Code Red Goes The Way Of Y2K
beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?
- The first version of the worm appeared on July 13 or so.
- It had an unseeded random number generator, so the IPs it scanned were a fixed sequence -- BUT it contained the code to seed the random number generator; this code was disabled.(*)
- Its DoS attack was set to bomb a particular fixed IP address, AND not even send the bomb packets if that IP could not be reached.
- It contained code to deface web pages served, making its presence very visible well before the bombing attack was scheduled to take place.
- It contained code to deactivate its spread if a particular file (c:\notworm) was present.
- It contained code to deactivate its spread after the "attack phase" began.
- On July 19, a second version was introduced.
- The second version re-enabled the random number generator seed but was otherwise no less shackled than the first version.
- This version spread exponentially, with growth finally being limited by the number of susceptible servers connected to the internet and the fact that it reached the time of the "attack phase".
- This version infected over 359,000 hosts in under 14 hours.
(*) I read this somewhere but can't relocate that source right now. The rest of the info comes directly from the sources linked above.

The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained.

More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com, there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small a ratio to DoS all of them, but remember that to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.
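An added illustration of the unseeded-generator point in the comment above; this is example code written for this page, not Code Red's code and not from the commenter. The toy LCG and its constants, the way each instance derives its seed, and the scan sizes are all assumptions chosen so the demo is deterministic and runs offline. It shows why the July 13 version could not spread well: a thousand copies of a worm whose generator always starts from the same state probe exactly the same address list as one copy, while seeded copies each probe their own list and coverage grows with the infection count.

```python
"""Added example: the cost of an unseeded PRNG in a scanning worm.

Illustration written for this page, not Code Red's code.  The ToyLCG
constants, the per-instance seeds and the scan sizes are assumptions
chosen so the demo is deterministic and runs offline.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


class ToyLCG:
    """Stand-in for the worm's random number generator (assumed LCG)."""

    def __init__(self, seed=0):
        # An "unseeded" generator starts from the same fixed state on every
        # host; that is what a disabled seeding call amounts to.
        self.state = seed & MASK32

    def next_u32(self):
        # Classic full-period LCG parameters (assumption, for determinism).
        self.state = (1103515245 * self.state + 12345) & MASK32
        return self.state


def scan_targets(rng, count):
    """Return the next `count` 32-bit addresses this instance would probe."""
    return [rng.next_u32() for _ in range(count)]


def distinct_targets(instances, per_instance, seeded):
    """Size of the union of addresses probed by `instances` copies.

    seeded=False models the first version: every copy starts from the same
    state, so every copy probes the same fixed list.
    seeded=True models the second version: each copy gets its own seed
    (assumed here to be derived from an instance id).
    """
    seen = set()
    for i in range(instances):
        seed = (i * 0x9E3779B9) & MASK32 if seeded else 0
        seen.update(scan_targets(ToyLCG(seed), per_instance))
    return len(seen)


def as_dotted(addr):
    """Render a 32-bit integer as a dotted-quad string."""
    return str(ipaddress.IPv4Address(addr))


if __name__ == "__main__":
    for seeded in (False, True):
        n = distinct_targets(instances=1000, per_instance=100, seeded=seeded)
        print(f"seeded={seeded}: 1000 instances x 100 probes -> {n} distinct targets")
    print("first probes of any unseeded copy:",
          [as_dotted(a) for a in scan_targets(ToyLCG(), 3)])
```

Run stand-alone, the unseeded case reports 100 distinct targets no matter how many instances you simulate, which is the whole reason re-enabling the seed on July 19 turned a curiosity into a 359,000-host outbreak.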