Slashdot Mirror


Code Red: the Aftermath

LiquidPC writes: "Microsoft has released a tool to help clean up the effects of Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanently disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, but just tired of seeing your Apache logs fill up, you might see this page.

30 of 505 comments

  1. Re:Here's how open source would be better... by cburley · · Score: 1, Insightful
    Fact: Free software (sometimes aka Open Source software) is typically released to the public after anyone in the world has had plenty of opportunity to examine the source code of that product, try it in beta installations, beat up on it, and openly and legally discuss its performance, security, usability, and other metrics.

    Fact: the same things almost never hold true for proprietary software.

    Fact: Free software does not "produce more secure software than the proprietary world" per se, though such a poorly-worded phrase is often used in place of the truth, which is that free software, compared to proprietary software, i.e. when comparing software distributed to end-users (as versus in-house use only), has a greater opportunity to reach high assurances of being secure when comparing categories of software in which security is important.

    For example, compare your personal ability to vet the security model of qmail vs. any of Microsoft's mail-server offerings. "They" can assure you of MS's "security", just as "we" can assure you of qmail's. But, of the two, only qmail allows you to legally examine the source before ever having to enter into a contract allowing you to do so; to discuss findings with others, out in the open; to beat up on it in a test installation before committing to a purchase (and remember that such purchase is typically followed by a strong urge to justify said purchase, rather than prove it to have been an incorrect decision); and so on.

    Fact: that "people with infected IIS are not admins" is irrelevant. Given MS's position in the marketplace, I suspect they could easily ensure that only true admins would be allowed to run IIS on the Internet. (After all, they use imposing legal language to bind "licensees" to contractual requirements designed to improve MS's bottom line and warm cuddly feelings of "protecting their IP", right?) At least, they could surely make it less likely that non-admins might "accidentally" deploy IIS on an Internet-exposed host. Why don't they do this? Because they prefer playing both ends against the middle, as most businesses do -- "anyone can buy and use our products" on the marketing end becomes, on the customer-service end, "you must be doing something wrong". (Yes, there are those who claim GNU/Linux is "ready for the desktop" and such like that. Why believe them? Why not investigate these claims for yourself? I claim that since everyone has the freedom to do that with free software, such claims have nowhere near the "guilt" for security breaches that a company like MS does when it makes similar claims about what, to most everyone else in the world, is a black box -- its proprietary software.)

    Fact: While it is indeed not always true that people are paid to fix free software, the exact same thing is the case for proprietary software.

    The difference is, if you're depending on a free-software product that isn't being maintained by someone for $$, you have the option of hiring someone to do the work.

    Whereas, if Microsoft decides, as it surely will down the road, to stop paying its programmers to fix IIS, or Windows 2000, or DOS 5.whatever, you'll be out of options if you have failed to follow the M$-recommended upgrade path.

    Fact: Red Hat does not, and has never, represented the security-conscious administrator's #1 choice for a default system installation of GNU/Linux.

    Fact: If you find Red Hat's choice of configuration (which I think has been improving lately; I've been using it for years) unacceptable, you have many other choices for where to obtain distributions, versions, and configurations of the Linux kernel specifically, the GNU system generally, and other free-software systems as well.

    Challenge: name three vendors from which you can obtain the Microsoft Windows 2000 or Windows NT kernel in a distribution as fundamentally different from Microsoft's as Debian's, or SuSE's, is from Red Hat's.

    Okay, make it two vendors. Okay, make it one vendor other than Microsoft. I'd sure love to know if they license their kernel to other software-distributor outfits to wrap with their own chosen apps, using their own chosen configurations, etc.

    (And note I haven't even mentioned OpenBSD yet!)

    Fact: to preserve their advantage in IP investment and security, proprietary-software distributors have an incentive to create packages as large, complex, monolithic, and, therefore, difficult-to-reverse-engineer, as possible. Free-software authors, like any software author, tend to create large, complex, monolithic programs due to natural tendencies, but they don't have nearly the bottom-line incentive to do so. That is, as their expertise, their sensitivity to security and complexity issues, might lead them to producing simpler, cleaner, more "transparent" products like qmail, they won't be rebuffed in their attempts to go down that road by managers and lawyers saying "we can't make it that easy on our competitors to reverse-engineer our IP".

    Consideration: most proprietary software, especially in wide (therefore profitable) circulation, especially the sort of software where Internet-exposed security is an issue, performs some kind of license-checking to prevent "piracy" ("unauthorized coveting of intellectual privilege" is IMO a better phrase), whereas hardly any free software does that sort of thing. Which choice poses a greater security risk to the overall system, in terms of things like resistance to viruses, worms, etc., degree of inviting reverse-engineering of obscured code, etc.?

    Opinion, mine: in the end, proprietary software stands opposed to secure software, because for software to be secure, it has to be easy to publicly validate as secure (i.e. be validated by any third party without contractual agreement, thus allowing that party to speak freely about security concerns), whereas, for that software to be usefully proprietary, it must be obscured, intentionally, by the distributor.

    Observation: The current method of choice proprietary software vendors use to obscure the IP they release into the wild is to compile and link it down to machine code and cross their fingers. With non-programming forms, they have to resort to even less workable forms, such as encryption. ("Less workable" because compiling to machine code generally makes the end product run faster, and because today's dominant software-development paradigm is predicated on the need to be able to strip out source and other "redundant" code, whereas encrypting other forms of software tends to make them less immediately useful to the end user, who then needs a more sophisticated engine to reveal the purchased IP.)

    That some vendors are increasingly resorting to the legal system, rather than on complexity alone, to keep their IP obscure, does not change my claims at all -- however the software is obscured, the very act of obscuring it defeats the goal of making it secure.

    (Though, as with firearms, to the degree laws are used to prevent access to source code, access to source code becomes something much more closely associated with those contemplating lawbreaking, rather than those merely very interested in learning about, and gaining expertise in, the relevant technologies. "When source code is outlawed, only outlaws [and government] will have source code." Think about the security implications of that situation, and ask whether you wish to visit houses, office buildings, and skyscrapers whose blueprints are "secured" in the same fashion.)

    --
    Practice random senselessness and act kind of beautiful.
  2. Re:Stop blaming microsoft by slushpupie · · Score: 2, Insightful

    There are many other options when using strings in C; you are not required to use a limited array of char. In this day, if you are security conscious, you should consider all the possibilities when writing a program.

  3. Not really the same thing by eddy · · Score: 1, Insightful

    The point of the interlock is to form a dependence. Purpose: to ensure the survival of the worm in a hostile environment. Survival is of paramount importance. Any kind of payload must come second.

    The artificial society would take advantage of the fact that to cleanly kill it off the real-world enemy, us humans, would have to enter into correspondingly interconnected communication and trust.

    Payload is a whole other topic, where destruction of data is the least interesting one, though I agree that data-corruption is amongst the most evil payloads.

    --
    Belief is the currency of delusion.
  4. Microsoft's Problem! by wirefarm · · Score: 5, Insightful

    This is what happens when you give admins a false sense of security.
    After all, they became an MCSE after a couple months of hitting the books, rather than a few years of hacking old hardware. They got a certificate and the sense that the Microsoft way is the best way - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
    Some of my friends are MCSEs. - Not all of them are 'hackers' who actually watch what happens in their systems. They trust that MS will send them a shiny new CD with a 'Service Pack', along with a few other goodies to play with when an update is needed.
    The problem is compounded by the fact that these Win2K CDs got passed around - Microsoft knows this and whether or not they admit it, it's part of their marketing. From what I've seen, I'd suspect that the bulk of the problems are coming from the home users who are running a borrowed copy of Win2K on their PC/Cable Modem setup. The ones who don't get the service packs and don't log into Microsoft.com to read the bulletins for fear of being asked for proof of purchase.
    Now Microsoft has these thousands of unlicensed customers that they know are using their software in a dangerous manner - Everything installed, every service running - all the lights on, but nobody home. What is MS's liability?
    With all of the talk about the significance of an AOL icon vs. an IE icon on the desktop, MS *knows* how people will react when running an install - They know that if the user gets a dialog that says "Activate IIS?" that an unsure user will probably say yes, even if he has no idea what IIS is or what the risks are.
    Microsoft has got to accept the blame for this mess - It is their doing.
    Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licensed* - Now won't that be fun?

    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  5. More specifically... by Giant+Hairy+Spider · · Score: 3, Insightful

    Blame the bozo who designed strncat!

    This may not be the cause of this particular overflow, but it causes a very large number of them.

    The main reason you'd use strncat rather than strcat is to avoid buffer overflows, yet instead of the obvious choice of feeding it the buffer size, you have to feed it the maximum number of characters to add. So to use it to prevent buffer overflows, you not only need to remember the buffer size, you have to track the current string length!

    Avoid strncat! Even if you understand it, someone who changes your code might not.

    Make something more intuitive:

    #include <stddef.h>

    /* Append src to dest without writing more than buflen bytes into dest,
       counting the terminating NUL. Unlike strncat, the size argument is
       the total size of the destination buffer. Output that does not fit
       is truncated. */
    char *buf_strcat(char *dest, const char *src, size_t buflen){
    char *cur=dest;
    size_t i=0;                     /* size_t: no signed/unsigned mix with buflen */
    if(buflen==0) return dest;      /* buflen-1 would wrap around otherwise */
    while(*cur && i<buflen-1){cur++; i++;}            /* skip the existing string */
    while(*src && i<buflen-1){*cur++ = *src++; i++;}  /* copy what fits */
    *cur='\0';
    return dest;
    }

    --

    ---
    You'd be surprised at the broadband connection available to things crawling around in your hair.
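The strncat hazard the comment above describes, worked through in C as an added example (this is not code from the original post): strncat's third argument bounds how much of src gets appended, it says nothing about how big dest is, so the tempting strncat(dest, src, sizeof dest) overruns the buffer as soon as dest already holds something. The function names (strncat_bytes_needed, naive_strncat_overflows, append_bounded, demo_truncation) and the 8-byte buffer in the worked case are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes that strncat(dest, src, n) writes after the existing string: up to
 * n characters of src plus the NUL it always appends. dest must therefore
 * hold dest_len + min(src_len, n) + 1 bytes; n never limits that total. */
size_t strncat_bytes_needed(size_t dest_len, size_t src_len, size_t n)
{
    size_t copied = src_len < n ? src_len : n;
    return dest_len + copied + 1;
}

/* The usual mistake: strncat(dest, src, sizeof dest). Overflows by at
 * least the terminator whenever strlen(src) >= sizeof dest, and by more
 * as soon as dest is non-empty. */
bool naive_strncat_overflows(size_t dest_len, size_t src_len, size_t bufsize)
{
    return strncat_bytes_needed(dest_len, src_len, bufsize) > bufsize;
}

/* strncat used correctly: the count is the room actually left, bufsize
 * minus the current length minus the terminator. Returns false when src
 * had to be truncated (callers usually need to know) or when dest was not
 * NUL-terminated inside bufsize (repaired in place, nothing appended). */
bool append_bounded(char *dest, size_t bufsize, const char *src)
{
    size_t used = 0;
    if (bufsize == 0) return false;
    while (used < bufsize && dest[used] != '\0') used++;
    if (used == bufsize) {
        dest[bufsize - 1] = '\0';
        return false;
    }
    strncat(dest, src, bufsize - used - 1);
    return strlen(src) <= bufsize - used - 1;
}

/* Worked case (hypothetical sizes): an 8-byte buffer already holding
 * "abc" receives "defghijk". The naive call would need 3 + 8 + 1 = 12
 * bytes; append_bounded keeps "abcdefg" plus NUL and reports truncation. */
const char *demo_truncation(bool *truncated)
{
    static char buf[8];
    strcpy(buf, "abc");
    *truncated = !append_bounded(buf, sizeof buf, "defghijk");
    return buf;
}

int main(void)
{
    bool truncated;
    const char *out = demo_truncation(&truncated);
    printf("naive strncat would need %zu bytes for an 8-byte buffer\n",
           strncat_bytes_needed(3, 8, 8));
    printf("append_bounded -> \"%s\" (truncated: %s)\n",
           out, truncated ? "yes" : "no");
    return 0;
}
```

append_bounded returns the truncation status instead of hiding it; the buf_strcat in the comment above truncates silently, which is fine for display strings but loses information a caller building a path or a protocol message needs.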
  6. Beware of Interlock by eddy · · Score: 3, Insightful

    I've had similar thoughts. I've been reading Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence and with the Code Red outbreak, I've taken to reading it with malware in mind.

    What I've come to realize is that a worm could become real scary if its author, like me, were to be a fan of multi-agent systems. There's a plethora of research on agent-to-agent communication, just waiting for that big experiment to take place.

    Ponder this: interlock. The worms work together to reach a situation in which a host cannot be cleaned without data from another host, and vice-versa, thus making disinfection extremely hard.

    I've been sketching a scenario where relationships are created via the infection plus one level. If A infects B (first level of interconnect), then B would tell A about every other host it infects in turn (second level). These hosts would form a cluster, where each member is free to initiate contact with another and request services. One of these could be the encryption or decryption of data. Hosts would say "Please encrypt this data (hands it over) and return the encrypted result". Say host A tells host B this. Suddenly we're in a situation where we cannot simply disinfect host B, because if we do we'll lose the key that decrypts data on host A! Of course, the worms would negotiate the complement, and host A would contain the key to unlock data in host B. We then expand this scenario to a great interconnection between members of the cluster. We can strengthen the connections by allowing unrelated hosts to negotiate interlocks.

    In the same vein worms can negotiate and divide the search-space between them. Each worm could contain a compressed/simplified representation of the IP-search-space (just a couple of masks maybe? Haven't thought too hard about it). Relatives would communicate which parts have been scanned as to not duplicate (too much) work. This then becomes a parallel binary search!

    I think I'm gonna have to write a short doomsday article too, there are just so many cool things that someone wicked could do.

    --
    Belief is the currency of delusion.
    1. Re:Beware of Interlock by greenrd · · Score: 1, Insightful
      This is no worse than a worm that erases the hard disk. Either way, you rely on backups (which people should be making anyway, to avoid data loss thru software or hardware or human error).

      A bigger danger, IMO, comes from stealth data corruption over a long period of time.

  7. Totally Shameful by dpm67 · · Score: 1, Insightful

    To have that link on Slashdot that will cause the user's machine to be shut down because of the hole in IIS is ridiculous. If you wanted to help inform the lazy people and admins out there that still have that hole open on their system, it would have been MUCH more responsible to have a message stating "Click here to test your machine for this backdoor". I really have lost a lot of respect for the people at Slashdot. This is completely irresponsible and foolish.

    The fact of the matter is ALL systems have security weaknesses and limitations. This is true for both Linux and Windows, or any piece of software that has ever been written. All it takes is to subscribe to any of the excellent security mailing lists that are on the net to realize this. As a matter of fact, the last copy of the excellent SANS Security Alert Consensus (www.sans.org) lists more new vulnerabilities in Linux than Windows. Of course, the opposite is true often enough. But really, what is the point of those kinds of comparisons other than juvenile brouhaha?

  8. Some don't know they have IIS by cvd6262 · · Score: 5, Insightful
    "...it also gives you an option to permanently disable IIS."

    This is a bigger fix than one might think. At the university at which I work, the major problem was not the sys admins who did not patch their servers, it was the professors who had Win2K Professional on their workstations with IIS on and didn't even know it. Some of them knew about the worm, even made sure that the department's IT teams patched their servers, but did not know that they were running a web server in their office, let alone that they were infected.

    --

    I'd rather have someone respond than be modded up.

  9. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  10. Re:Not the mess they made... by mpe · · Score: 3, Insightful

    Code Red is not the problem, it is the symptom. If Microsoft had fixed the problem before there was a problem, then the buggy version of IIS never would have shipped.

    However part of the problem is the use of huge monolithic programs, which attempt to do everything including the "kitchen sink". For quite a while with Windows we have been seeing what amount to exploits through "bells and whistles". Frequently where most people don't even know something is even there...

  11. Dumbest thing they could do by Talla · · Score: 5, Insightful

    When a box has been cracked, you need to do a complete reinstall, as you can never know what backdoors have been installed. Sure, you can remove CRII, but while it was active, it would only take even the dumbest script kiddie a couple of requests to install another backdoor.

  12. Re:Not the mess they made... by mikethegeek · · Score: 4, Insightful

    "It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins."

    Does this really surprise anyone? MCSEs are trained (and tested) to solve everything by "reboot, reload, reinstall", because Microsoft's way is to "take the easy way out" instead of actually FIXING the problem.

    And, so many MS service packs BREAK servers and software when installed, can you also not blame people for NOT rushing to install them? Even where I work, where we do OS compatibility testing on servers we don't start using new MS service packs until they've been tested and found safe by our internal test group...

    I for one expect use of IIS to drop as a consequence of the Code Red virus... Were IIS open source, these holes and backdoors would have been seen LONG ago and fixed. Apache runs MUCH more of the web than does IIS, yet you don't see anywhere near the number of bugs, exploits and DOS worms as does IIS.

    --
    === The price of freedom is eternal vigilance
  13. Here's how open source would be better... by mikemulvaney · · Score: 3, Insightful
    Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

    It's true that Microsoft put out a patch before the virus took off, so that's a good thing. But Microsoft releases patches all the time, and that is a bad thing. I'm on the security mailing list from MS, and I get at least 3 or 4 alerts a week. I'm also on the slackware list, and I have received 3 or 4 alerts in the last six months.

    The reason for this is because Open Source projects tend to fix their security bugs before they are released. If Apache shipped with something that allowed this kind of remote exploit in one of the 2.0 betas, there is a better chance that someone else out there will see it. What is the chance that someone can do an independent security audit of Windows XP?

    Closed source can be perfectly good at closing holes, if the company is as big as Microsoft. But Open Source is much better at closing those holes before they are shipped: many eyeballs make all bugs shallow. Open Source doesn't catch every bug, of course; but enough are found that when the odd hole is announced, it is a big enough deal that the patches are more likely to be installed.

    Closed Source hurts Microsoft security in more ways than one. Not only are all default installations compromised, but since so many new patches come out every week most admins don't keep up with them. While this is partially the admin's fault, it is also the fault of the software model that prevents these problems from being found quickly.

    -Mike

    PS: how do we know that "Microsoft fixed the problem before there was a problem", anyway? The patch came out before this big worm hit, but how many servers were quietly compromised in the last year?

  14. Re:Warhol Worm proposed: 15 minutes to total infec by Rubik+Penguin · · Score: 2, Insightful

    This is spot on. Changeover to IPv6 (with its larger address space) would have stopped Code Red before it even started. A worm would take years on IPv6 to find another host to infect. IPv6 would put an end to random port scanning too.

  15. Re:Liability for software defects by ZxCv · · Score: 2, Insightful

    I highly doubt software makers will ever be held liable...

    Particularly in the x86 market, there is such an abundance of 3rd party hardware that goes into most systems. This usually means 3rd party drivers. And because these all have to work together, who's to say that it wasn't a bug in Windows that caused that video driver to fail? Or was it a bug in the driver itself? Who is to be held liable here?

    I don't think it is such a stretch to say that some software makers could (and maybe should) be held liable for their software. Such as in the case of the over-radiation that caused deaths. Last I checked, I didn't see the IIS bug causing anyone to croak and that last BSOD didn't give me any serious medical problems either. If traditional PC software makers were held liable for their software, the PC software market would simply collapse. And beyond that, the few companies left that could afford the added costs of this liability would be left to charge outrageously high prices for the software that they were able to sell.

    So, at first, this maybe sounds like not such a bad idea. But after thinking about it, I'd definitely be against it (for the most part).

    --

    Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
  16. Re:Not the mess they made... by Nater · · Score: 2, Insightful

    Microsoft fixed the problem before there was a problem.

    I disagree. Code Red is not the problem, it is the symptom. If Microsoft had fixed the problem before there was a problem, then the buggy version of IIS never would have shipped.

    --

    I like to play children's songs in minor keys.
    "We're all sons of bitches now." --J. Robert Oppenheimer

  17. Re:Stop blaming microsoft by ClosedSource · · Score: 2, Insightful

    You're absolutely right.

    The reason that some slashdot posters don't want to blame the virus writer is because they're quite happy with Code Red because it makes MS look bad. The enemy of their enemy is their friend .. At least until their ports get blocked by their ISP.

  18. Re:Stop blaming microsoft by tswinzig · · Score: 5, Insightful

    The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.

    The only people that think they are getting something secure when they buy/download any operating system are the unwashed masses. The ones that don't know any better. These are the same people that allow the Code Red-style worms to spread.

    The rest of us applied the patch supplied by Microsoft more than a month before CR came out...

    You see, as an admin in charge of machines running IIS and other Microsoft software, I am subscribed to several alert lists, including Microsoft's security list. And when Microsoft releases a patch for anything that can be used to "arbitrarily execute code of the attacker's choice" on a port not blocked by my firewall, I immediately install that patch. The end.

    I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.

    --

    "And like that ... he's gone."
  19. Re:Stop blaming microsoft by Bryan+Andersen · · Score: 3, Insightful
    Actually IIS is written in Visual C++. Blame M$, they left the buffer overflows available to use in the C++ libraries.

    I rarely use C's or C++'s overflowable library routines. If I do it's only in a quick hack. One doesn't need to use the standard library routines.

  20. Re:Stop blaming microsoft by Felinoid · · Score: 3, Insightful

    When you buy a house, you know for a FACT that glass will break when hit with a hammer.

    Windows is sold as shatterproof glass..
    This means it will not break.

    Linux is sold as theft resistant..
    This means it can break but it's difficult to gain entry..

    Microsoft says:
    When Windows breaks "well all software breaks"
    When Linux breaks "See it breaks.. everyone breaks..."

    Linux says:
    When Windows breaks "Where is the patch?"
    When Linux breaks "Here is the patch"

    Security experts say:
    "Get the operating system patched ASAP..
    If you have the source code.. fix it yourself NOW don't wait for an official patch"

    Microsoft security experts say:
    "Wait for an official patch.. don't do it yourself"

    RL security experts say:
    "Fix it now.."

    RL thieves say:
    "BWAR.. Break Window And Run.... thwarts any security system....
    Wait a while. If they don't fix the window quickly they'll soon forget...
    Once they relax.. walk in the opening and walk out.." (taken from a 1980's text file on how to steal...)

    From TV:
    "We have to wait for Microsoft to release a patch and then we have to test the system to be sure it works correctly and all the apps continue to work correctly." - Microsoft certified system admin being interviewed by a reporter...

    --
    I don't actually exist.
  21. Microsoft made this mess? Huh? by tswinzig · · Score: 3, Insightful

    Michael writes, So, Microsoft has given you a mop to clean up the mess they made.

    No, Microsoft gave us a mop to clean up after the mess the Code Red author(s) made.

    You see, more than a month before Code Red came out, Microsoft gave us the patch for the security breach that allowed Code Red to take place.

    --

    "And like that ... he's gone."
  22. Re:Not the mess they made... by sheldon · · Score: 4, Insightful

    Just a correction... Apache does *NOT* run MUCH more of the web than does IIS.

    You just have to go look at the Netcraft surveys to understand. In the past they've pointed out that half of SSL enabled sites run IIS. Then about a month or two ago they started trying to identify individual machines and found IIS/Windows combination again on half of the overall web.

    What we do know is that Apache is used in many more cohosting situations. Jimmy and Susy set up a web page and pay $0-10/month for it. Is it a significant thing that companies providing low price service with no service level agreements use a free OS/web server? I don't think so, but you be the judge.

    Two other points:

    Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

    You should *ALWAYS* test patches and new releases before installing them into a production environment. That applies not only to Microsoft, but also to Linux, Sun, HP, Oracle, Peoplesoft, everything!

    In our testing service packs don't usually break apps. But they do have a tendency to break drivers or low-level hardware monitoring tools provided by the manufacturer. Is this surprising? No. Again we have the same problems on our Unix servers with OS patches.

  23. Re:Not the mess they made... by knorthern+knight · · Score: 2, Insightful

    > I mean at some point not everyone in the
    > world can be a computer expert,

    A computer is a tool. You have to learn how to use it properly. Do you go around demanding that 747s be made so easy to fly that every office worker could do it?

    > so are you recommending that people that
    > aren't shouldn't have a computer?

    If they are not willing/able to bring themselves up to the necessary level of competence to run general-purpose computers, yes. Give me a manually operated medium-format or 35 mm SLR camera, and I'm just as helpless as a Mac or Windows user at a unix commandline. If it ain't point-and-click, I'm totally lost. That doesn't mean I'm stupid; just that I'm not competent to use a particular tool.

    > There wouldn't be a computer industry if it
    > weren't for the "stupid" people needing
    > computers to help out their jobs and lives.
    > What we need to do is constructively help make
    > the experience good and safe for everyone.

    That's what WEB-TV is aiming at. They are to the general-purpose computer what the point-n-click camera is to professional equipment. The great majority of people aren't geeks. That's not disparagement; merely admitting that Joe Average is no more competent to operate a general purpose computer than I am to manually operate a medium-format camera. It's not an admission of stupidity, just an acknowledgement that different people have different competencies.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  24. Wow, what a tool by absurd_spork · · Score: 2, Insightful
    What a great tool that removes a couple of predefined files and reboots a system, nothing an admin couldn't have done himself in three minutes.

    I hope it's Microsoft-certified to work, at least.

    And disabling your web server as an option to keep your web server free from infection is so ingenious that I completely lack the words to describe the ingenuity behind it.

  25. Anybody who thinks... by talks_to_birds · · Score: 4, Insightful
    ...this is at the "mopping-up" stage is nuts.

    08/10/01 I received a total of 132 probes to tcp:80 on my 12.82.x.x dynamic IP via my dialup to worldnet.att.net

    These are exclusively from other dialups and small-scale hosts in AT&T's 12.x.x.x class A; AT&T has introduced ingress filtering and I'm seeing almost nothing from outside (Note: almost - some stuff is still leaking through..)

    But the problem is the enemy within: there's got to be thousands of home/SOHO small systems, maybe single boxes, put together by the hotshot early-adopters and techno-yuppies who think it's cool to go through the checkout stand at CompUSA and purchase a copy of Win 2K Professional, or whatever, and put it on their home systems with all the bells and whistles installed.

    None of these boxes are under *any* formal administrative control, and it's going to be up to each and every one of these thousands of techno-yuppies to patch each and every single one of their boxes.

    So far today 08/11/01 at 10:00am I've had 69 probes.

    As far as I can see, getting all these systems disinfected and patched hasn't even started yet.

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
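The probe counting talks_to_birds describes, done over Apache access-log lines, as an added example (it is not from the original page or any poster). The request Code Red and Code Red II send is a GET for /default.ida whose query begins with a long run of N (Code Red) or X (Code Red II) characters, so matching on that prefix separates worm probes from ordinary hits and lets you group them by source address, which is what you want before deciding whether the noise comes from inside your own provider's block or from outside. The log lines and the addresses in them are constructed for this example; the 16-character minimum run, the 64-entry source table and the function names are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed common-log-format lines (not from any real server): three
 * Code Red probes from one host, one Code Red II probe from another, and
 * one ordinary request in between. */
static const char *const SAMPLE_LOG[] = {
    "12.82.1.10 - - [10/Aug/2001:09:12:01 -0700] \"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0\" 404 275",
    "12.82.1.10 - - [10/Aug/2001:09:12:03 -0700] \"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0\" 404 275",
    "12.82.44.7 - - [10/Aug/2001:09:40:55 -0700] \"GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0\" 404 275",
    "198.51.100.3 - - [10/Aug/2001:09:41:10 -0700] \"GET /index.html HTTP/1.0\" 200 1043",
    "12.82.1.10 - - [11/Aug/2001:10:00:12 -0700] \"GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0\" 404 275",
};

size_t sample_log_count(void)
{
    return sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];
}

/* A line is a Code Red probe when its request is for /default.ida with a
 * query that opens with a run of 'N' (Code Red) or 'X' (Code Red II). The
 * worm's padding is far longer than 16; 16 is a conservative floor chosen
 * for this example so a short accidental match is not counted. */
bool is_code_red_probe(const char *line)
{
    const char *p = strstr(line, "\"GET /default.ida?");
    if (p == NULL) return false;
    p += strlen("\"GET /default.ida?");
    char fill = *p;
    if (fill != 'N' && fill != 'X') return false;
    size_t run = 0;
    while (p[run] == fill) run++;
    return run >= 16;
}

/* Copy the client address (first space-separated field) into out. */
static bool client_ip(const char *line, char *out, size_t outsize)
{
    size_t n = strcspn(line, " ");
    if (n == 0 || n >= outsize) return false;
    memcpy(out, line, n);
    out[n] = '\0';
    return true;
}

#define MAX_SOURCES 64

struct probe_summary {
    size_t probes;                  /* total matching requests        */
    size_t sources;                 /* distinct probing addresses     */
    char addr[MAX_SOURCES][46];     /* the addresses, first seen first */
    size_t hits[MAX_SOURCES];       /* probes per address             */
};

/* Walk the log once, counting probes and grouping them by source. */
void summarize_probes(const char *const *lines, size_t nlines, struct probe_summary *s)
{
    memset(s, 0, sizeof *s);
    for (size_t i = 0; i < nlines; i++) {
        char ip[46];
        if (!is_code_red_probe(lines[i]) || !client_ip(lines[i], ip, sizeof ip))
            continue;
        s->probes++;
        size_t k;
        for (k = 0; k < s->sources; k++)
            if (strcmp(s->addr[k], ip) == 0) break;
        if (k == s->sources) {
            if (s->sources == MAX_SOURCES) continue;  /* table full: counted, not listed */
            strcpy(s->addr[k], ip);
            s->sources++;
        }
        s->hits[k]++;
    }
}

int main(void)
{
    struct probe_summary s;
    summarize_probes(SAMPLE_LOG, sample_log_count(), &s);
    printf("%zu probes from %zu hosts\n", s.probes, s.sources);
    for (size_t k = 0; k < s.sources; k++)
        printf("  %s: %zu\n", s.addr[k], s.hits[k]);
    return 0;
}
```

On a real server you would feed the access log through this a day at a time, as the comment above does by hand, and the per-source table is what you hand to the upstream provider when asking for the infected dialups to be cut off.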
  26. Re:Warhol Worm proposed: 15 minutes to total infec by Phork · · Score: 4, Insightful

    Well, not really. The IPv6 address space will be largely unused, but the areas that are used will be well known; it would be very easy to specify the good ranges to scan.

    --
    -- free as in swatantryam - not soujanyam.
  27. Re:Liability for software defects by tswinzig · · Score: 3, Insightful

    There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles.

    The major difference in this case, and the reason that any case against Microsoft would ultimately lose (at least for the Code Red attack), is that Microsoft released a patch well before Code Red came out.

    Ford and Firestone, on the other hand, tried to cover it up for as long as possible.

    --

    "And like that ... he's gone."
  28. Not the mess they made... by shagoth · · Score: 3, Insightful

    It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins.

    1. Re:Not the mess they made... by Frater+219 · · Score: 3, Insightful
      Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.
      When my favorite open-source project discovers a security hole, it releases the patch in such a way that you can install it with a single command. Microsoft has an equivalent to this -- it's the "Critical Updates" section of the "Windows Update" facility. They frequently put important security and bug-fix patches in this section, so that Windows users can easily access them. This also makes it easy for site IT staff to encourage users to keep their systems up to date.

      The default.ida patch, a fix for a root-level compromise, was not placed in Critical Updates. Without either searching the site or being told of the correct URL to download the patch, users could not find it. People who used Windows Update religiously in the expectation of keeping their systems up to date were screwed. Sites which instructed their users that setting Windows Update to perform automatic updates would help keep them secure were screwed.

      Once again, Microsoft created an expectation and failed to live up to it.