Slashdot Mirror


Happy Birthday Code Red

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything had up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

21 of 364 comments

  1. Interesting... by neksys · · Score: 1, Insightful

    It's been a year since the most devastating virus spread across the internet like wildfire - and to this day, Microsoft still insists that such things are the fault of the user, not the software.

    1. Re:Interesting... by NeuroManson · · Score: 4, Insightful

      Considering that, despite the worm being in the wild for over a year, either installing a *nix variant, applying a service pack, or simply running a decent antivirus app were alternatives to being infected? All of which are conscientious actions of the user, admin, etc? All actions that are made on the part of the user? All options undertaken or not by the user?

      Sounds an awful lot like the fault of the user to me...

      --
      Just because you can mod me down, doesn't mean you're right. Shoes for industry!
    2. Re:Interesting... by ShavenYak · · Score: 3, Insightful

      Did it occur to you that maybe you should connect the box to the Internet as the LAST STEP? - AFTER the server is configured and PATCHED?

      Perhaps that should be obvious to an experienced sysadmin, but most installers of Windows 2000 won't have a clue about such precautions. The intelligent thing for Microsoft to have done is not had IIS turned on by default. This is especially obvious when you consider how many of the Code Red hits you get come from people who obviously don't even use the IIS that's running on their box.

      Since Microsoft is aiming their software at clueless users who can't be bothered to secure their machines, Microsoft needs to ensure that their software is secure out of the box.

      --

      Hey kids, there's only 5 days left 'til Yak Shaving Day!
    3. Re:Interesting... by netringer · · Score: 3, Insightful
      Perhaps that should be obvious to an experienced sysadmin, but most installers of Windows 2000 won't have a clue about such precautions. The intelligent thing for Microsoft to have done is not had IIS turned on by default. This is especially obvious when you consider how many of the Code Red hits you get come from people who obviously don't even use the IIS that's running on their box.
      Well, I don't think anybody has to defend NON-professional sysadmins. If you really believe that any Internet server should be so brain-dead simple that you can't hurt yourself you should get what you deserve - even if you managed to pass the MCSE exams.
      Since Microsoft is aiming their software at clueless users who can't be bothered to secure their machines, Microsoft needs to ensure that their software is secure out of the box.
      Far be it from anybody to defend Microsoft on Slashdot, but this is an impossible requirement that no other OS vendor delivers - Not other Unices - Not even Linux.

      Fifteen years ago we knew that Sun insisted on shipping SunOS with a "+" in /etc/hosts.equiv which would open your system to any other server on the network. We edited that and other config files before a Sun went on the LAN.

      In the real world you have a checklist of things that must be done and things that must be changed before the box can be put into production, especially on the big bad Internet. In our company, where the NT operations MCSE staff are not exactly the brightest thinkers, we have a standard Windows 2000 build document that has a security checklist and says to only install IIS if the box is going to be a web server. There ARE checkboxes in the custom install where you can deselect the install of IIS and other unneeded programs.

      If you dare to draw a paycheck you SHOULD be a Professional. It's up to you to learn how a professional operates.
      --
      Ever dream you could fly? Get up from the Flight Sim. I Fly
  2. What about Morris? by sconeu · · Score: 5, Insightful

    Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything has up to then or since

    Granted, the 'Net was a lot smaller, but what about the Morris worm?

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:What about Morris? by David+Off · · Score: 2, Insightful

      I was working for Siemens at the time as a young Unix hacker (siesoft.co.uk).

      The Morris worm was slowed down by the speed of the Internet... we had a 64kbps connection to ICL. We managed to pull our link to the net before we got affected. It was really quite exciting at the time, following the Usenet links as people pulled the Morris worm apart and analysed it byte by byte.

      In the end we were probably affected for around 3 days. We first realised there was a problem as Usenet dried up... we used to take all newsgroups with a feed of around 1000 posts per day! This slowed to a trickle during the 'attack'.

      Things got back to normal again as you really had to have people who knew what they were doing to get Unix and Vax systems on the 'net back then. Also there were nowhere near as many wankers online, even as a % of the total population. We were there in a spirit of cooperation and discovery. Happy days.

      David

  3. Happy Birthday? by SoupaFly · · Score: 4, Insightful

    What exactly are we supposed to celebrate? The inept SAs that have failed to patch their systems? The sad lack of software development skills and abundance of corporate greed that combine to push shoddy software upon millions of users?

    Maybe we should celebrate the resiliency of the Net. The fact that while attacks on systems continue to come daily, and at a seemingly increasing rate, everything still works most of the time.

    --knowledge, not information, is power

    1. Re:Happy Birthday? by DeepZenPill · · Score: 3, Insightful

      I think the belief that birthday == celebration in each age group is represented with a bell shaped curve. Shit, when I'm 89, senile, and living in my own filth, my next birthday will be a celebration for me. That much more closer to escape!

  4. Looking at my records by Neolithic · · Score: 2, Insightful

    June 18, 2001 14:29:28 -0700
    Microsoft Security Bulletin MS01-033

    June 18, 2001 14:36:53
    q300972_w2k_sp3_x86_en.exe

    When did Code Red hit? Did I bother to notice? Did I bother to record? No. It didn't affect me much.

    1. Re:Looking at my records by 1g$man · · Score: 3, Insightful

      No, he's pointing out that the patch was available a full month before the worm hit.

      A full month.

      And, being a competent admin, his boxen weren't hit.

    2. Re:Looking at my records by spongman · · Score: 2, Insightful
      yup, I think this says two things:

      1. (most) IIS sysadmins are a bunch of lazy/ignorant fools who needed to get their backsides kicked to get them to heed the MS-SEC mailings.
      2. the worm writer did an excellent job.
  5. times out by bilbobuggins · · Score: 5, Insightful
    To really appreciate the spread of this program, look at this animated image.

    Is it slashdotted or is that the demonstration?
    ;)

  6. A year later, no service pack 3 for Win2K by Animats · · Score: 2, Insightful
    The most recent service pack for Windows 2000 is dated May 2, 2001. There's a Security Rollup Package dated January 30, 2002. Nothing since then, despite the "month of effort" Microsoft supposedly put into fixes earlier this year. Whatever happened to that, anyway?

    Corporate America mostly runs Windows 2000. That's the system that needs security and reliability most. And where's Microsoft?

  7. Re:IIS is sorta like an STD by Verizon+Guy · · Score: 2, Insightful

    Unfortunately, if vigilant admins set up their servers properly -- i.e., disable unused script mappings (like I did ;-), this never would have happened, bug or no bug, worm or no worm.

    --

    Aw, fuck it. Let's go bowling. - The Big Lebowski

  8. Re:All of this kvetching about bad sysadmins, and by NeuroManson · · Score: 3, Insightful

    Does that mean, therefore, that anyone running Linux without the fix for the 1i0n (or however that's spelled) exploit, can sue Linus Torvalds, Redhat, et al for damages? How about anyone running a Micro$oft OS that has an exploit taken advantage of with a worm, virus, etc, that was created on a Linux system with the sole purpose of damaging as many M$ OSs as possible?

    If you get shot by someone and suffer horrendous injuries, do you sue every bullet proof vest manufacturer, or gun manufacturer because they didn't base their business model around you? Or do you sue (or at least lock up) the one who pointed the gun at you and pulled the trigger? Do you go around your neighborhood, testing each doorknob to see if the house is locked, then rob and burn down each house that isn't? Is it the homeowner's fault for not locking the door, or you for entering in the first place?

    If you want to hold anyone responsible, try the guy/s who code viruses and worms... Anyone with sufficient pathological incentive to wreak havoc and trash a computer system (or, basically, anything else) will do so...

    Responsibility goes two ways, on one hand, those who have known for a substantial period of time that there was a problem that needed addressing, and those who take advantage of that problem... The net makes this all more obvious, at least to those of us with a smidgen of common sense...

    --
    Just because you can mod me down, doesn't mean you're right. Shoes for industry!
  9. Re:Power of slick advertising by 1g$man · · Score: 3, Insightful

    If you think Linux is a "Safe Haven" then you're just asking for your ass to be handed to you.

    If you think you can put ANY server up on a public network and not maintain it--you WILL be in for a rude awakening one day.

  10. Re:Power of slick advertising by _Sprocket_ · · Score: 4, Insightful

    Just a side note, if anyone ever came up with a virus that was as devastating to apache as code red was to IIS, I think Linux would be doomed. If you expect something to fail (Microsoft products) then you don't care too much when they do. But if a product is touted as being absolutely secure and stable (Linux/Apache) then when it does screw up big, it will probably be its death. The higher up you are, the further you have to fall.
    There has to be some fundamental shifts in the environment for this to happen. You see - Linux (and Solaris) have had their own worms around the same time period as Code Red. They could have been just as devastating - but they weren't. They died quickly and went away.

    Of course - that's not to say it can't happen to Linux in the future. Some changes that would have to take place would include:

    1) An increase in un-administered machines (which is possible as more Linux machines go into service and are promptly forgotten about or appropriate support stuff aren't also put in place).

    2) More distributions installing services by default without user knowledge (which most distros seem fairly resistant to doing - but not all).

    3) Patches that become as devastating as the security threat they attempt to mitigate (I've yet to see this and would think that any organization that constantly produced dangerous patches / replacement packages would find their user base fleeing to another distribution).
  11. 76 Code Red hits in 2 months by rossz · · Score: 2, Insightful

    I guess I should consider myself lucky.

    Total/Unique
    Nimda hits: 6213/134
    CodeRed hits: 76/76

    Damn annoying, though.

    --
    -- Will program for bandwidth
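The summary's "forty-two requests per day for default.ida" and the Total/Unique counts in the comment above are both produced by scanning an Apache access log for the worm's probe requests. The following is an added example written for this page, not code from the original post or from any of the commenters; it parses combined-format log lines, classifies each request as a Code Red probe (any request for /default.ida) or a Nimda probe (the root.exe/cmd.exe requests that worm sends), and reports total hits, unique source addresses and the per-day average. The log lines embedded in SAMPLE_LOG are constructed for the example (the real probe strings are far longer); the names parse_line, classify, worm_stats and daily_average are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of Apache "combined" log lines (not taken from the post).
# The Code Red request string is shortened; the real one is several hundred
# characters of filler followed by %u-encoded shellcode.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jul/2002:03:14:07 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 295 "-" "-"
10.0.0.5 - - [17/Jul/2002:03:14:09 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 292 "-" "-"
10.0.0.5 - - [17/Jul/2002:03:14:09 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 290 "-" "-"
10.0.0.5 - - [17/Jul/2002:03:14:10 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300 "-" "-"
10.0.0.5 - - [17/Jul/2002:03:14:10 -0700] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 333 "-" "-"
192.0.2.77 - - [18/Jul/2002:11:02:51 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 295 "-" "-"
198.51.100.9 - - [18/Jul/2002:12:40:00 -0700] "GET /index.html HTTP/1.1" 200 1524 "-" "Mozilla/4.0"
198.51.100.9 - - [18/Jul/2002:12:40:01 -0700] "GET /images/logo.gif HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/4.0"
203.0.113.4 - - [19/Jul/2002:00:00:12 -0700] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 295 "-" "-"
"""

# Apache combined log format: host ident user [time] "request" status size ...
# The request line is split into method, path and protocol; the worm's probe
# path contains no spaces, so \S+ is enough for the path field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Nimda probes the IIS directory-traversal and Code Red II backdoor paths;
# every one of them asks for root.exe or cmd.exe somewhere in the path.
NIMDA_RE = re.compile(r"(root|cmd)\.exe", re.IGNORECASE)


def parse_line(line):
    """Return {ip, day, path} for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # "17/Jul/2002:03:14:07 -0700" -> "17/Jul/2002"
    day = m.group("ts").split(":", 1)[0]
    return {"ip": m.group("ip"), "day": day, "path": m.group("path")}


def classify(path):
    """Name the worm a request path belongs to, or None for ordinary traffic."""
    # Both Code Red variants hit the .ida ISAPI filter through /default.ida;
    # the filler character differs (N for the first worm, X for Code Red II).
    if path.startswith("/default.ida"):
        return "CodeRed"
    if NIMDA_RE.search(path):
        return "Nimda"
    return None


def worm_stats(log_text):
    """Count probes per worm: total hits, unique source IPs and hits per day."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        worm = classify(rec["path"])
        if worm is None:
            continue
        totals[worm] += 1
        sources[worm].add(rec["ip"])
        per_day[worm][rec["day"]] += 1
    return {
        worm: {
            "total": totals[worm],
            "unique": len(sources[worm]),
            "per_day": dict(per_day[worm]),
        }
        for worm in totals
    }


def daily_average(stats, worm):
    """Average hits per day over the days on which the worm was seen at all."""
    days = stats.get(worm, {}).get("per_day", {})
    return sum(days.values()) / len(days) if days else 0.0


if __name__ == "__main__":
    stats = worm_stats(SAMPLE_LOG)
    print("Total/Unique")
    for worm, s in sorted(stats.items()):
        print(f"{worm} hits: {s['total']}/{s['unique']}  "
              f"(avg {daily_average(stats, worm):.1f}/day)")
```

The total/unique split is what makes the two worms look so different in the comment above: Code Red hosts typically send one probe each, so total and unique track each other, while a single Nimda host fires a whole burst of root.exe and cmd.exe variants at every target, so the total runs far ahead of the unique count. Pointing the script at a real access log means replacing SAMPLE_LOG with the file's contents; unknown line formats are skipped rather than raising.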
  12. Re:I still have my fake default.ida by DeadSea · · Score: 4, Insightful
    Notice that the parent post ends with "YHBT".

    That stands for "You have been trolled".

    The perl script is a troll, it won't work, I can't believe this got modded up.

  13. Re:IIS is sorta like an STD by thesolo · · Score: 4, Insightful

    Unfortunately, if vigilant admins set up their servers properly -- i.e., disable unused script mappings (like I did ;-), this never would have happened, bug or no bug, worm or no worm.

    Yeah, that's fine and dandy for those who don't need the IDA et al. mappings; but what of those people who DO use them?! You know, a lot of those corporate servers that were hacked had those script mappings set for a reason, i.e. they were using them.

    That's great that you knew better than to keep the default script mappings, but what about people who needed them?? It would have been a lot nicer if Microsoft had written a secure server in the first place instead. Even the most vigilant sysadmin would still get infected running IIS if he needed to use the IDQ & IDA mappings. In short, don't blame the sysadmin, because it's not always their fault.

  14. Re:If a hotfix breaks an app, kick the developer. by SClitheroe · · Score: 3, Insightful

    You are assuming that all web apps are written using MS technologies...how about ColdFusion, Lotus Domino, etc? We have quite a mix of stuff, as our environment has evolved over the years...and there have definitely been hotfixes that have broken Domino.