Slashdot Mirror


Code Redux

I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage. Code Red is hitting cable modem networks especially hard, as the new variants scan "nearby" IPs in preference to random ones, which has apparently caused enough damage and network congestion that AT&T's residential broadband division (MediaOne) has cut off port 80 across their network to try to halt the spread of the worm, or so several submitters reported. Newsforge has a story about various reactions to the worm, and reader nettdata sent in an interesting story about the worm becoming the main course at a dinner of security specialists.

15 of 472 comments

  1. Man, I wish... by Rimbo · · Score: 5, Insightful

    I wish that RoadRunner San Diego would do that! All they've done so far is to send two "Virus Alert" e-mails out to people, imploring them to install the patch if they run Win2k or WinNT.

    I really think that it's the responsibility of a machine's owner to lock down his/her system from attack. Ignorance of the rule is no excuse. If you put a machine on the net, and it's not secure, it becomes a danger for everyone.

    The easiest thing to do is to shut down the access to machines that are infected. That way, you have their undivided attention when they call you up and say, "My cable's not working!" You simply respond... "Yes, we shut it off, because you wouldn't take care of business."

    You're not lame for running IIS if you've patched it. You're lame if you aren't paying attention to the patches out there.

  2. It is only Medium DAMAGE! by thufir · · Score: 2, Insightful

    I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

    Maybe because they don't! You are thinking in terms of security hole. With a virus it is different, you are more concerned about data loss.

    A virus can inflict low damage, i.e. print a message on the screen that you are stupid, or a high DAMAGE rate of deleting your whole hard drive. Medium is a good measurement of this one, as it only has the POTENTIAL for data loss.

  3. Re:Medium damage by Tackhead · · Score: 5, Insightful
    > > I don't understand why Symantec classifies a "remote root" exploit as only "medium" damage.

    Well, given the choice between having j00r box r00ted and having something like WinCIH blank out your BIOS and wipe out your FAT...

    For security, it's critical. But the amount of data loss is minimal until after someone telnets to the open port and blows away your drive.

    Finally, consider Symantec's core market -- not the guy running a brokerage firm on a farm of IIS boxen, but home and office users of PCs worried about the virus that'll wipe out their pr0n collection. Joe Win95er really isn't at risk from Code Red II, apart from wondering why "the Internet is slow" if he's on RoadRunner.

    Considering Symantec's core audience, and what this worm could be doing to compromised systems, and yeah, I'll buy "medium".

  4. OT: pedantic correction by rkent · · Score: 2, Insightful
    > I don't know if it works, I don't have a Win boxen to test it on...

    Okay, if you're going to use the archaic, tongue-in-cheek unix-guru term "boxen," at least bother to learn that its denotation is plural.

    And now back to your regularly scheduled worm discussion.

  5. Re:BIG NEWS: by analog_line · · Score: 2, Insightful

    We won't see something that destroys hardware last too long, because destroying hardware doesn't promote the expansion of the virus. Something that slows you down but doesn't kill you outright is far more likely to stick around long enough to get spread. Code Red, Code Red 2, and other "worms" are far more virus-like than most "viruses". Melissa, SirCam, and the like are merely trojans. They require users to interact with them. Code Red, Code Red 2, and the original Internet Worm replicate of their own volition and go out and find other infectable systems so they can repeat the process. Sounds a lot more like a biological virus to me.

  6. Re:It's about time... by Waffle+Iron · · Score: 3, Insightful
    I fear that at the end of the day, one of the casualties of this worm will be home-hosted web servers of any kind. IIRC, most cable modem contracts forbid running servers. However, as far as I can tell, this policy hasn't been enforced.

    I'll bet that it gets strictly enforced from now on, killing all the fun even for people like me who run Apache on OpenBSD.

  7. Two Reasons..... by C.Lee · · Score: 0, Insightful

    > I don't understand why Symantec classifies a "remote root" exploit as only "medium"
    > damage. Code Red is hitting cable modem networks especially hard,

    1) Microsoft asked (told) them to.

    2) Their software doesn't do squat against worms like Code Red.

  8. Twenty-four hours. by ktakki · · Score: 5, Insightful


    grep ida access_log | cut -d" " -f1 | sort | uniq | wc -l

    139


    Looking over the infected hosts, it seems that half are broadband clients (RR, Bellsouth, Verizon, @Home, etc.), a third are overseas (with .de, .tw, and .kr most prevalent), and the remaining sixth are US corporations, including some Fortune 500 hosts.

    I see Code Red as a big boon to jobhunters, especially those looking for SA work. Right there in your logs is a list of companies that are hiring, whether they know it or not.

    I guess the big question is this: do you root their box before the first interview or after?

    k.

    --
    "In spite of everything, I still believe that people are really good at heart." - Anne Frank
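
A slightly stricter version of the one-liner in the comment above, as an added example that is not part of the thread: it counts only requests for an .ida/.idq resource (so a path such as /florida.html, which a bare `grep ida` would also catch, is not counted), splits the count by the filler character in the request (N for the original Code Red, X for Code Red II), and lists the offending hosts for blocking or notification. The log lines are constructed for illustration and the filler run is shortened; the real worm sends a much longer run of filler characters.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread). Sample log lines are
# constructed; the real Code Red request carries a far longer filler run.

# Write a small constructed Common Log Format sample to the path given as $1.
make_sample_log() {
    cat > "$1" <<'EOF'
24.0.0.1 - - [04/Aug/2001:00:01:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 0
24.0.0.1 - - [04/Aug/2001:00:05:09 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 0
192.0.2.10 - - [04/Aug/2001:00:06:11 -0400] "GET /index.html HTTP/1.1" 200 1532
65.1.2.3 - - [04/Aug/2001:00:07:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 0
192.0.2.11 - - [04/Aug/2001:00:08:00 -0400] "GET /florida.html HTTP/1.1" 200 900
210.5.6.7 - - [04/Aug/2001:00:09:27 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 0
EOF
}

# Number of distinct client IPs that requested any .ida or .idq resource in log $1.
# A bare "grep ida" would also count the /florida.html request below; this does not.
codered_hosts() {
    grep -E '"GET /[^" ]*\.id[aq]\?' "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Number of distinct client IPs whose /default.ida request starts with at least
# eight of filler character $2 (N = original Code Red, X = Code Red II).
codered_variant_hosts() {
    grep -E "\"GET /default\.ida\?$2{8}" "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Distinct offending hosts, one per line, ready for a block list or a notification run.
codered_host_list() {
    grep -E '"GET /[^" ]*\.id[aq]\?' "$1" | awk '{print $1}' | sort -u
}

# Stand-alone demo: sh thisscript.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "hosts hitting .ida/.idq:  $(codered_hosts "$tmp")"
    echo "  Code Red (N filler):    $(codered_variant_hosts "$tmp" N)"
    echo "  Code Red II (X filler): $(codered_variant_hosts "$tmp" X)"
    codered_host_list "$tmp"
    rm -f "$tmp"
fi
```

Point the functions at a real access_log instead of the constructed sample to get the same breakdown for your own server; the repeat hit from 24.0.0.1 in the sample shows why the `sort -u` matters when the worm rescans the same target.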
  9. It is "medium" because hysteria won't help us by Pac · · Score: 4, Insightful

    It's been already shown that Code Red will not bring the Internet down. And it was never very much of a mortal threat to the majority of the users out there, because those are not running IIS (or any http server, for that matter). And until the more recent versions, the worm was not even a menace to the files in the infected system (the recent versions, by installing a backdoor, would allow for a malicious invader to do a lot more damage).

    The kind editor should also remember his math and Netcraft's nice figures. IIS installations represent some 25% of the servers out there. Most of those are already patched by now. Even when they were not patched Code Red got only 6-7% of them (considering 4 million servers/250 thousand infected).

    Code Red is certainly a local problem in networks where it finds a nice ecological niche. Cable modem networks are likely to suffer due to their architecture and their own flaws. Other networks will suffer down the road.

    But the main point is that this particular worm is out of the way for most of us (if it ever was in the way) and will only affect the bandwidth locally.

    It is almost time to reduce its risk rating to low.

  10. You misunderstand the danger by Illserve · · Score: 3, Insightful

    Yes, pre-existing worms disappear and no worms of that variety can infect, but in the few minutes of life it had on your system, CodeRed had full access to download other, newer, unpatched, programs that otherwise would be unable to get onboard.

    I reiterate, the only safe path is to install on an airgapped machine, or on a well secured LAN. But if you have to download it from the internet, there is a chance that *anything*, not just CodeRed, will be hiding somewhere by the time you patch.

  11. Code red growth spurts by Anemophilous+Coward · · Score: 5, Insightful

    We might be in for another growth spurt...when the hundreds of thousands of college students return to campus and plug in their computers. A good portion of them have probably been unattached to the network, or will be brand new machines just for school. Working at a University, we aren't looking forward to this potential new stream of *fun*.

    One possible saving grace is that most of our students come back after the worm is supposed to sleep (20th of the month). However, it might wake again come Sept. 1st. Not to mention any server out there with bad dates ready to spew it around.

    On another note, I've notified several people in other departments that they've been hit with the CR II version. They say "well, I'll just apply the patch". Wrong, that will stop your computer from trying to broadcast the worm. Unfortunately, the patch doesn't clean up the trojan explorer.exe and registry settings. I tell them "you'll need to reformat the whole computer," and they laugh. Well, at least I can be first in line to berate their IT department for not taking that suggestion when their whole network gets compromised from another backdoor installed during the computer's 'open' state.

    -A non-productive mind is with absolutely zero balance.
    - AC

  12. Re:Create a Good Virus? by Amerist+A'Toll · · Score: 2, Insightful
    Taking into account that someone else has already mentioned the concept of Code Blue, i.e. a reverse-infecting worm that takes over Code Red boxes and renders them non-scanning and prevents reinfection. This could be quite possible -- but there are many ethical concerns, and if not that, the creator of Code Blue, should they be caught and not the progenitor of Code Red, may take all of the heat anyway.

    Amerist A'Toll

    --
    "What are dreams when we are but the dreams of dreamers yet to be born?"
  13. Re:It _is_ quite benign. by maunleon · · Score: 2, Insightful

    The problem really is that it opens you up, then it broadcasts it to all your neighbors. Kinda like breaking your door down and putting a "Help Yourself" sign in front of the door.

  14. Re:Against the DMCA? by Anonymous Coward · · Score: 0, Insightful
    Doesn't looking at the code and trying to figure a way around the usage of this program violate the DMCA?

    Is the virus a copy protection measure? No. Now go away, please.

  15. Lazy vs. Stupid by Ratbert42 · · Score: 2, Insightful

    Something's been bothering me about all the people criticizing the IIS admins for being too lazy to apply a month-old patch. Personally, I admin an IIS server that didn't have the patch applied, but Code Red didn't affect it. Why not? Because when I set up IIS in the first place I followed the security checklist. Unmapping .ida and other unused server extensions was right there on the list. Any decent Microsoft weenie should have done the same. If you're not stupid in the first place, sometimes you can get away with being lazy.