Slashdot Mirror


Code Red Reporting That Doesn't Suck

marvin tph writes "The results are in: Time.com is the first mainstream news source to write an intelligent article on the Code Red story. With all the big guys telling people that we've only seen the eye of the storm, it's nice to see someone get it right."

20 of 191 comments

  1. I don't have time to patch my servers against it! by skrowl · · Score: 5, Funny

    I don't have time to patch my servers against code red!

    I'm too damned busy replying to all of my email. You'd never believe how many people have been sending me files asking for my advice!

    --

    Prevent linux based DDOS's!
    http://linux.denialofservice.org/
  2. The Silly Season by Marcus+Brody · · Score: 4, Informative

    In the UK, this time of year is sometimes referred to as "The Silly Season" in the media.
    All the politicians are away on summer holidays.... most of the decent journalists take a break as well. This leaves the papers a little thin on decent news (er, like, there's nothing happening in the world at all. honest guv. No civil war in Sri Lanka. No erupting volcano on Sicily. No siree). Basically, it's the time of year when two-bit journalists regurgitate 2-week old stories, and the papers are full of "and-finally" articles....

  3. The Time guy is a moron. by novarese · · Score: 4, Flamebait
    How can you say this is good reporting???

    There was no malicious intent.

    Gee, just a massive DDoS against the US Government. Yeah, not malicious at all. I mean, even if you think this is a worthy social goal, you'd have to honestly believe your audience is a bunch of morons (ok, we are talking about Time magazine here, but still) to say that with a straight face.

  4. We need to properly inform the tabloid media by Dr_Cheeks · · Score: 5, Interesting
    How do the majority of tabloid media find out about stuff like this? Well, either they hear about it from someone else (and thus Chinese Whispers ensues), or they go looking for info and run into technical stuff that's over their heads.

    What they need is a source that dumbs things down enough to be broadcast on your local Fox affiliate while still keeping it accurate. Soundbite-friendly, not very technical, clear about the details. Most people don't know what you're talking about if you say "IIS vulnerability", but if you say "The Code Red Virus will hack the internet" then most people can get a handle on that.

    It's not just about hype - it's lack of understanding. Anchors aren't good at telling people something when they don't understand it themselves, so it needs to be explained to them.

    I, unfortunately, already have hardly any free time to start up a site providing a service like this, but I'd be willing to contribute to someone else's - anyone up for it?

  5. Hype? Maybe but.. by kill_9_1 · · Score: 4, Insightful

    Was the story hyped by newsmakers and others who would benefit from such an event? Probably. Was anyone harmed by the hype? No (unless you count late-night patching). If anything, it got sysadmins everywhere into action to fix a hole that could have resulted in a real problem.

    --
    kill_9_1
  6. The excuse for government regulation by sdo1 · · Score: 5, Interesting

    Code Red is providing a convenient excuse to the feds to call for further regulation of the internet.

    "Our economy DEPENDS on the internet!" they'll cry. "We can't let our country be reduced to rubble by some malicious hacker!"

    And of course the press buys right into it. The DMCA, bills to punish users of school networks and computers, laws with stricter penalties for hackers than murderers... expect it to accelerate. Worms like Code Red just give the feds the ammunition they need in the court of public opinion.

    -S

    --
    --- What parts of "shall make no law", "shall not be infringed", and "shall not be violated" don't you understand?
    1. Re:The excuse for government regulation by RedX · · Score: 3, Interesting

      While we're talking conspiracy theories, take a look at Cringely's latest column, where he believes that MS will be leveraging these types of holes to create their own proprietary TCP/IP-like protocol that will be forced down our throats and will receive backing from the government. Sounds a bit far-fetched, but I wouldn't put anything past MS when it comes to them controlling markets that they have their fingers in.

  7. Has anybody thought about this? by EyesOfNostradamus · · Score: 5, Insightful
    The Code Red background noise could serve as cover for a much nastier worm to be released.

    Consider the following scenario: a new worm, let's call it Code Blue, exploits the same security hole as Code Red. However, rather than attacking randomly any IP address, it would first just sit there and wait. As soon as it got a probe from the original Code Red (which statistically happens about 3 times per hour), it would "fight back" by infecting the attacking machine and replacing Red with Blue. The newly infected machine would behave similarly.

    After about 11 hours of propagation, the new worm would have infected a significant percentage of the vulnerable machines, without revealing its presence in an obvious way. It would only attack machines which are known vulnerable (and hence probably badly maintained), and the probability of anybody noticing would be incredibly small. Then, after some twenty hours, it would start to do some fun stuff...

    1. Re:Has anybody thought about this? by martyb · · Score: 5, Informative

      There are still about 100.000 vulnerable (and by now... infected) machines out there.

      As of the time of my posting this, there are about 130,000 infected hosts. Go to:

      http://www.caida.org/dynamic/analysis/security/code-red/index.html
      to see the "Dynamic Graphs of Code Red Worm" page from CAIDA (Cooperative Association of Internet Data Analysis).
    2. Re:Has anybody thought about this? by friscolr · · Score: 5, Interesting
      Code Red first started wreaking havoc a couple days after the bugtraq post about the telnetd vulnerability - about July 19th, after the mutation which allowed it to truly randomly spread.

      There were no more posts about the telnetd vulnerability for a few days as the bugtraq list was saturated with Code Red information. I'm paranoid as fuck and assumed that Code Red was a cover up for the telnetd exploit which we'd later find out affected every single version of telnetd out there (including on routers and the like).

      But it didn't happen that way.

      It is a lesson in distraction, though: when a true hacker wants to really take over the net, a Sircam virus or Code Red worm will make a great cover for the true exploit. I'm sure Sun Tzu wrote something witty about this, as it is the same technique used by countless military tacticians (at least the ones who "won") - cf. the amphibious build-up prior to the land invasion during the Gulf War, or Patton's fake army prior to the Normandy invasion during WWII.

    3. Re:Has anybody thought about this? by EyesOfNostradamus · · Score: 4, Interesting
      There are still about 100.000 vulnerable (and by now... infected) machines out there. Many are home machines connected via cable or DSL, whose owners may not even know that they run a web server. Another big contingent are countries such as China, Korea, Taiwan, where traditionally they take a more relaxed view about security.

      Code Red could be a good launch platform for some other nastiness. Make it multiple phase. First propagate under cover of Code Red. Then, after a set time (say, 24 hours) change phase, and use a different propagation medium (email, another exploit, whatever) and toss away Phase I code. The benefit: a much larger launching platform for the actual virus! And if Phase I code is cleaned away well enough, nobody will be able to understand where the virus suddenly came from, out of nowhere.

  8. An observation... by jeffy124 · · Score: 5, Interesting
    For whatever reason, I can't connect to Time.com to get the article, so I'll ramble about an observation I've made:

    A machine at a research lab at school runs apache. In the access_log, from July 18-20, it had 18 attempts from a Code Red infected machine to spread the worm. (Naturally the attempt fails, cuz it's apache) But from August 1st through 'til about 9pm (EDT) last night (Aug 2), 36 attempts. So the question is - if the worm is spreading slower, why is it that this one system has had more attempts of spreading this time around than the first?

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
    1. Re:An observation... by Saint+Aardvark · · Score: 4, Informative
      Hey, folks -- mail those logs!

      From http://dshield.org/codered.html:

      As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one time only submission for log entries that contains this information.

      Linux and other *NIX users can do this by changing to the directory where your web server logs are located and executing a script like this:

      grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org
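
The dshield grep above just pulls out every line containing the Code Red request, and jeffy124's post a few comments up counts those hits by date. The script below is an added example (not dshield's tool, nor anything the commenters posted) that does both over Apache common-log lines: it parses each line, flags the Code Red probe by its long run of repeated N's after /default.ida, and tallies probes per day and per source address, keeping the raw matching lines for a submission. The log lines are constructed for the example; the ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation addresses, not real probe sources. It goes slightly beyond the page by also matching a run of X's, the marker the later Code Red II variant used in place of N's.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache common-log lines (not real traffic). A real Code Red
# probe continues past the run of N's with further URL-encoded bytes; the
# dshield grep keys only on "default.ida?NNNNN", so the samples stop at the run.
N_RUN = "N" * 60
X_RUN = "X" * 60  # the later Code Red II variant used a run of X's instead
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [19/Jul/2001:14:02:11 -0400] "GET /default.ida?{N_RUN} HTTP/1.0" 404 285',
    f'192.0.2.10 - - [19/Jul/2001:15:47:30 -0400] "GET /default.ida?{N_RUN} HTTP/1.0" 404 285',
    f'198.51.100.7 - - [19/Jul/2001:20:10:05 -0400] "GET /default.ida?{N_RUN} HTTP/1.0" 404 285',
    '203.0.113.44 - - [20/Jul/2001:09:00:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.44 - - [20/Jul/2001:09:00:02 -0400] "GET /default.ida?NNN HTTP/1.1" 404 285',
    f'192.0.2.77 - - [01/Aug/2001:03:12:40 -0400] "GET /default.ida?{N_RUN} HTTP/1.0" 404 285',
    f'198.51.100.7 - - [01/Aug/2001:22:30:19 -0400] "GET /default.ida?{X_RUN} HTTP/1.0" 404 285',
    'this is not a log line',
])

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red's signature request: /default.ida followed by a long run of one
# repeated character (N for the original, X for Code Red II). Requiring at
# least 20 repeats keeps a stray short /default.ida?... request from matching.
PROBE_RE = re.compile(r'^GET /default\.ida\?([NX])\1{19,}')


def parse_line(line):
    """Return a dict for a well-formed common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_code_red_probe(request):
    """True if the request line carries the Code Red probe signature."""
    return PROBE_RE.match(request) is not None


def scan_log(text):
    """Count Code Red probes per day and per source address, and collect the
    raw matching lines (the same lines the dshield grep would mail off)."""
    report = {
        "probes": 0,
        "unparsed": 0,
        "by_day": Counter(),
        "by_source": Counter(),
        "matched": [],
    }
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        if is_code_red_probe(rec["request"]):
            report["probes"] += 1
            report["by_day"][rec["time"].date().isoformat()] += 1
            report["by_source"][rec["ip"]] += 1
            report["matched"].append(line)
    return report


if __name__ == "__main__":
    r = scan_log(SAMPLE_LOG)
    print(f"{r['probes']} probe(s) found, {r['unparsed']} unparsed line(s) skipped")
    for day, n in sorted(r["by_day"].items()):
        print(f"  {day}: {n} probe(s)")
    for ip, n in r["by_source"].most_common():
        print(f"  {ip}: {n} probe(s)")
```

To run it over a real log, feed the file contents to scan_log instead of SAMPLE_LOG; the per-day counter gives the same July-versus-August comparison jeffy124 made by hand, and the per-source counter shows whether a rise in hits comes from many new infected hosts or a few repeat offenders.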

  9. Re:Good quote about not knowing it's there... by _xeno_ · · Score: 3, Informative
    I feel I need to point out the following:

    IIS stands for Internet Information Services - that includes FTP and HTTP. IIS is usually used as a webserver, but you can also use it as a FTP server and various other servers, all through the same "friendly" interface. You can install IIS without the webserver and with various other interfaces.

    My install of Win2K (hey, I'm at work, writing ASPs - it's a paycheck, layoff) has the following IIS options:

    • Common Files and Documentation as items - the Common Files are required, Docs are useful
    • FTP Server
    • FrontPage 2000 Server Extensions (allows FrontPage to post pages via the HTTP server)
    • Internet Information Services Snap-In - some sort of management utility
    • Personal Web Server - actually, a GUI for idiots who want to screw themselves over with bad IIS installs (it's basically an on/off switch for the webserver plus some pretty slides)
    • SMTP Service - an SMTP server
    • Visual InterDev plugin - same as FrontPage extensions, but for InterDev
    • World Wide Web Server - what most people call "IIS"

    IIS is just Microsoft's server platform, it isn't just a webserver - that's why you have to install it with a FTP server - it contains some core files along with pretty graphical management software. If it helps, think of it like inetd - it also does configuration and other management "stuff." (I'm not sure exactly what the "Common Files" are and what they do - I think they're mainly the configuration/management utilities though.)

    --
    You are in a maze of twisty little relative jumps, all alike.
  10. Interesting Point: by Lizard_King · · Score: 3, Interesting

    "For Microsoft, this was the kind of publicity you just can't buy. ... they also had their name inextricably linked with the well-being of the Internet itself"

    This is quite an interesting point that Taylor makes. The FUD-monster in the back of my mind is thinking up future scenarios where Microsoft could privately release worms/virii to rally support from the public.

    I'm just waiting for the next major worm to have pop-up ads.

    --
    "My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
  11. Biohazard designations for the net - NetHazards by hillct · · Score: 5, Insightful

    Chris Taylor in Time makes a few good points. If you look at biological virology, and compare it to computer viruses, the similarities are striking.

    Viruses can either stealthily infect every computer available to them and then, after a gestation period, attack and destroy the computer in some way (NetHazard level 1), or as soon as one infects a computer it can simply wipe the drive and be done with it (NetHazard level 5), but this doesn't give it any time to infect other systems. As such a NetHazard 5 virus would (in virology lingo) 'burn itself out' in a short period of time.

    We've seen our first highly infectious virus recently, in Code Red, but we haven't seen one so highly infectious that also causes the patient to bleed out and die. In short, we ain't seen nothn' yet.

    I'm waiting for a patient virus writer to perfect his software first, before releasing it, because so far, although Microsoft software is a favorite virus target, virus writers seem to employ the same software development model as Microsoft, in that they just let their code loose on the net without debugging or optimizing it. Imagine what email (read: Outlook) viruses could do if the writers stopped to use proper grammar in their messages, or tailored the attachment type to the domain from which the infected computer is sending the message (office docs for .com, web pages for .net, etc...). Better viruses are on the horizon, and I'm amazed we haven't started to see them already.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
  12. Sensationalized news? NEVER! by camusflage · · Score: 3, Insightful

    Are we really surprised? The media loves to play to the man in the street's fear that the net can easily be taken down. No one ever brings up that the core protocols of the net are built to route around problems. From the Michelangelo virus to Y2K, they glom on to every story and predict the imminent death of the web. We techies know better. We know that it would take nothing short of a massive world-wide failure of the power grid and oil delivery infrastructure to truly take the net offline.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake
  13. For everyone who didn't pay attention in History by Markvs · · Score: 5, Informative

    ...which is probably most Americans...

    Stolen from the article:
    "For Microsoft, this was the kind of publicity you just can't buy. Not only did Redmond get to share a dais with the Justice Department --which is rather like Stalin vowing eternal friendship with Roosevelt to counter the Nazi menace -- but they also had their name inextricably linked with the well-being of the Internet itself."

    Which is *exactly* what it is, except that in this case there isn't any Nazi menace to stand up to. My bet is that this will be seen as a way to soften the DOJ/Microsoft schism in the public's eye and make all those pesky state lawsuits go away that much quicker.

    History is *filled* with bait-n-switches like this, which most people pick up on about as frequently as they do retail prices going up two weeks before a big sale. Study the past. Without it, you'll never see the future.

    --
    46. The Hobo smiles, his eyes glaze over, and he burps. "Beware the man who has lived longer than the Wasteland."
  14. Good quote about not knowing it's there... by weave · · Score: 4, Informative
    I liked this bit from the article...

    It could replicate itself across thousands of servers -- usually because the owners were never aware that Microsoft software had turned their computer into a server in the first place.

    We set up a simple win2k file server and specifically did not want IIS installed. There are a LOT of things on 2000 server that depend on it, and if you check them on during the install, it will silently recheck IIS again. Want to just run an ftp server? It installs IIS.

    We had to go back and uncheck IIS three separate times during the install. Another server done by another tech had IIS after I specifically put in a work order NOT to install it. He swears he didn't. I believe him.

    It's as bad as the original various linux distro installs enabling every damn service under the sun (no pun intended) during an install.

    Don't believe me? Just watch your code red hits on your web server and go to the sites that nail you. Most of them have either the default page or "directory listing denied" message. They are not big corporate servers for the most part that I've seen... That leads me to believe that a lot of these people don't even know IIS is running on their server...

  15. Overreaction to overreaction by Lumpish+Scholar · · Score: 5, Insightful

    From the article:

    There was no malicious intent.

    Except to trash whitehouse.gov, using servers and networks all over the world to do so.

    In the vast world of potential Internet viruses and worms, Code Red is a grade Z microbe.

    If people hadn't woken up and smelled the patch, it would have been a grade B (if not A) pain in the butt. Like Y2K, there was too much hype, but the hype helped; a self-defeating prophecy.

    It would have to go through a significant amount of mutation before it became any sort of serious threat to the Internet's health.

    Significant, but not huge. There's been lots of discussion about how bad the next generation may be.

    At its broadest definition, all hacking is white-hat hacking.

    This statement is nonsense. There is certainly such a thing as white-hat hacking, and certainly too much hacking is portrayed as far darker than it really is, but there's a huge difference between the white hats and the jerks behind Code Red.

    At most, Code Red proved you should always be wary about what Microsoft software does to your machine, like turning it into a server without your implicit knowledge.

    Um, these machines were supposed to be servers.-)

    We should be wary about what any software does to our machines. Point well taken, though.

    --
    Stupid job ads, weird spam, occasional insight at