Code Red Reporting That Doesn't Suck
marvin tph writes "The results are in: Time.com is the first mainstream news source to write an intelligent article on the Code Red story. With all the big guys telling people that we've only seen the eye of the storm, it's nice to see someone get it right."
"sadly untypical security flaw".
Yeah, that still has me scratching my head.
I liked the story I saw yesterday on the BBC Sci-Tech web site (which I can't find today) which said that because Code Red goes away if you reboot, and because IIS is so much more unstable than other web servers, the spread has been slowed because of how often people have to reboot their servers anyway.
The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
This is the nature of worms: they advertise exactly what is vulnerable, and advertise exactly how they're vulnerable.
I don't have time to patch my servers against code red!
I'm too damned busy replying to all of my email. You'd never believe how many people have been sending me files asking for my advice!
Prevent Linux-based DDoSes!
http://linux.denialofservice.org/
In the UK, this time of year is sometimes referred to as "The Silly Season" in the media.
All the politicians are away on summer holidays.... most of the decent journalists take a break as well. This leaves the papers a little thin on decent news (er, like, there's nothing happening in the world at all. honest guv. No civil war in Sri Lanka. No erupting volcano on Sicily. No siree). Basically, it's the time of year when two-bit journalists regurgitate 2-week-old stories, and the papers are full of "and-finally" articles....
If you had a worm that propagated through the DNS servers on the net, then at some point activated to disrupt the DNS services, that would come about as close to bringing the net down as you could get, for practical purposes. Between BIND and Windows DNS, you could do some real damage. So while I agree that the media coverage of Code Red was pretty sensationalized, I don't think that the net at large is all that invulnerable.
Hot Damn! It's the Soggy Bottom Boys!
Gee, just a massive DDoS against the US Government. Yeah, not malicious at all. I mean, even if you think this is a worthy social goal, you'd have to honestly believe your audience is a bunch of morons (ok, we are talking about Time magazine here, but still) to say that with a straight face.
What they need is a source that dumbs things down enough to be broadcast on your local Fox affiliate while still keeping it accurate. Soundbite-friendly, not very technical, clear about the details. Most people don't know what you're talking about if you say "IIS vulnerability", but if you say "The Code Red Virus will hack the internet" then most people can get a handle on that.
It's not just about hype - it's lack of understanding. Anchors aren't good at telling people something when they don't understand it themselves, so it needs to be explained to them.
I, unfortunately, already have hardly any free time to start up a site providing a service like this, but I'd be willing to contribute to someone else's - anyone up for it?
Anyone know of a site that gives a good technical explanation of the worm? I'd like to know if it shows up as a process of its own or if it is part of the IIS process. Also, can it be killed without a reboot. What about if you received two separate probes (potential infections)? Would you have two processes trying to spread the worm?
How perfectly goddamn delightful it all is, to be sure. - Charles Crumb
I have a DSL line and windows 98 which is protected by ZoneAlarm.
Over the last 2 days 90% of the attempted accesses to my machine are to the HTTP port, whereas a month ago I can't remember seeing these types of alerts.
Something surely is brewing
You don't find it ironic to complain about this on *Slashdot*, do you?
b.
--
"Just believe everything I tell you, and it will all be very, very simple."
Was the story hyped by newsmakers and others who would benefit from such an event? Probably. Was anyone harmed by the hype? No (unless you count late-night patching). If anything, it got sysadmins everywhere into action to fix a hole that could have resulted in a real problem.
kill_9_1
Code Red is providing a convenient excuse to the feds to call for further regulation of the internet.
"Our economy DEPENDS on the internet!" they'll cry. "We can't let our country be reduced to rubble by some malicious hacker!"
And of course the press buys right into it. The DMCA, bills to punish users of school networks and computers, laws with stricter penalties for hackers than murderers... expect it to accelerate. Worms like Code Red just give the feds the ammunition they need in the court of public opinion.
-S
--- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
For my money (or lack thereof), and I hate to jump on the bandwagon and mention Linux in every /. story, the real living, breathing OS is not windoze...I'll go for an OS that is constantly improving itself.
Anyway, I don't really buy the point because it's like finding somebody with no white blood cells and sending them out to get a cold, and afterwards saying that it was a good thing for them to go to the hospital.
My two sense(s).
|---------------|
practically an AC
Consider the following scenario: a new worm, let's call it Code Blue, exploits the same security hole as Code Red. However, rather than randomly attacking any IP address, it would first just sit there and wait. As soon as it got a probe from the original Code Red (which statistically happens about 3 times per hour), it would "fight back" by infecting the attacking machine and replacing Red with Blue. The newly infected machine would behave similarly.
After about 11 hours of propagation, the new worm would have infected a significant percentage of the vulnerable machines, without revealing its presence in an obvious way. It would only attack machines which are known vulnerable (and hence probably badly maintained), and the probability of anybody noticing would be incredibly small. Then, after some twenty hours, it would start to do some fun stuff...
From the BBC's news page about Code Red:
"What might also hamper the ability of the virus to spread is the relative unreliability of Microsoft web servers.
The Code Red virus lurks in the memory of a web server and is cleared when the computer is rebooted.
As Microsoft servers crash more often than many of their counterparts, this might limit the spread of the malicious code."
yes, www.dotcomforwardslash.com is my real URL.
nobody (statistically) really cares - for that matter, 99% of the population has no reason to care about code red anyway. SirCam should be getting the attention, but "Code Red" has a much more sensational name. Hence, the media blows it out of proportion
I want transparency effects. I want so much transparency, I can see the back of my monitor! http://www.andrew.cmu.edu/
A machine at a research lab at school runs apache. In the access_log, from July 18-20, it had 18 attempts from a Code Red infected machine to spread the worm. (Naturally the attempt fails, cuz it's apache) But from August 1st through 'til about 9pm (EDT) last night (Aug 2), 36 attempts. So the question is - If the worm is spreading slower, why is it this one system has had more attempts of spreading this time around than the first?
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Smoke on the water.
Hacked by Metal Heads.
What is pirate software? Software for inventory of stolen treasure?
From everything I've read about such programs, you'd have to be careful that the dominant "species" didn't become the one that could pretend that it had infected a bunch of systems....
---- I made the Kessel Run in under 11 parsecs.
On Aug. 1, my cable modem-based site registered 7 hits from Code Red-infected machines.
On Aug. 2, there were 32 hits.
As of 8:37 AM EDT on Aug. 3, there have been 19 hits - more than half of yesterday's total in just over 1/3 of the time.
Average time between hits (eyeball guess) is 0.5 hours, and will probably decrease by the day.
I'm going away for the weekend. I wonder what those hit totals will look like come Monday night.
Code Red may not cause any trouble to the White House, but I don't think many people will be laughing in, say, 1.5 weeks if hit counts (and, by extension, infections) continue to increase at their current rate, or on the 21st when it tries launching another DDoS.
Someday, you're going to die. Get over it.
IIS stands for Internet Information Services - that includes FTP and HTTP. IIS is usually used as a webserver, but you can also use it as a FTP server and various other servers, all through the same "friendly" interface. You can install IIS without the webserver and with various other interfaces.
My install of Win2K (hey, I'm at work, writing ASPs - it's a paycheck, layoff) has the following IIS options:
IIS is just Microsoft's server platform, it isn't just a webserver - that's why you have to install it with an FTP server - it contains some core files along with pretty graphical management software. If it helps, think of it like inetd - it also does configuration and other management "stuff." (I'm not sure exactly what the "Common Files" are and what they do - I think they're mainly the configuration/management utilities though.)
You are in a maze of twisty little relative jumps, all alike.
Good ol' evolution. Once such Virii become frequent, the anti-virii people will need to code intelligent agents that can recognize a virus based upon its components. Instead of exact signatures we need intelligent pattern matching. For these kinds of virii, a signature might be
if it has 6 or more of the following components, then it might be a virus.
Also, frequency counts (and the like) on structures in the code might come in handy. Has anyone ever done frequency counts on code structures and come up with general templates for network apps vs word processors, spreadsheets vs video games, virii vs non-virii? I think I know what I'm going to do for the rest of the day instead of working...
-f
www.blackant.net
The author obviously wasn't a script kiddie. It takes a good amount of brains to code that little beast.
It was obviously a warning. It was not a perlscript that did some silly exploit, it was a hand crafted and well designed virus that did what it was supposed to do, scare the shit out of us.
--
"For Microsoft, this was the kind of publicity you just can't buy. ... they also had their name inextricably linked with the well-being of the Internet itself"
This is quite an interesting point that Taylor makes. The FUD-monster in the back of my mind is thinking up future scenarios where Microsoft could privately release worms/virii to rally support from the public.
I'm just waiting for the next major worm to have pop-up ads.
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
Why the media picked Code Red (maybe it was the name... Mountain Dew has been getting a lot of PR... hmm... conspiracy??? ;-)) over SirCam is beyond me. Let's see...
Code Red only affects Windows 2k... and only Windows 2k that's running IIS. That's not a very sizable market.
SirCam affects anyone too stupid to be careful (which is pretty sizable... just think about how dumb the average person is and remember that 50% of the population is stupider than that).
Ironically, has anyone noticed that it's the viruses, worms, etc. that are aimed at people that cause more damage than those aimed at the technology (if you call Windows that)? Kinda makes me wonder why we're pushing for AI when we're having enough trouble finding NI. Just a thought...
can't sleep slashdot will eat me
Finally, someone gets it right. I sincerely hope Time takes the author of that article and makes him Senior Internet Consultant or the like. There's not enough intelligent technology reporting in the news these days.
I've seen 57 hits on my cable modem in the past week. That's about double what I saw from the last iteration. The number of sites that have been infected (according to incidents.org) has already passed the last iteration as well.
It would be nice if the press could get some real experts in security and the Internet to talk about this thing, not press-seeking wannabes.
I have to agree, this is a very insightful article, but I'm not sure about the end:
(Quoting the article)
'Apart from that, the whole red-alert reaction only demonstrated that there's seemingly infinite space on the Feds' faces for more egg.'
Do the Feds have egg on their face?
I'm not so sure, real egg would be getting infected whilst giving the dire warnings of what would happen, but in this case I think they are only slightly blushing.
GCM d+ s+:+ a- c++ U? P! L E-- W++ NM+ V PS- PE+ Y+ PGP- t 5+ X?+ R+++$ tv+ b+ DI++++ D---- G e
There have already been worms/viruses/etc. like this, but just not on the net (that I know of...probably there have been though). Instead of "chromosomes" you'd have features (sleep for this long, deliver this type of payload, infect this type of system, etc.). When these things detect each other they'd take some random (or perhaps not random? maybe determined by some fitness test) features from each and create a new "child", and send it off in the world. These would be very polymorphic, and there would probably not be as much of a distinct signature to identify them by, slipping right by virus scanners. Viruses have also employed encryption and various other randomizations to become polymorphic and undetectable by virus scanners.
It's 10 PM. Do you know if you're un-American?
http://www.caida.org/dynamic/analysis/security/code-red/index.html
So why not hire somebody that has a lot of on-camera experience, all they're doing is reading..
Free Mac Mini
Chris Taylor in Time makes a few good points. If you look at biological virology, and compare it to computer viruses, the similarities are striking.
Viruses can either stealthily infect every computer available to it then after a gestation period, attack and destroy the computer in some way (NetHazard level 1) or as soon as it infects a computer it can simply wipe the drive and be done with it (NetHazard level 5) but this doesn't give it any time to infect other systems. As such a NetHazard 5 virus would (in virology lingo) 'burn itself out' in a short period of time.
We've seen our first highly infectious virus recently, in Code Red, but we haven't seen one so highly infectious that also causes the patient to bleed out and die. In short, we ain't seen nothin' yet.
I'm waiting for a patient virus writer to perfect his software first, before releasing it, because so far, although Microsoft software is a favorite virus target, virus writers seem to employ the same software development model as Microsoft, in that they just let their code loose on the net without debugging or optimizing it. Imagine what email (read: Outlook) viruses could do if the writers stopped to use proper grammar in their messages, or tailored the attachment type to the domain from which the infected computer is sending the message (office docs for .com, web pages for .net, etc...). Better viruses are on the horizon, and I'm amazed we haven't started to see them already.
--CTH
--Got Lists? | Top 95 Star Wars Line
IF you look at biological virology, and compare it to computer viruses, the similarities are striking.
I'm waiting for the first worm to appear that has a quasi-genetic structure.
Create a population of worms, and give each worm a few chromosomes, and some code that allows it to propagate using strategies determined by its genetic material. Give the worms an initial state that allow it to exploit some basic M$ vulnerabilities, and release a few hundred.
Every time a worm infects a new system, it looks for any other genetic-based worms. They've also been successful in infecting the system, so get the worms to mate and produce a new generation of a few tens of individuals from their genes (plus a few modifications).
Rinse and repeat.
All your CPUs are belong to Pepsi
CNN news August 1, 2003:
The information technology world is still recovering from PepsiCo's surprise takeover of the operating system market. In other news, PepsiCo is increasing the number of cans of soda bundled with each new PC. Consumers are expected to make up the difference in price. AOLTimeWarnerCoke is quoted as saying, "those bastards".
"Who knew something as harmless as willful ignorance could end up having real consequences?"
My logs show 46 attacks from 44 IP addresses, starting Aug 1. My site is not well known, so this is random scanning. If a machine is vulnerable and on the net, it's going to get this. That said, the cries of "the internet is going to meltdown" now sound like the dire Y2k predictions. (Or Bob Metcalfe's bleating about internet 'gigalapse'.)
"that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
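The Apache access_log counts a few posts up, the cable-modem hit tallies with their "average time between hits", and the "46 attacks from 44 IP addresses" above are all the same tally done by hand. Here it is done over an Apache log in Python, as an added example and not any poster's code. The log lines are constructed to look like what an Apache server saw in August 2001 (filler run shortened); the only thing assumed about the worm is its GET /default.ida?NNNN... request, with the Code Red II 'X' filler handled as well.

```python
"""Count Code Red probes in an Apache access log.

Added example, not code from any poster in the thread. The log lines are
constructed; the /default.ida? signature is the worm's real request shape.
"""
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log prefix: client IP, identity, user, [timestamp],
# "request", status. Bytes, referer and agent after that are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# The spreader requests /default.ida? followed by a long filler run ('N' in the
# July/August Code Red variants, 'X' in Code Red II) and then %u-encoded
# shellcode that overflows the .ida ISAPI filter. A bare GET /default.ida from
# a curious human is not a probe, so a filler run of 20+ is required.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?:N{20,}|X{20,})')

# Constructed sample log, not real traffic. The filler is cut to 40 bytes; the
# real worm sent roughly 224 before the %u sequence, which is also abbreviated.
_SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"

def _probe(ip, ts, filler):
    return f'{ip} - - [{ts} -0400] "GET /default.ida?{filler}{_SHELLCODE} HTTP/1.0" 404 276 "-" "-"'

SAMPLE_LOG = "\n".join([
    _probe("10.1.2.3", "01/Aug/2001:09:00:00", "N" * 40),
    '198.51.100.7 - - [01/Aug/2001:12:30:15 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"',
    _probe("10.1.2.3", "01/Aug/2001:21:00:00", "N" * 40),      # same source again
    _probe("10.4.5.6", "02/Aug/2001:03:00:00", "N" * 40),
    '198.51.100.8 - - [02/Aug/2001:08:15:42 -0400] "GET /default.ida HTTP/1.0" 404 210 "-" "-"',
    _probe("10.7.8.9", "02/Aug/2001:09:00:00", "N" * 40),
    _probe("10.10.11.12", "02/Aug/2001:15:00:00", "N" * 40),
    _probe("10.13.14.15", "03/Aug/2001:03:00:00", "X" * 40),   # Code Red II style filler
])

def parse_line(line):
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def is_code_red(entry):
    return entry["method"] == "GET" and bool(CODE_RED_RE.match(entry["path"]))

def summarize(log_text):
    """Hits per day, distinct infected sources, and mean hours between probes."""
    hits = [e for e in map(parse_line, log_text.splitlines()) if e and is_code_red(e)]
    hits.sort(key=lambda e: e["ts"])
    per_day = Counter(e["ts"].date().isoformat() for e in hits)
    sources = Counter(e["ip"] for e in hits)
    gaps = [(b["ts"] - a["ts"]).total_seconds() / 3600 for a, b in zip(hits, hits[1:])]
    return {
        "total": len(hits),
        "per_day": dict(per_day),
        "unique_sources": len(sources),
        "mean_gap_hours": sum(gaps) / len(gaps) if gaps else None,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real access_log by passing the file's contents to summarize(). The per-day and unique-source numbers are what the posts above compare between the July and August runs; note that one source reprobing you (10.1.2.3 here) inflates the hit count without meaning a new infection, which is why unique_sources is reported separately. Apache logs the request only after it has read the line, so a probe that is cut off mid-request by a timeout will not appear.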
The fact that the attack was easily foiled does not in any way diminish its scale, or the potential seriousness of the problem.
Yes, it tends to show that the author was just a script kiddie, but authors of worms and virii still do lots of damage.
The real scary part of the story, which no news media have touched upon, is the swiss-cheese nature of M$ security that makes these problems a part of our daily lives.
Jon Acheson
All opinions expressed herein are my own, and not those of my employers, who are appalled.
Are we really surprised? The media loves to play to the man in the street's fear that the net can easily be taken down. No one ever brings up that the core protocols of the net are built to route around problems. From the Michaelangelo virus to Y2K, they glom on to every story and predict the imminent death of the web. We of the techies know better. We know that it would take nothing short of a massive world-wide failure of the power grid and oil delivery infrastructure to truly take the net offline.
The truth about Scientology, Xenu, and you: Operation Clambake
...which is probably most Americans...
Stolen from the article:
"For Microsoft, this was the kind of publicity you just can't buy. Not only did Redmond get to share a dais with the Justice Department --which is rather like Stalin vowing eternal friendship with Roosevelt to counter the Nazi menace -- but they also had their name inextricably linked with the well-being of the Internet itself."
Which is *exactly* what it is, except that in this case there isn't any Nazi menace to stand up to. My bet is that this will be seen as a way to soften the DOJ/Microsoft schism in the public's eye and make all those pesky state lawsuits go away that much quicker.
History is *filled* with bait-n-switches like this, which most people pick up on about as frequently as they do retail prices going up two weeks before a big sale. Study the past. Without it, you'll never see the future.
46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
It could replicate itself across thousands of servers, usually because the owners were never aware that Microsoft software had turned their computer into a server in the first place.
We set up a simple win2k file server and specifically did not want IIS installed. There are a LOT of things on 2000 server that depends on it and if you check them on during the install, it will silently recheck IIS again. Want to just run an ftp server? It installs IIS.
We had to go back and uncheck IIS three separate times during the install. Another server done by another tech had IIS after I specifically put in a work order NOT to install it. He swears he didn't. I believe him.
It's as bad as the original various linux distro installs enabling every damn service under the sun (no pun intended) during an install.
Don't believe me? Just watch your code red hits on your web server and go to the sites that nail you. Most of them have either the default page or "directory listing denied" message. They are not big corporate servers for the most part that I've seen... That leads me to believe that a lot of these people don't even know IIS is running on their server...
How can we expect good tech reporting when the whole of the news business is going down the pooper? Look at what CNN is about to do to Headline News. They have hired an actor to anchor the news. Now some news organizations would have played it safe by hiring someone with more than two years of reporting under their belt. But CNN knows that outdated concepts like "experience," "journalistic integrity," and "fact checking" no longer apply in the 21st century's news entertainment business.
And people will watch, no doubt. And these people will get the kind of crappy, poorly-researched, panic-stricken news that they deserve.
From the article:
There was no malicious intent.
Except to trash whitehouse.gov, using servers and networks all over the world to do so.
In the vast world of potential Internet viruses and worms, Code Red is a grade Z microbe.
If people hadn't woken up and smelled the patch, it would have been a grade B (if not A) pain in the butt. Like Y2K, there was too much hype, but the hype helped; a self-defeating prophecy.
It would have to go through a significant amount of mutation before it became any sort of serious threat to the Internet's health.
Significant, but not huge. There's been lots of discussion about how bad the next generation may be.
At its broadest definition, all hacking is white-hat hacking.
This statement is nonsense. There is certainly such a thing as white-hat hacking, and certainly too much hacking is portrayed as far darker than it really is, but there's a huge difference between the white hats and the jerks behind Code Red.
At most, Code Red proved you should always be wary about what Microsoft software does to your machine, like turning it into a server without your implicit knowledge.
Um, these machines were supposed to be servers.-)
We should be wary about what any software does to our machines. Point well taken, though.
Stupid job ads, weird spam, occasional insight at
Forgive me for being 'uncool' by disagreeing, but this article is horrible. No malicious content to the virus!? Its initial intent was a DoS attack on whitehouse.gov. It was rather lame in its attack, but that was still malicious. Also, it's complete crap that MS came out of this looking good. It was another high-publicity security hole for one of their systems. No matter how it was handled, this still made them look bad to the general public. Also, there was a considerable slowdown on some Internet backbones due to the whitehouse.gov attack; and some slowdown on a few backbones Wednesday afternoon due to attacks by a variant of this worm attacking other gov't sites. I don't mean this as an attack on anyone, but just remember that no matter how you feel about a certain topic, don't let your feelings and opinions cloud the facts.
"Don't hate me because I'm right...Hate me because I'm an MCSE."
The BBC is running a story about how the bandwidth loss during the first Code Red attack was actually due to a train crash.
I haven't seen this anywhere else, can anyone corroborate?
Oooh praise time. Yeah, the Code Red virus event. I got extremely irritated by the news media on this one. Promising the 'downfall of the internet' etc etc. Fact is, the majority of the internet runs on UNIX, which has evolved from a network environment to an internet environment steadily and sensibly over 25 years. MicroSoft Windows NT has not done this, it's 'evolved' in the space of a couple of years, and is affected by every virus under the sun because it uses the Win32/DOS MZ executable format that everyone is so fond of coding virii for. Hopefully this will convince people to stop paying extortionate amounts for crappy MicroSoft webservers and get a sensible OpenBSD server with FP2000 extensions (if you must have them) instead. Keep the GUI on the desktop, servers do not need a ridiculous GUI stopping you from properly managing processes etc.
Anyway. The weird thing about the Media is that it has concentrated on the malicious people who created the virus. I have not seen anyone comment on why it is always Microsoft servers that seem to appear in the news; only a few months ago there was the great MS Administrator Password fiasco. Then there was I Love You and so on.
It'd be nice if someone created some software to check for DDoS worms on servers. All you need is a packet sniffer to track incoming and outgoing packets and hunt for millions of outgoing packets going to an IP that hasn't requested anything.
The idea of an 'immune system' mentioned at the start of that article intrigued me. It would be very nice if someone like McAfee created a system that automatically pushes upgrades to registered antivirus software running on servers as soon as an outbreak is detected, so that the software could instantly do a quick search for that one virus and deal with the problem each hour for several days or something (although several days is a bit of wishful uptime for Microsoft servers, Ho Ho Ho Ho etc :P...).
ghaa.
Well that's what I think. Bubbye.
Weevil
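The "packet sniffer that hunts for outgoing packets to an IP that hasn't requested anything" idea in the post above is worth sketching, because it catches both halves of a Code Red style worm: the flood against one victim, and the scanning of random addresses that nobody asked the server to talk to. Below is an added example in Python, not the poster's code; the packet records are constructed rather than captured, the TCP SYN is used as the "who opened this connection" signal, and the allowed outbound port set (DNS only) is an assumption about the monitored server.

```python
"""Spot a server emitting unsolicited outbound traffic: DDoS flood or worm scanning.

Added example for the idea in the post above, not the poster's code. The packet
records are constructed; a real tool would take them from a sniffer.
"""
from collections import defaultdict, namedtuple

# One observed packet, as seen from the monitored server.
#   direction:   "in" (arrived at the server) or "out" (left the server)
#   remote_ip:   the other host
#   remote_port: that host's port (client source port for "in", destination port for "out")
#   flags:       TCP flag letters, e.g. "S" = SYN, "SA" = SYN-ACK, "PA" = PSH-ACK, "" = not TCP
Packet = namedtuple("Packet", "ts direction remote_ip remote_port flags")

# Assumption: the server legitimately initiates DNS lookups and nothing else.
ALLOWED_OUTBOUND_PORTS = {53}

def _is_syn(flags):
    """A bare SYN (no ACK) is the side that opened the connection."""
    return "S" in flags and "A" not in flags

def classify(packets, flood_threshold=1000, scan_threshold=50):
    """Return (floods, scanned, is_scanning).

    floods:      {remote_ip: count} for hosts that got >= flood_threshold unsolicited
                 packets from us (a DDoS victim, as whitehouse.gov was meant to be)
    scanned:     hosts we opened a connection to although they never contacted us
                 (a worm probing random addresses looks exactly like this)
    is_scanning: True once len(scanned) >= scan_threshold
    """
    solicited = set()               # (remote_ip, remote_port) pairs the remote side opened
    unsolicited = defaultdict(int)  # unsolicited outbound packets per remote host
    scanned = set()
    for p in sorted(packets, key=lambda p: p.ts):
        if p.direction == "in":
            if _is_syn(p.flags):    # remote opened a connection; our replies on it are fine
                solicited.add((p.remote_ip, p.remote_port))
            continue
        if (p.remote_ip, p.remote_port) in solicited or p.remote_port in ALLOWED_OUTBOUND_PORTS:
            continue
        unsolicited[p.remote_ip] += 1
        if _is_syn(p.flags):        # we initiated this one, nobody asked us to
            scanned.add(p.remote_ip)
    floods = {ip: n for ip, n in unsolicited.items() if n >= flood_threshold}
    return floods, sorted(scanned), len(scanned) >= scan_threshold

def build_sample():
    """Constructed capture: one legitimate client, a DNS query, a flood and a scan."""
    pkts = [
        Packet(0.0, "in", "198.51.100.7", 40000, "S"),
        Packet(0.1, "out", "198.51.100.7", 40000, "SA"),
        Packet(0.2, "in", "198.51.100.7", 40000, "PA"),
        Packet(0.3, "out", "198.51.100.7", 40000, "PA"),
        Packet(1.0, "out", "192.0.2.53", 53, ""),        # UDP DNS query, no TCP flags
    ]
    # Flood: one connection we opened to the target, then junk data pushed on it.
    pkts.append(Packet(10.0, "out", "203.0.113.1", 80, "S"))
    pkts += [Packet(10.0 + i / 1000, "out", "203.0.113.1", 80, "PA") for i in range(1, 1200)]
    # Scan: one SYN each to 60 addresses that never talked to us.
    pkts += [Packet(20.0 + i, "out", f"10.0.{i // 256}.{i % 256}", 80, "S") for i in range(1, 61)]
    return pkts

def legit_sample():
    """Only the benign prefix of the capture."""
    return [p for p in build_sample() if p.ts < 2.0]

if __name__ == "__main__":
    floods, scanned, scanning = classify(build_sample())
    print("flood targets:", floods)
    print("hosts scanned:", len(scanned), "scanning:", scanning)
```

Two caveats a practitioner would want: the solicited set must be seeded from the existing connection table (or the capture started before the connections of interest), otherwise replies on a connection that was open before sniffing began are counted as unsolicited; and the SYN rule is TCP-only, so UDP traffic either needs an allowlist like the DNS entry above or a request/response pairing of its own. A server that legitimately acts as a client (mail relay, package updates) needs its ports added to ALLOWED_OUTBOUND_PORTS or it will trip the scan detector on its own.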
I just read this one here:
I copied my favicon.ico (a penguin icon for MS IE and Konqueror to save along with a bookmark) as default.ida. Now, whenever I get probed, I send out a little portrait of Tux. ;)
Ok, I know that doesn't accomplish anything useful, but it does cut down on the 404's in the logfile at Librenix!
Geeky modern art T-shirts
You don't need a genetic structure, what you describe could be obtained by modifying the existing Code Red worm to make a random change to the GET request it uses to spread itself. Say, once every 100 attempts to spread, it makes some random change to one character of its 'child'. As in real life, the vast majority of such changes would be either deadly or would end up in the long string of NNNNNNNs and have no effect. Once in a great while, a variant would turn out 'fitter' than its parent, for example by disabling the limitations that keep the parent in check or becoming somehow less visible to human observation.
Give it a year to run, and who knows what could happen?
--
My other computer is your IIS server.
It also tries to set about 20 cookies. Really shitty site.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
That was cute. I wonder why it was modded 'off topic'? I wish negative moderation were reserved for posts that really threaten to flood us in crap. A post that replies to the front-page blurb may be marginally off-topic, but is it worth modding down?
As a tech-savvy guy, I often get asked, "Why do people do this?"
I realise that this is not the motivation for every virus or worm, but generally, each one raises some awareness in the consumer. The popular viruses get around and a lot of people see it. Every time, they "update" their virus scanner and feel safe until the next one. What I tell people is that it shows the inherent security problems in Windows. I chase that with, "What if your company's competitor writes a virus targeted at yours and nobody else's? They have the power to grab all of your intellectual property and no virus scanner out there will save you because they only deal with 'popular' viruses. Once the damage is done, it's done. Virus scanners only superficially 'fix' the problem. The *real* threat is the inherent insecurity in Windows/Outlook that Microsoft seems unwilling to fix. These viruses you see are warnings and nobody is realising that. Few people are aware of the real problem."
This usually enlightens them. The big problem, as I see it, is that the popular media isn't saying it. As long as they aren't, the problem will continue to exist... *sigh*
Then again, I *am* known as the second most paranoid person at my place of work (the biggest paranoiac doesn't trust the use of kernel modules, and that is probably the only difference). I may be totally off base, but if you think I'm not, then, by all means, answer the inevitable question appropriately.
** I apologise for any incoherence in this post. I drank more than usual today as we were let out early to "enjoy" the day