Slashdot Mirror


Code Red: the Aftermath

LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanently disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, but just tired of seeing your Apache logs fill up, you might see this page.

15 of 505 comments

  1. What is everyone else doing? by ekbond · · Score: 2, Interesting

    As a sysadmin for a couple of Linux web servers, I have been monitoring this site and others to see what everyone else is doing about CR. Up to now, I have gathered that the general feeling was one of moderation: i.e., to try to notify the sysadmin of the offending site and wait until they patched or fixed their equipment.

    Now, the feeling seems to be shifting. According to this message and its threads, scripting a reply to reboot the machine is accepted as a response. I am still not comfortable with this but I am willing to go along with the group.

    What does everyone else feel about this?
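The story intro mentions Apache logs filling up with Code Red probes, and the post above describes monitoring those logs to notify the owners of offending hosts. The following script is an added example (not code from Slashdot or any poster) that does the triage step: it parses Apache combined-format log lines, recognises Code Red probes by their request for /default.ida followed by a long filler run ('N' for Code Red I, 'X' for Code Red II), and groups them by source host with counts and first/last timestamps. The sample log lines are constructed for the example, and the 20-character filler threshold is an assumption.

```python
import re

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Code Red probes request /default.ida with a long filler run: 'N' for Code Red I
# (and its re-release), 'X' for Code Red II. The 20-character minimum is an assumption
# chosen so that an ordinary request for a file called default.ida is not flagged.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<filler>N{20,}|X{20,})')

# Constructed sample lines (not taken from any real server); 192.0.2.0/24 etc. are
# documentation address ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:15:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 275 "-" "-"
198.51.100.7 - - [04/Aug/2001:10:15:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [04/Aug/2001:10:16:40 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275 "-" "-"
203.0.113.5 - - [04/Aug/2001:10:17:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 275 "-" "-"
not a log line at all
"""

def classify_request(request):
    """Return the worm variant name for a Code Red probe, or None for any other request."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return "Code Red I" if m.group("filler")[0] == "N" else "Code Red II"

def summarize_probes(log_text):
    """Group Code Red probes by source host so the admin can contact its owner.
    Returns {host: {"variants": set, "count": int, "first": str, "last": str}}."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        variant = classify_request(m.group("request"))
        if variant is None:
            continue
        entry = report.setdefault(m.group("host"), {"variants": set(), "count": 0,
                                                     "first": m.group("time"), "last": m.group("time")})
        entry["variants"].add(variant)
        entry["count"] += 1
        entry["last"] = m.group("time")
    return report

if __name__ == "__main__":
    for host, info in summarize_probes(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} probe(s) {sorted(info['variants'])} "
              f"between {info['first']} and {info['last']}")
```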

  2. Warhol Worm proposed: 15 minutes to total infectio by molo · · Score: 5, Interesting
    • 2001-08-11 13:18:46 Warhol Worm proposed: 15 minutes to total infection! (articles,bug) (rejected)
    Since /. rejected this story, I posted it to the K5 Queue (only visible if you have a K5 account).

    Here's the scoop (more meat at K5):

    According to an article in the latest issue of the RISKS digest, Nicholas Weaver of UC Berkeley has written a description of a new type of worm, the Warhol Worm. He believes that using a divide-and-conquer method, all vulnerable machines over the entire IPv4 address space could be compromised in only 15 minutes!

    `In the future, everybody will have 15 minutes of fame' -Andy Warhol

    --
    Using your sig line to advertise for friends is lame.

  3. Use the tool, then format anyways? by moniker_21 · · Score: 2, Interesting

    So first Microsoft says this in the description of the tool:
    Microsoft has developed a tool that eliminates the obvious damage that is caused by the Code Red II worm.
    Then they say this:
    MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE.

    It should be noted that among other things in the CERT guidelines, they tell you to do a clean install of your OS after you've been compromised. So what's the point of this tool if MS thinks you should just R&R your OS anyways?

    --
    I posted to /. and all I got was this stupid sig

  4. Conspiracy Theory by hacker · · Score: 2, Interesting

    Has anyone begun to think that perhaps Microsoft themselves has planted CodeRed and variants out on the internet? Before you mod me down, read on:

    CodeRed, the first version was fairly lame, and didn't infect beyond a separate IP block. Microsoft gets scared and realizes that their "imminent" release of WinXP might be blocked, or worse yet, shunned by the consumers. "Oh no, now we can't track all those stolen copies of Windows".

    Then CodeRedII comes out, a bit nastier, going after more machines. Then Microsoft is denied their appeal.

    CodeRedIII comes out, infection is much worse, and now opens the machine up to more attacks than before. It gets so deep into your Windows system that you must reinstall anyway. Not only that, but allows anyone who reads their logs to go in and cause damage ("polluting blame" as we say). Now compromised machines are being hacked in many more ways than just being opened up.

    What does Microsoft recommend? You download this "patch" (audit tool) which you run and then it "cleans" (audits) your system, then as their own CERT document recommends, you reinstall your OS (i.e. find your original, licensed install media, and hit our website for the latest (intentionally trojaned) copies of drivers and IE/ActiveSetup installation tools).

    What's a bit odd about this process though, is that Microsoft requires that you run their "cleanup" tool to purge the infection, THEN reinstall. If I'm going to fdisk and reinstall anyway, why do I have to run this "cleanup" tool? (audit?)

    Curious that nobody has thought of this angle. Why do we not hear about hundreds of FBI agents tracking down the author of the virus in the Faroese Islands or whatever. Usually these people are caught within days of the outbreak. There hasn't been a single peep about any investigation in two full weeks. It's not like we don't have a HUGE audit trail, we all have dozens of logs. Plot it out, find the dates/times, narrow the search, and find them.

    Oh wait, perhaps they're the same entity which supplied you with the infectable OS in the first place.

    What was that they were saying about Linux being "potentially viral" a few weeks ago?

  5. Re:Warhol Worm proposed: 15 minutes to total infec by Anonymous Coward · · Score: 1, Interesting

    Prediction: before the year is out, you will see a "worm kernel" that incorporates thought-out techniques like this, with a modular interface for plugging in the latest exploits.

    At that point, all you will need to do is take the latest remote-exec exploit, put a wrapper on it so it can talk to the worm kernel, and package it up.
    You might have to write your own interesting payload to actually do the auxiliary stuff ("hacked by chinese"), but I imagine dedicated black hat types will have a few things ready to go at all times.

    Once this becomes as common as the virus creation lab (chiba city!), the time to infection after something new gets posted to bugtraq will become unbelievably small.

  6. EXACTLY [Re:Why no lawsuits?] by rm3friskerFTN · · Score: 2, Interesting
    As I posted earlier [strange ... did someone "astroturf MOD" it to -1?]

    QUESTION: If Joe/Jane Consumer running whatever OS/Apps that exist suffered as a result of the Microsoft Code Red I & II Worm can he/she sue Microsoft for losses???

    IMPORTANT NOTE: Joe/Jane Consumer did NOT sign/accept/whatever an EULA associated with Microsoft Web Server. Joe/Jane was just "harmed" by the poorly designed, fault ridden, Microsoft Server Software. Joe/Jane NEVER signed/accepted/whatever the EULA associated with the poorly designed, fault ridden Microsoft Server Software.

    --

    I believe Juanita

  7. Re:FUD ALERT by sqlrob · · Score: 2, Interesting
    An attacker would have to already have access to the machine in order to exploit the broken sequencing.

    No, they'd need access to the subnet, not the machine. The security issue isn't with the machine that was patched, but the machines it communicates with.

    There's also a 6a, which is why I wasn't sure whether it was 5 or 6.

    I don't know how much the issue is "new security holes" from the patch but "will it still work?". Look at 5->5a, 6->6a, DX8->DX8a, 3(!) attempts to fix that hole in Exchange, etc. Every MS patch needs to be regression tested on a non production box before being really attempted. It's too dangerous to do otherwise. It's also too dangerous not to immediately patch now as well. SNAFU.

  8. But how many know that? by wirefarm · · Score: 3, Interesting

    You and I know that you don't need your proof of purchase, but is it inconceivable that the bulk of people using a bootleg copy would feel uncomfortable going to Microsoft.com - thinking that MS will somehow *know* and track them down?

    --
    -- My Weblog.

  9. Re:Dumbest thing they could do by GrumpyOldManager · · Score: 3, Interesting

    You are absolutely right. This tool probably couldn't detect secondary changes made to the machine's binaries.

    We have a policy of formatting the hard drive and reinstalling the OS once a machine has been compromised. This policy applies to any OS we run. To make it easy we've automated the process. To test the process we reinstall all of the machines on a regular basis, even servers. We spent some time years ago convincing vendors like RedHat that this was a useful thing (think jumpstart).

  10. Re:Who to blame: MS or Admins? by Capt.+Beyond · · Score: 2, Interesting

    You're wrong. It's the virus writers' fault.

    --
    -- "Perceptions create reality. By changing your perceptions you change your reality."

  11. Liability for software defects by jeffy124 · · Score: 5, Interesting

    There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles. Some good examples where this would apply include some major items in software bugs history: the AT&T 800 service outage, the hospital radiation treatment software controllers that killed people from overexposing them to radiation, and of course Code Red. CNN interviewed Bruce Scheneir (sp?) about this issue and he is all for holding software makers liable. Last week I tried submitting those stories to slashdot, yet the editors don't think it's an issue and won't post it, despite the fact that if liability someday hits the software market, it hits OSS people too.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.

  12. Start blaming Microsoft again by leonbrooks · · Score: 5, Interesting

    As has been so often pointed out, many of Microsoft's fixes also often break things, and they have a nasty habit of occasionally including "improvements" that eventually dead-end you and don't become obvious for some time - like well after it's too late to back out the patch. These features combine to make many admins that I know highly reluctant to install Microsoft's fixes.

    Apache is more of a monoculture (about twice as much) than IIS, yet Apache worms this bad generally don't happen because:

    * Apache is not design-insecure, as is practically every Microsoft product - for example, Exchange's security goolies are still flapping in the breeze (have to be due to fundamental design) and I expect to see another CodeRed appear targeted for it Real Soon Now;

    * If you want active facilities, you have to install them - or at least switch them on - because they either don't come with the base server (e.g. PHP) or aren't available in default pages to exploit (e.g. XSSI);

    * The active facilities can only touch as much as the webserver can touch. Users named ``apache'' or ``nobody'' generally don't have write access to a great deal of the file system;

    * Even though Apache as such is a monoculture, there is great variety between Apaches. They run on a wide variety of CPUs and OSes. Your binaries might be in /usr/bin, /usr/local/apache/bin, /opt/apache/bin or any one of a number of places; your web pages might be in /home/httpd/html, /var/www/html, /usr/local/apache/html or anywhere the admin chose to put them. It might be running chrooted, it might or might not have zero or more of a great number of modules enabled, and so on;

    * Apache adheres to standards; a lot of IIS holes have been in Microsoft special features;

    * Apache's code (including most common add-ons) has been examined by a wide variety of eyes using a wide variety of techniques.

    Using Microsoft software costs you all of these advantages and more.

    --
    Got time? Spend some of it coding or testing

  13. Who to blame: MS or Admins? by slasho81 · · Score: 2, Interesting

    People here suggest that admins are to blame for the Code Red ongoing catastrophe because they took the responsibility to maintain a server.

    Some posts accuse of letting MCSE handle servers, which only mighty hackers with years of experience should touch.

    I think it's stupid. There aren't enough admins that fit the definition of experienced hackers. That's why organizations buy server software to handle 'serving'. They hire admins to operate the server, not to code-and-compile or patch every morning. It's true that admins are the ones responsible to patch software, but you can't expect all servers to be patched the moment a patch is released; hell, MS servers failed to patch on time.

    The software is not secured. Whose negligence is it?

  14. Re:Not the mess they made... by jeffy124 · · Score: 3, Interesting

    On top of that, the admins who missed repeated pleas from both Microsoft and Government officials urging them to install the patch, not to mention all the publicity the pleas and the virus made on CNN (both the website and on TV), other major national news networks, and even my local (Washington DC area) television news stations.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.

  15. Re:Microsoft PR by BorgDrone · · Score: 5, Interesting

    Actually, it might even be good PR for them too.

    This is what Joe User will think:
    A dangerous "virus" threatens the entire internet (*cough*) and then Microsoft comes to the rescue with a patch and saves the internet!