Slashdot Mirror
Code Red II: Shells for the Taking
sigurdur writes "It seems there is a new and more malicious version of Code Red out there. This one seems to try and copy cmd.exe into a position where it is accesible to us all - the scripts directory. So far I have seen it reported on the intrusions-list at incidents.org where they also just put up a notice about this third generation Code Red worm." I still think sircam is more annoying since it affects every email user, and not primarily poorly administered websites. But imagine how much bandwidth Code Red and Sircam have wasted in the last few weeks?
I kind of find myself wondering, which wastes more bandwidth: the virus itself of all of the discussion about the virus?
I'm assuming the virus wastes vastly more. That said, take a look at the way every news site is covering it, the large images they have accompanying the stories and the vast numbers of people reading them because MSN messenger tells them it's important. I don't know if there is any way of measuring the bandwidth wasted by each but it'd be an interesting ratio to see, if there was.
Unfortunately, it doesn't look like the root.exe installed by Code Red has Administrator privaleges, which iisreset.exe needs. Or at least, that's my guess, since it isn't working.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I think Code Red (and Sircam, which your average Joe will probably lump together with Code Red in his mind) will be the virus that breaks the camel's back. It's gotten constant publicity, it's coming back for a second round, and this time, it wants blood.
:-) Seriously, though, things may get slow, but I have a feeling vigilante efforts (counter-worms, Apache scripts that reboot infected attacking Win boxes, etc.) will keep this from happening.
What will happen? I don't know, but here are some possibilities:
Revolt against Microsoft software. We'd all love for this to happen, but their PR machine is probably too good. Still, we can always hope people realize that MS bears a large part of the responsibility here.
Lawsuit. Assuming the virus writers aren't found, the next logical targets will be Microsoft, and owners of a large number of infected hosts. Why it probably won't happen: suing Microsoft over this draws attention to the fact that your company's computer systems are insecure, and that your admins were too lazy/stupid to install the patch. Microsoft can always hide behind their patch, which was available well in advance, and claim that "everyone knows that bugs happen, and it's up to admins to keep up to date" (never mind that this contradicts their own marketing material--when has inconsistency ever stopped marketing before?). Suing somebody with a large bunch of infected hosts is also silly, since, to be infected by them, you have to be just as inept as them.
Government Intervention. Some state governors may push silly state bills, but they'll be irrelevant. What would really get interesting is if the Feds pass some sort of laws, either making people responsible for keeping their systems secure, or defining what kind of liability software manufacturers are exposed to in these circumstances (i.e., can you sue MS? For how much?). Why it probably won't happen. With Congress and Bush on vacation, not much will get done in at least the next month, and things will probably have come to a head before then. Only if this round does serious damage (perhaps the world's biggest DDoS against some high-profile targets, like Akamai), and another generation of Code Red pops up in September (just in time to catch all those college PCs with their pirated copies of Windows 2000 Server and high bandwidth), will this become a real possibility.
Internet Collapses. I really doubt it, I just had to say it to satisfy Cringley
So, which will it be, folks? This would make a great SlashPoll.
Is there a Windows command line equivalent to "shutdown -h now", by any chance? I know I really shouldn't do it, but I'd be so sorely tempted to write a script that would shut down any infected box that scanned mine.
The more I think about it, the more it seems like a permissible act of self defense. It does no harm to the infected box (if the worm doesn't write itself to disk, as I've read, it actually helps) and prevents the infected box from being used to perpetuate more abuse.
Hmm . . .