Slashdot Mirror


Code Red Goes The Way Of Y2K

beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?


  1. Worm Author's Restraint by Travis Fisher · · Score: 5, Interesting
    Has anyone stopped to notice how much restraint the worm writer is showing? Think a second. The person writing this thing was not an idiot. It required serious technical skills and probably a large investment of time and energy. Anyone who says "Oh, the worm author was so stupid for using a hard-coded IP address for whitehouse.gov" or "They must have been dumb to forget to seed their random number generator" is not looking carefully. The worm has always been carefully, purposefully shackled by its creator not to do too much harm. Did you read the eEye analysis? Or the CAIDA or Staniford statistical studies of the worm's spread? Some facts:
    • The first version of the worm appeared on July 13 or so.
      • It had an unseeded random number generator, so the IP's it scanned were a fixed sequence -- BUT it contained the code to seed the random number generator; this code was disabled.(*)
      • Its DoS attack was set to bomb a particular fixed IP address, AND not even send the bomb packets if that IP could not be reached
      • It contained code to deface web pages served, making its presence very visible well before the bombing attack was scheduled to take place
      • It contained code to deactivate its spread if a particular file (c:\notworm) was present.
      • It contained code to deactivate its spread after the "attack phase" began
    • On July 19, a second version was introduced.
      • The second version re-enabled the random number generating seed but was otherwise no less shackled than the first version.
      • This version spread exponentially, with growth finally being limited by the number of susceptible servers connected to the internet and the fact that it reached the time of the "attack phase"
      • This version infected over 359,000 hosts in under 14 hours.
    (*)I read this somewhere but can't relocate that source right now. The rest of the info comes directly from the sources linked above.

    The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained. More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com, there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small of a ratio to DoS all of them, but remember to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.

  2. Misunderstanding of the behavior of the worm... by igjeff · · Score: 5, Informative

    The trick is that so many of the so-called experts mis-understood the nature of the worm.

    Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.

    What is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased...too recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.

    So Cringely was somewhat right...while the systems with their clocks set wrong aren't inherently any greater of a danger than any other...they did allow the worm to go back into spread mode and become widespread again.

    Jeff

  3. NEW DATA [was Re:Geometric growth.] by baptiste · · Score: 3, Informative
    Finally got Incidents.org to respond, they posted new data (looks like the hours shifted though):
    • 11AM - 22,001
    • 12PM - 32,502
    • 1PM - 41,968

    SO not as explosive as expected BUT, we're already at just about 80,000 infected hosts and it's only 2PM! I'm sure there are PLENTY of vulnerable servers still out there. My 3 web servers have been hit 13 times so far. That's 3 IPs hit between 4 and 5 times each. Not huge, but for such a tiny IP section, scary all the same

  4. No, let it blow! by twitter · · Score: 3, Interesting
    Hush! Let this thing blow up and get as bad as it will. I'll suffer a few days of slow net service so that the world might learn how irresponsible MS is and how bad their wares are. Of course, even if this is fought tooth and nail, it will still show up how inferior a closed source, NDA distribution model really is. Leave MS to warn their people.

    Relax, all you MS sysadmins. Nothing Really Bad is going to happen. Just sit tight and all this will blow over, like Melissa did. Educate your users and continue upgrading to W2K. Sleep, now.

    --

    Friends don't help friends install M$ junk.

  5. A solution to the problem? by pongo000 · · Score: 3, Interesting
    For years, virii in the medical industry have been associated with people or places. So, the poor town of Coxsackie, NY has its place in history as the origin of the Coxsackie (hand-and-foot) virus. Drs. Epstein and Barr will forever be associated with the virulent virus that bears their name. Why not name computer viruses/worms/self-propagators after the systems for which they are targeted?

    We could talk about the Microsoft Sircam virus, or the Microsoft CodeRed worm, or even the Linux Ramen worm. Forever sear into the minds of the ever-forgetful public the platform which fell victim, PR which most companies and organizations will try valiantly to avoid.

  6. Re:Incidents.org mini-mirror by baptiste · · Score: 3, Insightful
    Well, be careful - the top table says 'Hosts Infected' which I take to mean 48,489 NEW hosts were infected that hour (the next hour is up and it's like 52,273 for 14:00-15:00 EDT)

    Why? The table below shows 115,568 hosts infected today. Funny part is the #'s don't add up - if you add the # of hosts for each hour in the table above you get close to 200K, not 115K - makes no sense at all.

    Actually, my guess is the top table shows how many infected hosts were SEEN during that hour and the table below highlights the total # of unique IPs infected since the start of the day?

  7. Yep. Gone with a whimper. by Tim Doran · · Score: 3, Interesting

    I got precisely one Code Red attack on my home linux box (via cable modem). Last time around, I had upwards of 25 attacks.

    Heard an interview with a Microsoft spokesperson this morning. Interesting how the terms 'Windows', 'NT', 'Windows 2000' and 'IIS' didn't come up once. Gotta protect those brands, I guess.

    (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

  8. It's only just started! by Dr_Cheeks · · Score: 4, Insightful
    Code Red propagates itself throughout the month until somewhere near the end (19th, IIRC) when it starts to attack whitehouse.gov.

    Remember; there was no major problem with Code Red until it was almost time for it to attack last time around because it hadn't infected enough hosts. This is not yet over and will get progressively worse throughout the month.

    That is, of course, assuming that Gibson was right yesterday when he said it will still be active....

    And don't start hyping sircam - I'm enjoying reading private documents ; )

    --

  9. Billions of dollars spent... by tonywestonuk · · Score: 4, Insightful

    And nothing happens!! - So, this means it was a waste of time/money patching up the servers then? As with Y2K, if the time/money wasn't spent sorting out the systems, things could have been as predicted.

    1. Re:Billions of dollars spent... by Lizard_King · · Score: 3, Informative

      this means it was a waste of time/money patching up the servers then?

      I can't think of a situation where it would be a waste of time (read money for you biz folks) to apply a patch to a server. Unless you think it takes less time ($$) to restore your machines or rebuild your machines if they get compromised.

      --
      "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
  10. MS NT/2000 buffer overflow vulnerabilities galore. by Anonymous Coward · · Score: 3, Interesting

    (To be fair, buffer overflows can happen to anybody, and it's not MS's fault that some sysadmins don't install updates. Just interesting to hear a real pro take charge of an interview.)

    NT/2000 are chock full of buffer overflow vulnerabilities. Some have no patches available. How many more exist that are yet to be discovered? These known ones establish a pretty poor reputation that is difficult to get rid of. See this article from BugTraq:

    BindView Security Advisory
    --------

    Multiple Remote DoS vulnerabilities in Microsoft DCE/RPC daemons
    Issue Date: July 30, 2001
    Contact: tsabin@razor.bindview.com

    Topic:
    Many Microsoft DCE/RPC servers are vulnerable to remote DoS attacks
    Overview:
    Many DCE/RPC servers don't do proper parameter validation, and can be crashed by sending an improperly formatted request.

    Affected Systems:

    At least the following services are known to be affected. More servers are likely to be vulnerable. For a complete list of what Microsoft has patched, see their security bulletin mentioned below.

    W2K SCM (services.exe)
    NT4 SCM (services.exe)
    NT4 LSA (lsass.exe)
    NT4 Endpoint mapper (Rpcss.exe)
    W2K Endpoint mapper (svchost.exe (fixed by ms00-066))
    SQL Server 7 (sqlservr.exe)
    W2K's DHCP Server
    W2K's IIS Server (inetinfo.exe)
    Exchange 5.5 SP3 (STORE.exe)
    Exchange 5.5 SP3 (MAD.exe)
    NT4 Spooler (spoolss.exe)
    W2K License Srv (llssrv.exe)
    NT4 License Srv (llssrv.exe)

    Impact:

    An unauthenticated remote attacker that can talk to the endpoint on which the server is listening can crash the server. In some cases, the servers may either restart themselves, or be restarted by the OS.

    Details:

    By sending successively larger and larger requests containing nothing but nulls to every operation on every interface supported by a DCE/RPC server, it's often possible to find a particular request that will crash a server. Note that it's not technically necessary to run through every possible request to crash a given server. Each server has a particular request (or requests) which crashes it. Once the proper request has been found by grinding through all the possibilities, only that request is needed to crash the server.

    The exact endpoints on which a server listens will vary from service to service. Many listen on named pipes, which are accessible via TCP port 139 or (on W2K) 445. Other services, e.g. Exchange, typically listen on both TCP and UDP ports above 1024. Those services which do not listen on named pipes can usually be enumerated via the endpoint mapper, using rpcdump. rpcdump comes with the NT resource kit. A free version is also available on the RAZOR web site in the rpctools package.

    If COM Internet Services has been installed and enabled, then these attacks may be possible over port 80, as well. This is not a default configuration, however.

    Workarounds:
    Firewall off as much as possible.

    Recommendations:
    Install the appropriate patches from Microsoft.
    Do not install COM Internet Services.

    References:
    Microsoft's security bulletin:
    http://www.microsoft.com/technet/security/bulletin/MS01-041.asp

    Microsoft's patches:
    The patches vary, depending upon the service.
    See the security bulletin for details.

    Microsoft's Knowledge Base article:
    http://support.microsoft.com/support/kb/articles/Q298/0/12.ASP
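    The advisory's root cause is servers that trust request fields without validating them, so a stream of ever-larger all-null requests eventually hits a field combination the code never checked. The following C program is an added example, not BindView's or Microsoft's code and not the real DCE/RPC encoding: it parses a small hypothetical length-prefixed request format with every field checked before use, and includes a defender-side regression check that feeds the same kind of all-null probe the advisory describes to confirm each one is rejected with an error code rather than reaching the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy wire format (constructed for this example, not the DCE/RPC encoding):
 *   bytes 0-1  operation number, big-endian
 *   bytes 2-3  declared payload length, big-endian
 *   bytes 4..  payload
 */
#define HDR_LEN      4
#define MAX_PAYLOAD  64
#define NUM_OPS      3

enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,   /* fewer bytes than a header */
    PARSE_BAD_OPNUM,      /* operation not on this interface */
    PARSE_TOO_LARGE,      /* declared length exceeds our buffer */
    PARSE_LEN_MISMATCH,   /* declared length disagrees with bytes received */
    PARSE_ARG_TOO_SHORT   /* payload too small for this operation's arguments */
};

struct request {
    uint16_t opnum;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

/* Minimum argument bytes each operation needs (hypothetical interface). */
static const uint16_t min_arg_len[NUM_OPS] = { 4, 1, 0 };

/* Validate every header field against both the buffer we hold and the
 * operation's own argument requirements before touching the payload. */
int parse_request(const uint8_t *buf, size_t buflen, struct request *out)
{
    if (buflen < HDR_LEN)
        return PARSE_SHORT_HEADER;
    uint16_t opnum = (uint16_t)((buf[0] << 8) | buf[1]);
    uint16_t len   = (uint16_t)((buf[2] << 8) | buf[3]);
    if (opnum >= NUM_OPS)
        return PARSE_BAD_OPNUM;
    if (len > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;
    if (buflen - HDR_LEN != len)
        return PARSE_LEN_MISMATCH;
    if (len < min_arg_len[opnum])
        return PARSE_ARG_TOO_SHORT;
    out->opnum = opnum;
    out->len = len;
    memcpy(out->payload, buf + HDR_LEN, len);
    return PARSE_OK;
}

/* Defender-side regression check mirroring the advisory's probe: feed all-zero
 * requests of every length 0..max_len and confirm each is rejected cleanly.
 * Returns 1 when every such request is refused, 0 if any is accepted. */
int all_null_requests_rejected(size_t max_len)
{
    uint8_t buf[1024] = { 0 };
    struct request req;
    if (max_len >= sizeof buf)
        max_len = sizeof buf - 1;
    for (size_t n = 0; n <= max_len; n++) {
        if (parse_request(buf, n, &req) == PARSE_OK)
            return 0;
    }
    return 1;
}

int main(void)
{
    uint8_t good[] = { 0x00, 0x01, 0x00, 0x04, 1, 2, 3, 4 };
    struct request req;
    printf("valid request -> %d\n", parse_request(good, sizeof good, &req));
    printf("all null requests up to 512 bytes rejected -> %d\n",
           all_null_requests_rejected(512));
    return 0;
}
```

    The per-operation minimum argument table is the part most real servers skip: a header that is internally consistent (length zero, zero bytes following) can still be meaningless for an operation that expects arguments, and that is the case an all-null probe exercises.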

  11. Re:I don't know about you by mike_the_kid · · Score: 5, Insightful
    This is not really a joke, though some will see it as MS bashing:

    Code Red would have started with about 200,000 existing infected machines, except that:
    • How many of those unpatched 2000 / NT boxes do you think have been up for the whole time since the worm went into remission? Remember rebooting will remove the worm from memory (though you would probably eventually be reinfected.)
    • If any 2000 box is not being kept up to date on its patches and is running IIS, what do you think its uptime is going to be like? I say not good.

    It will not stop the worm from growing, but it will play a role in controlling the code red.

    If this incarnation of the worm were really malicious, it would try more than 100 addresses. (though incident.org said that the rng in the latest version is stronger). A relatively benign worm like this is better for the weak sysadmins in the long run, because otherwise they would not have known of this relatively simple security hole.
    --
    Troll Like a Champion Today
  12. No one is talking about SirCam by wiredog · · Score: 5, Funny

    Because we, and the press, like getting all those juicy documents from Senator X, Company Y, and Miss (or Mr) Hot Pants in Marketing at BigCorp Intl. If we started raising hell about SirCam, the flow would dry up and we'd have to go back to work.

  13. More graphs by Mike Hicks · · Score: 4, Informative

    For those of you who like pretty graphs, look at caida's nearly-live graphs: [normal scale] [logarithmic scale]

  14. Re:I don't know about you by LinuxHam · · Score: 5, Informative

    At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there

    This was proven to be untrue by the 31st. I scored a 5, Insightful mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!

    During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.

    Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the y2k problems, but that's for another post. :)

    --
    Intelligent Life on Earth
  15. OK - it doesn't add up! [was Re:NEW DATA] by baptiste · · Score: 3, Insightful

    OK - I'm confused. Incidents.org is finally recovering from the /.ing it got this morning. The data on top tracking by hour now says there were 48,489 infected hosts from 1-2 EDT (up from 41,968 the hour before) But the 'Total Infections Today' in the table below says 99,716. So what gives. If the upper table is showing how many infections happened in a given hour (ie the total isn't 48K, but 48K NEW infections happened), it still doesn't add up. Adding all the hourly totals gives you 177,591 infected hosts, not 99,716. It doesn't make sense....
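    The discrepancy puzzled over in this comment and in the earlier "Incidents.org mini-mirror" comment has a simple arithmetic explanation if the hourly table counts distinct sources seen in each hour while the daily figure counts unique sources for the whole day: a host that scans in several hours is counted once per hour but once per day. The script below is an added example (not incidents.org's code, and the log lines are constructed, not real sensor data) that computes both figures from a small probe log and shows the gap equals the number of extra hours in which repeat hosts were seen.

```python
from collections import defaultdict

# Constructed sample sensor log (not real incidents.org data): one line per probe
# seen, "YYYY-MM-DD HH:MM:SS source_ip". The same source may appear in several hours.
SAMPLE_LOG = """\
2001-08-01 11:03:12 10.1.1.5
2001-08-01 11:17:40 10.1.1.9
2001-08-01 11:58:01 10.1.2.20
2001-08-01 12:02:33 10.1.1.9
2001-08-01 12:10:10 10.1.2.20
2001-08-01 12:44:05 10.3.0.7
2001-08-01 12:45:00 10.3.0.7
2001-08-01 13:01:59 10.1.1.5
2001-08-01 13:20:12 10.4.4.4
2001-08-01 13:21:13 10.1.1.9
"""


def parse_log(text):
    """Return a list of (hour, source_ip) tuples, one per logged probe."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _date, clock, ip = line.split()
        events.append((int(clock.split(":")[0]), ip))
    return events


def hosts_seen_per_hour(events):
    """Distinct sources per hour: what an hourly 'Hosts Infected' table most likely counts."""
    per_hour = defaultdict(set)
    for hour, ip in events:
        per_hour[hour].add(ip)
    return {hour: len(ips) for hour, ips in sorted(per_hour.items())}


def unique_hosts_today(events):
    """Unique sources over the whole day: what a 'Total Infections Today' figure most likely counts."""
    return len({ip for _hour, ip in events})


def reconcile(events):
    """Explain the gap between the summed hourly counts and the unique daily total.

    A source seen in k different hours adds k to the hourly sum but 1 to the
    unique total, so the gap must equal sum(k - 1) over all sources.
    """
    hourly = hosts_seen_per_hour(events)
    hourly_sum = sum(hourly.values())
    unique = unique_hosts_today(events)
    hours_by_ip = defaultdict(set)
    for hour, ip in events:
        hours_by_ip[ip].add(hour)
    double_counted = sum(len(hours) - 1 for hours in hours_by_ip.values())
    return {
        "hourly": hourly,
        "hourly_sum": hourly_sum,
        "unique_total": unique,
        "double_counted": double_counted,
        "consistent": hourly_sum - unique == double_counted,
    }


if __name__ == "__main__":
    for key, value in reconcile(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

    On the constructed log the hourly table reads 3, 3, 3 (sum 9) while only 5 unique sources were seen all day; the difference of 4 is exactly the extra hours in which the three repeat scanners showed up. Summing an hourly "hosts seen" column therefore always overstates the day's unique infections, which is the behaviour both comments observed.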

  16. But what about the media? by Aerog · · Score: 5, Insightful

    The question is, why is it that Code Red was trumpeted as the "End of the entire Internet as It Is", with no mention that it only affects MS IIS servers. The news story I heard made no mention of the systems affected, simply summarizing it as "Webservers everywhere". No, this isn't intended to be Microsoft-bashing, but what would have been the situation had it gone off and the world realized that only a certain server configuration was affected? Would that have been glossed over in the same way that the vulnerability was?

    It's just like Y2K. It's a problem that is basically centred around a specific flaw that is NOT present in all computers, yet trumpeted by the media as "The Be All and End All" of computer problems "destined to destroy our information-superhighway society". Yet, when you look into it, it's not as large as it's supposed to be. Could this be the reason that the vast majority of the population is afraid to click the mouse too fast in fear that they "break" their computer?

    --

    - Relativistic? That's barely Newtonian!
  17. Re:Affects more than just IIS servers by daviddennis · · Score: 5, Insightful

    Yes, but you can bet it would be a horrible public relations disaster for Honda.

    This deserves to be the same for Microsoft, for exactly the same reason.

    D

  18. Code Red...unneeded hype..... by Chanc_Gorkon · · Score: 3, Insightful
    Yeah the problem could have been serious if we all had our heads buried in the ground, but most of us, even the dumb ones have heard about this. In my town they even talked about it on Talk Radio. While I agree that there was some need for a warning/alert, I feel, because of the nature of the virus, there was TOO much hype.

    Ever hear the weather service worry about issuing a warning when one was not needed? You do. Why do they worry about it? The answer is because when a warning REALLY needs to be issued and that F5 tornado IS on the ground, people may lose their life because they ignore the warning. They don't want to risk not issuing a warning, but if there's a possible severe storm heading our way, they want to make sure it's severe before issuing the warning (hence weather spotters, advancing NEXRAD and other things of this sort). If they just issued a warning for every cell that has a possibility of being severe, then the people may dismiss a valid warning.

    Why does this compare to the Code Red thing? If you hype the virus too much, if the attack is benign or doesn't happen, then when a real bad virus hits and spreads across the net, the people will ignore it and open the stupid attachment or not patch the computer. The media needs to start being responsible and until the media becomes less liberal and less concerned about getting ratings, we will have to live with over-hypeness such as Y2K and the Code Red. And when the big one comes, because the media cried wolf so many times, the un-thinking populace will suffer. Also, there were people worrying about their PeeCee's at home when this thing has no danger to the common schlub running Windows 98 or ME. The worst that can happen to them is they have no access or slow access to the internet. The common schlub cares more about the price of gas on the corner than if his internet connection works. (I on the other hand would be freakin! ;) )

    --

    Gorkman

  19. When are virus/worm writers going to get serious? by Colin Smith · · Score: 3, Insightful

    I mean, these DOS attacks are not really all that damaging. If you want to cause some damage then you alter a few words in word files and web pages, change a few numbers in spreadsheets and databases every few days.

    Data *corruption* is far more damaging than blitzing a server or formatting a hard disk. It's where the real danger lies.

    You DOS a server, they move it to a different address. You format a hard disk, they restore from last night's backup, but if you modify a couple of files here or there and if you reset the modification date then they won't even notice until all the backups are corrupt as well.

    They now have to check *every* document, spreadsheet and database by hand to see if it's been modified and then try to find an unmodified version in the backup. It could get very nasty if the documents/spreadsheets/databases have *also* been updated legitimately in the meantime, mixing legitimate information with junk.

    So, I'm not worried about files being deleted or servers being DOSd. I have backups, I can move servers, it's a minor inconvenience at worst.

    I'm worried about trojans/worms which search boxes and *change* information.

    --
    Deleted
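    The silent-modification scenario above defeats any check that relies on modification dates, since the attacker resets them, but it cannot defeat a content hash recorded before the tampering. The script below is an added example (not code from the comment's author) of that defence: it records a SHA-256 baseline for a directory tree, then reports a file whose content changed even though its mtime was put back to the original value. The files, their contents and the tampering are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file's content in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record content hash and mtime of every regular file under root (paths relative to root)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.stat(full)
            manifest[rel] = {"sha256": sha256_file(full), "mtime_ns": st.st_mtime_ns}
    return manifest


def verify(root, manifest):
    """Compare the tree against a stored manifest.

    Returns a sorted list of findings:
      ("modified", path, mtime_changed)  content differs; flag says whether mtime moved too
      ("missing", path, None)            file in manifest no longer present
      ("new", path, None)                file present that the manifest never saw
    A "modified" finding with mtime_changed == False is the case the comment describes:
    content rewritten and the timestamp restored.
    """
    findings = []
    current = build_manifest(root)
    for rel, rec in manifest.items():
        if rel not in current:
            findings.append(("missing", rel, None))
        elif current[rel]["sha256"] != rec["sha256"]:
            findings.append(("modified", rel, current[rel]["mtime_ns"] != rec["mtime_ns"]))
    for rel in current:
        if rel not in manifest:
            findings.append(("new", rel, None))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline two files, then alter a number in one and put its mtime back."""
    with tempfile.TemporaryDirectory() as root:
        report = os.path.join(root, "report.txt")
        with open(report, "w") as f:
            f.write("Q3 revenue: 1200\n")
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("nothing to see\n")
        baseline = build_manifest(root)
        clean = verify(root, baseline)          # untouched tree: expect no findings
        st = os.stat(report)
        with open(report, "w") as f:
            f.write("Q3 revenue: 1800\n")       # silent edit of a single number
        os.utime(report, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the timestamp
        return {"clean": clean, "after_tamper": verify(root, baseline)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The baseline must live somewhere the same attacker cannot rewrite (read-only media, a separate host, or a signed manifest), otherwise it is only as trustworthy as the files it describes. Keeping a dated series of manifests also answers the comment's backup problem: the first manifest whose hash differs tells you which backup generation still holds the clean copy.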
  20. Affects more than just IIS servers by CausticPuppy · · Score: 5, Insightful

    How about this (admittedly cheesy) analogy...
    Say there's some bug that causes all Hondas on the road to stop running. It only infects Hondas though. But that sure would create a traffic mess for everybody, including those that don't drive Hondas.
    Now if thousands of IIS servers are clogging your ISP's routers, your Apache server would seem really slow to anybody trying to access it, if they can get there at all.

    --
    -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know