Slashdot Mirror
Code Red: the Aftermath
LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanantly disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.
Blame the bozo who designed strncat!
strncat() isn't a problem by itself. The problem is improper usage patterns.
When you're builiding a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatinating, you need to prevent (or check for) overflow, something like this:
strncat(dest, src, MIN((BUFFSIZE-1)-sizeof(dest), chars_wanted_from_src));
Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is writing with guards for overflow the guard code will serve as a reminder to later programmers maintaining or upgrading the code.
But strncat() isn't the main culprit.
Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, ala fgets(). And it's the decision to keep it in the standard library "for compatability" that causes all the pain.
The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The rest of us applied the patch supplied by Microsoft more than a month before CR came out...
:)
And were still vulnerable until we disabled URL forwarding.
The Microsoft patch alone is not useful. You are still at risk. See Incidents home page
I'm so sick of people blaming Microsoft. The released a patch well before Code Red. Get over it.
Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole !!
Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein
Blame Alan Turing, he invented stored-program computers...
This is what happens when you give admins a false sense of security.
After all, they became an MCSE after a couple months of hitting the books, rather than a few years of hacking old hardware. They got a certificate and the sense that the Microsoft way is the best way - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
Some of my friends are MCSEs. - Not all of them are 'hackers' who actually watch what happens in their systems. They trust that MS will send them a shiny new CD with a 'Service Pack', along with a few other goodies to play with when an update is needed.
The problem is compounded by the fact that these Win2K CDs got passed around - Microsoft knows this and whether or not they admit it, it's part of their marketing. From what I've seen, I'd suspect that the bulk of the problems are coming from the home users who are running a borrowed copy of Win2K on their PC/Cable Modem setup. The ones who don't get the service packs and don't log into Microsoft.com too read the bulletins for fear of being asked for proof of purchase.
You Microsoft has these thousands of unlicenced customers that they know are using their software in a dangerous manner - Everything installed, every service running - all the lights on, but nobody home. What is MS's liability?
With all of the talk about the signifigance of an AOL icon vs. an IE icon on the desktop, MS *knows* how people will react when running an install - They know that if the user gets a dialog that says "Activate IIS?" that an unsure user will probably say yes, even if he has no idea what IIS is or what the risks are.
Microsoft has got to accept the blame for this mess - It is their doing.
Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licenced* - Now won't that be fun?
Cheers,
Jim in Tokyo
-- My Weblog.
Blame the bozo who designed strncat!
This may not be the cause of this particular overflow, but it causes a very large number of them.
The main reason you'd use strncat rather than strcat is to avoid buffer overflows, yet instead of the obvious choice of feeding it the buffer size, you have to feed it the maximum number of characters to add. So to use it to prevent buffer overflows, you not only need to remember the buffer size, you have to track the current string length!
Avoid strncat! Even if you understand it, someone who changes your code might not.
Make something more intuitive:
char *buf_strcat(char *dest, char *src, size_t buflen){
char *cur=dest;
int i=0;
while(*cur && i<buflen-1){cur++; i++;}
while(*src && i<buflen-1){*cur++ = *src++; i++;}
*cur='\0';
return dest;
}
---
You'd be surprised at the broadband connection available to things crawling around in your hair.
I've had similar thoughts. I've been reading Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence and with the Code Red outbreak, I've taken to reading it with malware in mind.
What I've come to realize is that a worm could become real scary if its author, like me, were to be a fan of multi-agent systems. There's a plenthora of research on agent-to-agent communication, just waiting for that big experiment to take place.
Ponder this: interlock. The worms work together to reach a situation in which a host cannot be cleaned without data from another host, and vice-versa, thus making disinfection extremely hard
I've been sketching on scenario where relationships are created via the infection plus one level. if A infects B (first level of interconnect), then B would tell A about every other host it infects in turn (second level). These hosts would form a cluster, where each member is free to initiate contact with another and request services.One of these could be the encryption or decryption of data. Hosts would say "Please encrypt this data (hands it over) and return the encrypted result". Say host A tells host B this. Suddenly we're in a situation where we cannot simply disinfect host B, because if we do we'll lose the key that decrypts data on host A! Of course, the worms would negotiate the complement, and host A would contain the key to unlock data in host B. We then expand this scenario to a great interconnection between members of the cluster. We can strengthen the connections by allowing unrelated hosts to negotiate interlocks.
In the same vein worms can negotiate and divide the search-space between them. Each worm could contain a compressed/simplified representation of the IP-search-space (just a couple of masks maybe? Haven't thought too hard about it). Relatives would communicate which parts have been scanned as to not duplicate (too much) work. This then becomes a parallell binary search!
I think I'm gonna have to write a short doomsday article too, there's just so much cool things that someone wicked could do.
Belief is the currency of delusion.
- 2001-08-11 13:18:46 Warhol Worm proposed: 15 minutes to total infection! (articles,bug) (rejected)
SinceHere's the scoop (more meat at K5):
Using your sig line to advertise for friends is lame.
This is a bigger fix than one might think. At the university at which I work, the major problem was not the sys admins who did not patch their servers, it was the professors who had Win2K Professional on their workstations with IIS on and didn't even know it. Some of them knew about the worm, even made sure that the department's IT teams patched their servers, but did not know that they were running a web server in their office, let alone that they were infected.
I'd rather have someone respond than be modded up.
Talking about rebooting - check this news.com video out.
Everybody but Bill Gates thinks it's pretty funny :)
I got this mail, and the problem is that people are WAY TOO STUPID to know what to do. If the microsoft patch can tell if it needs to do anything or not, RR and @home security should point everybody to it.
From: security@cfl.rr.com
To: Our Valued Customers
Subject: Security Notification
ROAD RUNNER ALERT
VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.
Dear Road Runner Subscriber:
Road Runner, like many other ISPs and, indeed, the entire Internet, has
experienced an attack on its network that apparently is attributable to a
strain of the Code Red virus. It is possible that this virus has infected
the PCs of Road Runner customers using the Microsoft Windows NT Server or
Microsoft Windows 2000 Server operating systems. Infected PCs may
continue to flood the Internet and the Road Runner network with
virus-generated messages (even without your being aware of it).
Road Runner is working to alert all of its subscribers to this problem
and to instruct them on where to find and install the patch necessary to
eliminate the virus. In the meantime, Road Runner customers may
experience slow network response, flashing data lights on their cable
modems, and other symptoms (such as unusual port scan log activity or
increased firewall activity) while Road Runner and the Internet community
work to control the impact of this virus.
IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER,
PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
(www.microsoft.com/security) AND RESTART YOUR PC.
IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOUR
ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.
We ask for your patience while Road Runner continues to work with the
Internet community to address this virus.
Thank you.
Road Runner Security
" it also gives you an option to permanantly disable IIS..."
About time Microsoft showed people how to secure a Windows web-server! Turn off the web daemon! *sigh*
Comment removed based on user account deletion
Looking through my logs, I think it's more likely that it is home users that are infected now, a lot of DSL users on dynamic IP addresses are hitting me.
.ida exploit against you, popping up a Net Send message on the computer, so hopefully someone will notice and patch the machine...
I haven't seen it posted here on Slashdot yet, but there's a neat little Java Applet (it's even GPL) over at:
http://www.dynwebdev.com/codered/
It auto-replies to any machine that tries an
When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
From: Support@iis.microsoft.com
To: Registered_Users@iis.microsoft.com
CC:
Subject: RE: IIS Code Red Worm Patch
Attachment: Instructions.doc
Body:
Hi, how are you?
We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructionsin a easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.
If you have any advice on this file, please email us back!
See you later!
No, no, no.
When you buy a house, you know for a FACT that glass will break when hit with a hammer.
The people who buy MS products THINK they're getting something secure, since it's one of the many buzzwords (READ: lies) that MS always uses.
Your analogy just doesn't do justice to the situation.
Rich...
Ignore Alien Orders
Code Red is not the problem, it is the symptom. If Microsoft had fixed the problem before there was a problem, then the buggy version of IIS never would have shipped.
However part of the problem is the use of huge monolithic programs, which attempt to do everything including the "kitchen sink". For quite a while with Windows we have been seeing what amount to explots through "bells and whistles". Frquently where most people don't even know something is even there...
When a box has been cracked, you need to do a complete reinstall, as you can never know what backdoors has been installed. Sure, you can remove RCII, but while it was active, it would only take even the dumbest script kiddie a couple of requests to install another backdoor.
Blame the creators of C.
They're the ones who are responsible for buffer overflows.
Trolls throughout history:
Jonathan Swift
"It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins."
Does this really surprise anyone? MCSE's are trained (and tested) to solve everything by "reboot, reload, reinstall", because Microsoft's way is to "take the easy way out" instead of actually FIXING the problem.
And, so many MS service packs BREAK servers and software when installed, can you also not blame people for NOT rushing ot install them? Even where I work, where we do OS compatibility testing on servers we don't start using new MS service packs until they've been tested and found safe by our internal test group...
I for one expect use of IIS to drop as a consequence of the Code Red virus... Were IIS open source, these holes and backdoors would have been seen LONG ago and fixed. Apache runs MUCH more of the web than does IIS, yet you don't see anywhere near the number of bugs, exploits and DOS worms as does IIS.
=== The price of freedom is eternal vigilance
Its true that Microsoft put out a patch before the virus took off, so that's a good thing. But Microsoft releases patches all the time, and that is a bad thing. I'm on the security mailing list from MS, and I get at least 3 or 4 alerts a week. I'm also on the slackware list, and I have received 3 or 4 alerts in the last six months.
The reason for this is because Open Source projects tend to fix their security bugs before they are released. If Apache shipped with something that allowed this kind of remote exploit in one of the 2.0 betas, there is a better chance that someone else out there will see it. What is the chance that someone can do an independent security audit of Windows XP?
Closed source can be perfectly good at closing holes, if the company is as big as Microsoft. But Open Source is much better at closing those holes before they are shipped: many eyeballs make all bugs shallow. Open Source doesn't catch every bug, of course; but enough are found that when the odd hole is announced, it is a big enough deal that the patches are more likely to be installed.
Closed Source hurts Microsoft security in more ways than one. Not only are all default installations compromised, but since so many new patches come out every week most admins don't keep up with them. While this is partially the admin's fault, it is also the fault of the software model that prevents these problems from being found quickly.
-Mike
PS: how do we know that "Microsoft fixed the problem before there was a problem", anyway? The patch came out before this big worm hit, but how many servers were quietly compromised in the last year?
My domain is on a shared Linux host at CI Host. For over one week now, starting August 2, my domain has been totally useless to me. I couldn't log in to update my content. I couldn't recieve email on the domain POP3 box. I couldn't log in with a POP3 client to download any mail that did sneak through. All this went on for over a week. I would call up on the phone and stay on hold forever... a couple of times I would get clueless technicians that would just say "It's the Code Red virus... our administrators are aware of the problem and will have it fixed as soon as possible". OK I gave them some time to get it fixed because half the internet was having problems with this. But then I noticed everyone else was getting better, and CI Host was still down (except their own www.cihost.com site, which was still aggressively selling service to new customers). I would open up online trouble tickets with them, only to have them get closed without resolution. I re-opened and escalated a couple of times and finally early this morning they took my server down to perform some kind of unknown maintenance and when it came back up it was running better than it EVER had before in the 2+ years I've been with them.
If anyone is thinking of using CI Host, let me tell you THEY SUCK. About twice a year something major like this happens where I'm down for a week or more. In December of 1999 I went down for almost a whole month (their press releases will tell you it was a much shorter time than this but that is BULLSHIT).
I'm looking at maybe switching to PrimeMaster Online (http://www.primemaster.com). Anyone here have experience with them?
Screw Micro$oft.
in /etc/apache/httpd.conf:
.ida
AddHandler cgi-script
You and I know that you don't need your proof of purchase, but is it inconcievable that the bulk of people using a bootleg copy would feel uncomfortable going to Microsoft.com - Thinking that MS will somehow *know* and track them down?
-- My Weblog.
There's been talk on places like CNN and CNet about software makers being held liable for serious defects in much the same way Ford and Firestone are for their recent tire troubles. Some good examples where this would apply include some major items in software bugs history: the AT&T 800 service outage, the hospital radiation treatment software controllers that killed people from overexposing them to radiation, and of course Code Red. CNN interviewed Bruce Scheneir (sp?) about this isue and he is all for holding software makers liable. Last week I tried submitting those stories to slashdot, yet the editors dont think it's an issue and won't post it, despite the fact that if liability someday hits the software market, it hits OSS people too.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Michael writes, So, Microsoft has given you a mop to clean up the mess they made.
No, Microsoft gave us a mop to clean up after the mess the Code Red author(s) made.
You see, more than a month before Code Red came out, Microsoft gave us the patch for the security breach that allowed Code Red to take place.
"And like that
As has been so often pointed out, many of Microsoft's fixes also often break things, and they have a nasty habit of occasionally including "improvements" that eventually dead-end you and don't become obvious for some time - like well after it's too late to back out the patch. These features combine to make many admins that I know highly reluctant to install Microsoft's fixes.
/usr/bin, /usr/local/apache/bin, /opt/apache/bin or any one of a number of places; your web pages might be in /home/httpd/html, /var/www/html, /usr/local/apache/html or anywhere the admin chose to put them. It might be running chrooted, it might or might not have zero or more of a great number of modules enabled, and so on;
Apache is more of a monoculture (about twice as much) than IIS, yet Apache worms this bad generally don't happen because:
* Apache is not design-insecure, as is practically every Microsoft product - for example, Exchange's security goolies are still flapping in the breeze (have to be due to fundamental design) and I expect to see another CodeRed appear targeted for it Real Soon Now;
* If you want active facilities, you have to install them - or at least switch them on - because they either don't come with the base server (e.g. PHP) or aren't available in default pages to exploit (e.g. XSSI);
* The active facilities can only touch as much as the webserver can touch. Users named ``apache'' or ``nobody'' generally don't have write access to a great deal of the file system;
* Even though Apache as such is a monoculture, there is great variety between Apaches. They run on a wide variety of CPUs and OSes. Your binaries might be in
* Apache adheres to standards; a lot of IIS holes have been in Microsoft special features;
* Apache's code (including most common add-ons) has been examined by a wide variety of eyes using a wide variety of techniques.
Using Microsoft software costs you all of these advantages and more.
Got time? Spend some of it coding or testing
Which system did Ramen infect? I'm pretty sure it wasn't a Microsoft platform.
Software has bugs. They get found, they get fixed, move on. The only reason MS exploits get more press and greater impact than Linux exploits is that MS is on more boxes. If, as you claim to desire, Linux takes off, the same people shrieking to the sky about what a crappy system MS has will be defending Linux and saying, hey, it happens. Stupid users who don't patch aren't Bill Gates' fault.
It's just the same crap from folks who attack NT as buggy and crashprone (which is almost always due to 3rd-party drivers) while extolling the stability of Linux, which they keep rebooting because they have wonky drivers. A ha! they say, I was using a beta driver, its to be expected. Well, that driver has been in beta for over a year, that's as good as it gets. Software has bugs, move on.
You want to ignore your own faults and start a religious war? I'm betting you can get some cheap flights to Tel Aviv right now. Knock yourself out.
-reemul
who wishes 2k wasn't so buggy, either, but doesn't want to hear the bitching from folks who need 2 hours and a phone call to a friend to get a soundcard working
You're just jealous 'cuz the voices talk to *me*
OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?
For extra credit: reboot twice, as Micro$oft recommends.
For a straight A: fix the problem forever by replacing NT with Linux...
Oh gods, someone PLEASE tell me how I could get a job bashing Microsoft. I do it for free all the time.
And here's a security hole for you. Service Pack 6 (that's the original Service Pack 6, not 6a) not allowing anyone but Administrators to access the TCP/IP stack. You think that possibly some of Microsoft's vaunted legions of crack QA people might've possibly tried testing the service pack as something other than an Administrator?
Just a correction... Apache does *NOT* run MUCH more of the web than does IIS.
You just have to go look at the Netcraft survey's to understand. In the past they've pointed out that half of SSL enabled sites run IIS. Then about a month or two ago they started trying to identify individual machines and found IIS/Windows combination again on half of the overall web.
What we do know is that Apache is used in many more cohosting situations. Jimmy and Susy set up a web page and pay $0-10/month for it. Is it a signifigant thing that companies providing low price service with no service level agreements use a free OS/web server? I don't think so, but you be the judge.
Two other points:
Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.
You should *ALWAYS* test patches and new releases before installing them into a production environment. That applies not only to Microsoft, but also to Linux, Sun, HP, Oracle, Peoplesoft, everything!
In our testing service packs don't usually break apps. But they do have a tendency to break drivers or low-level hardware monitoring tools provided by the manufacturer. Is this surprising? No. Again we have the same problems on our Unix servers with OS patches.
On top of that, the admins who missed repeated pleas from both Microsoft and Government officials urging them to install the patch, not to mention all the publicity the pleas and the virus made on CNN (both the website and on TV), other major national news networks, and even my local (Washington DC area) television news stations.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
Actually, it might even be good PR for them too.
this is what joe user will think:
A dangerous "virus" threatens the entire internet (*cough*) and then microsoft comes to the rescue with a patch and saves the internet!
08/10/01 I received a total of 132 probes to tcp:80 on my 12.82.x.x dynamic IP via my dialup to worldnet.att.net
These are exclusively from other dialups and small-scale hosts in AT&T's 12.x.x.x class A; AT&T has introduced ingress filtering and I'm seeing almost nothing from outside (Note: almost - some stuff is still leaking through..)
But the problem is the enemy within: there's got to be thousands of home/SOHO small systems, maybe single boxes, put together by the hotshot early-adopters and techno-yuppies who think it's cool to go through the checkout stand at CompUSA and purchase a copy of Win 2K Professional, or whatever, and put it on their home systems with all the bells and whistles installed.
None of these boxes are under *any* formal administrative control, and it's going to be up to each and every one of these thousands of techno-yuppies to patch each and every single one of their boxes.
So far today 08/11/01 at 10:00am I've had 69 probes.
As far as I can see, getting all these systems disinfected and patched hasn't even started yet.
t_t_b
I'm on PJ's "enemies" list! Are you?
well, not really, the IPv6 address space will be largley unused. but the areas that are used will be well known, it would be very easy to specify the good ranges to scan.
-- free as in swatantryam - not soujanyam.
It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins.