Slashdot Mirror


Code Red Goes The Way Of Y2K

beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?

7 of 407 comments

  1. Worm Author's Restraint by Travis Fisher · · Score: 5, Interesting
    Has anyone stopped to notice how much restraint the worm writer is showing? Think a second. The person writing this thing was not an idiot. It required serious technical skills and probably a large investment of time and energy. Anyone who says "Oh, the worm author was so stupid for using a hard-coded IP address for whitehouse.gov" or "They must have been dumb to forget to seed their random number generator" is not looking carefully. The worm has always been carefully, purposefully shackled by its creator not to do too much harm. Did you read the eEye analysis? Or the CAIDA or Staniford statistical studies of the worm's spread? Some facts:
    • The first version of the worm appeared on July 13 or so.
      • It had an unseeded random number generator, so the IPs it scanned were a fixed sequence -- BUT it contained the code to seed the random number generator; this code was disabled.(*)
      • Its DoS attack was set to bomb a particular fixed IP address, AND not even send the bomb packets if that IP could not be reached
      • It contained code to deface web pages served, making its presence very visible well before the bombing attack was scheduled to take place
      • It contained code to deactivate its spread if a particular file (c:\notworm) was present.
      • It contained code to deactivate its spread after the "attack phase" began
    • On July 19, a second version was introduced.
      • The second version re-enabled the random number generating seed but was otherwise no less shackled than the first version.
      • This version spread exponentially, with growth finally being limited by the number of susceptible servers connected to the internet and the fact that it reached the time of the "attack phase"
      • This version infected over 359,000 hosts in under 14 hours.
    (*)I read this somewhere but can't relocate that source right now. The rest of the info comes directly from the sources linked above.

    The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained. More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com, there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small of a ratio to DoS all of them, but remember to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.
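    The unseeded-generator point above is worth seeing in numbers. What follows is an added example, not code from the comment, from the eEye analysis or from the worm itself: a toy model of a worm population whose scan-target generator is either left at its default state on every host (as the first version's was) or seeded per host. The LCG and the per-host seed function are illustrative stand-ins, not the worm's actual generator.

```python
"""Added example: why an UNSEEDED scan-target generator cripples a worm.
Not code from the post, from eEye's analysis or from Code Red; the LCG
below is a textbook generator used as a stand-in for the worm's own."""


def lcg(seed: int):
    """Minimal 32-bit linear congruential generator (glibc-style constants)."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        yield state


def scan_targets(seed: int, count: int) -> list[str]:
    """Return `count` pseudo-random IPv4 targets as dotted quads."""
    gen = lcg(seed)
    out = []
    for _ in range(count):
        x = next(gen)
        out.append(f"{(x >> 24) & 255}.{(x >> 16) & 255}.{(x >> 8) & 255}.{x & 255}")
    return out


# Per the C standard, rand() called without srand() behaves as if srand(1)
# had been called, so every infected host starts from the same state.
DEFAULT_SEED = 1


def host_seed(host_id: int) -> int:
    """Hypothetical per-host seed (stands in for e.g. a clock or address value)."""
    return (0xDEADBEEF * (host_id + 1)) & 0xFFFFFFFF


def unique_targets(hosts: int, per_host: int, seeded: bool) -> int:
    """Count the distinct addresses that `hosts` infected machines scan in total
    when each scans `per_host` targets. Unseeded, every host walks the same
    list, so the whole population covers only `per_host` addresses and keeps
    re-hitting the first victims instead of finding new ones."""
    seen = set()
    for host_id in range(hosts):
        seed = host_seed(host_id) if seeded else DEFAULT_SEED
        seen.update(scan_targets(seed, per_host))
    return len(seen)


if __name__ == "__main__":
    print("unseeded:", unique_targets(1000, 100, seeded=False))
    print("seeded:  ", unique_targets(1000, 100, seeded=True))
```

    Run it and the unseeded population of a thousand hosts scans exactly 100 addresses between them, which is the mechanism behind the first version's near-linear spread; re-enabling the seed is the one change that turns the same code into the exponential curve the second version showed.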

  2. No, let it blow! by twitter · · Score: 3, Interesting
    Hush! Let this thing blow up and get as bad as it will. I'll suffer a few days of slow net service so that the world might learn how irresponsible MS is and how bad their wares are. Of course, even if this is fought tooth and nail, it will still show up how inferior a closed source, NDA distribution model really is. Leave MS to warn their people.

    Relax, all you MS sysadmins. Nothing Really Bad is going to happen. Just sit tight and all this will blow over, like Melissa did. Educate your users and continue upgrading to W2K. Sleep, now.

    --

    Friends don't help friends install M$ junk.

  3. A solution to the problem? by pongo000 · · Score: 3, Interesting
    For years, virii in the medical industry have been associated with people or places. So, the poor town of Coxsackie, NY has its place in history as the origin of the Coxsackie (hand-and-foot) virus. Drs. Epstein and Barr will forever be associated with the virulent virus that bears their name. Why not name computer viruses/worms/self-propagators after the systems for which they are targeted?

    We could talk about the Microsoft Sircam virus, or the Microsoft CodeRed worm, or even the Linux Ramen worm. Forever sear into the minds of the ever-forgetful public the platform which fell victim, PR which most companies and organizations will try valiantly to avoid.

  4. It's obvious by cnkeller · · Score: 2, Interesting
    Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

    Because Code Red dealt with the White House, which is a national symbol and easily recognized by all the world. Never mind the fact that the white house web site was never in any danger of being taken off-line. Joe & Billy Bob don't know no stinking eye-pee addresses are. High profile attacks get the news...not that secret memo detailing a new flavor of Tang....

    --

    there are no stupid questions, but there are a lot of inquisitive idiots

  5. Yep. Gone with a whimper. by Tim Doran · · Score: 3, Interesting

    I got precisely one Code Red attack on my home linux box (via cable modem). Last time around, I had upwards of 25 attacks.

    Heard an interview with a Microsoft spokesperson this morning. Interesting how the terms 'Windows', 'NT', 'Windows 2000' and 'IIS' didn't come up once. Gotta protect those brands, I guess.

    (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

  6. MS NT/2000 buffer overflow vulnerabilities galore. by Anonymous Coward · · Score: 3, Interesting

    (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

    NT/2000 are chock full of buffer overflow vulnerabilities. Some have no patches available. How many more exist that are yet to be discovered? These known ones establish a pretty poor reputation that is difficult to get rid of. See this article from BugTraq:

    BindView Security Advisory
    --------

    Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
    Issue Date: July 30, 2001
    Contact: tsabin@razor.bindview.com

    Topic:
    Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
    Overview:
    Many DCE/RPC servers don't do proper parameter validation, and can be crashed by sending an improperly formatted request.

    Affected Systems:

    At least the following services are known to be affected. More servers are likely to be vulnerable. For a complete list of what Microsoft has patched, see their security bulletin mentioned below.

    W2K SCM (services.exe)
    NT4 SCM (services.exe)
    NT4 LSA (lsass.exe)
    NT4 Endpoint mapper (Rpcss.exe)
    W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
    SQL Server 7 (sqlservr.exe)
    W2K's DHCP Server
    W2K's IIS Server (inetinfo.exe)
    Exchange 5.5 SP3 (STORE.exe)
    Exchange 5.5 SP3 (MAD.exe)
    NT4 Spooler (spoolss.exe)
    W2K License Srv (llssrv.exe)
    NT4 License Srv (llssrv.exe)

    Impact:

    An unauthenticated remote attacker that can talk to the endpoint on which the server is listening can crash the server. In some cases, the servers may either restart themselves, or be restarted by the OS.

    Details:

    By sending successively larger and larger requests containing nothing but nulls to every operation on every interface supported by a DCE/RPC server, it's often possible to find a particular request that will crash a server. Note that it's not technically necessary to run through every possible request to crash a given server. Each server has a particular request (or requests) which crashes it. Once the proper request has been found by grinding through all the possibilities, only that request is needed to crash the server.

    The exact endpoints on which a server listens will vary from service to service. Many listen on named pipes, which are accessible via TCP port 139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP and UDP ports above 1024. Those services which do not listen on named pipes can usually be enumerated via the endpoint mapper, using rpcdump. rpcdump comes with the NT resource kit. A free version is also available on the RAZOR web site in the rpctools package.

    If COM Internet Services has been installed and enabled, then these attacks may be possible over port 80, as well. This is not a default configuration, however.

    Workarounds:
    Firewall off as much as possible.

    Recommendations:
    Install the appropriate patches from Microsoft.
    Do not install COM Internet Services.

    References:
    Microsoft's security bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS01-041.asp

    Microsoft's patches:
    The patches vary, depending upon the service.
    See the security bulletin for details.

    Microsoft's Knowledge Base article:
    http://support.microsoft.com/support/kb/articles/Q298/0/12.ASP
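    The "Details" section of the quoted advisory describes a simple technique: walk every opnum of every interface a server exposes, sending request PDUs whose stub data is nothing but nulls in growing sizes, and watch for the one that crashes a server that never validated its parameters. The following is an added example, mine rather than BindView's tool or any Microsoft code, that shows both sides of that: a builder for the connection-oriented DCE/RPC request PDUs such probes consist of, and the header validation a server should perform before trusting any length field that came off the wire. Nothing is sent anywhere; PDUs are built and checked in memory. The fragment limit `MAX_FRAG` is an assumed value standing in for whatever max_xmit_frag was negotiated at bind time, and only single-fragment, unauthenticated requests are handled.

```python
"""Added example (not BindView's or Microsoft's code): build the null-stub probe
PDUs the advisory describes and validate request headers the way a robust
DCE/RPC server must. Layout follows the DCE 1.1 RPC connection-oriented
request PDU: 16-byte common header, then alloc_hint, context id, opnum."""

import struct

PTYPE_REQUEST = 0
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
DREP_LE_ASCII_IEEE = b"\x10\x00\x00\x00"   # little-endian, ASCII, IEEE float
# rpc_vers, vers_minor, ptype, pfc_flags, drep, frag_length, auth_length,
# call_id, alloc_hint, p_cont_id, opnum
REQ_HDR = "<BBBB4sHHIIHH"
REQ_HDR_LEN = struct.calcsize(REQ_HDR)     # 24 bytes
MAX_FRAG = 5840                            # assumed negotiated max_xmit_frag


def build_request(ctx_id: int, opnum: int, stub: bytes, call_id: int = 1) -> bytes:
    """Encode a single-fragment request PDU carrying `stub` as its stub data."""
    frag_len = REQ_HDR_LEN + len(stub)
    hdr = struct.pack(REQ_HDR, 5, 0, PTYPE_REQUEST,
                      PFC_FIRST_FRAG | PFC_LAST_FRAG, DREP_LE_ASCII_IEEE,
                      frag_len, 0, call_id, len(stub), ctx_id, opnum)
    return hdr + stub


def null_probes(ctx_id: int, opnums: range, sizes=(0, 16, 256, 4096)):
    """The advisory's probe set: every opnum on an interface crossed with
    successively larger all-null stubs. Yields (opnum, size, pdu)."""
    for opnum in opnums:
        for size in sizes:
            yield opnum, size, build_request(ctx_id, opnum, b"\x00" * size)


def parse_request(pdu: bytes) -> dict:
    """Server-side validation. Every length here was chosen by the peer, so
    each is checked against what actually arrived before it sizes a buffer,
    drives a copy or is handed to the operation's unmarshalling code."""
    if len(pdu) < REQ_HDR_LEN:
        raise ValueError("short PDU")
    (ver, _minor, ptype, flags, _drep, frag_len, auth_len, call_id,
     alloc_hint, ctx_id, opnum) = struct.unpack(REQ_HDR, pdu[:REQ_HDR_LEN])
    if ver != 5 or ptype != PTYPE_REQUEST:
        raise ValueError("not a v5 request PDU")
    if flags & (PFC_FIRST_FRAG | PFC_LAST_FRAG) != (PFC_FIRST_FRAG | PFC_LAST_FRAG):
        raise ValueError("multi-fragment requests not handled in this example")
    if frag_len != len(pdu) or frag_len > MAX_FRAG:
        raise ValueError("frag_length inconsistent with bytes received")
    if auth_len != 0:
        raise ValueError("auth trailers not handled in this example")
    stub = pdu[REQ_HDR_LEN:frag_len]
    # alloc_hint is only a hint; a server that allocates or copies on it
    # without checking it against the data present is exactly what the
    # null-stub probes find.
    if alloc_hint > len(stub):
        raise ValueError("alloc_hint larger than stub data present")
    return {"call_id": call_id, "ctx_id": ctx_id, "opnum": opnum, "stub": stub}


def is_well_formed(pdu: bytes) -> bool:
    """True if parse_request accepts the PDU, False on any validation error."""
    try:
        parse_request(pdu)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for opnum, size, pdu in null_probes(ctx_id=0, opnums=range(4)):
        print(f"opnum {opnum:2d} stub {size:5d} bytes -> {len(pdu)} byte PDU, "
              f"well-formed={is_well_formed(pdu)}")
```

    The probes themselves are structurally valid PDUs; what they test is whether the code behind each opnum validates its own stub-level parameters (string lengths, array counts, pointers) as carefully as `parse_request` validates the header. The rejection of an oversized fragment is also the local form of the advisory's workaround: a server that cannot be reached on TCP 139/445 or the high ports the endpoint mapper hands out cannot be probed at all, so firewall those off wherever the service is not needed.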

  7. Why Code Red is hot and SirCam is old news by selan · · Score: 2, Interesting
    • Users perceive SirCam as just another virus. User reaction: Silly me, I got another virus. When will I learn not to open attachments?
    • On the other hand, users see Code Red as a scary worm. User reaction: Ohmiga, I got HACKED!
    • The perception is that Code Red is an external threat, but SirCam is the fault of the users who open the attachment.
    The good side effect of all the hype is that all those vulnerable servers out there are getting patched and more destructive worms won't use this vulnerability in the future. I think that's the real reason that security experts are hyping Code Red so much--they want people to patch their servers.