Slashdot Mirror


Happy Birthday Code Red

totallygeek writes: "One year ago today (July 19, 2001), more than 359,000 computers were infected with the Code Red worm in less than 14 hours. At the peak of infection, more than 2,000 new machines were infected each minute. Servers running Internet Information Services from Microsoft were propagating this worm across the Internet faster than anything had up to then or since. For the first time, systems running the Apache web server were getting requests for a document called "default.ida". Here we are a year later, and my web log shows an average of forty-two requests per day for default.ida over the last five days. To really appreciate the spread of this program, look at this animated image."

16 of 364 comments

  1. Sorry. by ryanr · Score: 5, Interesting

    One year anniversary was last week some time. We had been running DeepSight (née ARIS) in a test mode at the time, and actually detected some test runs of Code Red about a week before the big outbreak.

    Folks will notice though that the fixed version of Code Red I (CodeRed.B) is still going. Picked up a couple of hits today.

  2. Well, at least it was good pizza that night... by SClitheroe · Score: 5, Interesting

    It really was good pizza...and it was quite a bit of fun riding skateboards around the corporate HQ at 2:30am in the morning...

    Seriously, though, it also taught the company I work for a serious lesson about staying on top of this kind of stuff. We had just finished a 2-month project to secure our web servers, but we were still bound by our traditional change management processes: 7 days' notification for an outage, and testing of all changes documented and submitted for approval in advance. At the time Code Red hit, I had sent a note saying "we've really got to get this hotfix applied", but we were bound by the process, and we got burned.

    Needless to say, when an urgent hotfix comes out now, it takes almost no convincing to get it applied ASAP. If it breaks a web app or two, well, that's the risk we take. We'd rather look for signoff from the business to unapply a hotfix that breaks something, than spend a few days trying to secure the approval beforehand. It's a lot cheaper in the long run to troubleshoot the effects of a hotfix that has unintended side effects than it is to watch your entire web farm get demolished by a worm.

    Yes, we run IIS, and I suppose you could harp about how this could all be avoided by running Apache, but the point is that without a policy, strategy, and process for rapidly deploying defenses against net-born attacks, no system is invulnerable.

    1. Re:Well, at least it was good pizza that night... by SpaceJunkie · Score: 2, Interesting

      Except there are patches I would be a little careful with as well. If you choose to run XP, there is a patch that makes the Guided Mode available through NAT and firewalls, tunneling effectively. Surely if someone has these in place, they sure as hell don't want such an obvious hole wide open...

      I sometimes use VNC, but restrict it through a firewall so only a specific IP (my work PC) can communicate with it, in specific timeframes. It also does not run by default; I use SSH to start it, also IP filtered and time restricted. Which I think is all possible in Windows as well (have not tried that). Oh, and it does not run as ROOT. I restrict root to console only.

      You see, the other problem is that XP and 2k may well be running security-vulnerable services without the user knowing, as the default setup. Which is why XP is so bad as a Joe User OS: it has more security holes than my socks... Unless you are competent to configure and patch it (and let's face it, even many trained MIS staff miss them), let alone Joe Shmoe Wordprocessor who bought an XP box from PC World.

      --
      OrionRobots.co.uk - Robots From sol

  3. Lots of infected hosts still out there by ActMatrix · Score: 4, Interesting

    DShield's Code Red Anniversary Page has an interesting graph showing scanning activity they've detected from active hosts since the beginning of this year. Some 35,000 IPs still continue to regularly come alive around the beginning of the month, quiet down towards the middle, and then resume the cycle again - the numbers have remained remarkably consistent.

  4. Argh by Myuu · Score: 3, Interesting

    No one ever notes that the CRW absolutely raped Cisco DSL routers.

    At its peak, Qwest had a 5 hour hold time for people whose Cisco was taken down by the vuln.

    Incidentally, the fix killed more routers.

    --

    forget it.
    1. Re:Argh by jhirbour · Score: 3, Interesting

      For that matter all the Netopia R 7100/7200 series were brought to a halt by CR also....

  5. apache attacklog analyser? by YellowSubRoutine · Score: 2, Interesting

    Is there an Apache log analyser that shows nifty graphs of all the different kinds of attacks somewhere out there?

    That'd be cool :)

  6. Re:Logs Clogged by mbogosian · Score: 3, Interesting

    I doubt the worm is going to bother to follow redirect requests.

    Besides https://microsoft.com/ would chew up more cycles on their end....

    All kidding aside, with a redirection rule, the worm may not follow it, but at least it cleans up the logs a little. Plus, Apache's default error page and its default redirect page are about the same size (for the bandwidth conscious).

    Just add the following to your httpd.conf at the root level (so they are inherited by all of your <VirtualHost>s as well):

    RedirectMatch /default.ida https://www.microsoft.com/
    RedirectMatch /robots.txt https://www.microsoft.com/
    RedirectMatch /root.exe https://www.microsoft.com/
    RedirectMatch /cmd.exe https://www.microsoft.com/

    For those of you who think these are a bit too general (they match quite a few URLs), or if you have legitimate destinations which are matched by the above patterns, I'm sure they can be modified to suit your needs....

  7. Re:What about Morris? by Weffs11 · Score: 2, Interesting

    I was curious, so I did some research on what the Morris Worm was. (I was 4 at the time it was released)

    All About Morris
    Wikipedia
    It seems that a college kid wrote a small program to propagate itself to as many computers as it could, and try to run in the background unnoticed. But due to a bug (or bugs) it copied itself many times over and ran multiple times on the same machine, causing it to slow to a point of being unusable.

    It infected 6,000 VAX machines in November of 1988.

    Gotta love Google

  8. Re:And how fitting... by loconet · Score: 2, Interesting

    Hey .. why don't u post some of the log entries ... to see for the first time how a webserver sees the /. effect :)

    --
    [alk]
  9. Ya think? by NFW · Score: 4, Interesting

    I got curious about the default.ida hits I was getting on my web server one day, so I took a look at the systems at a bunch of the IP addresses the attacks were coming from. I found mostly unix systems, a couple I couldn't ID (not that I tried much beyond telnetting to ports 25 and 80), and only a couple of Microsoft systems.

    This was not an exhaustive search, nor a statistically significant sample group, and dynamic IP allocation muddled the results a bit, but it was enough to make me wonder. How many of the 'code red attacks' these days are really script kitties with unix boxes? My guess is they account for most of them.

    Has anyone looked into this for more than the 15-20 minutes I put into it?

    --
    Build stuff. Stuff that walks, stuff that rolls, whatever.
  10. If a hotfix breaks an app, kick the developer. by Otis_INF · Score: 4, Interesting

    Hotfixes don't kill webapps. I have developed web applications (the n-tier stuff, VC++/VB/ASP/IIS/SQLServer etc) for over 5 years now and have applied a zillion or so hotfixes on IIS and NT / Win2k server to keep the systems up to date, but never ever have I encountered 1 single hotfix which killed a web application, nor did I hear from colleagues that hotfixes killed their web applications. If the webapp is written solidly, by the guidelines MS has supplied, you can apply any hotfix, period.

    When your developers are not that educated, however, perhaps they use dirty tricks which will break when a hotfix is applied (although I doubt it; hotfixes mostly overwrite existing files without updating CLSIDs etc, because these stay the same) and the app will die after the hotfix is applied: one reason to kick them out the door for some real professionals.

    --
    Never underestimate the relief of true separation of Religion and State.
  11. 509 by Ender+Ryan · Score: 3, Interesting

    My web server received 509 requests for default.ida last week, 7 days.

    You should have seen it last year: one day we were receiving so many requests for non-existent files that our server was crawling, because our not-found page was generated by some scripts. I simply wrote a Perl handler to handle it (roughly 60 secs) and that took care of it.

    Quite humorous it was. And that we still get thousands of hits from infected machines is hilarious.

    Heh, Internet worms... fun stuff.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  12. Re:76 Code Red hits in 2 months by JediTrainer · Score: 3, Interesting

    My home server, running WormScan:

    Nimda - 319242 attacks
    CodeRed 2 - 15488 attacks
    CodeRed - 359 attacks

    All from 5777 unique hosts.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
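
The log-analyser question (comment 5), the RedirectMatch rules (comment 6), the 509 default.ida requests (comment 11) and the WormScan counts (comment 12) are all counting the same thing. As an added example, not code from the thread or from WormScan, here is a small Python analyser that does that over Apache access-log lines: it classifies requests by the same paths the posters match on (default.ida for Code Red, root.exe and cmd.exe for Nimda-style probes) and reports hits, unique source hosts and hits per day. The log lines below are constructed samples, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log line: ip ident user [date] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:\]]+):[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request paths the thread uses to recognise worm traffic:
# default.ida for Code Red, root.exe / cmd.exe for Nimda-style probes.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida", re.I),
    "Nimda": re.compile(r"/(root|cmd)\.exe", re.I),
}

def classify(path):
    """Return the worm family whose signature the request path matches, else None."""
    for family, pattern in SIGNATURES.items():
        if pattern.search(path):
            return family
    return None

def analyse(lines):
    """Count signature hits per family, unique source IPs per family, and hits per day."""
    hits = Counter()
    hosts = defaultdict(set)
    per_day = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        family = classify(m.group("path")) if m else None
        if family is None:
            continue  # unparseable line, or an ordinary request
        hits[family] += 1
        hosts[family].add(m.group("ip"))
        per_day[m.group("day")] += 1
    return {
        "hits": dict(hits),
        "unique_hosts": {f: len(ips) for f, ips in hosts.items()},
        "per_day": dict(per_day),
    }

# Constructed sample lines (not real traffic), in Apache combined format.
SAMPLE = [
    '10.0.0.1 - - [19/Jul/2002:03:14:07 +0000] "GET /default.ida?NNNN HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.2 - - [19/Jul/2002:04:00:01 +0000] "GET /scripts/root.exe HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.1 - - [20/Jul/2002:09:12:45 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.3 - - [20/Jul/2002:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla"',
]
```

The patterns deliberately leave out /robots.txt, which comment 6 also redirects but which legitimate crawlers request; counting it would inflate the worm totals.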
  13. Re:What pisses me off by jeffy124 · Score: 3, Interesting

    That's definitely interesting. Makes me wonder -- there was that Code Red Vigilante program written up. It was basically a Java program (speed issues aside, it was for maximum cross-platformness) that listens on port 80 for Code Red exploit attempts, then fires back at that machine, using the same default.ida exploit, causing a window to pop up on the infected machine with information about what's wrong, what to do about it, where to go for more information, etc.

    The author made the program available on his website, so that anyone not running a webserver could run CRV themselves. I know the author also got a lot of thank you emails from infected users who thought they weren't vulnerable because of misinformation that was going around about the worm.

    As to your FBI story, I think the problem there was that the worm-patching-another-worm was making changes to the system without permission of the admin. But it makes me wonder how the FBI may have reacted to the CRV program. Given that the FBI has better educated themselves on computer hacking issues (especially since the witch hunts following the AT&T outage in the early 1990s), my guess is that they saw it as no biggie because it made no permanent changes to the infected machine.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
  14. Limited Ecosystem by steelhive · Score: 2, Interesting

    The biggest reason (IMHO) why Code Red spread so rampantly was not because:
    - Microsoft writes lousy code (they're not great, but I don't believe they suck more than other httpd authors)
    - Windows security is dreadful (Win95/98 is fairly bad, but I don't think NT is *that* horrific)
    - The large installed base (Apache has kind of a big base)
    - Microsoft has bad karma

    I believe the real reason is the *homogeneity* of IIS and the Win32 platform. Virus and worm authors have a predictable environment for which to code. Biologists would refer to this as a monoculture. Monocultures are notoriously prone to being taken down -- witness the Irish potato famine.

    Apache runs on far too many disparate platforms for a single exploit to "catch fire".

    That's why I like an internet with many different OSes, machine architectures, http servers, etc. A diverse ecosystem is good for all! ;-)
