 1/2 hour.

  279. Same Here by Delirium+Tremens · · Score: 2
    My INCOMPETENT DSL provider (that wishes to remain Anonymous) has been severely hit by the worm. My 1500+ Mb/s connection has been down since July 20th, and I've been forced to put my old analog modem back to use, with its RELIABLE 56 Kbaud speed.

    Thank you soooo much, Telocity!
    Or is it DirectTvInternet, now?
    (Oops, I said it...)

  280. Conspiracy Theories! by beeblebrox87 · · Score: 1

    Perhaps the whole point of Code Red was to distract people from Sircam! Probably not the intent, but certainly the effect.

  281. Why Code Red is hot and SirCam is old news by selan · · Score: 2, Interesting
    • Users perceive SirCam as just another virus. User reaction: Silly me, I got another virus. When will I learn not to open attachments?
    • On the other hand, users see Code Red as a scary worm. User reaction: Ohmiga, I got HACKED!
    • The perception is that Code Red is an external threat, but SirCam is the fault of the users who open the attachment.
    The good side effect of all the hype is that all those vulnerable servers out there are getting patched and more destructive worms won't use this vulnerability in the future. I think that's the real reason that security experts are hyping Code Red so much--they want people to patch their servers.
  282. Yeah... by talks_to_birds · · Score: 1
    ...like the Washington Post is a big expert in Internet security issues.

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
  283. Don't speak too soon by gorgon · · Score: 1
    I think that everyone's a little too quick to call Red Code a dud this time around. It's still pretty early in this growth phase, and I've already gotten two Red Code hits on our web server (and I only got 19 last time). Of course it's not going to drag the internet to a screeching halt, but it may make as much a nuisance of itself as it did a couple of weeks ago. Remember the growth phase is supposed to go until the nineteenth.

    And if it does end up being a dud that's a good thing, right? Just like Y2K all of the ridiculous media coverage of Red Code got enough people to patch their servers so that it couldn't grow as quickly this time.

    Of course I wish more of the media coverage would criticize Microsoft for making holey software that allows these worms to propagate so easily, but you can't always get what you want.

    --

    And I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners.
    Berke Breathed
    1. Re:Don't speak too soon by mini+me · · Score: 1

      I prefer: cat access_log | grep NNNNN | wc -l
      Just cause I like typing out long commands! Now for something more useful:

      #!/usr/bin/perl
      # Setup
      #
      # Location of access_log
      $access_log = '/usr/adm/access_log';
      #
      # Save directory
      $save_dir = 'worm';
      #
      # Lynx location, leave blank to skip page downloading
      $lynx = 'lynx';

      # Program
      open(LOG, $access_log) || die "Unable to open $access_log";
      while ($line = <LOG>) {
          # Code Red probes carry a long run of N's in the request URI
          if ($line =~ /NNNNN/) {
              # first field of an Apache log line is the client address
              ($addr, $null) = split(/ /, $line);
              if ($lynx ne "") {
                  print "Retrieving page from: $addr\n";
                  $addr_us = $addr;
                  $addr_us =~ s/\./_/g;
                  # system(), not exec(): exec would replace this script with
                  # lynx on the first match and never read the rest of the log
                  system("$lynx -dump http://$addr/ > $save_dir/$addr_us.htm");
              } else {
                  print "$addr\n";
              }
          }
      }
      close(LOG);

  284. It's out there by Rupert · · Score: 2

    ... but how fast is it spreading?

    I don't think we'll know until at least tomorrow. Remember, this thing is going to stay in propagation mode for another 18 days.

    I checked my Apache logs first thing this morning - nothing. Since 3pm UTC I've had a couple (one from China, one from Korea) of hits (compared with 19 last time). Asking around the office of others with home web servers, this seems typical, per IP address.

    --

    --
    E_NOSIG
  285. The *REAL* Danger here... by mprinkey · · Score: 1

    ..is the enormous traffic generated by all of the /. folks hitting reload on the incidents.org website!

  286. CR gets more press because it has a cool name by shaneb11716 · · Score: 1
    Marketing works :~)

    -Shane

    --
    I love teh int4rw3b!!!!!111one1
  287. Same thing here by matty · · Score: 1

    I'm up to 27 total attempts like you describe on 2 servers (15 & 12), 7 in the last 2 hours alone.

  288. Predicted Code Red Growth by Anonymous Coward · · Score: 0

    Using data available through 1 PM EDT, I performed a fit to standard population growth equations with considerable success. From this I predict a maximal number of simultaneously infected servers at

    75,000 +/- 10%
    with 95% of maximal saturation by 6 PM EDT.

    75,000 is still quite a lot, but it's a significant drop from 200,000+, so I suppose all the coverage has made some difference.

  289. Premature Announcement...much? by Julius+X · · Score: 2

    I think that it's WAY too early to be saying anything about Code Red yet. I dunno why the Washington Post, et al. were making a so-called 8:00pm deadline...considering it wasn't supposed to start until the 1st anyway--not the 31st.

    If we remember from last time, the spread didn't start to go insane until 1-2:00pm...which would make the net slow down right...about........now.

    --

    -Julius X
    remove "-whatkindofspamdoyoutakemefor-" from email to send
  290. Watch it Grow by Morris+Schneiderman · · Score: 1
    Here's a link to http://www.internettrafficreport.com/index.html.

    North America has the poorest performance, but the major routers all over the world are slowing down.

    If you click on any region, you will see detailed stats for the major backbone machines, plus performance graphs for the region.

    Sorry, but it's not looking good.

    ps. I just clicked the link in preview and, while the performance indices have not changed much in the past few minutes, the trends have all flipped from down to up. So who knows...

  291. My server logs show infection mounting ... by ehack · · Score: 1

    211.21.0.82 - - [01/Aug/2001:23:42:12 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 322 "-" "-

    --
    This is not a signature.
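    A log line like the one above is the whole signature of a Code Red probe against a non-IIS server: a GET for /default.ida whose query string is a long run of a filler character followed by %uXXXX-encoded code aimed at the .ida ISAPI overflow, answered here with a 400. The block below is an added example (not code posted by anyone in this thread, and not the Perl script above) that parses Apache access-log lines and tallies probes per source address, which is what the grep-and-wc one-liner does except that it does not miscount a benign line that merely contains "NNNNN" elsewhere. It goes one step past the page by also matching an X filler, which the later Code Red II variant used. The log lines are constructed to mirror the shape of the posted one, with RFC 5737 documentation addresses rather than real hosts.

```python
"""Tally Code Red probes in Apache access logs, per source address.

Added example for this thread; the log lines are constructed and the
addresses are from RFC 5737 documentation ranges, not real hosts.
"""
import re
from collections import Counter

# Apache common/combined log format; the first seven fields are enough here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red probe: GET /default.ida with a long run of one filler byte (N in the
# original worm; X in Code Red II) followed by %uXXXX-encoded payload bytes.
CODE_RED_RE = re.compile(r'^/default\.ida\?([NX])\1{20,}.*%u[0-9a-f]{4}', re.IGNORECASE)

# Tail of the request as it appeared in the posted log line.
SHELLCODE_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
    "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
PROBE_N = "/default.ida?" + "N" * 224 + SHELLCODE_TAIL
PROBE_X = "/default.ida?" + "X" * 224 + SHELLCODE_TAIL

# Constructed sample log: two N probes from one host, one X probe, one benign
# request whose user-agent happens to contain "NNNNNN", and one garbage line.
SAMPLE_LOG = [
    f'192.0.2.10 - - [01/Aug/2001:23:42:12 +0200] "GET {PROBE_N} HTTP/1.0" 400 322 "-" "-"',
    '198.51.100.7 - - [01/Aug/2001:23:43:01 +0200] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0 (NNNNNN)"',
    f'192.0.2.10 - - [02/Aug/2001:00:11:40 +0200] "GET {PROBE_N} HTTP/1.0" 400 322 "-" "-"',
    f'203.0.113.5 - - [02/Aug/2001:00:30:05 +0200] "GET {PROBE_X} HTTP/1.0" 404 280 "-" "-"',
    "truncated line with no request field",
]


def parse_line(line: str):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_code_red(path: str) -> bool:
    """True if the request path matches the Code Red /default.ida probe."""
    return bool(CODE_RED_RE.match(path))


def summarize(lines):
    """Return (Counter of probes per source IP, number of lines that did not parse)."""
    per_ip = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["method"] == "GET" and is_code_red(rec["path"]):
            per_ip[rec["ip"]] += 1
    return per_ip, unparsed


def naive_grep_count(lines) -> int:
    """What `grep NNNNN | wc -l` reports: substring hits anywhere in the line."""
    return sum("NNNNN" in line for line in lines)


if __name__ == "__main__":
    per_ip, unparsed = summarize(SAMPLE_LOG)
    print(f"probes per source: {dict(per_ip)}  (unparsed lines: {unparsed})")
    print(f"naive grep count: {naive_grep_count(SAMPLE_LOG)}")
```

    On the constructed sample the parser reports two probes from 192.0.2.10 and one from 203.0.113.5, while the naive grep reports 3 by counting the benign user-agent line and missing the X variant. A status other than 2xx on a probe line means the server answered the request with an error rather than handing it to an .ida handler, which is what you expect on Apache; the source address is still a host that is itself infected and worth reporting to its network's abuse contact.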
  292. Picking up steam? by gunnk · · Score: 1

    incidents.org is currently showing 115,000 infected machines (when they're showing anything at all -- really hard to get to the site). I saw nothing all day but have had 5 probes against port 80 (http) in the last hour according to my firewall. 4 appear to be from nameservers and 1 looks like a FIREWALL! Oh, the irony...

    --
    Life is short: void the warranty.