Slashdot Mirror


Code Red II: Shells for the Taking

sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accessible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?
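A defender-side check for what the submission describes, added here as an example (it is not code from the submitter, incidents.org or Slashdot): it scans IIS-style web log lines for requests to the cmd.exe/root.exe copy under /scripts and tells probes from other hosts apart from successful hits on a live backdoor. The W3C field order and the sample log lines are assumptions.

```python
# Flag Code Red II backdoor indicators in IIS W3C-style web logs. The story
# describes the worm copying cmd.exe into the scripts directory (comments
# name the copy root.exe), so any request for those paths deserves an alert:
# 2xx means the backdoor is live on this server, 404 means someone is probing.
import re
from collections import defaultdict

# Paths named in the discussion: cmd.exe/root.exe under /scripts.
BACKDOOR_RE = re.compile(r"^/scripts/(root|cmd)\.exe$", re.IGNORECASE)

# W3C extended log; assumed field order: date time c-ip cs-method cs-uri-stem sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines (not taken from the page).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-04 13:02:11 10.1.2.3 GET /index.html 200
2001-08-04 13:02:15 10.1.2.3 GET /scripts/root.exe 404
2001-08-04 13:02:16 10.1.2.3 GET /SCRIPTS/root.exe 404
2001-08-04 13:03:40 10.9.8.7 GET /scripts/cmd.exe 200
2001-08-04 13:04:02 10.4.4.4 GET /about.html 200
"""

def parse_line(line):
    """Return (ip, stem, status) for a data line, None for directives/junk."""
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line.rstrip())
    return (m.group("ip"), m.group("stem"), int(m.group("status"))) if m else None

def scan_log(text):
    """Return {ip: {"probes": n, "backdoor_hits": n}} for offending source IPs."""
    report = defaultdict(lambda: {"probes": 0, "backdoor_hits": 0})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not BACKDOOR_RE.match(parsed[1]):
            continue
        ip, _, status = parsed
        # A 2xx means the request reached a live copy of the backdoor here.
        report[ip]["backdoor_hits" if 200 <= status < 300 else "probes"] += 1
    return dict(report)

def backdoor_present(text):
    """True if any backdoor request succeeded: treat this host as compromised."""
    return any(r["backdoor_hits"] for r in scan_log(text).values())
```

A 404 stream from one address is the "probing" the dialup posters below are seeing; a 200 means the scripts directory on your own server already holds the copied shell.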

16 of 602 comments

  1. Re:The Breaking Point by nugatory · · Score: 3, Insightful
    So, which will it be, folks?

    None of the above.
    The two historical precedents that come to mind are:

    • The Grand Canyon midair collision on 30 June 1956
    • The sinking of the Titanic
    In both cases, technologies failed in ways that (in hindsight) were predictable and even inevitable consequences of growth beyond their roots. In both cases, the response was moderate, incremental, and designed to preserve existing investments in these technologies. The lesson is that the "breaking point" for a widespread infrastructural technology is very hard to reach. And, like it or not, Windows is one of these technologies.

    Instead, what we'll see happen is more attention to security, taken in small steps. More people will subscribe to alert services, and they'll be willing to pay more for them. Bosses will start asking sysadmins what they've done for security today, and be more willing to sign purchase orders for security-related work. ISPs will pay a bit more attention to open ports on their home users, and some will scan their networks for known security vulnerabilities. OEMs configuring systems for naive users will discover that people will pay for a "safe out of the box" configuration, so they'll start to offer one. And so on, and so on....

    The normal state for an economically useful thing is to be stressed, but not stressed to the breaking point. This should be pretty obvious: if it's not stressed, it was uneconomically overbuilt. We are very far from the breaking point for Windows.

  2. Bandwidth by nick_davison · · Score: 4, Insightful
    But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?

    I kind of find myself wondering, which wastes more bandwidth: the virus itself or all of the discussion about the virus?

    I'm assuming the virus wastes vastly more. That said, take a look at the way every news site is covering it, the large images they have accompanying the stories and the vast numbers of people reading them because MSN messenger tells them it's important. I don't know if there is any way of measuring the bandwidth wasted by each but it'd be an interesting ratio to see, if there was.

    1. Re:Bandwidth by TrixX · · Score: 4, Insightful

      The bandwidth wasted by the virus is actually wasted, and useless.

      But if all the news, the discussion and similar are useful to make sysadmins a little smarter and make them use less vulnerable servers, or at least keep security patches up to date, I think that is not "waste".

  3. Re:I'm sorely tempted . . . by Phroggy · · Score: 5, Insightful

    Unfortunately, it doesn't look like the root.exe installed by Code Red has Administrator privileges, which iisreset.exe needs. Or at least, that's my guess, since it isn't working.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;

  4. Re:The Breaking Point by Ridge2001 · · Score: 3, Insightful
    Does anybody remember a few months ago when everybody around Slashdot was feeling sorry for themselves because it seemed that Open Source software was getting hard hit by security problems?
    • sourceforge.com was hacked
    • themes.org was hacked
    • apache.org was hacked
    • the ramen worm
    • the lion worm
    • the knark rootkit
    Things were so bad that Microsoft felt cocky enough to make the claim that open source software has "inherent security risks".

    Well, you can quite rightly laugh at Mundie now for his audacity, but it's ridiculous to start calling for lawsuits against software makers. Do you really believe there is never going to be another exploit targeting open source software? Do you want the creators of that open source software to be sued too when that happens?

    Microsoft is a big company, and it can afford lawsuits like that. But if, say, the creators of BIND were sued for an exploit, that would probably be the end of BIND. And it's unlikely anyone would be eager to write an open source replacement, with the threat of lawsuits looming over any potential open source project.

  5. The Breaking Point by tbo · · Score: 5, Insightful

    I think Code Red (and Sircam, which your average Joe will probably lump together with Code Red in his mind) will be the virus that breaks the camel's back. It's gotten constant publicity, it's coming back for a second round, and this time, it wants blood.

    What will happen? I don't know, but here are some possibilities:

    Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.

    Lawsuit. Assuming the virus writers aren't found, the next logical targets will be Microsoft, and owners of a large number of infected hosts. Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch. Microsoft can always hide behind their patch, which was available well in advance, and claim that "everyone knows that bugs happen, and it's up to admins to keep up to date" (never mind that this contradicts their own marketing material--when has inconsistency ever stopped marketing before?). Suing somebody with a large bunch of infected hosts is also silly, since, to be infected by them, you have to be just as inept as them.

    Government Intervention. Some state governors may push silly state bills, but they'll be irrelevant. What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances (i.e., can you sue MS? For how much?). Why it probably won't happen: with Congress and Bush on vacation, not much will get done in at least the next month, and things will probably have come to a head before then. Only if this round does serious damage (perhaps the world's biggest DDoS against some high-profile targets, like Akamai), and another generation of Code Red pops up in September (just in time to catch all those college PCs with their pirated copies of Windows 2000 Server and high bandwidth), will this become a real possibility.

    Internet Collapses. I really doubt it, I just had to say it to satisfy Cringley :-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.

    So, which will it be, folks? This would make a great SlashPoll.

    1. Re:The Breaking Point by nyet · · Score: 3, Insightful

      The security flaw was exposed to the public (not kept secret), and a patch was released & made available a full month before the main CR outbreak. They did everything they reasonably should have.

      Except that IIS still runs with admin privileges. Nice try though.

    2. Re:The Breaking Point by Kris_J · · Score: 3, Insightful

      You forget ICE -- the rather romantic "Intrusion Countermeasure Electronics" -- an automated response to terminate unauthorised hack attempts. I'm currently running the IIS shutdown line as specified by other /. posters for every IP address that probes me (I'm on a dynamic 56k dialup, I should not be getting HTTP requests -- I never did before CodeRed). It would probably be trivial to automate the process, and POOF! your first ICE program.

  6. I'm sorely tempted . . . by Floyd+Turbo · · Score: 5, Insightful

    Is there a Windows command line equivalent to "shutdown -h now", by any chance? I know I really shouldn't do it, but I'd be so sorely tempted to write a script that would shut down any infected box that scanned mine.

    The more I think about it, the more it seems like a permissible act of self defense. It does no harm to the infected box (if the worm doesn't write itself to disk, as I've read, it actually helps) and prevents the infected box from being used to perpetuate more abuse.

    Hmm . . .

    1. Re:I'm sorely tempted . . . by Greyfox · · Score: 5, Insightful

      You want this: http://support.microsoft.com/support/kb/articles/Q202/0/13.ASP Happy little command called IISRESET. I think an IISRESET /STOP is in order...

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    2. Re:I'm sorely tempted . . . by Floyd+Turbo · · Score: 3, Insightful

      C'mon now, I'm not talking about killing the guy, or even his box. I'm not talking about wiping his hard drive or even installing a fix without the owner's permission. I just want these damned things to stop eating up my bandwidth.

      And while I'm not going to get cracked by the worm myself, I am getting hammered by others in the same /8 as me who weren't immune. I'm also not thrilled about thinking what the author of this new version is going to do with all the boxes he's rooted.

      Given all that, I'm still having a hard time deciding that telling the offending machine to turn itself off isn't a valid, proportionate response to this sort of thing.

      OK, OK, I'm not going to do it, but man . . .

    3. Re:I'm sorely tempted . . . by Anonymous Coward · · Score: 1, Insightful

      Suppose that server is monitoring or controlling some mission-critical or safety-critical apparatus? It might be a server so that it can be monitored from a remote location. You might kill someone by shutting it down or rebooting it.

    4. Re:I'm sorely tempted . . . by Eric+S.+Smith · · Score: 2, Insightful
      Both legally and ethically the right thing to do is to notify the owner of the offending machine

      ...assuming that you can determine who that person is. And, ethically, if you were walking down the street with a fire extinguisher and saw somebody's garbage can on fire, would you really, uhh, leave them a message on their answering machine?

      The fire extinguisher in this case is ipconfig /release, I think. Bonus marks for picking the right interface on a machine with more than one NIC.

  7. Re:How to be a nice guy by Anonymous Coward · · Score: 1, Insightful

    Too bad WinNT machines don't have a "c:\windows" directory. On NT4 try "c:\winnt\profiles\administrator\desktop", and on Win2k and WinXP try "c:\documents and settings\administrator\desktop". You could also replace "administrator" in both of those paths with "all users" so that it shows up on the desktop for all users on the system.

  8. Re:One simple HTTP request that nukes C: by Anonymous Coward · · Score: 1, Insightful

    This uncovers an NT problem: you can't erase a file that is in use. The del command will probably abort upon finding the first file that it can't delete.

    I've done this before to myself.

  9. Re:Ummm, no actuall by waveman · · Score: 2, Insightful

    Even more relaxed lobsters and nicer food if you float the lobsters in wine until they become unconscious. We did this once and the results were excellent.