Slashdot Mirror
Code Red Reporting That Doesn't Suck
marvin tph writes "The results are in: Time.com is the first mainstream news source to write an intelligent article on story Code Red. With all the big guys telling people that we've only seen the eye of the storm its nice to see someone get it right."
"sadly untypical security flaw".
Yeah, that still has me scratching my head.
I liked the story on saw yesterday on the BBC Sci-Tech web site (which I can't find today) which said that because Code Red goes away if you reboot, and because IIS is so much more unstable than other web servers, the spread has been slowed because of how often people have to reboot their servers anyway.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
This is the nature of worms: they advertise exactly what is vulnerable, and advertise exactly how they're vulnerable.
Agreed. I have 71 hits over the last 3 days, many more than the first outbreak. 19 on wednesday, 33 yesterday and 19 so far today (10:40 Eastern).
Maybe the thing is getting through its random IP generation faster??
I don't have time to patch my servers against code red!
I'm too damned busy reply to all of my email. You'd never believe how many people have been sending me files asking for my advise!
Prevent linux based DDOS's!
http://linux.denialofservice.org/
In the UK, this time of year is sometimes refered to as "The Silly Season" in the media.
All the poloticians are away on summer holidays.... most of the decent journalists take a break aswell. This leaves the papers a little thin on decent news (er, like, theres nothing happening in the world at all. honest guv. No civil war in sri lanka. No erupting volcano on sicily. No siree). Basically, its the time of year when two-bit journalists regurgitate 2-week old stories, and the papers are full of "and-finally" articles....
If you had a worm that propogated through the DNS servers on the net, then at some point activated to disrupt the DNS services, that would come about as close to bringing the net down as you could get, for practical purposes. Between Bind and Windows DNS, you could do some real damage. So while I agree that the media coverage of Code Red was pretty sensationalized, I don't think that the net at large is all that invulnerable.
Hot Damn! It's the Soggy Bottom Boys!
According to the Beeb current thinking is that a train crash in a tunnel caused a fire which damaged data cables used by ISPs which were in the tunnel, which caused the slowdown, not Code Red at all.
Let's look at the incentives for someone at Microsoft releasing the worm:
1. Instead of looking foolish because they have a bug in their software, they look like the hero who fights off an internet threatening hacker. (cough, cough)
2. Microsoft gets a lot of visibility with the government.
I'm sure there are more, and it's probably a stretch, but makes a good conspiracy theory.
"The best laid plans of mice and men gang oft agley..." - ROBERT BURNS
Gee, just a massive DDoS against the US Government. Yeah, not malicious at all. I mean, even if you think this is a worthy social goal, you'd have to honestly believe your audience is a bunch of morons (ok, we are talking about Time magazine here, but still) to say that with a straight face.
What they need is a source that dumbs things down enough to be broadcast on your local Fox afilliate while still keeping it accurate. Soundbite-friendly, not very technical, clear about the details. Most people don't know what you're talking about if you say "IIS vulnerability", but if you say "The Code Red Virus will hack the internet" then most people can get a handle on that.
It's not just about hype - it's lack of understanding. Anchors aren't good at telling people something when they don't understand it themselves, so it needs to be explained to them.
I, unfortunately, already have hardly any free time to start up a site providing a service like this, but I'd be willing to contribute to someone else's - anyone up for it?
Anyone know of a site that gives a good technical explanation of the worm? I'd like to know if it shows up as a process of its own or if it is part of the IIS process. Also, can it be killed without a reboot. What about if you received two separate probes (potential infections)? Would you have two processes trying to spread the worm?
How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
There was this article in the Baltimore Sun.
It's true.
There's an interactive version of the map too !
-- unix is for people without a social life - Patrick van Eijk
To my surprise, I found another good article about Code Red on BBC News Online:
BBC News | SCI-TECH | Code Red 'was never a threat'
At long last, people actually see that Code Red is just an IIS worm exploiting an IIS bug that was fixed two months ago! It quotes Graham Cluley of Sophos, one of the most clued in people in the antivirus companies.
Unpatched systems are not just a problem in the Microsoft world, of course: remember all the Sendmail 8.6 and SMI-SVR4 and 8.8 (nasty buffer overflow/relaying/take your pick) installations or old versions of BIND or Apache that litter the Net, and sigh. Microsoft had a patch out within days of the vulnerability getting posted to bugtraq, and all the open source products would do the same - or release a new version.
Admins that don't keep up with patches or new versions are the real problem here - that's why we have so many open relays, or rooted RedHat 6.x machines. Does linuxconf still make open relays by default? It did for a long time.
The ineffable rubbishness of IIS does need to be taken into account here - I'd rather use Apache. However, admins that don't keep up with the security patches mailing list (or bugtraq) for NT or Linux or xBSD or anything is in serious danger of being rooted whenever anything like Code Red or the Morris worm or just your neighbourhood script kiddie comes along. And that is a seriously bad thing.
I have a DSL line and windows 98 which is protected by ZoneAlarm.
Over the last 2 days 90% of the attempted accesses to my machine are to the HTTP port, whereas a month a go I can't remember see these type of alerts.
Something surely is brewing
You don't find it ironic to complain about this on *Slashdot*, do you?
b.
--
"Just believe everything I tell you, and it will all be very, very simple."
Is /. the only news site that covers the SirCam virus? I actually got a copy of the damn thing the other day, and I'm glad I don't use Outlook. I'm also glad that I had a resource like /. to tell me what it looked like before I got the damned thing. The mainstream media needs to look more at a virus that DOES affect the casual MS user (95/98/ME) instead of an NT-based worm like Code Red that falls flat on it's face.
Blog Prophyts - Right On, Man
Code Red is getting sensationalized partly because of the suggestion that it came from China. The media desperately wants to make a big deal out of the so-called "war" between US and Chinese hackers, but they're thwarted by the fact that nothing much has actually happened.
Was the story hyped by newsmakers and others who would benefit from such an event? Probably. Was anyone harmed by the hype? No (unless you count late-night patching). If anything, it got sysadmins everywhere into action to fix a hole that could have resulted in a real problem
kill_9_1
Code Red is providing a convenient excuse to the feds to call for further regulation of the internet.
"Our economy DEPENDS on the internet!" they'll cry. "We can't let our country be reduced to rubble by some malicious hacker!"
And of course the press buys right into it. The DMCA, bills to punish users of school networks and computers, laws with stricter penalties for hackers than murderers... expect it to accelerate. Worms like Code Red just give the feds the ammunition they need in the court of public opinion.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
For my money (or lackthereof), and i hate to jump on the bandwagon and mention linux in every /. story, the real living, breathing OS is not windoze...I'll go for an OS that is constantly improving itself.
Anyway, i dont really buy the point because it's like finding somebody with no white-blood cells and sending them out to get a cold, and afterwards saying that it was a good thing for them to go to the hospital.
My two sense(s).
|---------------|
practically an AC
Consider the following scenario: a new worn, let's call it Code Blue, exploits the same security hole as Code Red. However, rather than attacking randomly any IP address, it would first just sit there and wait. As soon as it got a probe from the original Code Red (which statistically happens about 3 times per hour), it would "fight back" by infecting the attacking machine and replacing Red with Blue. The newly infected machine would behave similarly.
After about 11 hours of propagation, the new worm would have infected a significant percentage of the vulnerable machines, without revealing its presence in an obvious way. It would only attack machines which are known vulnerable (and hence probably badly maintained), and probability of anybody noticing would be incredibly small. Then after, some twenty hours, it would start to do some fun stuff...
From the BBC's news page about codered :
"What might also hamper the ability of the virus to spread is the relative unreliability of Microsoft web servers.
The Code Red virus lurks in the memory of a web server and is cleared when the computer is rebooted.
As Microsoft servers crash more often than many of their counterparts, this might limit the spread of the malicious code. "
yes, www.dotcomforwardslash.com is my real URL.
Plain and simple, the reason that these worms/viruses/etc get so much media attention is that the general public is, more or less, ignorant about what goes on underneath that box that gives them their email. Hence, they hear something that makes the investment they have made into this email fetching device seem not so secure, and panic. The media lives and dies on this sort of story. Y2K anyone? It's a pure and simple ratings bid, and actual substance is immaterial in technological issues, since little of their audience would understand it in the first place. Furthermore, a catchy name like Code Red is ripe for a media blitz!
Root DOWN
grep what -i sed?
nobody (statistically) really cares - for that matter, 99% of the population has no reason to care about code red anyway. SirCam should be getting the attention, but "Code Red" has a much more sensational name. Hence, the media blows it out of proportion
I want transparency effects. I want so much transparency, I can see the back of my monitor! http://www.andrew.cmu.edu/
Its saddening to say this:
The machine in question is merely a poor attempt to replicate the Marketing Department of a certain monopoly to make people think Bushie is a smart cookie. Marketing attempting to make people think this company's sotware is the only smart way to do business. If you hadn't noticed he similarites think about it, it's frightening.
However, just because the pages imply that it is the Government doesn't mean it actually *is* the government.
If We the people would wake up & read the foundations of our government we would realize *WE* are the government & if we don't like what's going on we are obligated to *change* what we don't like.
Too many laws are on the books, so it's back to basics for me.
But I digress...
Your complaints about being offended offend me.
A machine at a research lab at school runs apache. In the access_log, from July 18-20, it had 18 attempts from a Code Red infected machine to spread the worm. (Naturally the attempt fails, cuz it's apache) But from August 1st through 'til about 9pm (EDT) last night (Aug 2), 36 attempts. So the question is - If the worm is spreading slower, why is it this one system has had more attempts of spreading this time around than the first?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Smoke on the water.
Hacked by Metal Heads.
What is pirate software? Software for inventory of stolen treasure?
From everything I've read about such programs, you'd have to be careful that the dominant "species" didn't become the one that could pretend that it had infected a bunch of systems....
---- I made the Kessel Run in under 11 parsecs.
i dont mean to be a bitch or anything like that, but to enter the eye of a storm you have to either pass through the eye wall (where the storm is strongest), or fall out of the sky (which i hear also sucks without the proper prep). just so you know
On Aug. 1, my cable modem-based site registered 7 hits from Code Red-infected machines.
On Aug. 2, there were 32 hits.
As of 8:37 AM EDT on Aug. 3, there have been 19 hits - more than half of yesterday's total in just over 1/3 of the time.
Average time between hits (eyeball guess) is 0.5 hours, and will probably decrease by the day.
I'm going away for the weekend. I wonder what those hit totals will look like come Monday night.
Code Red may not cause any trouble to the White House, but I don't think many people will be laughing in, say, 1.5 weeks if hit counts (and, by extension, infections) continue to increase at their current rate, or on the 21st when it tries launching another DDoS.
Someday, you're going to die. Get over it.
Finally, someone rational talks about code red. I really enjoyed reading the useful information that was in this article, even though there was some babble to go with it. Now I just want to know where the other news sources got the "billions of dollars of damage" information from. Maybe this was all just a big scheme by the government to hide a bunch of money going into secret research projects. You know, like the $20k toilet and the $50k hammer...
~ now you know
Do you still believe in virus alerts you find on mainstream media? or is it hidden just y2k-syndrome bubbling to the surface of nothing?
"Love, work and knowledge are the well-springs of our life. They should also govern it." - W. Reich
IIS stands for Internet Information Services - that includes FTP and HTTP. IIS is usually used as a webserver, but you can also use it as a FTP server and various other servers, all through the same "friendly" interface. You can install IIS without the webserver and with various other interfaces.
My install of Win2K (hey, I'm at work, writing ASPs - it's a paycheck, layoff) has the following IIS options:
IIS is just Microsofts server platform, it isn't just a webserver - that's why you have to install it with a FTP server - it contains some core files along with pretty graphical management software. If it helps, think of it like inetd - it also does configuration and other management "stuff." (I'm not sure exactly what the "Common Files" are and what they do - I think they're mainly the configuration/management utilities though.)
You are in a maze of twisty little relative jumps, all alike.
Did anyone else notice that Chris Taylor could be the offspring of Chairman Mao and Robin Williams?
The word 'columnist' (communist) on a red background only enhanced the illusion.
Why is it that many people who claim to support standards have such atrocious spelling and grammar?
Finally, a news article that was not innacurate or written specifically to cause panic. I don't know how many average people will read this article but I hope quite a few do. The more of these truthful (a nasty word in most of the press) articles the better, in fact I would encourage all of you to write to this man thnaking him for the article and to link to the page if you have a website. Maybe if he gets enough positive mail, and the page gets enough hits, Time will let him write more major articles. A little truth in the press can't hurt Linux or the Open Source movement.
"
Good ol' evolution. Once such Virii become frequent, the anti-virii people will need to code intelligent agents that can recognize a virus based upon its components. Instead of exact signatures we need intelligent pattern matching. For these kinds of virii, a signature might be
if it has 6 or more of the following components, then it might be a virus.
Also, frequency counts (and the like) on structures in the code might come in handy. Has anyone ever done freq counts on code structures and come up with general templates for network apps vs word processors, spreadsheets vs video games, virii vs non-virii ? I think i know what i'm going to do for the rest of the day instead of working...
-f
www.blackant.net
The author obviously wasn't a script kiddie. It takes a good amount of brains to code that little beast.
It was obviously a warning. It was not a perlscript that did some silly exploit, it was a hand crafted and well designed virus that did what it was supposed to do, scare the shit out of us.
--
"For Microsoft, this was the kind of publicity you just can't buy. ... they also had their name inextricably linked with the well-being of the Internet itself"
This is quite an interesting point that Taylor makes. The FUD-monster in the back of my mind is thinking up future scenarios where Microsoft could privately release worms/virii to rally support from the public.
I'm just waiting for the next major worm to have pop-up ads.
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
A worm can't take a big chunk of the Internet down. A lowly backhoe, on the other hand...
It's at http://www.security.nl/misc/codered-stats/kaart.jp g.
-- unix is for people without a social life - Patrick van Eijk
Exactly.. I can't believe how many 'general press' outlets are playing up this concept that Microsoft will save the Internet. One would think since the press likes to focus so much on negativism, that they would actually say something along the lines of "after 25 years of the Internet, Microsoft threatens its existence 15 times in six years". Particularly since AOL/TW *is* so much of the press.
Intelligent Life on Earth
With all the media coverage one should think that the affected server should be fixed by now... However, I'm still getting hit a few dozen times oer day. (Not that I'm running any version of IIS :-)
Are you serious? This was the computing equivelant of Jon Katz covering, uhmmm, Cats. Sure, it made the Feds look like the miserable, inept, slugs that they've made themselves out to be, but it didn't offer any answers. Anyone can go on a tyrade making a mockery of any suit and pseudo-suit, I do it all the time, as a matter of fact. . .
Whoa, uhmmm, scratch everything after the start of the little gray box up there.
"From of old, there are not lacking things that have attained Oneness." - Lao Tzu
Why the media picked Code Red (maybe it was the name... Mountain Dew has been getting alot of pr... hmm... conspiracy??? ;-)), over sircam is beyond me. Lets see...
Code Red only affects windows 2k... and only windows 2k thats running IIS. Thats not a very sizable market.
Sircam affects anyone too stupid to be careful (which is pretty sizable... just think about how dumb the average person is and remember that 50% of the population is stupider than that).
Ironically has anyone noticed that its the the virus,worms,etc that are aimed at people that cause more damage than those aimed at the technology (if you call windows that). Kinda makes me wonder why we're pushing for AI when we're having enough trouble finding NI. Just a thought...
can't sleep slashdot will eat me
"Also, it's complete crap that MS came out of this looking good. It was another high-publicity security hole for one of their systems."
You know that and I know that, but what Joe Newspapereader knows is that an "Internet virus" was stopped by "Microsoft security." Joe N. doesn't know that a relatively small portion of the Net is run by Microsoft servers, and that only those servers are affected, and that the total effect on the Net even if every M$ server in the world stopped working at once would be minimal. Joe N. knows "Virus bad, Microsoft good."
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
Along the lines of other comments, you have *no one* to blame but yourself for this one. If I installed RH6.2 and walk away from it should I expect it not to be hacked? No. What about Microsoft? No, again.
You chose to run Microsoft. No one forced you to. Choosing to run a server means that you take responsibility for it and the problems it creates. Crying because you made a shitty decision for what OS to run doesn't get you sympathy from the rest of the marginally qualified technical populace. Further, there was a patch released for this exploit two months ago. Again, you should have taken your responsibility seriously and patched your servers.
I'll assume for shits and grins that a person at your company is worth $100 per billable hour and that at least 80% of those 100 man hours could have been converted to billable hours. At that rate your company lost $8,000 because someone chose to run Microsoft, but more imporantly and the real cause, failed to patch their servers when Microsoft released patches.
(Please note that I use 'you' and 'yourself' in this comment in relation to the original poster's company, not him personally.)
Finally, someone gets it right. I sincearly hope Time takes the author of that article and makes him Senior Internet Consultant or the like. There's not enough intelligent technology reporting in the news these days.
I've seen 57 hits on my cable modem in the past week. That's about double what I saw from the last iteration. The number of sites that have been infected (according to incidents.org) has already passed the last iteration as well.
It would be nice if the press could get some real experts in security and the Internet to talk about this thing, not press-seeking wannabes.
check out: How Code Red Works
Of course, with our luck, they'd hire some photogenic smooth-talker to spin the corporate line - "Open source is communism! Napster is theft! Buy Microsoft or you're going to go to hell when you die!" etc.
*****
There are many people in this country who, through no fault of their own, are sane.
I mentioned the Index Server patch to a sysadmin at an unnamed ISP about 6 weeks ago and actually talked about the implications of it if it was ever exploited. He evidently didn't act on it as yesterday, I saw this huge press release shouting: "ISP saves it's customers AFTER they were attacked by Code Red Worm"
!? Now if that isn't turning lead into gold, I don't know what is...
If the media knew what they were actually reporting about, they would've cottoned on to the fact that this should've never happened and the ISP was at fault. Furthermore, it shows that nothing is as big a security hole as a rubbish sysadmin.
I have to agree, this is a very insightful article, but i'm not sure about the end;
(Quoting )
'Apart from that, the whole red-alert reaction only demonstrated that there's seemingly infinite space on the Feds' faces for more egg.'
Do they Feds have egg on thier face?
I'm not so sure, real egg would be getting infected whilst giving the dire warnings of what would happen, but in this case I think they are only slightly blushing.
GCM d+ s+:+ a- c++ U? P! L E-- W++ NM+ V PS- PE+ Y+ PGP- t 5+ X?+ R+++$ tv+ b+ DI++++ D---- G e
There have already been worms/viruses/etc. like this, but just not on the net (that I know of...probably there have been though). Instead of "chromosomes" you'd have features (sleep for this long, deliver this type of payload, infect this type of system, etc.). When these things detect each other they'd take some random (or perhaps not random? maybe determined by some fitness test) features from each and create a new "child", and send it off in the world. These would be very polymorphic, and there would probably not be as much of a distinct signature to identify them by, slipping right by virus scanners. Viruses have also employed encryption and various other randomizations to become polymorphic and undetectable by virus scanners.
It's 10 PM. Do you know if you're un-American?
What you need to do is disable the W3SVC (World Wide Web Publishing Service) in Services, or disable the Default Web Site in ISM if you don't want that box serving up HTTP.
http://www.caida.org/dynamic/analysis/security/cod e-red/index.html
... this guy ruined the end of War of the Worlds for me! I was going to read that just as soon as I found out what happened at the end of Titanic!
What gives? How are they getting 150,000+?
What would be everyone's take on a strike back box? That is a machine which is set up for the sole purpose of detecting infected servers, and "inoculating" them against this virus? Of course, these computers are already known to be susceptible to the kind of attack Code Red uses. I know that this could get a person in some pretty deep trouble with the law, but what if these strike back machines were the only way to stop this virus? Not that I think that Code Red can't be stopped any other way, just what if the fact that it is being changed with a purpose means that we can't just take a passive "you should always patch your computer" stance? That is, it could use a completely different exploit next month.
. when in danger or in doubt, run in circles scream and shout --Robert Heinlein
So why not hire somebody that has alot of on-camera experience, all they're doing is reading..
Free Mac Mini
Chris Daylor in TIme, makes a few good points. IF you look at biological virology, and compare it to computer viruses, the similarities are striking.
.com, web pages for .net, etc...). Better viruses are on the horizon, and I'm amazed we havn't started to see them already.
Viruses can either stealthily infect every computer available to it then after a gestation period, attack and destroy the computer in some way (NetHazard level 1) or as soon as it infects a computer it can simply wipe the drive and be done with it (NetHazard level 5) but this doesn't give it any time to infect other systems. As such a NetHazard 5 virus would (in virology lingo) 'burn itself out' in a short period of time.
We've seen our first highly infectious virus recently, in Code Red, but we havn't seen one so highly infectious that also causes the patient to bleed out and die. In short, we ain't seen nothn' yet.
I'm waiting for a patient virus writer to perfect his software first, before releasing it, because so far, although Microsoft software is a favorite virus target, virus writer seem to employ the same software development model as Microsoft, in that they just let their code loose on the net without debugging or optimizing it. Imagine what email (read: Outlook) viruses could do if the writers stopped to use proper grammer in their messages, or taylored the attachment type to the domain from which the infected computer is sending the message (office docs for
--CTH
--Got Lists? | Top 95 Star Wars Line
It wasn't a "massive DDoS against the US Government". He/She could have done it (looking up IP-addresses via DNS isn't all that difficult, is it?), but he/she chose just to flood a specific address (-range?). It was too easy for the whitehouse.gov-staff to avoid the "attack"; it looks like Code Red was just a warning, an experiment, or the author just wanted to get some attention in the media.
I honestly can't believe it was meant as a "real attack".
In this analysis: "We've designated this the .ida "Code Red" worm, because part of the worm is
designed to deface web pages with the text "Hacked by Chinese" and also
because code red mountain dew was the only thing that kept us awake all last
night to be able to disassemble this exploit even further."
And of course there is This!
The ultimate network admin tool needs HELP!
The damage Code Red has done (apart from flooding the Net and seriously fsck'ing up some routers) or was intended to do is a DDoS against a fixed IP-address (of a not-really-important server). It was stopped by simply changing IPs and DNS-entries.
The damage Code Red could have done is much more:
Well, I could go on for a while, but I think you get the point: I just can't believe Code Red was designed to do real damage (or a real DDoS). Even a Script Kiddie could do much, much "better"...
Journalists, sometimes, ask experts whenever they don't know the subject that well. Unfortunately, the experts that advertise themselves as such have a great vested interest to not be biased. Check this article from The Register about the most wonderful quotes related to the Code Red costing billions in damage. You've gotta love those experts
IF you look at biological virology, and compare it to computer viruses, the similarities are striking.
I'm waiting for the first worm to appear that has a quasi-genetic structure.
Create a population of worms, and give each worm a few chromosomes, and some code that allows it to propagate using strategies determined by its genetic material. Give the worms an initial state that allow it to exploit some basic M$ vulnerabilities, and release a few hundred.
Every time a worm infects a new system, it looks for any other genetic-based worms. They've also been successful in infecting the system, so get the worms to mate and produce a new generation of a few tens of individuals from their genes (plus a few modifications).
Rinse and repeat.
A number of posts here say something along the lines of "Code Red is malicious, it tried to attack the Whitehouse!". Sorry, I don't buy it. This is the type of damage a truly malicious virus does:
The thing is so benign it should be called a worm, not a virus. Anybody who things otherwise obviously has not seen the effects of a real virus attack on an organisation, or tried to clean up the consequences.
But you must remember, in this business, there is no such thing as 'bad press'. Just having your name mentioned, means people hear about you. If they hear about you, and don't hear about anyone else, you become the 'only' choice available for a particulr service. I had this happen when I was just getting started in the ISP business, and didn't know jack about unix security. My CEO called in the media, cause we got broken into! I got to be on the 6 o'clock news, the other ISP in town (there were only a couple in my city then) laughed thier asses off at us, but then the phone started to ring. People wanted us to check thier systems for the same vulnerabilities that we had been victimized with! And, oh, by the way, how much would a T1 to the Internet be with you guys?
Are we getting the picture here?
It cost us a few days of overtime, and we 'lost face' with the 'true unix professionals' (we were a networking var, not a unix house, so our network kicked butt, but our servers were not ver well setup), but the NET result was, we gained a LOT of business from that 'negative' press...
The prospect of (currently) 290,000+ hosts flooding an IP address that's blackholed on one end doesn't mean that the guy who was supposed to be on the receiving end of all that is going to feel a thing, but if the upstream providers haven't blackholed everything as well, there's a few trunks that could be saturated by, you know. 290,000 hosts packetflooding. And if some hacker with a brain releases a smarter new virus in the next two weeks to piggyback off of/replace Code Red, what then?
I'll agree that we haven't and probably won't hit THE MELTDOWN OF THE INTERNET AS WE KNOW IT, but then again... we're more than two weeks away from this going into hibernation.
I've done my part by inadvertently corrupting my IIS metabase, so I'm protected from these nasty worms.
Easy does it!
This comment has been submitted already, 276865 hours , 59 minutes ago. No need to try again.
My logs show 46 attacks from 44 IP addresses, starting Aug 1. My site is not well known, so this is random scanning. If a machine is vulnerable and on the net, it's going to get this. That said, the cries of "the internet is going to meltdown" now sound like the dire Y2k predictions. (Or Bob Metcalfe's bleating about internet 'gigalapse'.)
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
The fact that the attack was easily foiled does not in any way diminish its scale, or the potential seriousness of the problem.
Yes, it tends to show that the author was just a script kiddie, but authors of worms and virii still do lots of damage.
The real scary part of the story, which no news media have touched upon, is the swiss-cheese nature of M$ security that makes these problems a part of our daily lives.
Jon Acheson
All opinions expressed herein are my own, and not those of my employers, who are appalled.
Are we really surprised? The media loves to play to the man in the street's fear that the net can easily be taken down. No one ever brings up that the core protocols of the net are built to route around problems. From the Michaelangelo virus to Y2K, they glom on to every story and predict the imminent death of the web. We of the techies know better. We know that it would take nothing short of a massive world-wide failure of the power grid and oil delivery infrastructure to truly take the net offline.
The truth about Scientology, Xenu, and you: Operation Clambake
I wrote a perl script that automatically generates a page that lists all attacks on my server.
http://www.kryptolus.com/red.html
You can see the IP and time.
On another note, a part of my employer's network got hit by about 20,000 attacks within 2 days.
--
Violators will be prosecuted and prosecutors will be violated.
I liked his observation that this has been turned into good PR by MS. "Code Red is awful, but don't worry, we'll save you! The FBI ae behind us on this, so don't worry"
~~~~~ BigLig2? You mean there's another one of me?
I didn't say I didn't agree with his points. I actually think Microsoft deserves every last bit of it. There's a difference AFAIK between pointless bashing and bashing.
Bah, all this was just a poor attempt to be humourous(sp?).
One shall speak only if what one has to say is more beautiful than silence
I guess a better question is -> How are they tracking the number of infected hosts?
Great Article, too bad that pop-up window when I backed out just put time magazine on my list of "sites i won't visit without a /. article link"
Too bad it came out after the fact. I think it's easier for the media to say "The end of the world is coming!" because people tend not to give backlash if bad things don't end up happening. If this guy wrote the article beforehand and the internet did die, he would have taken a lot of heat about being wrong. It was easy for him write this article after the fact. Then again, the point of his article wasn't to inform us that nothing happened, it was to say why these things aren't really bad to begin with.
So, exactly which of these comments was undeserved Microsoft bashing?
Those all seem to be right on target to me. Or was it the comparison to Stalin? Give the guy room for a little journalistic allusion :)
Your right to not believe: Americans United for Separation of Church and
...which is probably most Americans...
Stolen from the article:
"For Microsoft, this was the kind of publicity you just can't buy. Not only did Redmond get to share a dais with the Justice Department --which is rather like Stalin vowing eternal friendship with Roosevelt to counter the Nazi menace -- but they also had their name inextricably linked with the well-being of the Internet itself."
Which is *exactly* what it is, except that in this case there isn't any Nazi menace to stand up to. My bet is that this will be seen as a way to soften the DOJ/Microsoft schism in the public's eye and make all those pesky state lawsuits go away that much quicker.
History is *filled* with bait-n-switches like this, which most people pick up on about as frequently as they do retail prices going up two weeks before a big sale. Study the past. Without it, you'll never see the future.
46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
The author must be a slashdot reader for sure. :).
You can flawlessly see that because of the pure MS-bashing style at work in his prose
Other than that, I liked the article more because of the style than because of the content, but well, that's just me.
One shall speak only if what one has to say is more beautiful than silence
It could replicate itself across thousands of servers ? usually because the owners were never aware that Microsoft software had turned their computer into a server in the first place.
We set up a simple win2k file server and specifically did not want IIS installed. There are a LOT of things on 2000 server that depends on it and if you check them on during the install, it will silently recheck IIS again. Want to just run an ftp server? It installs IIS.
We had to go back and uncheck IIS three separate times during the install. Another server done by another tech had IIS after I specifically put in a work order NOT to install it. He swears he didn't. I believe him.
It's as bad as the original various linux distro installs enabling every damn service under the sun (no pun intended) during an install.
Don't believe me? Just watch your code red hits on your web server and go to the sites that nail you. Most of them have either the default page or "directory listing denied" message. They are not big corporate servers for the most part that I've seen... That leads me to believe that a lot of these people don't even know IIS is running on their server...
How can we expect good tech reporting when the whole of the news business is going down the pooper? Look at what CNN is about to do to Headline News. They have hired an actor to anchor the news. Now some news organizations would have played it safe by hiring someone with more than two years of reporting unde their belt. But CNN knows that outdated concepts like "experience," "journalistic integrity," and "fact checking" no longer apply in the 21st century's news entertainment business.
And people will watch, no doubt. And these people will get the kind of crappy, poorly-researched, panick-stricken news that they deserve.
I work a few blocks away from where the train accident was. Yes, a freight train carrying HCl derailed on the 18th and caught fire (and burned for many days) in a tunnel under downtown Baltimore. A major water main break also resulted. A bunch of buildings were flooded, and it knocked out a few of WorldCom's fiber links. Here's the brief ZDNet story, if you're curious.
However, I must say we didn't see much internet slowness as a result of either.
From the article:
There was no malicious intent.
Except to trash whitehouse.gov, using servers and networks all over the world to do so.
In the vast world of potential Internet viruses and worms, Code Red is a grade Z microbe.
If people hadn't woken up and smelled the patch, it would have been a grade B (if not A) pain in the butt. Like Y2K, there was too much hype, but the hype helped; a self-defeating prophecy.
It would have to go through a significant amount of mutation before it became any sort of serious threat to the Internet's health.
Significant, but not huge. There's been lots of discussion about how bad the next generation may be.
At its broadest definition, all hacking is white-hat hacking.
This statement is nonsense. There is certainly such a thing as white-hat hacking, and certainly too much hacking is portrayed as far darker than it really is, but there's a huge difference between the white hats and the jerks behind Code Red.
At most, Code Red proved you should always be wary about what Microsoft software does to your machine, like turning it into a server without your implicit knowledge.
Um, these machines were supposed to be servers.-)
We should be wary about what any software does to our machines. Point well taken, though.
Stupid job ads, weird spam, occasional insight at
Forgive me for being 'uncool' by disagreeing, but this article is horrible. No malicious content to the virus!? It's initial intent was a DOS attack on whitehouse.gov. It was rather lame in it's attack, but that was still malicious. Also, it's complete crap that MS came out of this looking good. It was another high-publicity security hole for one of their systems. No matter how it was handled this still made them look bad to the general public. Also, there was a considerable slow down on some Internet backbones due to the whitehouse.gov attack; and some slowdown on a few backbones Wednesday afternoon due to attacks by a variant of this worm attacking other gov't sites. I don't mean this as an attack on anyone, but just remember that no matter how you feel about a certain topic, don't let you feelings and opinions cloud the facts.
"Don't hate me because I'm right...Hate me because I'm an MCSE."
The BBC is running a story about how the bandwidth loss during the first Code Red attack was actually due to a train crash.
I haven't seen this anywhere else, can anyone corroborate?
I have to agree with the questioning of "good reporting"; yes, it was nice to see that someone realizes that Microsoft was running to the rescue of a problem they created, but the worm did cause some very real problems that Taylor glossed over.
At my company, we had to take our webservers down twice as we knew that something was happening, but couldn't figure out what. By the time we realized what the problem was, about 100 man hours were diverted from usefull projects to scouring our machines trying to figure out the nature of the compromise and how to proceed (I'm a programmer, dammit, not a sysadmin). Projects were delayed, an ignorant management got pissed off, and I got stuck doing a thankless job.
Oooh praise time. Yeah, the Code Red virus event. I got extremely irritated by the news media on this one. Promising the 'downfall of the internet' etc etc. Fact is, the majority of the internet runs on UNIX, which has evolved from a network environment to an internet environment steadily and sensibly over 25 years. MicroSoft windows NT has not done this, it's 'evolved' in the space of a couple of years, and is affected by every virus under the sun because it uses the Win32/DOS MZ executable format that everyone is so fond of coding virii for. Hopefully this will convince people to stop paying extortionate amounts for crappy MicroSoft webservers and get a sensible OpenBSD server with FP2000 extensions (if you must have them) instead. Keep the GUI on the desktop, servers do not need a rediculous GUI stopping you from properly managing processes etc.
:P...).
Well thats what I think. Bubbye.
Weevil
Anyway. The weird thing about the Media is that it has concentrated on the malicious people who created the virus. I have not seen anyone comment on why it is always Microsoft servers that seem to appear in the news; only a few months ago there was the great MS Administrator Password fiasco. Then there was I Love You and so on.
It'd be nice if someone created some software to check for dDoS worms on servers. All you need is a packet sniffer to track incoming and outgoing packets and hunt for millions of outgoing packets that werent originally to an IP that hasn't requested anything.
The idea of an 'immune system' mentioned at the start of that article intrigued me. It would be very nice if someone like McAfee created a system that automatically pushes upgrades to registered antivirus software running on servers as soon as an outbreak is detected, so that the software could instantly do a quick search for that one virus and deal with the problem each hour for several days or something (although several days is a bit of a wishfull uptime for microsoft servers, Ho Ho Ho Ho etc
ghaa.
I don't know if anyone else has mentioned this (/. loading reeeeeeeeallllly slowly at the moment; some pages are /.ed for me at the moment), so, just in case...from the article:
If you could create something that attacked Cisco router software, for example, you really would cause a global Internet meltdown.
Now, I realise fully that that isn't what happened, but wasn't one of the unexpected side-effects of Code Red that it caused a spot of bother for some particular Cisco models?
http://www.economist.com/agenda/displayStory.cf
The technology articles at the economist are without peer in the mainstream media. Their article on Code Red provides a higher level overview and makes some good observations.
I'm surprised no one made mention of the free advertising for Mountain Dew.
Just think, if we didn't have all these viruses running around making sure we secure our systems then someday when we invade another planet of inferior beings, one of their cable system operators could write a computer virus that would infect our systems and shut down our shields and then where would we be?? Therefore, we need a lot of these viruses so that when we do go attack other planets we won't be defeated. It's pretty simple I think.
"All I ask is for a chance to prove that money can't make me happy."
One sentence explanation for ignorant management: "We shouldn't have used IIS on Windows".
Your right to not believe: Americans United for Separation of Church and
With all the talk of doom and gloom leading up to 12:00 UTC 8/1/01 and the lack of internet meltdown, I think the media is disappointed. They didn't get to say "I told you so" so now they are downplaying the whole thing. This second wave of Code Red activity is indeed worse than the first wave. I've been getting hit by 4-5 unique hosts _per_hour_ with Code Red scans. This is way more than the first wave, just like the objective (i.e. facts and figures) reports are saying. All these probes are not squelching my bandwidth or otherwise affecting me, but it goes to show how ubiquitous these things can get. Just imagine if each of the machine that has probed me was instead set to ping flood my box. Not a pretty thought.
-- Never hit a man with glasses. Hit him with a baseball bat.
I just read this one here:
I copied my favicon.ico (a penguin icon for MS IE and Konqueror to save along with a bookmark) as default.ida. Now, whenever I get probed, I send out a little portrait of Tux. ;)
Ok, I know that doesn't accomplish anything useful, but it does cut down on the 404's in the logfile at Librenix!
Geeky modern art T-shirts
If they had chosen to run RedHat 6.2 instead, about the same number of billable hours would be needed to maintain security.
What was your point?
You don't need a genetic structure, what you describe could be obtained by modifying the existing Code Red worm to make a random change to the GET request it uses to spread itself. Say, once every 100 attempts to spread, it makes some random change to one character of its 'child'. As in real life, the vast majority of such changes would be either deadly or would end up in the long string of NNNNNNNs and have no effect. Once in a great while, a variant would turn out 'fitter' than its parent, for example by disabling the limitations that keep the parent in check or becoming somehow less visible to human observation.
Give it a year to run, and who knows what could happen?
--
My other computer is your IIS server.
Then, having the web site unreachable could have been a very serious problem.
Look, everybody! It's Captain Obvious! We're saved!
Not to say that I think this article was mere FUD. I think the guy is right. Good thing for him he doesn't work at MSNBC.
As a tech-savvy guy, I often get asked, "Why do people do this?"
I realise that this is not the motivation for every virus or worm, but generally, each one raises some awareness in the consumer. The popular viruses get around and a lot of people see it. Every time, they "update" their virus scanner and feel safe until the next one. What I tell people is that it shows the inherent security problems in Windows. I chase that with, "What if a your company's competitor writes a virus targetted at your's and nobody else's? They have the power to grab all of your intellectual property and no virus scanner out there will save you because they only deal with 'popular' viruses. Once the damage is done, it's done. Virus scanners only superficially 'fix' the problem. The *real* threat is the inherent insecurity in Windows/Outlook that Microsoft seems unwilling to fix. These viruses you see are warnings and nobody is realising that. Few people are aware of the real problem."
This usually enlightens them. The big problem, as I see it, is that the popular media isn't saying it. As long as they aren't, the problem will continue to exist... *sigh*
Then again, I *am* known as the second most paranoid person at my place of work (the biggest paranoiac doesn't trust the use of kernel modules, and that is probably the only difference). I may be totally off base, but if you think I'm not, then, by all means, answer the inevitable question appropriately.
** I apologise for any incoherence in this post. I drank more than usual today as we were let out early to "enjoy" the day
When I read the first report about CodeRed (right here on /.) I laughed aloud -- not just because Microsoft got a pie in the face again, but because I knew that people would be calling their ISP (I work in dialup tech support) freaking out, when it was evident that this exploit would never see their non-NT machines. What really cracked me up was when I took a call from a customer who said the previous tech she'd talked to attributed the slowness of her computer to CodeRed instead of, say, that BonziBuddy she had running. Previous people have correctly stated that CodeRed (named after a soft drink) has garnered more headlines than Sircam, and I don't recall the media messing their pants when Magistr was rampant mere days earlier... and I've taken a hell of a lot more calls from people with Magistr in their mail than Sircam, regardless of statistics.
Another media mistake (beside the fin du temps talk about the power of CodeRed) is telling how smart this virus is. This was a benign test; had it been aimed at a canonical name instead of an IP, this could have been baaad. Smart is the Sircam virus, which mocks life more than most computer virii -- examples, it provides its own SMTP server so isn't reliant per se on one email program ['per se' because it still has to reference the address book created by M$ mail products, meaning if you never use Outlook/OE you don't have an address list it knows how to steal] and has the lifelife qualities of infant mortality [1 in 100 cases wipe the hard drive, thus can't spread] and survival of the fittest [in some cases, creating a second instance under a different name in a different location to bolster its continued existance] plus that cockroach-like quality of being run from the Recycle Bin. And it does evolve/mutate due to environment [mostly due to teaming up with other virii and virus checkers in attacking the virus make it unrecogniseable to the checker itself -- see this article].
And the irony stated by the author, about Microsoft riding to the rescue when it was their swiss-cheese product that caused the problem in the first place, made me smile. Where else can you buy a poison and its antidote in the same place? I wouldn't blame Microsoft for trying to put a positive spin on the solution rather than the cause -- they have other battles to fight [cough*XP*cough] which will take more than mere spin control.
Laughter is the Spackle of the Soul.
My logs indicate that I've received over 200 req.'s today for /defult.ida - to one machine.
If the IP's are 'randomly' generated this number seems pretty high. Atleast for me it's becoming annoying.
Now, as I understand it from my logs (and I may be wrong) code red scans for MS IIS administrative scripts (specifically /default.ida) using an HTTP 'get' request.
If we all create a file /default.ida with a large size will we not be able to launch a DOS attack on the offending IIS servers?
Pls feel free to correct me.