Slashdot Mirror


Code Red Reporting That Doesn't Suck

marvin tph writes "The results are in: Time.com is the first mainstream news source to write an intelligent article on the Code Red story. With all the big guys telling people that we've only seen the eye of the storm, it's nice to see someone get it right."

20 of 191 comments

  1. Re:Not by a worm, maybe... by delcielo · · Score: 2, Interesting

    If you had a worm that propagated through the DNS servers on the net, then at some point activated to disrupt the DNS services, that would come about as close to bringing the net down as you could get, for practical purposes. Between Bind and Windows DNS, you could do some real damage. So while I agree that the media coverage of Code Red was pretty sensationalized, I don't think that the net at large is all that invulnerable.

    --
    Hot Damn! It's the Soggy Bottom Boys!
  2. We need to properly inform the tabloid media by Dr_Cheeks · · Score: 5, Interesting
    How do the majority tabloid media find out about stuff like this? Well, either they hear about it from someone else (and thus Chinese Whispers ensues), or they go looking for info and run into technical stuff that's over their heads.

    What they need is a source that dumbs things down enough to be broadcast on your local Fox affiliate while still keeping it accurate. Soundbite-friendly, not very technical, clear about the details. Most people don't know what you're talking about if you say "IIS vulnerability", but if you say "The Code Red Virus will hack the internet" then most people can get a handle on that.

    It's not just about hype - it's lack of understanding. Anchors aren't good at telling people something when they don't understand it themselves, so it needs to be explained to them.

    I, unfortunately, already have hardly any free time to start up a site providing a service like this, but I'd be willing to contribute to someone else's - anyone up for it?

  3. red rum red rum by dermotfitz · · Score: 2, Interesting

    Anyone know of a site that gives a good technical explanation of the worm? I'd like to know if it shows up as a process of its own or if it is part of the IIS process. Also, can it be killed without a reboot. What about if you received two separate probes (potential infections)? Would you have two processes trying to spread the worm?

    --

    How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
  4. Re:An observation... by moatz · · Score: 2, Interesting

    I have a DSL line and Windows 98 which is protected by ZoneAlarm.

    Over the last 2 days 90% of the attempted accesses to my machine are to the HTTP port, whereas a month ago I can't remember seeing these types of alerts.

    Something surely is brewing

  5. The excuse for government regulation by sdo1 · · Score: 5, Interesting

    Code Red is providing a convenient excuse to the feds to call for further regulation of the internet.

    "Our economy DEPENDS on the internet!" they'll cry. "We can't let our country be reduced to rubble by some malicious hacker!"

    And of course the press buys right into it. The DMCA, bills to punish users of school networks and computers, laws with stricter penalties for hackers than murderers... expect it to accelerate. Worms like Code Red just give the feds the ammunition they need in the court of public opinion.

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
    1. Re:The excuse for government regulation by RedX · · Score: 3, Interesting

      While we're talking conspiracy theories, take a look at Cringely's latest column, where he believes that MS will be leveraging these types of holes to create their own proprietary TCP/IP-like protocol that will be forced down our throats and will receive backing from the government. Sounds a bit far-fetched, but I wouldn't put anything past MS when it comes to them controlling markets that they have their fingers in.

  6. Hysteria is the Amphetamine of Ignorance by Root+Down · · Score: 1, Interesting

    Plain and simple, the reason that these worms/viruses/etc get so much media attention is that the general public is, more or less, ignorant about what goes on underneath that box that gives them their email. Hence, they hear something that makes the investment they have made into this email fetching device seem not so secure, and panic. The media lives and dies on this sort of story. Y2K anyone? It's a pure and simple ratings bid, and actual substance is immaterial in technological issues, since little of their audience would understand it in the first place. Furthermore, a catchy name like Code Red is ripe for a media blitz!

    Root DOWN
    grep what -i sed?

  7. its expected... by Extimes · · Score: 2, Interesting

    nobody (statistically) really cares - for that matter, 99% of the population has no reason to care about code red anyway. SirCam should be getting the attention, but "Code Red" has a much more sensational name. Hence, the media blows it out of proportion

    --
    I want transparency effects. I want so much transparency, I can see the back of my monitor! http://www.andrew.cmu.edu/
  8. An observation... by jeffy124 · · Score: 5, Interesting
    For whatever reason, I can't connect to Time.com to get the article, so I'll ramble about an observation I've made:

    A machine at a research lab at school runs apache. In the access_log, from July 18-20, it had 18 attempts from a Code Red infected machine to spread the worm. (Naturally the attempt fails, cuz it's apache) But from August 1st through 'til about 9pm (EDT) last night (Aug 2), 36 attempts. So the question is - If the worm is spreading slower, why is it this one system has had more attempts of spreading this time around than the first?

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
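Added example (not part of the comment above or of the original page): a per-day tally of Code Red probes in an Apache access_log, counting distinct source hosts as well as hits, which is what separates "more infected hosts" from "the same hosts retrying". It assumes Common Log Format and the worm's widely documented `GET /default.ida?` request padded with a long run of `N` (or `X` in the later variant, which goes beyond what the thread mentions); the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+'
)
# Code Red probe: GET /default.ida? followed by a long filler run.
# The 20-character minimum is an assumption, chosen so that an ordinary
# query such as /default.ida?id=5 is not counted.
PROBE = re.compile(r'^GET /default\.ida\?(?:N{20,}|X{20,})')

def tally_probes(lines):
    """Return {day: (hits, distinct_source_hosts)} for probe requests."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m or not PROBE.match(m["req"]):
            continue  # malformed line or unrelated request
        day = m["ts"].split(":", 1)[0]  # "19/Jul/2001" from the CLF timestamp
        hits[day] += 1
        sources[day].add(m["host"])
    return {day: (hits[day], len(sources[day])) for day in hits}

def _line(host, ts, request):
    # Helper for building constructed sample entries.
    return f'{host} - - [{ts} -0400] "{request} HTTP/1.0" 404 276'

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE = [
    _line("192.0.2.10", "19/Jul/2001:14:02:11", "GET /default.ida?" + "N" * 224),
    _line("192.0.2.10", "19/Jul/2001:14:09:40", "GET /default.ida?" + "N" * 224),
    _line("198.51.100.7", "19/Jul/2001:16:30:02", "GET /default.ida?" + "N" * 224),
    _line("203.0.113.5", "19/Jul/2001:17:00:00", "GET /index.html"),
    _line("203.0.113.5", "01/Aug/2001:09:00:00", "GET /default.ida?id=5"),
    _line("198.51.100.7", "01/Aug/2001:10:15:30", "GET /default.ida?" + "N" * 224),
    _line("203.0.113.99", "01/Aug/2001:20:45:12", "GET /default.ida?" + "X" * 224),
    "truncated or garbage line",
]

if __name__ == "__main__":
    for day, (count, hosts) in tally_probes(SAMPLE).items():
        print(f"{day}: {count} probes from {hosts} distinct hosts")
```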
  9. Interesting Point: by Lizard_King · · Score: 3, Interesting

    "For Microsoft, this was the kind of publicity you just can't buy. ... they also had their name inextricably linked with the well-being of the Internet itself"

    This is quite an interesting point that Taylor makes. The FUD-monster in the back of my mind is thinking up future scenarios where Microsoft could privately release worms/virii to rally support from the public.

    I'm just waiting for the next major worm to have pop-up ads.

    --
    "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
  10. I don't see the big deal... by powerlinekid · · Score: 2, Interesting

    Why the media picked Code Red (maybe it was the name... Mountain Dew has been getting a lot of pr... hmm... conspiracy??? ;-)), over sircam is beyond me. Let's see...
    Code Red only affects windows 2k... and only windows 2k that's running IIS. That's not a very sizable market.
    Sircam affects anyone too stupid to be careful (which is pretty sizable... just think about how dumb the average person is and remember that 50% of the population is stupider than that).
    Ironically has anyone noticed that it's the viruses, worms, etc. that are aimed at people that cause more damage than those aimed at the technology (if you call windows that). Kinda makes me wonder why we're pushing for AI when we're having enough trouble finding NI. Just a thought...

    --

    can't sleep slashdot will eat me
  11. Concur by Runt-Abu · · Score: 2, Interesting

    I have to agree, this is a very insightful article, but I'm not sure about the end;
    (Quoting )
    'Apart from that, the whole red-alert reaction only demonstrated that there's seemingly infinite space on the Feds' faces for more egg.'

    Do the Feds have egg on their face?

    I'm not so sure, real egg would be getting infected whilst giving the dire warnings of what would happen, but in this case I think they are only slightly blushing.

    --

    GCM d+ s+:+ a- c++ U? P! L E-- W++ NM+ V PS- PE+ Y+ PGP- t 5+ X?+ R+++$ tv+ b+ DI++++ D---- G e
  12. Re:The Silly Season by Runt-Abu · · Score: 1, Interesting

    Including THE SICKEST SHOW ON TELEVISION Brass Eye

    Beware the Ides of August, apparently.

    --

    GCM d+ s+:+ a- c++ U? P! L E-- W++ NM+ V PS- PE+ Y+ PGP- t 5+ X?+ R+++$ tv+ b+ DI++++ D---- G e
  13. Quasi-biological viruses by Pentagram · · Score: 2, Interesting

    If you look at biological virology, and compare it to computer viruses, the similarities are striking.

    I'm waiting for the first worm to appear that has a quasi-genetic structure.

    Create a population of worms, and give each worm a few chromosomes, and some code that allows it to propagate using strategies determined by its genetic material. Give the worms an initial state that allows it to exploit some basic M$ vulnerabilities, and release a few hundred.

    Every time a worm infects a new system, it looks for any other genetic-based worms. They've also been successful in infecting the system, so get the worms to mate and produce a new generation of a few tens of individuals from their genes (plus a few modifications).

    Rinse and repeat.

  14. Re:Voice of Reason by Anonymous Coward · · Score: 1, Interesting

    But you must remember, in this business, there is no such thing as 'bad press'. Just having your name mentioned, means people hear about you. If they hear about you, and don't hear about anyone else, you become the 'only' choice available for a particular service. I had this happen when I was just getting started in the ISP business, and didn't know jack about unix security. My CEO called in the media, cause we got broken into! I got to be on the 6 o'clock news, the other ISP in town (there were only a couple in my city then) laughed their asses off at us, but then the phone started to ring. People wanted us to check their systems for the same vulnerabilities that we had been victimized with! And, oh, by the way, how much would a T1 to the Internet be with you guys?
    Are we getting the picture here?

    It cost us a few days of overtime, and we 'lost face' with the 'true unix professionals' (we were a networking VAR, not a unix house, so our network kicked butt, but our servers were not very well set up), but the NET result was, we gained a LOT of business from that 'negative' press...

  15. Who says this is harmless? by dave-fu · · Score: 1, Interesting

    The prospect of (currently) 290,000+ hosts flooding an IP address that's blackholed on one end doesn't mean that the guy who was supposed to be on the receiving end of all that is going to feel a thing, but if the upstream providers haven't blackholed everything as well, there's a few trunks that could be saturated by, you know. 290,000 hosts packetflooding. And if some hacker with a brain releases a smarter new virus in the next two weeks to piggyback off of/replace Code Red, what then?
    I'll agree that we haven't and probably won't hit THE MELTDOWN OF THE INTERNET AS WE KNOW IT, but then again... we're more than two weeks away from this going into hibernation.
    I've done my part by inadvertently corrupting my IIS metabase, so I'm protected from these nasty worms.

    --
    Easy does it!
  16. Re:Has anybody thought about this? by friscolr · · Score: 5, Interesting
    Code Red first started wreaking havoc a couple days after the bugtraq post about the telnetd vulnerability - about July 19th, after the mutation which allowed it to truly randomly spread.

    There were no more posts about the telnetd vulnerability for a few days as the bugtraq list was saturated with Code Red information. I'm paranoid as fuck and assumed that Code Red was a cover up for the telnetd exploit which we'd later find out affected every single version of telnetd out there (including on routers and the like).

    But it didn't happen that way.

    It is a lesson in distraction, though: when a true hacker wants to really take over the net, a Sircam virus or Code Red worm will make a great cover for the true exploit. I'm sure Sun Tzu wrote something witty about this, as it is the same technique used by countless military tacticians (at least the ones who "won") - c.f. the amphibious build-up prior to the land invasion during the Gulf War, or Patton's fake army prior to Normandy Invasion during WWII.

  17. Re:Has anybody thought about this? by EyesOfNostradamus · · Score: 4, Interesting
    There are still about 100.000 vulnerable (and by now... infected) machines out there. Many are home machines connected via cable or DSL, whose owners may not even know that they run a web server. Another big contingent are countries such as China, Korea, Taiwan, where traditionally they take a more relaxed view about security.

    Code Red could be a good launch platform for some other nastiness. Make it multiple phase. First propagate under cover of Code Red. Then, after a set time (say, 24 hours) change phase, and use a different propagation medium (email, another exploit, whatever) and toss away Phase I code. The benefit: a much larger launching platform for the actual virus! And if Phase I code is cleaned away well enough, nobody will be able to understand where the virus suddenly came from, out of nowhere.

  18. At last!! by The_Weevil · · Score: 2, Interesting

    Oooh praise time. Yeah, the Code Red virus event. I got extremely irritated by the news media on this one. Promising the 'downfall of the internet' etc etc. Fact is, the majority of the internet runs on UNIX, which has evolved from a network environment to an internet environment steadily and sensibly over 25 years. MicroSoft windows NT has not done this, it's 'evolved' in the space of a couple of years, and is affected by every virus under the sun because it uses the Win32/DOS MZ executable format that everyone is so fond of coding virii for. Hopefully this will convince people to stop paying extortionate amounts for crappy MicroSoft webservers and get a sensible OpenBSD server with FP2000 extensions (if you must have them) instead. Keep the GUI on the desktop, servers do not need a ridiculous GUI stopping you from properly managing processes etc.

    Anyway. The weird thing about the Media is that it has concentrated on the malicious people who created the virus. I have not seen anyone comment on why it is always Microsoft servers that seem to appear in the news; only a few months ago there was the great MS Administrator Password fiasco. Then there was I Love You and so on.

    It'd be nice if someone created some software to check for dDoS worms on servers. All you need is a packet sniffer to track incoming and outgoing packets and hunt for millions of outgoing packets that weren't originally to an IP that hasn't requested anything.

    The idea of an 'immune system' mentioned at the start of that article intrigued me. It would be very nice if someone like McAfee created a system that automatically pushes upgrades to registered antivirus software running on servers as soon as an outbreak is detected, so that the software could instantly do a quick search for that one virus and deal with the problem each hour for several days or something (although several days is a bit of a wishful uptime for microsoft servers, Ho Ho Ho Ho etc :P...). Well that's what I think. Bubbye. Weevil

    --
    ghaa.
  19. No gene needed, the worm is its own DNA by ctucker · · Score: 2, Interesting

    You don't need a genetic structure, what you describe could be obtained by modifying the existing Code Red worm to make a random change to the GET request it uses to spread itself. Say, once every 100 attempts to spread, it makes some random change to one character of its 'child'. As in real life, the vast majority of such changes would be either deadly or would end up in the long string of NNNNNNNs and have no effect. Once in a great while, a variant would turn out 'fitter' than its parent, for example by disabling the limitations that keep the parent in check or becoming somehow less visible to human observation.

    Give it a year to run, and who knows what could happen?

    --
    My other computer is your IIS server.