Slashdot Mirror

← Back to Stories (view on slashdot.org)

Code Red Goes The Way Of Y2K

Posted by timothy on from the code-blue dept.

beanerspace writes: "In spite of Michael Hyatt-like hype, the Washington Post now reports that the 8pm EST deadline for the Code Red worm came and went without grinding the internet to a halt. Darn, I was sorta hoping it would so I could take the day off and go fishing." Why is it that Code Red gets the trumpets and klaxons, while Sircam continues to spread private documents(!) with considerably less attention? Update: 08/01 03:41 PM by T : On the other hand, incidents.org's graph shows a different picture of Code Red's progress, as several readers have pointed out. That's a pretty little curve there, isn't it?

11 of 407 comments (clear)

  1. Worm Author's Restraint by Travis+Fisher · · Score: 5, Interesting
    Has anyone stopped to notice how much restraint the worm writer is showing? Think a second. The person writing this thing was not an idiot. It required serious technical skills and probably a large investment of time and energy. Anyone who says "Oh, the worm author was so stupid for using a hard-coded IP addresss for whitehouse.gov" or "They must have been dumb to forget to seed their random number generator" is not looking carefully. The worm has always been carefully, purposefully shackled by its creator not to do too much harm. Did you read the eEye analysis? Or the CAIDA or Staniford stastical studies of the worm's spread? Some facts:
    • The first version of the worm appeared on July 13 or so.
      • It had an unseeded random number generator, so the IP's it scanned were a fixed sequence -- BUT it contained the code to seed the random number generator; this code was disabled.(*)
      • Its DoS attack was set to bomb a particular fixed IP address, AND not even send the bomb packets if that IP could not be reached
      • It contained code to deface web pages served making its presence very visable well before the bombing attack was scheduled to take place
      • It contained code to deactivate its spread if a particular file (c:\notworm) was present.
      • It contained code to deactivate its spread after the "attack phase" began
    • On July 19, a second version was introduced.
      • The second version re-enabled the random number generating seed but was otherwise no less shackled than the first version.
      • This version spread exponentially, with growth finally being limited by the number of susceptible servers connected to the internet and the fact that it reached the time of the "attack phase"
      • This version infected over 359,000 hosts in under 14 hours.
    (*)I read this somewhere but can't relocate that source right now. The rest of the info comes directly from the sources linked above.

    The point? The worm author has carefully controlled the attack to cause alarm but not do real damage. When the initial version failed to cause serious alarm, it was loosened slightly from its shackles but still extremely restrained. More to the point? If the worm author -- or anyone else among the thousands with the technical skills to do so -- chose to, they could DoS basically the whole internet. According to netsizer.com, there are about 121 million internet hosts right now, so that gives a ratio of 1 infected computer to 300 hosts. That sounds like too small of a ratio to DoS all of them, but remember to shut things down all that has to happen is to saturate bandwidth, not overload servers. The only reason we're using the net happily today is that the worm author and others with those skills choose to restrain themselves.

  2. Misunderstanding of the behavior of the worm... by igjeff · · Score: 5, Informative

    The trick is that so many of the so-called experts mis-understood the nature of the worm.

    Once the worm went dormant, it stays dormant. So all of the worm infections that were out there as of July 19th were not a threat.

    What is is a threat is the possibility of the worm beginning to spread again, which is exactly what is happening. Within the past few hours, attempts have increased...to recently for the media to have picked up on it yet, but it is happening, the growth rate is exponential, just like July 19th, and it will get to be a significant problem within a matter of hours.

    So Cringley was somewhat right...while the systems with their clocks set wrong aren't inherently any greater of a danger than any other...they did allow the worm to go back into spread mode and become widespread again.

    Jeff

  3. It's only just started! by Dr_Cheeks · · Score: 4, Insightful
    Code Red propagates itself throughout the month until somewhere near the end (19th, IIRC) when it starts to attack whitehouse.gov.

    Remember; there was no major problem with Code Red until it was almost time for it to attack last time around because it hadn't infected enough hosts. This is not yet over and will get progressively worse throughout the month.

    That is, of course, assuming that Gibson was right yesterday when he said it will still be active....

    And don't start hyping sircam - I'm enjoying reading private documents ; )

    --

  4. Billions of dollars spent... by tonywestonuk · · Score: 4, Insightful

    And nothing happens!! - So, this means it was a waste of time/money patching up the servers then? As with Y2k, If the time/money wasn't spent sorting out the systems, things could have been as predicted.

  5. Re:I don't know about you by mike_the_kid · · Score: 5, Insightful
    This is not really a joke, though some will see it as MS bashing:

    Code Red would have started with about 200,000 existing infected machines, except that:
    • How many of those upatched 2000 / NT boxes do you think have been up for the whole time since the worm went into remission? Remember rebooting will remove the worm from memory (though you would probably eventually be reinfected.)
    • If any 2000 box is not being kept up to date on its patches and is running IIS, what do you think its uptime is going to be like? I say not good.

    It will not stop the worm from growing, but it will play a role in controlling the code red.

    If this incarnation of the worm were really malicious, it would try more than 100 addresses. (though incident.org said that the rng in the latest version is stronger). A relatively benign worm like this is better for the weak sysadmins in the long run, because otherwise they would not have known of this relatively simple security hole.
    --
    Troll Like a Champion Today
  6. No one is talking about SirCam by wiredog · · Score: 5, Funny

    Because we, and the press, like getting all those juicy documents from Senator X, Company Y, and Miss (or Mr) Hot Pants in Marketing at BigCorp Intl. If we started raising hell about SirCam, the flow would dry up and we'd have to go back to work.

    --

    Best Slashdot Co
  7. More graphs by Mike+Hicks · · Score: 4, Informative

    For those of you who like pretty graphs, look at caida's nearly-live graphs: [normal scale] [logarithmic scale]

  8. Re:I don't know about you by LinuxHam · · Score: 5, Informative

    At the beginning of this month, Code Red is supposed to start out with about 200,000 existing infected, unpatched machines and grow from there

    This was proven to be untrue by the 31st. I scored a 5, Insightful mentioning this on July 23rd, but by the end of the month the security firms had tried repeatedly to move clocks forward and to get the worm to reawaken, but it *never did*. Therefore, all the hype was unwarranted with respect to 8PM ON TUESDAY, TUESDAY TUESDAY!!

    During the first infection it took 6 days to get to 359,000 hosts, not 12 hours like CNN would say. If you check incidents.org, you'll see that 22,000 new infections have already happened by 11am ET on the 1st. While it's not as bad as you and I thought it was going to be.. restarting with 200,000 infected hosts, it is BY NO MEANS over.

    Please people, do NOT jump the gun, comparing this to Y2K. Besides, I think all the media coverage helped thwart all the y2k problems, but that's for another post. :)

    --
    Intelligent Life on Earth
  9. But what about the media? by Aerog · · Score: 5, Insightful

    The question is, why is it that Code Red was trumpeted as the "End of the entire Internet as It Is", with no mention that it only affects MS IIS servers. The news story I heard made no mention of the systems affected, simply summarizing it as "Webservers everywhere". No, this isn't intended to be Microsoft-bashing, but what would have been the situation had it gone off and the world realized that only a certain server configuration was affected? Would that have been glossed over in the same way that the vulnerablilty was?

    It's just like Y2K. It's a problem that is basically centred around a specific flaw that is NOT present in all computers, yet trupmeted by the media as "The Be All and End All" of computer problems "destined to destroy our information-superhighway society". Yet, when you look into it, it's not as large as it's supposed to be. Could this be the reason that the vast majority of the population is afraid to click the mouse too fast in fear that they "break" their computer?

    --

    - Relativistic? That's barely Newtonian!
  10. Re:Affects more than just IIS servers by daviddennis · · Score: 5, Insightful

    Yes, but you can bet it would be a horrible public relations disaster for Honda.

    This deserves to be the same for Microsoft, for exactly the same reason.

    D

  11. Affects more than just IIS servers by CausticPuppy · · Score: 5, Insightful

    How about this (admittedly cheesy) analogy...
    Say there's some bug that causes all Hondas on the road to stop running. It only infects Hondas though. But that sure would create a traffic mess for everybody, including those that don't drive Hondas.
    Now if thousands of IIS servers are clogging your ISP's routers, your Apache server would seem really slow to anybody trying to access it, if they can get there at all.

    --
    -CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know