Code Red Goes The Way Of Y2K

beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?

Re:Nope, Code Red is still with us.

[BlueUnderwear]

> It kills me to shut down and restart a piece of equipment like this

Life is tough. Each time we go to our weekend house, we find a huge piece of equipment from the neighbor's cat on the doorstep...

Re:Billions of dollars spent...

[TOTKChief]

Ummm, did you not realize that your comment's parent was a parody [or worse, probably stunnigly like] the reaction of most PHB's?

Yeah, here's one.

[peccary]

$ telnet 65.24.228.11 80
Trying 65.24.228.11...
Connected to 65.24.228.11.
Escape character is '^]'.
get /x.ida?AAAAAAAAAA

<html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title& gt;</head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></ html> Connection closed by foreign host.

Re:white house

[pcurran]

I agree completely that the political aspects of code red have gotten it a lot more media hype. But aside from just the "attack" on whitehouse.gov, what about that "Hacked by Chinese" defacement that was (is?) supposed to be popping up all over the place? The US media loves a good story about those darned Chinese. I think that this may have helped the hype along as well. BTW, has anyone actually seen one of these defacements?

Not Quite

[espo812]

incidents.org is tracking the spread. It still looks to be on its exponental path to death and destruction of the Internet (sarcasm included.) As of this post, incidents reports 22,000 infected (up from ~13500 an hour earlier.) It's too early yet to tell how this will pan out.

Re:But what about the media?

[_xeno_]

Yeah, maybe, but that's not the point.

On my way in to work this morning, I was listening to a local news radio station, and they were talking about how "Code Red" will effect servers and that everyone (!!) should download Microsoft's patch. From the linked article:

The malicious program can only be stopped if enough Web site operators install Microsoft's software patch, which plugs the security hole the worm uses to attack.

Well, the Alphaserver I admin seems to be doing ... ok, actually, it's down right now, but that's another story (flaky hardware, it seems) ... but anyway, during the last Code Red outbreak, it got probed, and it survived the attack without Microsoft's patch. Fancy that, the Apache server running on RedHat 7.0 wasn't effected, and I didn't even install the Microsoft patch!

Listening to them, I would have thought that Microsoft owned the Internet...

day off?

[passion]

Darn, I was sorta hoping it would so I could take the day off and go fishing.

Well, depending on where you live, and what job you do - you still have a chance! Today is personal freedom day... personalfreedomday.com

Strangely Enough

[Phrogman]

I didn't get my daily feed of juicy documents from that Sircam newsgroup I somehow seem to have joined - maybe its because the Code Red worm has knocked out all of the poster's Exchange servers...

Re:NEW DATA [was Re:Geometric growth.]

[imipak]

I find it interesting that I've been scanned once already on my home dialup. As I'm paying UK connection charges and I'm rather broke at present (see .sig) I tend to go online for short periods, collect/send mail and grab a ton of pages for offline reading. (I'm even writing this offline in emacs.) If I'm getting hit during those very narrow windows of opportunity, it implies there's a rather large number of scans taking place.

OTOH, when Incidents isn't Slashdotted, it looks like the curve is flattening out at around 25% of the total infected last time - about 60,000 +/- 5000 is my guess. The question is, is that enough infected hosts to cause enough ARP floods to impact global connectivity. So far connectivity has been patchy for me - jobserve was down all afternoon, a couple of other sites were patchy, everything else was OK. Same as normal, in other words.

Re:"something bad didn't happen"

[Micah]

Well, it's not quite a non-event:

[micah@nova logs]$ grep NNNN *log | wc -l

25

And that's just since last night. I got 75 of them 2 weeks ago. But it appears to just be getting started.

Worm Author's Restraint

[Travis+Fisher]

Has anyone stopped to notice how much restraint the worm writer is showing? Think a second. The person writing this thing was not an idiot. It required serious technical skills and probably a large investment of time and energy. Anyone who says "Oh, the worm author was so stupid for using a hard-coded IP addresss for whitehouse.gov" or "They must have been dumb to forget to seed their random number generator" is not looking carefully. The worm has always been carefully, purposefully shackled by its creator not to do too much harm. Did you read the eEye analysis? Or the CAIDA or Staniford stastical studies of the worm's spread? Some facts:

• The first version of the worm appeared on July 13 or so.
  • It had an unseeded random number generator, so the IP's it scanned were a fixed sequence -- BUT it contained the code to seed the random number generator; this code was disabled.(*)
  • Its DoS attack was set to bomb a particular fixed IP address, AND not even send the bomb packets if that IP could not be reached
  • It contained code to deface web pages served making its presence very visable well before the bombing attack was scheduled to take place
  • It contained code to deactivate its spread if a particular file (c:\notworm) was present.
  • It contained code to deactivate its spread after the "attack phase" began
• On July 19, a second version was introduced.
  • The second version re-enabled the random number generating seed but was otherwise no less shackled than the first version.
  • This version spread exponentially, with growth finally being limited by the number of susceptible servers connected to the internet and the fact that it reached the time of the "attack phase"
  • This version infected over 359,000 hosts in under 14 hours.

(*)I read this somewhere but can't relocate that source right now. The rest of the info comes directly from the sources linked above.

The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained. More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com, there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small of a ratio to DoS all of them, but remember to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.

Perhaps if they had researched...

[JodoKaast]

...the Code REd worm, the poster of this story would know that there was no threat of it bringing the net to a standstill today. The real killer day will be on the 20th of this month, when the worm goes from infection mode to DDoS mode. And with 18 MORE days of infection than the one last month (with 300000+ servers compromised) had, I think it is generally assured that the net will slow it's ass down. If the DDoS attack is pointed at a valid target this time...

It's the name!

[wowbagger]

The reasons the media likes to hype Code Red and not Sicrcam are:

1. The Name: "Code Red" sounds menacing, while "Sircam" sounds like a new pop star.
2. The Target: Sircam has no target (other than the poor schmuck who's machine is infected). Code Red attacks a target that you can send a reporter out to (yes, the web servers for the White House aren't at the White house, but that doesn't matter).

Remember, the media wants stories to be as dirt stupid simple as possible: They don't want "Boy finds girl, boy loses girl, boy finds girl again", they want "boy finds girl". "Code Red Worm ATTACKS WHITEHOUSE" is an attention getting headline. "Sircam forwards private documents" isn't.

So remember 5|<r!P7|<!dd!3Z, if you want your worm to be successful, attack a high-profile target, and make sure your worm gets a menacing name.

Re:Billions of dollars spent...

[FatOldGoth]

I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.

Even then, one thing this worm has done a good job of highlighting is that it's not just a waste of your resources if you don't patch your servers. I'm seeing a lot of my bandwidth being eaten up because other people are too lazy/incompetent/ignorant to administer their systems properly.

Sorry. Rant over. I feel calmer now

Re:Nope, Code Red is still with us.

[Cryptosporidium]

I read in the early reports (not sure if it has been invalidated or corrected now), that the random number generator did not reseed itself on each infection. Thus, the IPs generated where the same.

A variant of the original worm supposedly corrected this error.

Re:I don't know about you

[unitron]

"...every newscast I saw last night about Code Red, made no mention of how to innoculate your computer against the virus."

Ignoring for the moment the whole "worm vs. virus" thing, I saw a number of news reports that directed people to MS for the patch, and apparently CNN even had a link for it on Wolf Blitzer's page. On the whole, the coverage on this has been suprisingly good considering the general audience for which it is intended.

Geometric growth.

[Black+Parrot]

For the plot at incidents.org, the last four hourly reports show a pretty clean geometric growth, with the hourly multiplier varying only between 1.63x and 1.68x (it was a bit higher for the earlier reports).

I wouldn't go so far as to predict a continuation, but the numbers are still kind of fun. A 1.6x per hour for 24 hours would give 79,228x. With a basis of 22,001 reporting right now, that would give 1.74 million infections at this time tomorrow.

Surely this one will saturate its niche long before then, if only because of all the repairs that were made a couple of weeks ago. But it gives a hint about what's going to happen when The Big One (tm) comes along.

And the viruses seem to be getting smarter lately. I would guess that TBO will come along by the end of the year, or surely no later than the middle of next year.

Get to work on those disaster recovery plans, folks.

Oh, but the price!

[haapi]

I kind of have to quibble about the 1.2 Billion dollar "price-tag" attributed to Code Red. Any money spent patching software is money that was required to be spent ANYWAY. If your server maintenance is out-sourced, it is that company's responsibility to patch 'em, and then bill you for it, and you pay it because that is what it takes to put a server on the Internet. 'Nuff said.

You could look at this...

[Pope]

Internettrafficreport.com for North America. Look at the response time and traffic indexes, right around 21:00 MST.

Oh, and currently, MAE-East is in the shitter, same as last time. No wonder connections may be crappy.

Are you sure you want to delete The Internet?

[Tim+Macinta]

When I woke up today my DSL connection wasn't working. My first reaction was to think of what could possibly have happened to cause it to go down and after about a few seconds I thought "oh crap, Code Red did succeed in grinding the internet to a halt." I was about to be very angry at Microsoft for ruining the net for those of us who don't even use IIS until I tried my dial-up connection and it worked fine. So it was just a local DSL issue (which is fixed now - thankfully, as I was beginning to go through withdrawal).

Re:Are you sure you want to delete The Internet?

[billh]

Was it a Cisco 67x? Qwest DSL perhaps?

If so, telnet to it, enter password, enable, enter password, then:
set web disable
write
reboot

Best to update to CBOS 2.4.1.

BTW, I've been hit 51 times today (one machine covering 16 IP addresses). No effect, of course, but it is funny to see in the logs. Almost 400 hits in one day last month.

Re:Are you sure you want to delete The Internet?

[billh]

Don't think I've seen the 'set nat add ent 10.0.0.2'. Could you explain?

Fortunately, my 678 had 2.4.1 on it when I got it. Flashing the bios in one of those things can be a risky venture.

Misunderstanding of the behavior of the worm...

[igjeff]

The trick is that so many of the so-called experts mis-understood the nature of the worm.

Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.

What is is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased...to recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.

So Cringley was somewhat right...while the systems with their clocks set wrong aren't inherently any greater of a danger than any other...they did allow the worm to go back into spread mode and become widespread again.

Jeff

Re:Misunderstanding of the behavior of the worm...

[Fishstick]

I know, I especially liked some of the "technical explanations" that the media attempted in explaining this thing. My favorite...

The worm -- a determined sort of software virus that affects computers running certain types of Microsoft operating systems -- has struck twice before...

... was courtesy of Reuters (via Yahoo in this link)

At least they didn't pass up the opportunity to use a cute little turn of phrase in their headline! :-)

Re:Misunderstanding of the behavior of the worm...

[MrBogus]

What other MS admins need to worry about is keeping track of any future additions to their machines. If they, or someone else, adjusts Windows components on that server, this particular hotfix needs to be reinstalled.

That is true -- Either this or another index server hotfix needed to be reinstalled after doing a SP2 upgrade for example. Trying to figure out what Hotfixes are installed or need to be installed is not straight-forward.

However, what IIS admins really need to do is disable the "Application Mappings" that they are not using. This will eliminate the need to apply hotfixes for the significant number bugs in non-core IIS components which aren't widely used.

(To do this, open up the IIS management GUI, look at the Site properties, Home Directory, Configuration. You'll see the mapping from .ida/.idq to idq.dll. Remove these and you are safe from any future Index Server hacks. While you are there, remove the rest of the DLL mappings that you do not need.)

Re:When will they learn?

[baptiste]

When will virus/worm authors learn that publicitiy (at least initially) is their ENEMY?

True, but what will surprise me is if some other worm doesn't show up today. While everyone is watching to see if Code Red hits, what better time to release a really stealth worm that doesn't deface the main page and hides the best it can to spread itself somewhat slower - and have it set to DDOS (using DNS of course, not hardcode IP) on teh 18th instead - now that would be funny.

Looking at the numbers...

[Magus311X]

It seems to be growing at about 70% an hour, but it is slowly leveling off. Anyone care to do the Calculus and plot the curve?

I'm going to put the number of infections at 6 - 8 PM a 250,000 - 450,000 hosts just by running some rough numbers in my head and taking into account whether or not pathces where applied. Thats a lot ...
-----

Re:Looking at the numbers...

[peccary]

You can't accurately predict the curve if you don't know the size of the vulnerable population. It will tail off at some point, I expect quite a bit lower than the 359,000 infected hosts previously. If we're starting a pool, sign me up for 178,901 infected hosts.

Re:Snapple virus wouldn't sound very scary

[baptiste]

Actually, it got its name from teh guys who did the initial analysis late at night and they drank a lot of Code Red to stay awake. BUt it sure was descriptive and catchy once this took off

Re:Use the data, Luke!

[baptiste]

Yes but looking at it now (12 EDT) I see a gradual rise in packet loss and a drop in reachability - now that may be normal lunch hour jams, but the gradual increase tells me this is just getting rolling. Its not a matter of if, but how much, I'm seeing more scans as time goes by - trick is how bad it really gets and where it tops out at.

Increase in HTTP hits on my firewall

[AndroidCat]

After a few weeks with none, I'm starting to see an increasing number of attempts on my HTTP port. I believe this is the port Code Red goes after on unpatched MS IIS boxes

date,time,source,transport
2001/08/01,00:39:43 EDT,64.224.192.128:4482,80,TCP (flags:S)
2001/08/01,09:29:53 EDT,203.239.44.55:2464,80,TCP (flags:S)
2001/08/01,09:43:29 EDT,61.157.184.52:4273,80,TCP (flags:S)
2001/08/01,11:25:13 EDT,217.126.188.106:53726,80,TCP (flags:S)
2001/08/01,11:54:00 EDT,193.70.29.42:2668,80,TCP (flags:S)
2001/08/01,11:56:41 EDT,210.119.9.196:4754,80,TCP (flags:S)
2001/08/01,12:22:11 EDT,64.81.148.7:3924,80,TCP (flags:S)
2001/08/01,12:29:15 EDT,61.144.181.223:1319,80,TCP (flags:S)

I admit that's it's not exactly Internet-stopping volume, but if everyone is getting this, that's bound to be a lot of traffic. And note that if I was running an unpatched IIS, I'd be Code Red's bitch by now. (Or somebody's bitch if my ports 111, 139, 515, 31337, etc were open to exploits.)

Re:Good advertising for MS

[Rand+Race]

Yup, I had four emails waiting for me this morning from execs telling me to get the patch from Microsoft for our webserver... our BSD-Apache webserver. Two of them actually requested I patch the OS X file server as well. None of them asked me to patch the only Microsoft server we have, the SQL server... not that it matters.

Hell, I've had users coming up to me all day asking if I patched their workstations... not only does the worm not effect workstations we're an advertising agency, our workstations are all Macs!

Re:is this it?

[b1t+r0t]

Code red uses NNNNNNN, not AAAAAAA. Here's my favorite hit so far:

61.131.51.74 - - [01/Aug/2001:15:59:39 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 316 "-"

Why is it my favorite hit so far? Because I really was "hacked by Chinese"!

inetnum: 61.131.51.72 - 61.131.51.79
netname: NANAN-SHISHAN-SCHOOL
descr: Shishan middle school of Nan'an
descr: town of Quanzhou city of Fujian
descr: province
country: CN
admin-c: MD47-AP
tech-c: MD47-AP
mnt-by: MAINT-CHINANET-FJ
changed: milizi@sina.com 20010526
source: APNIC

Not really y2k

[Punto]

For me it actually felt the opposite of y2k.. With y2k all the media was "it's the end of the wold!! we were right, those damn computers are evil!!!", and I was "no big deal, just add some bytes".

With red code, I was 'microsoft is going down!! yeah!', but I didn't see much 'media inpact' (who won the 'predict the headlines' contest).

Nothing happened, but this time I was dissapointed. ;)

Re:I don't know about you

[Cato]

I also had an incredibly slow ping time and loss rate to yahoo.com about 9.00 BST (8.00 GMT, 3.00 EST) today - 380 ms pings, and 60% loss rates. Normally I get 180ms pings to yahoo.com and almost no packet loss, so something was definitely happening. Local UK sites were OK, and it wasn't my provider according to a traceroute (I have an ADSL line).

So maybe something did happen - however, the various survey sites report that nothing really major happened, so this was probably just a coincidence (maybe too many people hitting yahoo.com at the same to see if it was still up?)...

Re:But what about the media?

[b1t+r0t]

For the record, Code Red doesn't actually infect the routers, but does trigger a known crashing bug in the IOS web server that was discovered a few months ago. So it will stop an un-upgraded router dead in its tracks.

I've been hit seven times so far according to my Apache access logs, and a possible three other times on another machine with no web server, but a logging firewall block on port 80.

At least two of the hits are from an @home and a DSL customer. Perhaps by crashing the un-upgraded Cisco DSL routers they're actually doing a service by preventing DS-Lusers' home machines from being able to spread the worm. Not to mention blocking all the skript-k1dd13 IRC DD0S w4r3z that are already running on said lusers' machines.

An interesting anecdote is two weeks ago when I called my ISP, their phone answered with a message about Code Red, and then I overheard a tech support guy in another cubicle at the ISP telling someone to power-cycle their router.

Nope, Code Red is still with us.

[BlueUnderwear]

Code Red gone? Errhm, not really. I got 4 hits on my webserver at home this afternoon, 2 and a school I help administrating, 1 at another school, 3 at our Linux club's computers, and 2 more at another computer of the club. Whereas we didn't get any hits on any of these sites the first time around (mid July). It's alive, and kicking! Rumors are also that www.java.sun.com's outage today might have been due to Code Red, but don't ask me how. Sun hopefully isn't running IIS, or are they? Or maybe it just knocked out one of their Cisco routers...

Re:Nope, Code Red is still with us.

[BlueUnderwear]

> Hmm. The first host infects X others, and then all the children attempt to infect the exact same X? That would be known as NO growth.

It would still grow, unless the RNG had a real short cycle. True, the children would infect no new hosts, but the root worm would... until it is killed, and then the next oldest will take over. Each copy of the worm will infect the sites in a certain sequence (for example 2, 3, 5, 7, 11, 13, 17, ...) which would be infinite (or rather 2^32). The problem would be that it would be the same sequence for each copy of the worm. I.e. Worm number two would also first start with site 2 (itself), then 3, 5, 7, etc. just as number one did. Given enough time the whole 2^32 bit space would still be probed, but only the very first worm would contribute to this. The others would only redo sites which the root already has checked.

A more in-depth description can be found here

Re:Nope, Code Red is still with us.

[daviddennis]

The original version was in fact hard-coded with a specific sequence of IPs, so you are in fact correct.

It was modified by parties unknown to be more flexible and go anywhere. So in theory the threat is now much greater.

Hope that helps.

D

Re:Nope, Code Red is still with us.

[BlueUnderwear]

> I read in the early reports (not sure if it has been invalidated or corrected now), that the random number generator did not reseed itself on each infection. Thus, the IPs generated where the same.

> A variant of the original worm supposedly corrected this error.

I heard about that one too, but the way I heard it was that the initial variant was so inefficient that it went by unnoticed, except by eEye.

The version that was seen spreading exponentially July 19th was already the "fixed" version.

Indeed, if each worm uses the exact same sequence, the spread is linear. Rather than fanning out, each instance would try to re-infect the exact same sites that its parent already has infected, hence linear, rather than exponential growth.

Re:Nope, Code Red is still with us.

[Tim+Doran]

Each time we go to our weekend house...

Yeah, life is tough, alright. Weekend house?!?

;)

Re:Don't speak too soon

[gimpboy]

i got hit 17 times during the hayday (july 19th). i was hit once last night around 7. i've been hit 5 times since 11:40 (its 12:18 right now). since it grows exponentially it's similar to cancer. it starts off slowly and you dont notice it once its big enough to notice it you're almost dead. this is going to be a fun few days.

The Reason Code Red gets the Klaxons

[cnelzie]

The reason is simple. Everyone wants to get potentially damning documents from anyone. If the internet grinds to a halt then you would't be able to get that information from SirCam.

--
.sig seperator
--

Re:More media crapola

[b1t+r0t]

I know that virtually everyone who reads this site will agree that this is a load of crap, so let me just summarize my reaction: "To save the Internet, it was necessary to destroy the Internet."

When in actuality all we need to do to save the internet is to destroy Microsoft.

I wonder if...

[djocyko]

incidents.org will soon be reporting how quickly they were personally attacked by the SlashDot worm (in a nice pretty 3d line graph). That's something I would like to see.

NEW DATA [was Re:Geometric growth.]

[baptiste]

Finally got Incidents.org to respond, they posted new data (looks like the hours shifted though):

• 11AM - 22,001
• 12PM - 32,502
• 1PM - 41,968

SO not as explosive as expected BUT, we're already at just about 80,000 infected hosts already and its only 2PM! I'm sure there are PLENTY of vulnerable servers still out there. My 3 web servers have been hit 13 times so far. That's 3 IPs hit between 4 and 5 times each. Not huge, but for such a tiny IP section, scary all the same

Re:How do they know 22,000 servers were infected..

[david+duncan+scott]

They describe it in broad terms, but it boils down to log entries and unique source IP's.

I think the security folks should modify code red

[Greyfox]

They need to modify the worm to make it download the MS Security patch, install it and reboot the system. Although that could be significantly more damaging to those IIS server than the worm currently is. At least Code Red doesn't have the potential to leave your system in a non-working state. I've heard tell that a lot of those MS security patches don't get installed because they do more harm than good (I have no personal experience with that though; no "you're bashing windows" flames, please. I'm not.)

Re:Premature Announcement...much?

[frantzdb]

I dunno why the Washington Post, et. al. were making a so-called 8:00pm deadline...considering it wasn't supposed to start until the 1st anyway--not the 31st.

20:00 EST == 00:00 GMT

--Ben

Re:Don't you get it!??

[baptiste]

Watching people run IIS is like watching a violent, firey thunderstorm. Sure, it'd suck if lightning actually HIT me, but I'm quite safe.

ROFLMAO!

Re:No, let it blow!

[Zico]

The patch was available for a month before Red Code struck, so how does this show how irresponsible Microsoft is compared to worms that have hit other operating systems? Why has Linux been struck with worms of its own? Does that mean a "closed source, NDA distribution model" is superior, then? Besides, just like with desktops, most web servers on the internet run Windows, so it's not too surprising that more of them get attacked, especially since not only are there more, they're usually used for more important data/applications, especially when it comes to e-commerce.

No, let it blow!

[twitter]

Hush! Let this thing blow up and get as bad as it will. I'll suffer a few days of slow net service so that the world might learn how irresponsible MS is and how bad their wares are. Of course, even if this is fought tooth and nail, it will still show up how inferior a closed source, NDA distribution model really is. Leave MS to worn their people.

Relax, all you MS sysadmins. Nothing Really Bad is going to happen. Just sit tight and all this will blow over, like Mellisa did. Educate your users and continue upgrading to W2K. Sleep, now.

Don't you get it!??

[mcrbids]

It only takes ONE infected system to kick it all off!

It has most DEFINITELY kicked off again - logs on my primary server indicate at least one hundred hits from this bug.

Already, that's almost as many as last time, and there are 18 more days of this.

For me, it's almost like watching a violent, firey thunderstorm. Sure, it'd suck if lightning actually HIT me, but I'm quite safe.

Kinda sick, isn't it?

I don't know about you

[stebalo]

But my connection SUCKS today.

I was thinking it was related to the worm.

But remember, the last time it struck, it grew exponentially for 7 days until it really hit its stride.

Re:I don't know about you

[11thangel]

I dunno about you, but my connection ALWAYS sucks. American Residential Internet: when it goes down, there is almost never a logical explanation. (i.e. a train crashed in baltimore and melted a fiberoptic cable, bringing down my internet 200 miles away)

Re:I don't know about you

[imipak]

• It looks (from the Incidents graph, at about 2035 UTC Wednesday) like it'll top out at about 60,000 known infected hosts;
• If nothing happens, it could just mean (as with Y2K) that the hype was justified, because everything got fixed, which is why nothing happened;
• To the people saying "yeah, MAE-east is screwed" etc - look at the average response time charts Nothing very dramatic there...
• Er, we were all right about this. Even the trolls ;)

Re:I don't know about you

[mike_the_kid]

This is not really a joke, though some will see it as MS bashing:

Code Red would have started with about 200,000 existing infected machines, except that:

• How many of those upatched 2000 / NT boxes do you think have been up for the whole time since the worm went into remission? Remember rebooting will remove the worm from memory (though you would probably eventually be reinfected.)
  
• If any 2000 box is not being kept up to date on its patches and is running IIS, what do you think its uptime is going to be like? I say not good.
  

It will not stop the worm from growing, but it will play a role in controlling the code red.

If this incarnation of the worm were really malicious, it would try more than 100 addresses. (though incident.org said that the rng in the latest version is stronger). A relatively benign worm like this is better for the weak sysadmins in the long run, because otherwise they would not have known of this relatively simple security hole.

Re:I don't know about you

[LinuxHam]

At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there

This was proven to be untrue by the 31st. I scored a 5, Insightful mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!

During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.

Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the y2k problems, but that's for another post. :)

Re:I don't know about you

[gmhowell]

To answer your joke/non-joke, where I work, we only have to reboot our Win2k servers about once per month. WinNT about once per week (And they are set to do it slightly more often. Also note, MS apologists, that these were set up under no SP for Win2K and SP 4 for NT. We haven't changed those policies since newer SP's have come up. We just don't need the uptime. Also note that several of those machines are running non-MS software, or more than one MS service, two situations commonly claimed to cause NT/2K stability problems. FWIW, it seems that the problems are in garbage collection.)

Anyway, it's quite possible to run an MS server for a long time without a reboot. The other trick is, unless ALL of the MS servers were rebooted at the same time (and kept down long enough to clear out some packets from the nets) there will always be a machine ready to infect another, when the latter comes back up from the reboot.

I definately agree with your last comment. While these various and sundry viruses have seemed bad, they certainly don't seem engineered to 'bring down the internet'. There's far too many simple mistakes that were made (hard-wiring the White House IP for example. Your example of only hitting 100 other machines for another.)

For that matter, if one really wants to bring down the net, why not find a good, solid method to bring down Apache (preferably on any OS)? As has been stated, it runs far more sites.

A solution to the problem?

[pongo000]

For years, virii in the medical industry have been associated with people or places. So, the poor town of Coxsackie, NY has its place in history as the origin of the Coxsackie (hand-and-foot) virus. Drs. Epstein and Barr will forever be associated with the virulent virus that bears their name. Why not name computer viruses/worms/self-propagators after the systems for which they are targeted?

We could talk about the Microsoft Sircam virus, or the Microsoft CodeRed worm, or even the Linux Ramen worm. Forever sear into the minds of the ever-forgetful public the platform which fell victim, PR which most companies and organizations will try valiantly to avoid.

Re:But what about the media?

[Tim+Doran]

"The malicious program can only be stopped if enough Web site operators install Microsoft's software patch, which plugs the security hole the worm uses to attack. "

This is what I was talking about above - Microsoft is handling this beautifully, from a PR perspective. News accounts in my area made it sound like Microsoft invented (innovated? ;) a fix to this out-of-control virus, and everyone needs to download their patch to protect themselves.

Didn't sound *at all* like MS was fixing a bug in their software. We should all be grateful - Microsoft saved the web out of the goodness of their hearts.

Prepare for the next time this happens

[sg3000]

Just so we can all prepare for the next time this happens, what's the proper way to pronounce "IIS"?
( ) "aye-aye-ess"
( ) "two-ess"
( ) "aye-ayes"
( ) "aye-iz"

(Of course I don't know how to say it! I run Apache/Linux and Apache/Mac OS X.)

Re:But what about the media?

[Pinball+Wizard]

only affects MS IIS servers

Not only that, but only those IIS servers that haven't been patched. I don't know of anyone running IIS who doesn't at least get the Microsoft Security Bulletins. If there is a patch available for anything you'll hear about it on the mailing list. I didn't really worry about this one at all.

I have to wonder though - with both Code Red and Sircam, as well as a number of other virii - the damage inflicted by these programs was much less than it could have been. Its as if the virus writer wanted to grab lots of attention(I'm sure having the national media talk about your creation is very gratifying to these people) rather than inflict as much damage as possible.

Re:A bit premature?

[baptiste]

The other interesting thing is the # of probes I got from the Eeye Scanner starting yesterday afternoon a few hours before 8PM EDT - From IPs on totally different nets (ie it wasn't a local ISP admin doing it) Looks to me like some folks were looking for seed hosts to get things rolling again. Even more interesting is the probes wern't being done sequentially since I didn't see scans across my web server IPs, they were more random.

The news...

[cdipierr]

On two local news channels last night they gave the helpful tip of "If your system seems slow and infected, just reboot and it'll be fixed, but you can download this patch if you really feel like it..." ... Argh, is it that much to ask for the news channels to get it right for once? We don't need to keep this up every month.

How inferior is easy to judge

[twitter]

Until upgrading and patching is as easy as:

1. Editing a textfile /etc/apt/sources.list
2. apt-get update
3. apt-get upgrade
and free software is retrieved from any of hundreds of mirror sites around the world, closed source distribution will continue to be second or third rate.

A pay for each copy in a box approach to distribution just sucks rocks.

A subscription to closed source junk is almost as bad. It can't be updated as quickly and well, it costs money. Do I really want to pay for my telnet client every month? If you buy microsoft OS, you have bought the same telnet client two or three times in the last four years. Same old bugs, same old look, same limits, yawn.

MS has got a record of inconvenient and extortionate distribution. Their dedication to the pay per each copy on each machine model and "aggresive" competitive measures to break other people's software has left them with nasty co mingled code that sysadmins are rightly hesitant to patch, ever. They have consistently denied any failings by blaming user and sysadmin ignorance and lazyness. People, not just crackers, have noticed that MS stuff won't work and every piece comes at a price. In the end despite all you wrongly say, the proof is in the kaputting. As yet another virus blows over them and anoys everyone, the inferiority shines through.

It's obvious

[cnkeller]

Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

Because Code Red dealt with the White House, which is a national symbol and easily recognized by all the world. Never mind the fact that the white house web site was never in any danger of being taken off-line. Joe & Billy Bob don't know no stinking eye-pee addressess are. High profile attacks get the news...not that secret memo detailing a new flavor of Tang....

Re:But what about the media?

[Omnifarious]

This isn't true. The routers it affects are largely the routers for people's home DSL installations. Having those routers crash isn't a huge deal for the Internet as a whole, but most home users aren't equipped to deal with the problem.

Re:Incidents.org mini-mirror

[baptiste]

Well, be careful - teh top table says 'Hosts Infected' which I take to mean 48,489 NEW hosts were infected that hour (the next hour is up and its like 52,273 for 14:00-15:00 EDT)

Why? The tbale below shows 115,568 hosts infected today. Funny part is the #'s don't add up - if you add the # of hosts for each hour in teh table above you get close to 200K, not 115K - makes no sense at all.

Actually, my guess is the top table shows how many infected hosts were SEEN during that hour and the table below highlights the totla # of unique IPs infected since the start of the day?

Yep. Gone with a whimper.

[Tim+Doran]

I got precisely one Code Red attack on my home linux box (via cable modem). Last time around, I had upwards of 25 attacks.

Heard an interview with a Microsoft spokesperson this morning. Interesting how the terms 'Windows', 'NT', 'Windows 2000' and 'IIS' didn't come up once. Gotta protect those brands, I guess.

(To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

Re:Yep. Gone with a whimper.

[FatOldGoth]

Well, I'm monitoring the firewall logs for a class C subnet right now, and I'm seeing a hit every two minutes on average. It's not as bad as the 19th of last month, but it's been building steadily throughout the day. I got no hits between 00:00 and 09:00 BST, but they started shortly after that and have been escalating slowly.

I'm hoping this is the peak right now, as the last wave ate up a third of the incoming bandwidth on my company's Internet pipe at its height.

Re:Yep. Gone with a whimper.

[FatOldGoth]

Just in the time that's passed since I posted that last comment the hit rate has climbed to two or three every minute. I really hope this peaks soon, as otherwise this pipe's going to be completely clogged by tomorrow.

Waaaah! No /.! I'll have to go back to working or something!

Re:Yep. Gone with a whimper.

[gorilla]

Buffer overflow's happen more to people who program in certain styles. If you have a methodology of good design, limited privilages, and isolation between unrelated modules, then you are not going have a problem with buffer overflows. On the other hand, if you have a methodology of hot programming (ie without design), then testing to detect the bugs, then you are going to be suspectible to this sort of bug.

It's only just started!

[Dr_Cheeks]

Code Red propagates itself throughout the month until somewhere near the end (19th, IIRC) when it starts to attack whitehouse.gov.

Remember; there was no major problem with Code Red until it was almost time for it to attack last time around because it hadn't infected enough hosts. This is not yet over and will get progressively worse throughout the month.

That is, of course, assuming that Gibson was right yesterday when he said it will still be active....

And don't start hyping sircam - I'm enjoying reading private documents ; )

Re:It's only just started!

[blakestah]

How does one do that, without activating the worm? I got lots of these, but when I save the attachments and poke at them with emacs, it's all gibberish.


Try piping it through strings.

Re:It's only just started!

[jamesdood]

Yeah, on the securityfocus incidents list there are people gettting probed every few seconds on class B subnets.. My single webserver has been probed 6 times so far this morning, I think it is ramping up. Hopefully most people have patched their boxes (or even better installed Apache!) I don't think this will have a huge impact but it is going to infect more machines over the next few days (Seeing how it only started showing up on July 11th and then wasn't a "big" deal until the 19th!) .

Re:It's only just started!

[Moonshadow]

Approximately the first 137k is the virus's executable code. If you'll look towards the end of the file, you'll find the document there in plain text for you to read.

I forget the exact number, but of you strip off the first X bytes with a hex editor, you can open the document regularly.

Billions of dollars spent...

[tonywestonuk]

And nothing happens!! - So, this means it was a waste of time/money patching up the servers then? As with Y2k, If the time/money wasn't spent sorting out the systems, things could have been as predicted.

Re:Billions of dollars spent...

[Lizard_King]

this means it was a waste of time/money patching up the servers then?

I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.

MS NT/2000 buffer overflow vulnerabilities galore.

(To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

NT/2000 are chocked full of buffer overflow vulnerabilities. Some have no patches available. How many more exist that are yet to be discovered? These known ones establish a pretty poor reputation that is difficult to get rid of. See this article from BugTraq:

BindView Security Advisory
--------

Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC deamons
Issue Date: July 30, 2001
Contact: tsabin@razor.bindview.com

Topic:
Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
Overview:
Many DCE/RPC servers don't do proper parameter validation, and can be crashed by sending an improperly formatted request.

Affected Systems:

At least the following services are known to be affected. More servers are likely to be vulnerable. For a complete list of what Microsoft has patched, see their security bulletin mentioned below.

W2K SCM (services.exe)
NT4 SCM (services.exe)
NT4 LSA (lsass.exe)
NT4 Endpoint mapper (Rpcss.exe)
W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
SQL Server 7 (sqlservr.exe)
W2K's DHCP Server
W2K's IIS Server (inetinfo.exe)
Exchange 5.5 SP3 (STORE.exe)
Exchange 5.5 SP3 (MAD.exe)
NT4 Spooler (spoolss.exe)
W2K License Srv (llssrv.exe)
NT4 License Srv (llssrv.exe)

Impact:

An unauthenticated remote attacker that can talk to the endpoint on which the server is listening can crash the server. In some cases, the servers may either restart themselves, or be restarted by the OS.

Details:

By sending successively larger and larger requests containing nothing but nulls to every operation on every interface supported by a DCE/RPC server, it's often possible to find a particular request that will crash a server. Note that it's not technically necessary to run through every possible request to crash a given server. Each server has a particular request (or requests) which crashes it. Once the proper request has been found by grinding through all the possibilities, only that request is needed to crash the server.

The exact endpoints on which a server listens will vary from service to service. Many listen on named pipes, which are accessible via TCP port 139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP and UDP ports above 1024. Those services which do not listen on named pipes can usually be enumerated via the endpoint mapper, using rpcdump. rpcdump comes with the NT resource kit. A free version is also available on the RAZOR web site in the rpctools package.

If COM Internet Services has been installed and enabled, then these attacks may be possible over port 80, as well. This is not a default configuration, however.

Workarounds:
Firewall off as much as possible.

Recommendations:
Install the appropriate patches from Microsoft.
Do not install COM Internet Services.

References:
Microsoft's security bulletin:
http://www.microsoft.com/technet/security/bulletin /MS01-041.asp

Microsoft's patches:
The patches vary, depending upon the service.
See the security bulletin for details.

Microsoft's Knowledge Base article:
http://support.microsoft.com/support/kb/articles/Q 298/0/12.ASP

Code Red = Code Dud

[tenzig_112]

Another near disaster passes us by and I have to say that I'm more than a little dissapointed.

I got all revved up in late '99, waiting for the death cults and survivalists to do their thing. But everyone was remarkably quiet about it all.

Y2K = all hype and no looting. California Power Crisis = same. Code Red = Same. I promised myself I wasn't going to get excited this time. But with all the coverage, I got suckered into it again.

What am I going to do with my Honda generator that I bought in '99, sold in 2000 and bought back again two weeks ago?

Here are some links to stories about similar dissapointments:

Foretold Apocalypse Refuses To Occur

Survivalist Emerges From Y2K Bunker, Says "Oh, Crap"

Code Red is getting more press than Sircam...

[BlueUnderwear]

... because reporters usually protect their sources. And witht the wealth of confidential documents that they're getting from Sircam, they're not going to rat on it, won't they?

Re:But what about the media?

[MWoody]

Granted, I haven't been following this too closely, but didn't it also spell doom for certain flavors of Cisco routers? Although, I suppose those in charge of the routers tended to be better equipped to deal with problems than those merely running IIS by default.

Sad but true

[Mdog]

I'm sure I'm not telling anybody here anything new, but the reason code red is getting more attention is because:

• The name is cooler
  
• Snowball effect
  

I don't know about the rest of you, but I'm rooting for the virus.

Re:Am I the only one besides beanspace...

[baptiste]

Incidents.Org is reporting expotential growth

And now thanks to a slashdotting isn't even responding :) I wanna see the 12 o'clock total! Its like watching a game :)

Re:Code Red...unneeded hype.....

[grammar+fascist]

Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may loose their life because they ignore the warning.

My father works for the National Weather Service, and this is exactly the reason they have so many checks they have to go through before they issue a warning or a watch. (Not that it takes long to get through them, but they do check themselves on it very well.)

I suppose the big difference is that when people don't listen to the NWS they tend to die. (I still remember when my dad came home just devastated when some people in a national park were drowned in a flash flood that he put out a watch for.) Still, you're absolutely right.

The problem is that there's no central authority that most people know of to go to for this sort of accurate information. There's nobody competing with the NWS on the weather. The news states the information they get from the NWS exactly as it comes (with some embellishment to add entertainment value). If those media people could quote and point to actual security experts (not just the loudest), we'd be much better off.

Re:When are virus/worm writers going to get seriou

[baptiste]

I'm with you here, but I think its the ego thing - they want the publicity - a worm like you describe wouldn't generate the instant news coverage they crave - a worm liek you describe wouldn't because half the admins would think it was data corruption, not a worm - it would generate news on /., etc but not the national news media.

DDos attacks get the buzz and thats what they crave. But I have to agree - when worm writers get really serious, it'll make Code Red look like childs play.

Viewing other people's files for gratification

[Dr_Cheeks]

Word documents are easy if you don't care about formatting - just look at the end and the text should be there. And I heard (elsewhere on /.) that the exact amount of crud to stip off the front is 137216 bytes, but I've not bothered testing that out yet.

I got a .zip yesterday (the second file I've got so far) that had been turned into a .pif, but when I looked at the archive under Linux I had no problem viewing it, and was even able to listen to the really lame midi file in there without needing to do a damn thing to the infectious file.

Basically, you're pretty safe poking around at these under Linux (they're aimed at Win/Outlook users after all). Though since I don't have a permanent net connection and I do have ps -aux and kill -9 I can rest pretty safe : )

A picture paints a thousand sniggers

[Rogerborg]

The best take on this I've seen today is over at User Friendly.

Sheesh

[Mike+Hicks]

Look, it's not going to destroy the internet. It's not going to be a tempest in a teacup either. incidents.org reports 22,000 infections at this point. I've recorded 4 hits so far this morning (though I got nearly 30 the last time around).

For the media to go nuts, it took press conferences and press releases from the FBI and Microsoft. Those big organizations aren't making the same noise about Sircam (or Sklyarov, or...).

Another site with real time stats.....

[baptiste]

Incidents.org is major hosed (ie slashdotted)

Dshield.org has some stats going too. Looks like 23,400 infections as of around 10AM EDT....

Re:Another site with real time stats.....

[baptiste]

My bad - their DB is for all infections reported not just Code Red - the 'Code Red Real Time Stats' thing underneath threw me - it just links back to incidents.org :( Links are supposed to be UNDERLINED people!

Re:Affects more than just IIS servers

[unitron]

Imagine if the Ford/Firestone mess had been reported as "If you own an SUV your tires are dangerous".

Re:Huh?

[unitron]

Have you tasted Code Red? I think they make it out of worms.

Red Code vs Sircam -- The MS-FUDyard wars

[Rotten]

Hey!
That's a show I'd like to see!

Re:People underestimate the bandwidth of the 'net

[baptiste]

200,000 hosts (high point last month) sending lots of tiny packets is probably less traffic than slashdot readers viewing videos from articles

Well, perhaps, but remember, this beast has 100 threads going at once trying to infect machines. And you count is a bit low - the counts I've seen, and disclaimed as LOW - were 360K infected hosts. That's 3.6 MILLION processes choosing random IPs anywhere in teh world and sending a couple hundred bytes. Thats a WHOLE lotta connections. SO it can have an impact.

People underestimate the bandwidth of the 'net

[iabervon]

All of these infected hosts ramping up with attacks on other servers and sending gratuitously inefficient traffic takes up a lot of bandwidth... but not compared to the bandwidth the 'net has these days. 200,000 hosts (high point last month) sending lots of tiny packets is probably less traffic than slashdot readers viewing videos from articles.

Having those hosts sending packets that break routers and printers is more of an issue, but those have generally been fixed last month, because they couldn't very well just have been left off until the thing went dormant.

The internet's infrastructure has grown significantly in capacity (although not necessarily in smart physical placement) since it was easy to DOS the whole thing with a worm (or with the start of the school year, for that matter), and it's happened in response to actual use of the bandwidth. All of the clients generating web requests easily overcome the traffic all of the servers running IIS could possibly generate, not to mention the traffic that goes over any large, bulldozer-accessible cable.

Its warming up...

[aralin]

My apache logs show for today already more code red attempted attacks than for all the last month together. What about someone finally posting how to edit the apache config files to just discard and mainly do not LOG these attacks. Since if it will really grow out of proportion, it will trash a lot of partitions on disk of many unix servers...

Is Internet Security an Oxymoron?

[Alien54]

Cringely has an intersting article on the future of the Internet entitled:

Internet Winter - Why Internet Security is an Oxymoron

There is this interesting factoid:

Still, did you know that 41 percent of images attached to British business e-mail messages are pornographic? Does that say more about business or the British?

He seems to have bought the Steve Gibson line to some degree although he is more reasonable. The problem is that the scenario Cringely paints is likely to be painted as unlikely because it is so unbelievable. Sadly, this does not make it any less likely in fact. As he says:

At this point, I'm supposed to write, "Ah, but here's what we do about it," only I can't. Our vulnerability is too great and our lack of defensive talent too profound. There are ways to protect systems and networks against these kinds of attacks, but no depth of will to really fight them. The Internet is already such an ingrained and incompetently managed part of our lives that it is already too late."

The Reason Why...

[toupsie]

The reason that "Code Red" has been covered more in the media than "Sir Cam" is simple. Which one sounds more dangerous? "Code Red" sounds like what happens before we launch nuclear warheads at the Ruskies while "Sir Cam" sounds like a rejected name of a Pokemon. In the news media, danger and sex sell. Just look at the Chandra Levy coverage.

If you are virus writer and want the media to pay attention to your creation, I would suggest the following scary names:

1. Hailstorm (oh wait Microsoft is already using that)
2. Super Explode-O-Matic Death Bringer
3. Kiddie Pr0nB0mb
4. DefCon 4 Ultra Hurt Machine
5. Keyboard Ebola
6. Belgium (According to DNA)
7. AOL Outlook IIS VBS Player
8. HMO Claims Adjuster
9. Lizzie Grubman SUV White Trash Compactor
10. NASDAQ

What is really telling about Sir Cam vs. Code Red is that my mail server has bounced over 2,500 copies of Sir Cam vs. Apache recording 19 log entries of 'default.ida' from Code Red. Game, set, match, Sir Cam.

No one is talking about SirCam

[wiredog]

Because we, and the press, like getting all those juicy documents from Senator X, Company Y, and Miss (or Mr) Hot Pants in Marketing at BigCorp Intl. If we started raising hell about SirCam, the flow would dry up and we'd have to go back to work.

Re:No one is talking about SirCam

[Bearpaw]

Probably part of the hype is also because it [gasp!] targeted the White House (servers). If the White House is involved, it must be important.

Answer

[phaze3000]

Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention?

Because Steve !! Gibson !!! didn't rant about Sircam..

I wish the media would vet these so-called 'experts' before blindly accepting everything they say.

Re:Answer

[Rogerborg]

• I wish the media would vet these so-called 'experts'

Uh, they do. They go through a painstaking process of deciding which one will give the most attention grabbing copy for the least effort. Good old Steve!! even inserts his!! own CAPITALS!! and SHRIEKS!!! for them !!!

Let's face it, anything you read in a medium supported by advertising is designed to grab eyeballs, not impart truth. And yes, that includes /.

SirCam?

[ScottyB]

What, you mean you really didn't want my advice on what I thought of your pr0n collection (the "stuff" directory you sent me)?

*sniff* *sniff* but I thought our friendship had gotten that closer

More graphs

[Mike+Hicks]

For those of you who like pretty graphs, look at caida's nearly-live graphs: [normal scale] [logarithmic scale]

Use the data, Luke!

[cyways]

I was curious to see whether there was any discernible hiccup in Internet service as a result of the feared revival of Code Red. A quick trip to Matrix.net's average performance page suggests not. A quick glance at the graph for the past twenty-four hours shows a dip early this morning, but once you look further down at the weekly or monthly graphs, you see that today's blip is not much larger than ones seen at the end of July when the worm was supposedly sleeping.

What I find more remarkable is the poor performance of the root name servers. They drop something like 20% of all the packets they receive from the testing servers!

Remember Quake?

[sterno]

Am I the only person who remembers a few years back how the release of a new version of Quake (I think Quaker 2) was going to cause brownouts on the Internet? Everybody loves stories of apocalyptic scale carange, so the media will feed it to them whenever they can. Is Code Red overblown? Of course! It'll still cause some problems, but on the bright side, the publicity is causing people to fix it. So anyhow, I think I'll just not worry about it and play Quake 3 so I can destroy the Internet in a fun way :). ---Steve

Huh?

I just bought a Code Red from 7-11 about 15 minutes ago! There's a whole shelf full! What are you guys talking about?

Re:Huh?

[Neon+Spiral+Injector]

Man, what ever you do, don't eat the worm.

7 this morning, so far

[jonabbey]

I've seen 7 probes from Code Red on my home linux box in the space of three and a half hours, and one probe on our work server.

Interestingly enough, we were scanned by what purports to be a network security scanner here at the university last night, using a variant form of the probe. Looks like our network security folks were hunting for open servers before the storm hit.

OK - it doesn't add up! [was Re:NEW DATA]

[baptiste]

OK - I'm confused. Incidents.org is finally recovering from teh /.ing it got this morning. The data on top tracking by hour now says there were 48,489 infected hosts from 1-2 EDT (up from 41,968 the hour before) But the 'Total Infections Today' in teh tabel below says 99,716. So what gives. If the upper table is showing how many infections happened in a given hour (ie the total isn't 48K, but 48K NEW infections happened), it still doesn't add up. Adding all the hourly totals gives you 177,591 infected hosts, not 99,716. It doesn't make sense....

A bit premature?

[baptiste]

I'd say its a bit premature to say this is all over. I doubt it'll be as bad as before - but remember, CRv1 was slow to spread due to the lack of a random IP seed. Once CRv2 came out it spread like wildfire.

I've seen 5 scans across 2 servers so far from five unique hosts - Last time I got between 20 and 30 per server. But its just getting started. So it may very well continue to spread at a slower rate due to the # of hosts that have been patched - but there are still plenty of vulnerable hosts out there. On Jul y19th, my scans didn't really pick up till the afternoon - I have no idea when v2 hit the net, but its the whole snowball effect, it starts slowly then picks up speed rapidly.

I think it'll be a lot less of a problem than the media wants to believe, but I think it'll still be a significant problem.

But what about the media?

[Aerog]

The question is, why is it that Code Red was trumpeted as the "End of the entire Internet as It Is", with no mention that it only affects MS IIS servers. The news story I heard made no mention of the systems affected, simply summarizing it as "Webservers everywhere". No, this isn't intended to be Microsoft-bashing, but what would have been the situation had it gone off and the world realized that only a certain server configuration was affected? Would that have been glossed over in the same way that the vulnerablilty was?

It's just like Y2K. It's a problem that is basically centred around a specific flaw that is NOT present in all computers, yet trupmeted by the media as "The Be All and End All" of computer problems "destined to destroy our information-superhighway society". Yet, when you look into it, it's not as large as it's supposed to be. Could this be the reason that the vast majority of the population is afraid to click the mouse too fast in fear that they "break" their computer?

Re:But what about the media?

[peccary]

Some high-end Cisco hardware is NT based, and runs IIS, and had this flaw -- not just the 675 and its ilk.

Re:Affects more than just IIS servers

[daviddennis]

Yes, but you can bet it would be a horrible public relations disaster for Honda.

This deserves to be the same for Microsoft, for exactly the same reason.

D

What about Mountain Dew sales?

[b1t+r0t]

It would be interesting to look at the sales of Code Red Mountain Dew (so when are they going to make Code Blue?) and how they have been affected by all the publicity generated by the worm. This is the kind of publicity that money just can't buy, other than by passing out free cases of soda to cube farms full of programmers.

CodeRED 2.0

[deathcow]

Funny that the dilr0d programmed the worm to attack an IP address instead of a DNS name. I hear this months release, CodeRED 2.0, is going to go after the entire 10.0.0.0 network.

Re:is this it?

[baptiste]

Yes, that's Code Red. If you see x.ida?AAAAAAAA, that is a vulnerability scanner from EEye Software which probes for the vulnerability but doesn't infect anything - used by net admins to hunt down vulnerable servers on their network - and also, it seems based on teh spike in x.ida hits I got last evening, used by people looking for seed hosts for Code Red round 2.

Good advertising for MS

[DrCode]

Sure, we in the Linux community think of this as another strike against Microsoft. But the way the news is being reported, the message to the general public is:

1. The internet is being threatened.
2. Microsoft is providing the fix.

Re:Oh, Phew...

[billh]

You have a low enough UID to have a clue, so I'm curious, why do you have Apache resolving IPs in the log? Low volume server, or maybe you know the magic to make the resolution fast enough for Apache not to care? (I'm assuming Apache, anyway).

I've been hit twice more since I started reading this story. 53 Code Red checks on my 16 IPs now. Heard from a couple of people with Cisco 678s, too. They aren't very happy today.

Oh, Phew...

[waldoj]

So I guess I don't have to worry about all of these in my logs, huh?

ool-18bf4a76.dyn.optonline.net - - [01/Aug/2001:12:01:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN[fucking lameness filter]NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%u cbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u53 1b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 332

Phew. Thanks guys. I'll just ignore those, then.

-Waldo

Re:It's not over.

[baptiste]

Some of this most widely used 'RESIDENTIAL' ie DSL routers on the Internet. The request causes the firmware to freeze in older firmware (the routers have embedded web servers in tehm for administration) SO its not going to cause backbone routers to go offline

Data integrity defences

[tjwhaynes]

You DOS a server, they move it to a different address. You format a hard disk, they restore from last nights backup but if you modify a couple of files here or there and If you reset the modification date then they won't even notice until all the backups are corrupt as well.

They now have to check *every* document, spreadsheet and database by hand to see if it's been modified and then try to find an unmodified version in the backup. It could get very nasty if the documents/spreadsheets/databases have *also* been updated legitimately in the meantime, mixing legitimate information with junk.

That's why you should be running an integrity checking system, such as Tripwire, to keep tabs on files which change on your system. Run in conjunction with something like LIDS where you can stop a file being editted while allowing log records to be appended, or where all your logs are sent to another machine as a backup (or even to a line-printer), you know precisely what has changed and when, regardless of the change dates.

Quite frankly, if the MD5sums on my files change without the dates changing, that's a pretty big hint that you have been compromised. Time to reach for the backups.

Cheers,

Toby Haynes

Re:Same Here

[stilwebm]

I talked to my parents last night who had both come to the conclusion that they could not connect to the internet (they have DSL) because AOL had shut down to avoid the worm. The funny thing was, it turned out the SirCam virus was responible for their scewed up TCP/IP stack.

Shouldn't answer a troll, but...

[Midnight+Ryder]

When was the last time your Microsoft Windows server lasted a week without re-booting? I know people who re-boot their machines daily, "just in case."

Been quite a while - the last 'reboot' was an unintentional shutdown due to hardware failure. It's been up 3 months since that failure - and no, it's not suseptable to the CodeRed worm, since I see no need to run unused services on my machine (in this case, the Index service is where the voulnerability is at - and it's turned ON by default.)

Code Red...unneeded hype.....

[Chanc_Gorkon]

Yeah the problem could have been serious if we all had our heads buried in the ground, but most of us, even the dumb ones have heard about this. In my town they even talked about it on Talk Radio. While I agree that there was some need for a warning/alert, I feel, because of the nature of the virus, there was TOO much hype.

Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may loose their life because they ignore the warning. They don't want to risk not issuing a warning, but if there's a possible severe storm heading our way, they want to make sure it's severe before issuing the warning (hence weather spotters, advancing NEXRAD and other things of this sort). If they just issued a warning for every cell that has a possiblity of being severe, then the poeple may dismiss a valid warning.

Why does this compare to the Code Red thing? If you hype the virus too much, if the attack is benign or doesn't happen, then when a real bad virus hits and spreads across the net, the people will ignore it and open the stupid attachment or not patch the computer. The media needs to start being responsible and until the media becomes less liberal and less concerned about getting ratings, we will have to live with over hypeness such as Y2K and the Code Red. And when the big one comes, because the media cried wolf so many times, the un-thinking populus will suffer. Also, there were people worrying about their PeeCee's at home when this thing has no danger to the common schlub running Windows 98 or ME. The worst that can happen to them is they have no access or slow access to the internet. The common schlub cares more about the price of gas on the corner then if his internet connection works. (I on the other hand would be freakin! ;) )

When are virus/worm writers going to get serious?

[Colin+Smith]

I mean, these DOS attacks are not really all that damaging. If you want to cause some damage then you alter a few words in word files and web pages, change a few numbers in spreadsheets and databases every few days.

Data *corruption* is far more damaging than blitzing a server or formatting a hard disk. It's where the real danger lies.

You DOS a server, they move it to a different address. You format a hard disk, they restore from last nights backup but if you modify a couple of files here or there and If you reset the modification date then they won't even notice until all the backups are corrupt as well.

They now have to check *every* document, spreadsheet and database by hand to see if it's been modified and then try to find an unmodified version in the backup. It could get very nasty if the documents/spreadsheets/databases have *also* been updated legitimately in the meantime, mixing legitimate information with junk.

So, I'm not worried about files being deleted or servers being DOSd. I have backups, I can move servers, it's a minor inconvenienience at worst.

I'm worried about trojans/worms which search boxes and *change* information.

Re:It is alive

[baptiste]

Which is strange - I thought CRv2 defaced the pages of english based sites - or were these non english based sites. Maybe this is a new variant that doesn't put the hacked by chinese page up - instead tosses the default page in (or doesn't do anything to the main page)? Also - many folks use virtual servers and forget to do anythign with the default server which an IP access will route to. No telling. BUt it would be interesting to see if a new variant is on teh loose.

Affects more than just IIS servers

[CausticPuppy]

How about this (admittedly cheesy) analogy...
Say there's some bug that causes all Hondas on the road to stop running. It only infects Hondas though. But that sure would create a traffic mess for everybody, including those that don't drive Hondas.
Now if thousands of IIS servers are clogging your ISP's routers, your Apache server would seem really slow to anybody trying to access it, if they can get there at all.

More media crapola

[Erbo]

This morning, David Coursey on ZDNet AnchorDesk is recommending that we guard against future "threats" like Code Red by setting up "national firewalls" and an Internet "border patrol" to ensure that THe Net will "become a real civil society in which rules matter and violators are punished."

I know that virtually everyone who reads this site will agree that this is a load of crap, so let me just summarize my reaction: "To save the Internet, it was necessary to destroy the Internet."

Eric

Re:Why?

[Alien54]

Because nobody at CNN has been infected with sircam yet.

Actually, Sircam is an agent for CNN, ABC, National Enquirer, etc.( and the other media.) Sircam is a reporters dream. All those gigabytes of confidential documents, being sent at random.

I wonder how many wind up in the hands of CNN, ABC, Fox, etc?

Same Here

[Delirium+Tremens]

My INCOMPETENT DSL provider (that whishes to remain Anonymous) has been severely hit by the worm. My 1500+ Mb/s connection has been down since July 20th, and I've been forced to put my old analog modem back to use, with its RELIABLE 56 Kbaud speed.

Thank you soooo much, Telocity!
Or is it DirectTvInternet, now?
(Oops, I said it...)

Why Code Red is hot and SirCam is old news

[selan]

• Users perceive SirCam as just another virus. User reaction: Silly me, I got another virus. When will I learn not to open attachments?
• On the other hand, users see Code Red as a scary worm. User reaction: Ohmiga, I got HACKED!
• The perception is that Code Red is an external threat, but SirCam is the fault of the users who open the attachment.

The good side effect of all the hype is that all those vulnerable servers out there are getting patched and more destructive worms won't use this vulnerability in the future. I think that's the real reason that security experts are hyping Code Red so much--they want people to patch their servers.

It's out there

[Rupert]

... but how fast is it spreading?

I don't think we'll know until at least tomorrow. Remember, this thing is going to stay in propagation mode for another 18 days.

I checked my Apache logs first thing this morning - nothing. Since 3pm UTC I've had a couple (one from China, one from Korea) of hits (compared with 19 last time). Asking around the office of others with home web servers, this seems typical, per IP address.

Premature Announcement...much?

[Julius+X]

I think that its WAY too early to be saying anything about Code Red yet. I dunno why the Washington Post, et. al. were making a so-called 8:00pm deadline...considering it wasn't supposed to start until the 1st anyway--not the 31st.

If we remember from last time, the spread didn't start to go insane until 1-2:00pm...which would make the net slow down right...about........now.