Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Microsoft

Code Red: the Aftermath 505

Posted by michael from the if-only-this-was-the-last-code-red-article dept.
LiquidPC writes: "Microsoft has released a tool to help clean up the effects of the Code Red II. It removes the files and mappings installed by the worm, and reboots your system; it also gives you an option to permanantly disable IIS." So, Microsoft has given you a mop to clean up the mess they made. Start mopping! If you're not the one infected, just tired of seeing your Apache logs fill up, you might see this page.
This discussion has been archived. No new comments can be posted.

Code Red: the Aftermath More

Code Red: the Aftermath

Comments Filter:
  • Yes, it is sort of off-topic. No, I do not advocate anyone writing viruses. Go to town, moderators.

    My point is this:
    MS is now on the brink of a win so big that they will be nearly be unstoppable, possibly even by the government, once it happens.

    This is, of course, .NET, which would give them a strangle-hold on ecommerce, and a hand in the pocket of nearly everyone on Passport.

    MS, and even Passport, have had huge security and service blow-ups in the past (Hotmail outages, etc.), and it hasn't even been a blip on the radar as far as most average people are concerned. It hasn't even registered on a corporate level, outside of the IT departments, who are just being blamed by the executives for not taking "proper care" of their single-platform fiats.

    Now, a high-profile virus that keeps going on and doesn't go away (like, for example, Code Red)and forces the public's attention on the issue and becomes a constant and increasing embarassment to MS as it continually claims to have fixed the problem just before a new version shows up.

    Now, people have this in their heads, even if it is the wrong way. ("That evil Russian hacker wrote this awful virus that takes over my computer.") The point being, that even executives will start to notice it, and may take the time to read their half-page summary sheet on the problem that it only affects MS, especially their new products that they want everyone to upgrade to.

    Ultimately, only a sustained, media-covered security crisis will have any sort of effect on MS. Public opinion will only be turned when the average user is affected by it. It will happen after .NET launches and the first hack happens that compromises personal data, but it won't matter unless it happens *before* then.

    Just a thought.

  • Everyone is saying, "blame MS", and "blame the virus writers," and/or "blame the trained monkeys." Everyone has it all wrong. All these people are responsible. MS is for having an OS that allows such exploits to be performed, and for telling people that it's easy and doesn't require skill to keep a server up and running (if you make it easy enough for a monkey to do something, monkeys will do it!). Second, the virus/worm writer, for writing it, and 3rd, the idiot monkeys for playing with something they don't have the skill to play with, and infecting each other. (Maybe like AIDs - people/monkeys play as they shouldn't, infecting each other... and everyone suffers for it.)
  • As a sysadmin for a couple of Linux web servers, I have been monitoring this site and others to see what everyone else is doing about CR. Up to now, I have gathered that the general feeling was one of moderation: ie., to try to notify the sysadmin of the offending site and wait until they patched or fixed their equipment.

    Now, the feeling seems to be shifting. According to this message and its threads, scripting a reply to reboot the machine is accepted as a response. I am still not comfortable with this but I am willing to go along with the group.

    What does everyone else feel about this?

  • My company is running IIS 5. Perl is running on the system, and I'd like to create a script that will take any requests for default.ida and add the IP to the list of IP addresses the IIS server blocks.

    While we're at it, can the net send command be used to inform the infected system of its "condition" without resorting to exploiting the Code Red II install of root.exe?

    Anyone have any ideas for using Perl or ASP to do this?
    • Well I have a PHP script [umn.edu] that I've made, but I don't know if it works (I don't have any IIS boxes to test on).

      If you want to test it, find an IIS box. Shut off the default route, so nobody can hit you while you're doing this. Copy cmd.exe to root.exe in the scripts folder. Open a browser on the IIS box, and point it at default.ida?XXXXX an Apache system running PHP and the script. If it works, it'll pop up a window on the IIS system.

      When you're done, remove root.exe, restore your default route.
  • Then there is a nice little Vulnerable Server Scanner [eeye.com] Provided by the people at www.eeye.com.

    It basicly looks for Vulnerable servers so that network admins can track them down and get the web admins to patch the machines before they get infected.

    Nice to see someone has come up with a clean, pro-active method to kill this little menace off.

  • Aftermath? (Score:2, Informative)

    by dohcvtec ( 461026 )
    The headline implies that the whole Code Red experience is over. I know everybody wants it to be over, but it doesn't seem to be over from where I'm sitting, looking at the sheer volume of logged packets hitting my firewall. So Microsoft has released a solution to the Code Red II worm. That's great, but now try to get most of the infected users to use it. I haven't seen any slowdown in probes from infected machines yet, so I'll believe it when I see it.

    • It definitely isn't over - Code Red Vigilante [dynwebdev.com] still reports dozens of attempted Code Red II attacks. Hopefully, at least some of the decaffeinations get through and get people to patch their machines.

      Port 80 may still be blocked by @Home, but I'm still getting attacks from other @Home customers. When are @Home's admins going to start cutting off the connections of infected machines? It's drastic, but it seems to be the only way to get the attention of some people.

  • Warhol Worm proposed: 15 minutes to total infectio (Score:5, Interesting)

    by molo ( 94384 ) on Saturday August 11, 2001 @12:32PM (#2122070) Journal
    • 2001-08-11 13:18:46 Warhol Worm proposed: 15 minutes to total infection! (articles,bug) (rejected)
    Since /. rejected this story, I posted it to the K5 Queue [kuro5hin.org] (only visible if you have a K5 acocunt).

    Here's the scoop (more meat at K5):

    According to an
    article [ncl.ac.uk] in the latest issue of the RISKS digest [ncl.ac.uk], Nicholas Weaver of UC Berkeley has written a description of a new type of worm, the Warhol Worm [berkeley.edu]. He believes that using a divide-and-conquer method, all vulnerable machines over the entire IPv4 addressspace could be compromised in only 15 minutes!

    `In the future, everybody will have 15 minutes of fame' -Andy Warhol

    • Beware of Interlock (Score:3, Insightful)

      by eddy ( 18759 )

      I've had similar thoughts. I've been reading Multiagent Systems: A Modern Approach to Distributed Artificial Intelligence [amazon.com] and with the Code Red outbreak, I've taken to reading it with malware in mind.

      What I've come to realize is that a worm could become real scary if its author, like me, were to be a fan of multi-agent systems. There's a plenthora of research on agent-to-agent communication, just waiting for that big experiment to take place.

      Ponder this: interlock. The worms work together to reach a situation in which a host cannot be cleaned without data from another host, and vice-versa, thus making disinfection extremely hard

      I've been sketching on scenario where relationships are created via the infection plus one level. if A infects B (first level of interconnect), then B would tell A about every other host it infects in turn (second level). These hosts would form a cluster, where each member is free to initiate contact with another and request services.One of these could be the encryption or decryption of data. Hosts would say "Please encrypt this data (hands it over) and return the encrypted result". Say host A tells host B this. Suddenly we're in a situation where we cannot simply disinfect host B, because if we do we'll lose the key that decrypts data on host A! Of course, the worms would negotiate the complement, and host A would contain the key to unlock data in host B. We then expand this scenario to a great interconnection between members of the cluster. We can strengthen the connections by allowing unrelated hosts to negotiate interlocks.

      In the same vein worms can negotiate and divide the search-space between them. Each worm could contain a compressed/simplified representation of the IP-search-space (just a couple of masks maybe? Haven't thought too hard about it). Relatives would communicate which parts have been scanned as to not duplicate (too much) work. This then becomes a parallell binary search!

      I think I'm gonna have to write a short doomsday article too, there's just so much cool things that someone wicked could do.

  • Some don't know they have IIS (Score:5, Insightful)

    by cvd6262 ( 180823 ) on Saturday August 11, 2001 @12:51PM (#2122131)
    "...it also gives you an option to permanantly disable IIS."

    This is a bigger fix than one might think. At the university at which I work, the major problem was not the sys admins who did not patch their servers, it was the professors who had Win2K Professional on their workstations with IIS on and didn't even know it. Some of them knew about the worm, even made sure that the department's IT teams patched their servers, but did not know that they were running a web server in their office, let alone that they were infected.

    • I'd really like to know how this happens.

      I'm on Win2K Pro right now, freshly installed last night. IIS is not running, because it isn't installed by default. You have to go to Add/Remove Programs and install it yourself. So how the heck do the Win2K Pro boxen that people run somehow spontaneously install IIS on them without their knowledge? IIS is installed by default on the server varieties of Win2K, but these people shouldn't be running those. So I wonder, what's going on?

  • Isn't it funny that they released a bonehead tool just after they found out that their own admins are boneheads?
  • Comment removed based on user account deletion
  • So first Microsoft says this in the description of the tool:
    Microsoft has developed a tool that eliminates the obvious damage that is caused by the Code Red II worm.
    Then they say this:
    MICROSOFT RECOMMENDS THAT INFECTED INTERNET-FACING SERVERS BE REBUILT ACCORDING TO THE GUIDELINES PUBLISHED ON THE CERT WEB SITE.

    It should be noted that among other things in the CERT guidelines, they tell you to do a clean install of your OS after you've been comprimised. So what's the point of this tool if MS thinks you should just R&R your OS anyways?

  • Conspiracy Theory (Score:2, Interesting)

    by hacker ( 14635 )
    Has anyone begun to think that perhaps Microsoft themselves has planted CodeRed and variants out on the internet? Before you mod me down, read on:

    CodeRed, the first version was fairly lame, and didn't infect beyond a separate IP block. Microsoft gets scared and realizes that their "iminent" release of WinXP might be blocked, or worse yet, shunned by the consumers. "Oh no, now we can't track all those stolen copies of Windows".

    Then CodeRedII comes out, a bit nastier, going after more machines. Then Microsoft is denied their appeal.

    CodeRedIII comes out, infection is much worse, and now opens the machine up to more attacks than before. It gets so deep into your Windows system that you must reinstall anyway. Not only that, but allows anyone who reads their logs to go in and cause damage ("polluting blame" as we say). Now compromised machines are being hacked in many more ways than just being opened up.

    What does Microsoft recommend? You download this "patch" (audit tool) which you run and then it "cleans" (audits) your system, then as their own CERT document recommends, you reinstall your OS (i.e. find your original, licensed install media, and hit our website for the latest (intentionally trojaned) copies of drivers and IE/ActiveSetup installation tools).

    What's a bit odd about this process though, is that Microsoft requires that you run their "cleanup" tool to purge the infection, THEN reinstall. If I'm going to fdisk and reinstall anyway, why do I have to run this "cleanup" tool? (audit?)

    Curious that nobody has thought of this angle. Why do we not hear about hundreds of FBI agents tracking down the author of the virus in the Faroese Islands or whatever. Usually these people are caught within days of the outbreak. There hasn't been a single peep about any investigation in two full weeks. It's not like we don't have a HUGE audit trail, we all have dozens of logs. Plot it out, find the dates/times, narrow the search,and find them.

    Oh wait, perhaps they're the same entity which supplied you with the infectable OS in the first place.

    What was that they were saying about Linux being "potentially viral" a few weeks ago?

  • And it keeps going (Score:4, Informative)

    by bonzoesc ( 155812 ) on Saturday August 11, 2001 @11:34AM (#2129563) Homepage
    I got this mail, and the problem is that people are WAY TOO STUPID to know what to do. If the microsoft patch can tell if it needs to do anything or not, RR and @home security should point everybody to it.

    From: security@cfl.rr.com
    To: Our Valued Customers
    Subject: Security Notification

    ROAD RUNNER ALERT

    VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

    Dear Road Runner Subscriber:

    Road Runner, like many other ISPs and, indeed, the entire Internet, has
    experienced an attack on its network that apparently is attributable to a
    strain of the Code Red virus. It is possible that this virus has infected
    the PCs of Road Runner customers using the Microsoft Windows NT Server or
    Microsoft Windows 2000 Server operating systems. Infected PCs may
    continue to flood the Internet and the Road Runner network with
    virus-generated messages (even without your being aware of it).

    Road Runner is working to alert all of its subscribers to this problem
    and to instruct them on where to find and install the patch necessary to
    eliminate the virus. In the meantime, Road Runner customers may
    experience slow network response, flashing data lights on their cable
    modems, and other symptoms (such as unusual port scan log activity or
    increased firewall activity) while Road Runner and the Internet community
    work to control the impact of this virus.

    IF YOUR PC IS RUNNING WINDOWS 2000 SERVER OR WINDOWS NT 4.0 SERVER,
    PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
    (www.microsoft.com/security) AND RESTART YOUR PC.

    IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOUR
    ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

    We ask for your patience while Road Runner continues to work with the
    Internet community to address this virus.

    Thank you.

    Road Runner Security
  • Unfortunately, I don't think that script will work. I don't have an IIS box to test on, but my NT 4.0 workstation will not shut down with that `rundll32 shell32.dll,SHExitWindowsEx 5' command. I get a dialog box to pop up saying ``Error in shell32.dll Missing Entry: SHExitWindowsEx''

    I have a PHP script set up to do a `net send %COMPUTERNAME%'. If I can find an FTP server with Microsoft's new tool, I may start downloading that with an FTP script and running it.

    However, I also heard that IIS doesn't run with many privileges at all on Win2k boxes. It may not be possible to do anything at all.

  • About time! (Score:3, Informative)

    by supabeast! ( 84658 ) on Saturday August 11, 2001 @04:29PM (#2129934)
    " it also gives you an option to permanantly disable IIS..."

    About time Microsoft showed people how to secure a Windows web-server! Turn off the web daemon! *sigh*

  • Leter from MS: (Score:5, Funny)

    by djocyko ( 214429 ) on Saturday August 11, 2001 @12:27PM (#2130794)
    From: Support@iis.microsoft.com
    To: Registered_Users@iis.microsoft.com
    CC:
    Subject: RE: IIS Code Red Worm Patch
    Attachment: Instructions.doc
    Body:

    Hi, how are you?

    We are writing you in response to the Code Red worm that has recently attacked our premium enterprise gold standard web portal system, Microsoft Internet Information Server. We have compiled a set of directions for patching the server, and have included these instructionsin a easy to read Word document. If MS Outlook didn't automagically open this attachment for you, double click on the attachment link above.

    If you have any advice on this file, please email us back!

    See you later!
  • That someone clever hasn't already written a bit of code that goes through their web logs and installs back orifice on all the compromised systems that have tried to scan them (over 3500 since last saturday, here.)

    Once your system has been compromised in this fashion, the only way to be sure is fdisk, format, and reinstall.


  • Linking to a page that could potentially shut down/restart your machine without warning is rude, virus or not.

    ~jeff

  • I'd be interested in seeing how the sales of Code Red [mountaindew.com] have correlated with the public's awareness of Code Red [eeye.com].

  • Dumbest thing they could do (Score:5, Insightful)

    by Talla ( 95956 ) on Saturday August 11, 2001 @11:52AM (#2131455)
    When a box has been cracked, you need to do a complete reinstall, as you can never know what backdoors has been installed. Sure, you can remove RCII, but while it was active, it would only take even the dumbest script kiddie a couple of requests to install another backdoor.
    • I still think it's better than nothing - many people simply *won't* wipe and reinstall, especially if it's not a corporate server, but just a small personal website in which security isn't exactly the number one concern. At least this tool will do a more thorough job than the manual attempts to clean up that would've happened otherwise.
    • And, depending on how much ethernet snooping the rooted box can do, change all passwords that may have been seen on that segment, and the passwords of the machine itself. The password database might have been taken as well. Maybe this will not affect a webserver, but the same passwords might be used on other machines and/or services. No backdoors necessary...
    • You are absolutely right. This tool probably couldn't detect secondary changes made to the machine's binaries.

      We have a policy of formating the hard drive and reinstalling the OS once a machine has been compromised. This policy applies to any OS we run. To make it easy we've automated the process. To test the process we reinstall all of the machines on a regular basis, even servers. We spent some time years ago convincing vendors like RedHat that this was a useful thing (think jumpstart).

  • Stop blaming microsoft (Score:4, Funny)

    by MeowMeow Jones ( 233640 ) on Saturday August 11, 2001 @11:22AM (#2135396)
    Blame the creators of C.

    They're the ones who are responsible for buffer overflows.

    • There are many other options when using srings in C, you are not required to use a limited array of char.. in this day, if you are security concious, you should consider all the possibilities when writing a program.
    • Blame Alan Turing, he invented stored-program computers...
    • Blame the bozo who designed strncat!

      This may not be the cause of this particular overflow, but it causes a very large number of them.

      The main reason you'd use strncat rather than strcat is to avoid buffer overflows, yet instead of the obvious choice of feeding it the buffer size, you have to feed it the maximum number of characters to add. So to use it to prevent buffer overflows, you not only need to remember the buffer size, you have to track the current string length!

      Avoid strncat! Even if you understand it, someone who changes your code might not.

      Make something more intuitive:

      char *buf_strcat(char *dest, char *src, size_t buflen){
      char *cur=dest;
      int i=0;
      while(*cur && i<buflen-1){cur++; i++;}
      while(*src && i<buflen-1){*cur++ = *src++; i++;}
      *cur='\0';
      return dest;
      }

      • Actually: authors of strncat() MAN PAGE and gets() (Score:5, Informative)

        by Ungrounded Lightning ( 62228 ) on Saturday August 11, 2001 @02:13PM (#2110920) Journal
        Blame the bozo who designed strncat!

        strncat() isn't a problem by itself. The problem is improper usage patterns.

        When you're builiding a string by repeated strncat()s to a buffer, and you don't have guarantees about the size of the things you're concatinating, you need to prevent (or check for) overflow, something like this:

        strncat(dest, src, MIN((BUFFSIZE-1)-sizeof(dest), chars_wanted_from_src));

        Without such an example in the man page it's easy to forget to guard against buffer overflow. And once code is writing with guards for overflow the guard code will serve as a reminder to later programmers maintaining or upgrading the code.

        But strncat() isn't the main culprit.

        Most of the buffer overflow attacks come from reading an input using gets(). That bad boy should have had a buffer size argument, ala fgets(). And it's the decision to keep it in the standard library "for compatability" that causes all the pain.

        The gnu compiler will warn you if you use it and the man page has a warning, so there's no excuse for it to show up in new code any more. And there's no excuse for not fixing ALL the warnings in a piece of production code, or for using (or writing) a compiler that DOESN'T warn about gets().)

    • Actually IIS is written in Visual C++. Blame M$, they left the buffer overflows available to use in the C++ libraries.

      I rarely use C's or C++'s overflowable library routines. If I do it's only in a quick hack. One dosen't need to use the standard library routines.

    • You're absolutely right. Note to self: If I'm every writing an OS, be sure to use java...
  • it also gives you an option to permanantly disable IIS

    Red Hat must be pleased that Microsoft is now bundling the Red Hat installer with their newest patch...

  • CI Host sucks rocks (Score:3, Informative)

    by The Big Bopper ( 150305 ) on Saturday August 11, 2001 @11:59AM (#2145599) Homepage
    My domain is on a shared Linux host at CI Host. For over one week now, starting August 2, my domain has been totally useless to me. I couldn't log in to update my content. I couldn't recieve email on the domain POP3 box. I couldn't log in with a POP3 client to download any mail that did sneak through. All this went on for over a week. I would call up on the phone and stay on hold forever... a couple of times I would get clueless technicians that would just say "It's the Code Red virus... our administrators are aware of the problem and will have it fixed as soon as possible". OK I gave them some time to get it fixed because half the internet was having problems with this. But then I noticed everyone else was getting better, and CI Host was still down (except their own www.cihost.com site, which was still aggressively selling service to new customers). I would open up online trouble tickets with them, only to have them get closed without resolution. I re-opened and escalated a couple of times and finally early this morning they took my server down to perform some kind of unknown maintenance and when it came back up it was running better than it EVER had before in the 2+ years I've been with them.

    If anyone is thinking of using CI Host, let me tell you THEY SUCK. About twice a year something major like this happens where I'm down for a week or more. In December of 1999 I went down for almost a whole month (their press releases will tell you it was a much shorter time than this but that is BULLSHIT).

    I'm looking at maybe switching to PrimeMaster Online (http://www.primemaster.com). Anyone here have experience with them?

  • Microsoft made this mess? Huh? (Score:3, Insightful)

    by tswinzig ( 210999 ) on Saturday August 11, 2001 @02:12PM (#2146173) Journal
    Michael writes, So, Microsoft has given you a mop to clean up the mess they made.

    No, Microsoft gave us a mop to clean up after the mess the Code Red author(s) made.

    You see, more than a month before Code Red came out, Microsoft gave us the patch for the security breach that allowed Code Red to take place.

  • Remind me again... (Score:3, Informative)

    by reemul ( 1554 ) on Saturday August 11, 2001 @01:16PM (#2146388)
    Which system did Ramen infect? I'm pretty sure it wasn't a Microsoft platform.

    Software has bugs. They get found, they get fixed, move on. The only reason MS exploits get more press and greater impact than Linux exploits is that MS is on more boxes. If, as you claim to desire, Linux takes off, the same people shrieking to the sky about what a crappy system MS has will be defending Linux and saying, hey, it happens. Stupid users who don't patch aren't Bill Gates' fault.

    It's just the same crap from folks who attack NT as buggy and crashprone (which is almost always due to 3rd-party drivers) while extolling the stability of Linux, which they keep rebooting because they have wonky drivers. A ha! they say, I was using a beta driver, its to be expected. Well, that driver has been in beta for over a year, that's as good as it gets. Software has bugs, move on.

    You want to ignore your own faults and start a religious war? I'm betting you can get some cheap flights to Tel Aviv right now. Knock yourself out.

    -reemul
    who wishes 2k wasn't so buggy, either, but doesn't want to hear the bitching from folks who need 2 hours and a phone call to a friend to get a soundcard working
    • Which system did Ramen infect?

      It attacked the brainstems of morons who had left notoriously insecure network-daemon software [linuxmafia.com] running unpatched for a year or more. That's what we call being too stupid to live.

      Rick Moen
      rick@linuxmafia.com

    • I always found it funny the RH worm was called 'Ramen', which is the plural of 'Raam' or in English: 'Window'.

  • Next step: automate it! (Score:3, Redundant)

    by Quixote ( 154172 ) on Saturday August 11, 2001 @11:31AM (#2146497) Homepage Journal
    OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?
    For extra credit: reboot twice, as Micro$oft recommends.
    For a straight A: fix the problem forever by replacing NT with Linux...

    • For a straight A: fix the problem forever by replacing NT with Linux...

      Shouldn't be too hard to alter one of the standard installers to:

      • Download a minimalist CygWin [cygwin.com] kit
      • Pull down a second-stage installer
      • Shrink a partition, live (might have to defrag first)
      • Add three new partitions in the shrinkage (swap, image, /var) using ReiserFS for the data partitions
      • Download and write a base Linux installation image into the image partition
      • Download and install suitable drivers for (e.g.) video card
      • Set up Linux config of network interfaces, DNS, webserver, video, etc from Windows config
      • Copy all active websites into /var/www
      • If any actually use ASP, download, install and use ASP2PHP [naken.cc] on them
      • Make the service pack ingredients available via HTTP so that daughter sites can fetch from here istead of home base
      • Break all passwords and copy them across to PAM (invent a new root password)
      • Put the new root password on the default background wallpaper
      • Reboot into Linux, auto-login as root, and restore DNS/web service
      • Migrate all (in case something didn't translate) Windows data into /var/WASWINDOWS
      • Set up a listener at default.ida to react to future CodeRed probes
      • Go through the logs and process all attacking sites

      What have I forgotten?
    • I mean Michael went to all the trouble to link to such a script and all, a few tweaks and you've got what you asked for.

      It's a pointless enadeavour though. Of the 1300+ unique hosts that have bounced off my apache machines in the last ~70 hours, only 10 seem to actually be accepting requests for root.exe... the rest throw back either a 404 or a 403, with alot refusing connections, or just returning a "server overloaded" message. Of those ten accepting requests for root.exe two returned some kind of funny response, one redirected to goatse.cx, and the other seven seemed to actually accept commands.
    • OK, who can write a perl CGI script that will, on connection from an infected host, send the appropriate commands to root.exe; download the tool; and run it?

      That only works if the server is infected by the version that installs the trojan.

      With a little more work one could take advantage of the fact that being infected by any version of the worm shows the server is vulnerable to the original buffer-overflow attack. So one could:

      Get a copy of the worm.

      Modify it to take the web server down (or whatever) rather than infecting it.

      Install a launcher for it as default.ida in the document root of your webserver.

      Note that by now any worm-infested machine - benign or backdoor version - may have several diverse rootkits installed. So it should be reinstalled (preferably with linux or a BSD and apache B-) ) rather than cleaned out and patched. And a machine infected with the benign worm, if merely crashed, will no doubt be brought back up and eventually infected with the backdoor-installing version.

      Some authors of retaliatory-strike software will no doubt chose to disable the web server on a more permanent basis - as by removing the unpatched DLL (along with the several backdoors the worm installs - see a patch tool here [securityfocus.com]) - rather than merely shutting it down.

      While this may get them in trouble, chosing to reformat the drives would be a hostile action, since it might destroy unbacked parts of the web site. (It would also likely lead to the administrators installing a backup, complete with vulnerability. So it is a less effective retaliatory strike.)

      Finally: I do NOT recommend actually doing this, as it may be illegal. The more damaging alternatives certainly are illegal (and also unnecessary, given the availability of less damaging alternatives).

  • Anybody who thinks... (Score:4, Insightful)

    by talks_to_birds ( 2488 ) on Saturday August 11, 2001 @12:56PM (#2146754) Homepage Journal
    ...this is at the "mopping-up" stage is nuts.

    08/10/01 I received a total of 132 probes to tcp:80 on my 12.82.x.x dynamic IP via my dialup to worldnet.att.net

    These are exclusively from other dialups and small-scale hosts in AT&T's 12.x.x.x class A; AT&T has introduced ingress filtering and I'm seeing almost nothing from outside (Note: almost - some stuff is still leaking through..)

    But the problem is the enemy within: there's got to be thousands of home/SOHO small systems, maybe single boxes, put together by the hotshot early-adopters and techno-yuppies who think it's cool to go through the checkout stand at CompUSA and purchase a copy of Win 2K Professional, or whatever, and put it on their home systems with all the bells and whistles installed.

    None of these boxes are under *any* formal administrative control, and it's going to be up to each and every one of these thousands of techno-yuppies to patch each and every single one of their boxes.

    So far today 08/11/01 at 10:00am I've had 69 probes.

    As far as I can see, getting all these systems disinfected and patched hasn't even started yet.

    t_t_b

  • Not the mess they made... (Score:3, Insightful)

    by shagoth ( 100818 ) on Saturday August 11, 2001 @11:20AM (#2153864) Homepage
    It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins.
    • What is the point of your message? Do you think
      posting it enough will make such lazy sysadmins
      go away?
    • Looking through my logs, I think it's more likely that it is home users that are infected now, a lot of DSL users on dynamic IP addresses are hitting me.

      I haven't seen it posted here on Slashdot yet, but there's a neat little Java Applet (it's even GPL) over at:

      http://www.dynwebdev.com/codered/ [dynwebdev.com]

      It auto-replies to any machine that tries an .ida exploit against you, popping up a Net Send message on the computer, so hopefully someone will notice and patch the machine...

    • Re:Not the mess they made... (Score:4, Insightful)

      by mikethegeek ( 257172 ) <blair&NOwcmifm,comSPAM> on Saturday August 11, 2001 @11:28AM (#2141758) Homepage
      "It's the mess left by lazy admins who can't be bothered with security patches a month before a worm comes out to exploit them. Shame on the NT admins."

      Does this really surprise anyone? MCSE's are trained (and tested) to solve everything by "reboot, reload, reinstall", because Microsoft's way is to "take the easy way out" instead of actually FIXING the problem.

      And, so many MS service packs BREAK servers and software when installed, can you also not blame people for NOT rushing ot install them? Even where I work, where we do OS compatibility testing on servers we don't start using new MS service packs until they've been tested and found safe by our internal test group...

      I for one expect use of IIS to drop as a consequence of the Code Red virus... Were IIS open source, these holes and backdoors would have been seen LONG ago and fixed. Apache runs MUCH more of the web than does IIS, yet you don't see anywhere near the number of bugs, exploits and DOS worms as does IIS.

      • Talking about rebooting - check this news.com video out [cnet.com].

        Everybody but Bill Gates thinks it's pretty funny :)

      • Re: (Score:3, Insightful)

        by account_deleted ( 4530225 )
        Comment removed based on user account deletion

      • Re:Not the mess they made... (Score:4, Insightful)

        by sheldon ( 2322 ) on Saturday August 11, 2001 @01:32PM (#2146609)
        Just a correction... Apache does *NOT* run MUCH more of the web than does IIS.

        You just have to go look at the Netcraft survey's to understand. In the past they've pointed out that half of SSL enabled sites run IIS. Then about a month or two ago they started trying to identify individual machines and found IIS/Windows combination again on half of the overall web.

        What we do know is that Apache is used in many more cohosting situations. Jimmy and Susy set up a web page and pay $0-10/month for it. Is it a signifigant thing that companies providing low price service with no service level agreements use a free OS/web server? I don't think so, but you be the judge.

        Two other points:

        Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

        You should *ALWAYS* test patches and new releases before installing them into a production environment. That applies not only to Microsoft, but also to Linux, Sun, HP, Oracle, Peoplesoft, everything!

        In our testing service packs don't usually break apps. But they do have a tendency to break drivers or low-level hardware monitoring tools provided by the manufacturer. Is this surprising? No. Again we have the same problems on our Unix servers with OS patches.

        • Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.

          Its true that Microsoft put out a patch before the virus took off, so that's a good thing. But Microsoft releases patches all the time, and that is a bad thing. I'm on the security mailing list from MS, and I get at least 3 or 4 alerts a week. I'm also on the slackware list, and I have received 3 or 4 alerts in the last six months.

          The reason for this is because Open Source projects tend to fix their security bugs before they are released. If Apache shipped with something that allowed this kind of remote exploit in one of the 2.0 betas, there is a better chance that someone else out there will see it. What is the chance that someone can do an independent security audit of Windows XP?

          Closed source can be perfectly good at closing holes, if the company is as big as Microsoft. But Open Source is much better at closing those holes before they are shipped: many eyeballs make all bugs shallow. Open Source doesn't catch every bug, of course; but enough are found that when the odd hole is announced, it is a big enough deal that the patches are more likely to be installed.

          Closed Source hurts Microsoft security in more ways than one. Not only are all default installations compromised, but since so many new patches come out every week most admins don't keep up with them. While this is partially the admin's fault, it is also the fault of the software model that prevents these problems from being found quickly.

          -Mike

          PS: how do we know that "Microsoft fixed the problem before there was a problem", anyway? The patch came out before this big worm hit, but how many servers were quietly compromised in the last year?

        • Microsoft fixed the problem before there was a problem. I don't see how Open Source would be any better in this regard.
          When my favorite open-source project [debian.org] discovers a security hole, it releases the patch in such a way that you can install it with a single command. Microsoft has an equivalent to this -- it's the "Critical Updates" section of the "Windows Update" facility. They frequently put important security and bug-fix patches in this section, so that Windows users can easily access them. This also makes it easy for site IT staff to encourage users to keep their systems up to date.

          The default.ida patch, a fix for a root-level compromise, was not placed in Critical Updates. Without either searching the site or being told of the correct URL to download the patch, users could not find it. People who used Windows Update religiously in the expectation of keeping their systems up to date were screwed. Sites which instructed their users that setting Windows Update to perform automatic updates would help keep them secure were screwed.

          Once again, Microsoft created an expectation and failed to live up to it.

    • On top of that, the admins who missed repeated pleas from both Microsoft and Government officials urging them to install the patch, not to mention all the publicity the pleas and the virus made on CNN (both the website and on TV), other major national news networks, and even my local (Washington DC area) television news stations.

      • Microsoft's Problem! (Score:5, Insightful)

        by wirefarm ( 18470 ) <jim@mmdCOWc.net minus herbivore> on Saturday August 11, 2001 @11:59AM (#2116333) Homepage
        This is what happens when you give admins a false sense of security.
        After all, they became an MCSE after a couple months of hitting the books, rather than a few years of hacking old hardware. They got a certificate and the sense that the Microsoft way is the best way - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.
        Some of my friends are MCSEs. - Not all of them are 'hackers' who actually watch what happens in their systems. They trust that MS will send them a shiny new CD with a 'Service Pack', along with a few other goodies to play with when an update is needed.
        The problem is compounded by the fact that these Win2K CDs got passed around - Microsoft knows this and whether or not they admit it, it's part of their marketing. From what I've seen, I'd suspect that the bulk of the problems are coming from the home users who are running a borrowed copy of Win2K on their PC/Cable Modem setup. The ones who don't get the service packs and don't log into Microsoft.com too read the bulletins for fear of being asked for proof of purchase.
        You Microsoft has these thousands of unlicenced customers that they know are using their software in a dangerous manner - Everything installed, every service running - all the lights on, but nobody home. What is MS's liability?
        With all of the talk about the signifigance of an AOL icon vs. an IE icon on the desktop, MS *knows* how people will react when running an install - They know that if the user gets a dialog that says "Activate IIS?" that an unsure user will probably say yes, even if he has no idea what IIS is or what the risks are.
        Microsoft has got to accept the blame for this mess - It is their doing.
        Unfortunately, this is the first step in the process of requiring people running servers of any kind to be *licenced* - Now won't that be fun?

        Cheers,
        Jim in Tokyo
        • Here is my disclosure: I hold an MCSE (I also hold Linux Professional Institute Level 1, Server+, Network+, A+, and Inet+ certs but that is beside the point).

          The Windows GUI follows many of the same design principals that Mac followed for years which is why Apple never marketed the Macs as servers-- the abstraction is great in a workstation but in a complex server environment it is dangerous not to have the ability to participate in the system in the way one does with UNIX. Apple sold servers too, but they ran on UNIX.

          Now you have trainied monkeys who think they know everything about NT, which really ammounts to "reboot when it bluescreens." They think that they are secure because of the quality of Microsoft's software. Yet they don't know really how TCP works so they have no clue how to begin to think about security from the outside-- all they know is security from the inside which is all the exams cover, and all Microsoft want's you to think about because that is where they have the most features (yeah, if yo can break in from the outside, you can break in from the inside, though).

          So now, Microsoft has issued a patch to remove a backdoor-- one loudly advertised. Where is the ecurity in that? They should have, on their web site, in no uncertain terms, exactly what their engineers are telling their customers and exactly what the rest of the security community is saying: If you are infected, reload your computers.

          There is false sense fo security in using this patch. Your IIS server has a backdoor which was heavily advertised to the net. Anybody could have installed another backdoor and you, as the admin would probably never find it. Not, at any rate, until someone used it to deface your site, publish your confidential information, destroy critical information, or other such activity...

        • Re:Microsoft's Problem! (Score:4, Informative)

          by MrBogus ( 173033 ) on Saturday August 11, 2001 @12:55PM (#2140414)
          - If you don't understand what a dialog box is asking, just hit 'Enter' and go with the recommendation. That's how IIS got installed on all of those PCs and this 'Default.ida' nonsense too. I still don't know what a 'default.ida' is used for, and I'm a pretty technical guy. - Something to do with indexing? Whatever.

          Since you asked... Most people install IIS because they want to serve HTML or ASP pages, or maybe just FTP.

          What Microsoft doesn't tell you is that Internet Information Service_s_ automatically installs a bunch of other ISAPI services which enable crap that you most like do not want. Examples include:
          + The ability to query Index Server indexes (idq.dll)
          + Internet Printing
          + Remote data queries
          etc etc

          Some of these things, particularly idq.dll have *repeatedly* had security holes. And that's why installing the the patch is not a fix, because it's only a matter of time until Code Red IV is exploiting another IIS bug to similar effect.

          The real fix is to disable the extention mappings for things like .ida/.idq and so on (UI is buried in the Computer Management console), and then sleep at night because you don't have to worry about most of the IIS patches. Of course, neither Microsoft or the mainstream media, or slashdot for the most part is offering this advice. (Somewhere buried on their site, they have a 'Securing IIS' document where this is the #1 recommendation, but since they aren't getting the word out, their ass will be bitten hard again.)

          And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuraiton. Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.
          • The real fix is to disable the extention mappings for things like .ida/.idq and so on

            The real fix is to install some other web server. If it supports PHP you can also migrate your VB ASP scripts using ASP2PHP [naken.cc]. But maybe you don't want to drag extinct-but-doesn't-know-it-yet methodology and technology across to your shiny new server?

            And... since you're changing such a major server component, why not change the whole server so that you're not, one day, forced to upgrade to Windows XP and bleed money for insecure software for the rest of your life? Install Service Pack MAXINT [linux-mandrake.com] today!

          • And the REAL real fix is for Microsoft to ship Win XP with a sane out-of-box IIS configuraiton.

            Actually a real fix would be to move away from monolithic programs. But NT since process creation is expensive under NT multi threading (of multi function programs) is prefered

            Anyone who needs value-add services can certainly find a way to turn them on. If Linux distros shipped with a thousand Apache modules installed and configured, you'd probably have much of the same problems.

            Except that it would be less of obscure to find a fix. IIS isn't modular...

Slashdot Top Deals

E = MC ** 2 +- 3db

Close