Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
The Internet

Code Red! All Hands to Battle Stations! 445

Posted by michael
from the bring-your-debian-install-CDs dept.
We had thought we were done with Code Red last week, but CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD [?] isn't stopped in its tracks. Even Scientific American has a story about it. Cringely tells us that the true threat is servers with mis-set clocks.
This discussion has been archived. No new comments can be posted.

Code Red! All Hands to Battle Stations!

Comments Filter:
  • would only approach systems that have subscribed to this as a service.

    inform the Administrator of the system (through email

    some sort of confirmation/activation/deactivation process available to the Administrator

    I've got an idea too! How about an "opt in system" where system administrators get emailed a location to where the "patch" is! That way they would:
    1) Be informed of the problem.
    2) Told where to get the fix
    3) Have some sort of confirmation/activation/deactivation process available to the Administrator

    Or how about a web page where users could find updates [microsoft.com]?

    Or maybe a site that tracks bugs [securityfocus.com] in software?

    And all that without having to have microsoft send out more stupid worms.

    My point is that if people don't use the tools already availible, why would the take the time to opt-in to this program?


    -- Zack
  • apart from 127.xxx.xxx.xxx and 224.xxx.xxx.xxx


    Eh? You're getting queries for your web server from multicast addresses? Interesting.
    --
  • And you know what? He's right. The fact that 13-year-old kid with "off-the-shelf" script-kiddying tools can cultivate an army of bots and anonymously attack any site he wants is a very large flaw in the world of computing and deserves a lot of attention. Scare tactics, while somewhat repugnant, are effective, and Gibson sometimes uses his powers for good as well as evil.

  • All the articles I've read about Code Red seem to be carefully avoiding pointing the finger at Microsoft.

    A statement like "Microsoft IIS servers run less than 25% of the Web, but the congestion created by the attack could affect all servers" would be accurate, informative, and make it clear that the problem is caused by a minority of systems. It would also make PHBs think twice about implementing IIS.

    How do we get this message out to PHBs everywhere?

  • Don't think that just because you're running a Linux distribution that you're safe from worms. Anybody running portsentry or snort can tell you about how many times per day they get a portscan on their system looking at port 111 (rpc.statd). Linux is not a magic bullet; it takes discipline to keep up with the exploits no matter what operating system you use to connecto to the net.
  • Hey! No need to be sorry for speaking the truth.
  • by jd (1658)
    If the Internet crashes badly enough, then the tech monstrosities that run(?) it might be forced to install modern (ie: > 18th century) technology.

    The string & tin-cans currently used on the backbones and trans-atlantic link might be a cool hack, but they are a little short on bandwidth for serious use. It's got to the point where those who built the Internet in the first place have had to jump ship, and start from scratch, just to get the necessary bandwidth.

    I -hope- that the failures are major enough that QoS technology is deployed, not just decorated. I -hope- that delays become bad enough that terabit pipes become the norm, not just a pipe-dream. I -hope- that this scares ISPs and corporations into enabling ECN, IPSec and possibly even IPv6.

    It is only in times of adversity that technology really changes. We have an adversary, we HAVE to defeat it, and that means we HAVE to change.

    IMHO, viruses, trojans, etc, are evil. But in destroying their evil, we have the opportunity to rid ourselves of some of our own.

    This probably sounds a sick way of looking at things, but the fact is, we HAVE the means to prevent Code Red. We have, for many years. It's because system admins have always argued that it's not worth dealing with threats -before- they happen, that we're in the situation we're in.

    Inertia is mankind's second-greatest enemy. (Jerry Springer narrowly beats it.) Damned is the person who does nothing, because they couldn't do everything. This entire fiasco could well give the impetus needed to overcome that inertia.

    On the other hand, I'm inclined to think that everyone'll just panic, but do nothing, and actually be over-run. Needlessly and stupidly. But, then, that's people for you.

  • I collect patches. (I even make the collection available, online. It's running at 17th or so on the 20 most active Sourceforge projects.)

    Mind you, I collect all sorts of odd things. One time, I was into collecting comms software. I had over 30 for the PC.

    Another time, it was MUDs. I had practically every MU* server on the planet. (LP, MudOS, Pernmush, Tinymud, Tinymush, Pennmush, Ubermud*, Tinymuck, Abermud, Circle, LambdaMOO, etc)

    *Ubermud was the first truly distributed MUD system. Processes could migrate between the Uber servers freely, provided the necessary database entries existed. It was truly ingenious for it's time, and nothing more recent really compares.

    Of course, *Trek games were great for collecting, too. XTrek, Netrek (Bronco, Vanilla, KSU, et al), the briefly-lived Paradise development line, etc.

    Compilers and interpreters are cool, too. That's one reason I'm fluent in something like 10 computer languages, and am OK in about 7-8 more.

    Of course, collecting has its down-side. You need a LOT of disk space, a LOT of time, and a LOT of bandwidth. The stuff will never be worth the tens of thousands of dollars that stamps, or other "physical" collectables, will fetch in time. And they require active steps to preserve. A teddy bear, if stuffed in a box in the attic, will usually do ok for 40-50 years. Netrek, on a 3.5" floppy, would be lucky to last a tenth of that time. Even if there was still anything that would read it.

  • Anyone with the naivety to run IIS is, IMHO, automatically suspect when it comes to doing anything technical, such as setting a clock.
  • Considering the nature of this thing, when it went dormant, probably most people just forgot about it. It doesn't really need to spread again, since it's still out there all over the place.

    This is not really all that different from an average virus-- it spreads for a while, activates, causing a lot of damage and panic and such, people panic for a while, it deactivates and spreads some more.

    The people who are all worried about it coming back repeatedly should be at most disappointed that it doesn't just kill itself after a month. But there's no reason they should expect it to.

    In fact, this is still less of a problem than an old-style virus: it order to stop those, you had to get a clever program to catch and disable this code. With Code Red you merely have to patch or replace IIS and it stops being an issue.
  • I'm still getting

    "Hi! How are you?
    I send you this file in order to have your advice
    See you later. Thanks"

    spam in my mailbox...

  • This newswire article [yahoo.com] quotes various people in China claiming that obviously the worm didn't come from there because Chinese servers aren't getting infected, and besides, the worm is just too complicated for an individual to create. The reporter bought it. Had he bothered to do some research, he'd have known that the worm is coded to only infect English (US) language servers, and in all likelyhood it was coded by a (Chinese?) teenager with too much time on his hands.

    (Well, okay, it does run on the non-English servers, but it doesn't deface them...)
  • Perhaps the fact that this guy got modded to 3 with such baseless "logic" is an indication that there are some xenophobic moderators around? Guys, mod this misguided moron down!

    My point, had you bothered to think about it, was that the reasons given for why the worm couldn't have originated in China were obviously wrong, and had the reporter been competent enough to do a modest amount of research he'd have seen that.

    Sometimes the obvious answer, namely that the worm really was written by a lone cracker in China, really is the right one, no matter how un-politically-correct it is. However, we don't really know, as I indicated with "(Chinese?)". I'm just curious why the reporter's mainland Chinese sources felt it necessary to dispense obvious misinformation. It's probably just a reflex action from a lifetime in one of the more brutal Communist dictatorships.
  • "The Lazarus Worm"

    Great title. If you'll hurry up with that screenplay maybe we can get Robert Urich as the title character and it can be the "Tron" sequel.

  • Actually MSNBC (the cable channel, haven't looked at the web site) just had someone on explaining this who didn't do too badly considering the audience he was trying to explain it to, and they even put up a graphic showing which *Microsoft* products were vulnerable. They forgot the "We're a joint venture of..." disclaimer, though.
  • I'm pretty sure that White Lightnin' was a Mountain Dew wannabe. I never saw one until several years after Mountain Dew came along.

    Here's a link to the story of its creation (Mountain Dew) in Knoxville, Tennessee (I'd always heard that it was started in western North Carolina) from an AC's reply to another post of mine.

    http://metropulse.com/dir_zine/dir_2000/1039/t_sec ret.html

  • Being a Mountain Dew drinker since they had a hillbilly on the bottle, I tried Code Red out of curiosity and don't see how anyone could stand to drink an entire bottle, much less copious quantites of it, and wouldn't trust any work done by anyone who did. It's that bad.
  • another story to add to the mounting piles of crap that /. editors have been posting lately.

    I have found that by going to other sites I am getting better coverage than /.

    I have been an advocate (and even annoyed that people were complaining about the journalism here) but this is getting ridiculous.

    Repeat posts, The Onion like garbage, etc is all getting to me.

    Clean up the act boys.
  • The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable.

    Given that at least four components are necessary for a crack to be effective, removing any one of them will prevent the problem. These components are: malicious code, vulnerable service or device, access to same, lack of fixes or unwillingness to apply available fixes.

    Evolution suffers the same type of problems. Hypermutation was recently discovered in components of an immune system and many hands were waved about what this proved. What was not explored was the nature of the mutations. They are almost deliberately allowed to ``go wild'' within very strict bounds, and the result (which would be disastrous outside the immune system) is that a large set of possibly useful responses are produced and tried as antigens in a very short time. However, if any one of a large set of very specific conditions were not met, hypermutation would be lethal. And you can safely bet that any retractions of the previous headlines will be four lines of fine print on page twenty.

    So, given that convenience will tend to be chosen over better security (and partly becuase if an administrator goes for a more secure but less convenient solution they may actually suffer a greater security problem by encouraging (for example) undocumented sharing of passwords), a solution such as replacing Windows plus IIS with Linux/*BSD/whatever plus Apache will actually work, and much better than telling users and administrators that they're idiots. They either know that and have to live with it, or don't know it, never will, and will be annoyed every time someone tries to point this out.

    ASP2PHP [naken.cc] exists, and works, so there's no really sound reasons left for running IIS. It's also (especially in the name of avoiding monoculture) worthwhile checking out alternatives like Zope [zope.org]. The combination of an inherently more reliable service, and automated updates (I know that Debian, Mandrake and RedHat - at least - have these) will remove a vital section from the crackers' stairway to heaven.

    Where Mr Gibson does score is in that not everyone needs to be running vulnerable servers to swamp and drown the Internet. Just enough twits to do the job. I'm currently wondering what social effect would drive IIS market penetration up 4% at the very instant this it's been shown to be a public menace. Again. Remember that it's been copping buffer overflows for the best part of a decade now, and doesn't look like stopping.

  • ...after all, they've given up on Microsoft DNS for themselves, and MSN's outsourced web hosting includes Apache. There's nothing to stop them from telling Apache to lie about who it is, and use something like ChilliSoft for their own web services, and after that it's not such a big step (remember Apache's licencing) to MS-Apache. Then they can explain that they outsourced development in order to be able to focus on .NET, can't they? (-:
  • ASP2PHP [naken.cc] will pretty much solve that little issue for you. And remember to set up your new Apache-on-Linux installation for automated security updates. We work while you sleep. (-:

  • Go back and have a look at the old security alerts. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. I'm sure you get the idea. And every one of those means, effectively, root access on that box. The only saving grace is that Windows systems generally don't have the full spectrum of interesting network tools available that Unix boxes routinely do. I'm not sure how to call that an advantage, but I do know a number of people (think Mundie) who probably could.

    We should petition Microsoft to Open Source IIS, purely as a matter of self defence.

  • I agree about stability of Win2000 - it's a lot better on my laptop, but I still manage to crash it occasionally (most recently when launching Outlook). I don't remember ever managing to crash a Linux or Solaris box.
  • No, I suspect that the cure Cringely is teasing us with is a countervirus.

    If these putzadmins can't or won't patch the holes, then a "white hat" virus can use the same holes to apply the patches.

    I'm not endorsing it, just making a prediction. (But it does have its elegance.)

    --

  • you dont have to run unix to run apache the win32 port is dreadfully easy and comes with lots of docs

    I run it when I want to be quick and dirty on an NT box with the win32 port of perl for CGI so that webfools can get to grips with things rather than screw up my systems

    regards

    john jones
  • /.
    When NT came out, it was supposed to be based on code stolen from the VMS system, which has truly phenomenal stability - equaled only by a few linux kernels. The advertising, and the legions of MS-shills in userland (who at that time were gunning for OS/2) gleefully proclaimed that NT was stable enough for the enterprise.
    I tested NT extensively and found that 3.51 was basically stable enough for user desktops - it crashed about as often as a Macintosh. But the computer press behaved exactly as they do today in regards to W2K - "It's uncrashable! Rock-solid! No more BSOD!" ranted the pundits.
    When 4.0 shipped, suddenly the previously "rock solid" NT 3.51 was not a stable platform - you had to upgrade to 4.0 to get the exact same empty promises and gleeful raving. My tests showed no phenomenal improvement, however.
    So, perhaps W2K is really stable and wonderful and all that nice warm fuzzy stuff. But, fool me once, shame on you; fool me twice - shame on me. I won't be buying W2K because I have known working alternatives from sources that have not abused my trust.
    --Charlie

    PS - HP (vendors of the unbelievably horrible HP-UX) were advertising Windows NT using the word uncrashable only a year ago. Just now a quick search on Google turned up numerous instances of this egregiously fraudulent claim... are W2k's promises likely to be any different?
    --CTB
  • Don't you ever read that EULA before you install?

    MS (and every other software company) have you agree not to hold them responsible for any loss of any kind (and due to any cause... even negligence). If I were a computer company, I'd have you agree to the same thing.

    Now, the question for the lawyers is if the negligence is to the point that they are in breach of their portion of the EULA, which would put the users in a position to demand something in return (service, patches, upgrades, money, bill's head on a platter, etc).

    -Chris
    ...More Powerful than Otto Preminger...
  • I'm getting irritated on this one, too. My userbase is only just into double figures, but I've had something like 20% of them ask me if they have to do anything to their machines to guard against this. On this scale it's only an irritation - but it's daft.

    If they'd only prefixed the bulletins with a simple rider that this only affects website operators (to word it for the users, remember) and that home PCs are fine, this would be better. Users wouldn't be panicking for no good reason, we'd all have a more peaceful world.

    Why can't people think harder?
  • I suspect this [apache.org] is the cure.

  • No, he really goes off on the off-clock machines.


    As long as even one of these clockless machines remains up and running, Code Red will start over on the first of every month. Forever.


    I don't know WHERE he gets that idea. As long as ANY machines still have the work and ANY machines remaine unhardened, we'll still have this problem.

    BAD JOURNALIST! NO BISCUIT!
  • I just cracked the advanced *32-bit* encryption scheme used on Microsoft IIS with my hi-tech Pentium processor - even with the logic bug. Boy did it heat up my apartment doing all those calculations - I have the AC on and it's the dead of Winter here in Siberia! I found out this *top secret* information from the source code about what IIS stands for:

    • Is It Serving?
    • Idiotic Information Server
    • I Ignore Standards
    • I'd Invest in Sun
    • It Is Stupid
    • It Irritates Sysadmins
    • It Irritates Surfers
    • Information Is Stopped
  • No, he's a proponent of promoting Steve Gibson. One year it might be polymorphic viruses are going to kill all our computers [vmyths.com], the next Linux is going to kill the internet [vmyths.com].
  • And Cringely is just reposting Gibson's alert, and Gibson has shown himself to be clueless.

    As The register [theregister.co.uk] pointed out, if the clock is misset so that it's in infection mode, then it's just going to find that the servers it infects AREN'T in infection mode, so the whole mis-set clock thing is a red herring.

  • Come on, I wouldn't believe anything Chinese officials say, but I definitely wouldn't believe anything any Worm-author would like me to believe either.

    If I were a nerdy Slashdot-reading Worm-writer I would probably think it a good idea to frame the Chinese. And start my infection spree by attacking some Chinese servers first. Next time he'll try Saddam or Milosevic (I heard those stupid Dutch gave him a computer in his cell).

    Why the White House? Simply because it makes for a more visible target, publicity is what these guys are after.

    Of course it could be the (a?) Chinese, but it could be anyone else on the planet with the necessary skills.

    Regards,
    Xenna

    Disclaimer: The fact that I have a Chinese girlfriend does not influence my opninion in the least. And, no, it wasn't me.
  • What really gets me is that many people (read: Admins) still don't know about this worm. With all the publicity it's gotten they still don't know. Never mind the fact that the problem is known to the point that a patch has been officially released (for about a month and a half now) and that these people still haven't gotten around to installing it yet. That's incompetent if you ask me. IMHO every person should be accountable for any machine they put on the Internet. They should be responsible for at lesat the basic security practices. I had a friend who had his car stolen a few years back. The insurance company wouldn't honor his claim because in the police report he told the cops that he didn't lock the doors. The insurance company had a clause that stated that the owner was responsible for the basic security precautions and they gave a short list of no brainers. Locking the doors was one of them. Not leaving the keys in the ignition or in plain site through a window was another. I think similar things should be applied to publicly accessible machines. I just don't know how something like this would be enforced. Any ideas?

    --

  • What in the world are you talking about?

    --

  • I also know that RedHat was criticized for having Apache and several other services running as the default behavior. So the later versions (7.x) don't default as web servers, and the users need to configure them to get them started.

    I also believe that this is true for the other distros. Now with XP coming with sockets, I can just imagine the new impact that will have.


    Steven Rostedt
  • OTOH, almost every Unix box on the net has Perl these days, so, except for some bootstrapping code, it could be network independant. Also, compilers (and cross-compilers) are more prevalent.
  • "Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all. "

    s/Apache/Sendmail and Robert T. Morris did it over 10 years ago.
  • You know it and I know it, and I am certain that most people here on /. know it, too.

    I tend to wonder if these "viruses" we have been seeing are merely "shots across the bow", so to speak. I mean - why hasn't a virus as you described come out yet?

    Most of the source code to these viruses is available for free, if you know where to search.

    It is obvious that MS products are buggy, full of holes to exploit, and rarely patched - not to mention that users of the systems tend to be lazy and ingnorant about security precautions - constantly clicking to see the next naked Brittany Spears image - so why haven't we seen true chaos yet?

    Worldcom [worldcom.com] - Generation Duh!
  • Actually, I probably am good enough to do this under Windows - but I hate M$'s business practices, and their software is shit.

    I am a Linux "convert" - I run SuSE Linux 7.2 at home, currently learning Perl. At work I do VB and Java coding. I have seen the code of the ILoveYou virus - it is dead simple. I am certain these other "viruses" are similar in scope. I am aware of various virus coding sites, and I keep up from time to time on the "underground" - side hobby of mine.

    I could probably patch together such a "virus" as described, and even release it without leaving behind a "trail". The only thing keeping me from doing anything like this is that I know ultimately it wouldn't benefit anybody, not even myself - and would be unlikely to affect Microsoft, either. All it would cause would be anger, lost time, and money. So why do it? Of course, all of these other viruses out there do the same thing - so someone either is really fucked up in the head, or there must be some kind of motive.

    Boggles me...

    Worldcom [worldcom.com] - Generation Duh!
  • When the Morris worm hit, around 10 years ago (IIRC), it was on all the major newscasts, and on the front page of many papers.
  • Hey, this isn't as serious as they make it out to be. The government is just concerned because they were stupid and choose Microsoft servers and probably think that's what most people use. The truth is though that Microsoft only accounts for 20% of the servers out there, but Apache runs on 63% (see Netcraft Web Survey [netcraft.com])

    With any luck, this will just wipe Microsoft servers off the map. Check back next month to see Apache hit >70% on the Web Server Survey.

  • Funny, another highly visible vulnerability in a Microsoft operating system. You think that sometime soon, people would start waking up and choose a more secure and efficient OS for important servers (like BSD or Linux of course.) There is an old adage that 'nobody can get fired for buying 'Microsoft' (used to be IBM). Well, maybe it's time that changed.

    When people make statements like this;

    The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems.

    and then call this worm,

    the largest ever dangers to the Internet.

    and then go on to state

    Code Red exploits a flaw discovered in June in Microsoft's Internet Information Services software used on Internet servers. It is found in Windows' NT and 2000 operating systems.

    When are people going to put the pieces together and start holding the people that choose Microsoft and maybe even Microsoft responsible for these things?

    Of course this is only a pipe dream. There are too many people out there willing to believe Microsofts propoganda.

  • Maybe you should check out the figures at Netcraft's Survey [netcraft.com]. Apache runs on over 63% of the web servers out there and MS IIS is only on 20%. I would bet that most of those Apache servers are running BSD, Linux or Solaris. The only reason that Microsoft has such a large share is that it takes a few Windows servers to do the work of one Linux server, so companies deploy more of them for their websites. Look at Microsoft's own attempts [slashdot.org]
  • [EDITOR] "Cringely, you useless fuckhead! Its deadline! Just make something up, 90% of your readership is so clueless, they won't know the difference. Ignore the 10% who have a clue, they won't bother reading our site for much longer."

    Although he mostly misses the point, especially about how any single unpatched server will somehow relaunch CodeRed every month, I'll agree that port 25 probes are on the increase here. But as more and more machines are patched, the problems and reinfections from this particular worm will eventually become lost in the noise. I am looking forward to new, better written nasty IIS worms over the next few months.

    It can be retargetted from whitehouse.gov to ... cringely.com in an instant.

    Thanks for the idea. Now, which bit is it that makes CodeRed attack forever? And which bits to change the target? :-)

    the AC
    [too much karma interferes with your tantric energy, time to troll]
  • (Use the Preview Button! Check those URLs! Don't forget the http://!)

    Doh! Port 80. Self-LART applied.

    [obPitifulExcuse: was working on sendmail/procmail/qmail/postfix/dns interaction on one screen, watching port 80 probe counts coming in on another screen, and reading /. on another screen.]

    the AC
  • Shut down the internet?

    No more X-10 popup ads!

    No more AOL kiddies!

    This just might be the Internet Clean Up day we have been needing for a while.
  • Patrick,

    I *really* appreciate your recognition of my post. Unfortunately, my thoughts were discredited yesterday when I first got the ISS alert stating that several security firms have tried the clock-forwarding test, and they were *never* able to get the worm to reawaken. I guess I didn't deserve the "5; Insightful" after all :)

    I never did think that it could be rereleased tonight at 8ET to get started again, but even with the 2,000 hosts with the misconfigured clocks still trying to spread the worm, the first few hours won't be as devastating as the image I painted -- a hundred thousand hosts or more kicking it into high gear all within a few minutes of each other.

    I'm excited, so I'll be up late tonight to see how it's going. Thanks again for the recognition. Most appreciated! :)
    --
    Steve Jackson
  • As of July 2001 IIS only represented ~25% of the web servers on the Internet. So even if Code Red achieved 100% infection (highly unlikely), about 3/4 of the web would be untouched. Explain to me how this would cause the Internet to cease to exist.

    Besides, don't think of it as a virus, but rather "natural selection" in the digital world :)

  • i am really looking forward to midnight uct tonight -- it's a code red party!

    we'll have all our packet sniffers running full tilt and plan to laugh and laugh at all the losers running iis! die! die! die!

    nobody
  • The government has turned down the prospects of creating a counter-worm, but any decently-experienced assembly programmer with sockets experience could just disassemble the current worm, make a number of changes, and release the worm on a time-skewed box. A really crafty assembly programmer could even keep the binary size of the worm the same, so in case the worm has some self-check mechanism, it won't notice any difference. I personally wouldn't mind seeing this fire fought with fire - Let the anti-worm run its course for a month, and then have it destroy itself. That would wipe out the vast majority of the code-red virus.

    It is a really rash and dangerous tactic, but considering the scenario that a number of people are expecting from this worm, are there really any other effective options?
  • .. where in, Sir Slud's suspicion that humans are dumber than rocks is confirmed: They decided NOT to email the owners of infected webservers. I'm guessing they felt that those server admins have far more important emails to read, like "MAKE $$$ IN A WEEK - TRUE STORIES FROM PEOPLE LIKE YOU"?
  • by Anonymous Coward on Tuesday July 31, 2001 @06:08AM (#2180681)
    I think it may have been irony?
  • by phil reed (626) on Tuesday July 31, 2001 @05:26AM (#2180682) Homepage
    The fellows at eeye, who are the ones who found the IIS hole, and then found and analyzed the worm called it Code Red, because they drank copious quantities of Code Red Mountain Dew while they worked on it. Check the archives at SecurityFocus.


    ...phil
  • by Hallow (2706) on Tuesday July 31, 2001 @06:07AM (#2180683) Homepage
    Umm. ColdFusion server runs on linux. Sure, you can't use studio, but the lack of a text editor's not necessarily a reason to abandon the platform. The docs are all HTML, install in windows, copy the docs over.
  • by astrosmash (3561) on Tuesday July 31, 2001 @05:34AM (#2180684) Journal
    Excuse me? The Code Red drink hasn't been around long enough to be prefered by programmers... don't you think it's far more likely to say that 'Code Red' was chosen simply to make people think it's more dangeous than it really is?
    No. The guys (from eEye Security) who initially reverse engineered the worm were drinking Code Red at the time, so that's what they named the worm. [google.com]

  • by ethereal (13958) on Tuesday July 31, 2001 @06:23AM (#2180685) Journal

    I thought there already was a Microsoft tax on stupid admins?

  • by hrm (26016) on Tuesday July 31, 2001 @06:32AM (#2180686)
    I had an idea for a simple little program that can help sort out this Code red mess. I'm not aware of any existing program that does this and unfortunately lack the time to write it myself -- even though it's probably not beyond my rudimentary bash skills, it's that simple -- so I'll just present the idea here in the hope that someone will pick it up (or shoot it down in flames if it sucks :-).

    What I propose is a GPL'd shell/python/perl script that "grep"s the apache/thttpd/whatever access log for "default.ida" requests, and logs the requesting site name/ip to a file. Sort | uniq this file for good measure, then send a friendly message to the webmaster at this site, stating at least the following points:

    • an apology in case this is the 50th mail of this nature that the admin receives (possible, because I recall that an infected host contacts about 100 semi-random targets), and point out that there's no way for the sender of knowing that in advance.
    • that their host has probably been infected by the Code Red worm, or a mutation thereof (you should grep for "default.ida" only and not "www.worm.com" as well, as mutations are not likely to use that string). Also quote the access log line, to be complete.
    • briefly point out that this is not a hoax, as can be seen from these mainstream press articles (link, link, link).
    • point to the microsoft patch.
    • warn them to look into the problem in case it's a new strain of Code Red (for example, a disk-resident one that can't be flushed by a reboot).
    • put in a plug for free software :-). Make it a friendly and useful kind of microsoft bashing for a change...
    • link to the author and source of the program that was used to generate this mail, for review and troubleshooting of the program.

    Running this a few times a day, and keeping track of the sites that we've mailed already to avoid duplicates, should give semi-awake (i.e. reading mail, but not patching their system regularly) IIS admins some friendly help.

    What do you think?

  • by p3d0 (42270) on Tuesday July 31, 2001 @05:52AM (#2180687)
    Apparently this guy [slashdot.org] saw it coming.
    --
  • by Lxy (80823) on Tuesday July 31, 2001 @07:24AM (#2180688) Journal
    I hate to criticize .NET since I am by no means the expert on the subject. Think about if .NET actually succeeds. Every PC, PDA, cell phone, and dog collar will be running a Microsoft OS and accessing its data over .NET. What happens when the .NET version of Code Red comes out? What then? All my data is wrapped up in .NET. Everything I do is on a server somewhere but the wireless .NET is too bottlenecked for me to get to it. It's a sign of things to come. Companies put many $$ into Microsoft software and constantly have to upgrade to keep a virus from systematically destroying their entire network. When are people going to get the hint that despite all their propoganda, Microsoft is not good for anyone.

  • by iso (87585) <slashNO@SPAMwarpzero.info> on Tuesday July 31, 2001 @05:27AM (#2180689) Homepage

    I saw the "special report" on CNN this morning. Pretty standard stuff for a non-technical news show but what was funny (or disturbing, depending on your take) was when the "technology expert" said that "a simple re-boot" would solve the problem in the near-term. He went on to say that regular reboots (on your servers) are a "good idea," as it's like "cleansing your system." The host agreed and said she solveds all her computer problems with a reboot :).

    They took a while to explain that only Windows NT/2000 are at risk while Windows 98/Me are not. No mention of any other alternatives besides Windows of course (I guess that's too much to ask :). Of course what I can't believe is that they're still talking about this! Are there that many admins that still haven't patched this?

    - j

  • Although I'm normally somewhat of a fan of CPM's articles, I think this one was just a _little_ weird... the Chinese did it to get back at us? It might be the US government trying to frame the Chinese? I know she doesn't make these claims, just quotes others, but still... not every crackpot idea has to be covered.

    Other than that, quite an interesting article ;).

  • by Animats (122034) on Tuesday July 31, 2001 @07:09AM (#2180691) Homepage
    It's time for companies that distribute bad software to take responsibility for it.

    A class action against Microsoft would be appropriate, in that it is a defect in a Microsoft product that made it possible. The class action should be led by non-Microsoft users impacted by the problem, so EULA issues are irrelevant.

    Where's the plaintiff's bar when you need them?

  • Don't forget, Steve Gibson is the guy who managed to make a 13 year old kid in a chat room, writing code that opens a socket, sends a few IRC commands (the hardest being the Ping/Pong set) and accepts a few commands sound like some sort of Big Black Voodoo Priest, sitting upon a throne carved from human bone, piecing together zombies from heaps of human corpses and sending them out to do his evil work.
  • Think about 25 percent of the servers on the internet constantly sending out a stream of crap against random websites, not to mention clogging up the wires as they search in vain for more servers to infect. In other words, imagine if 25 percent of the servers on the internet were suddening acting like SlashDot... Don't forget also that the attack affects various web-enabled machines, such as certain Cisco routers, HP LaserJets, and the like.
  • If you go here: http://www.microsoft.com/technet/security/search/b ulletins.xml [microsoft.com] you'll find a lovely XML doc which lists hotfixes going back, I believe, to 1998, what they apply to, what they're superceeded by, and so on. If you look for 'hfcheck' on the ms sites you'll find a lovely little WSH script that grabs this bulletin, and uses WMI to check servers and tell you what needs to be installed. It defaults to only checking for IIS patches, but that is easily fixable.
  • by legLess (127550) on Tuesday July 31, 2001 @05:34AM (#2180695) Journal
    A friend of mine runs a Cold Fusion/NT website, and has IIS installed on his home box for development. I called him last week to alert him to this thing, and it was the final straw. He dragged an old P133 out of the closet and installed Mandrake, Apache and PHP on it. Now he's migrating his site away from Cold Fusion.

    There are a few points of interest here:

    • First, as we've all been saying, Microsoft's security flaws are hitting them where it hurts - market share.
    • Second, this guy had *never* used Linux before (although he'd seen me use it, and we've talked about it for a long time). In less than 3 days he started from scratch and got a running development machine. This is evidence of a huge step forward for Linux usability.
    • Third, Allaire/Macromedia just lost a customer. Microsoft is not a safe bet in many applications, and tying yourself to them will hurt in the long run.


    "We all say so, so it must be true!"
  • by iconnor (131903) on Tuesday July 31, 2001 @06:06AM (#2180696)
    then at least I would know that it didn't apply to any of my servers. Instead, I have to read through a few paragraphs of crap before it gets to the "IIS security flaw" line.
  • by Srin Tuar (147269) <zeroday26@yahoo.com> on Tuesday July 31, 2001 @08:39AM (#2180697)

    Analogous to real virii and worms, Those that destroy their host too quickly dont spread.

    Those that dont spread die off.

    Making a system unbootable doenst destroy the data on the harddrive. But if the data on the harddrive is destroyed- the admin will reboot.

    The computer is now offline and the worm gets no more opportunities to spread.

    A common way to overcome this is to set a logic bomb: have the worm set a cutoff date after which it becomes destructive. The problem with this approach is that it allows people time to patch their systems.

    A good compromise would be to make the system unbootable immediately- with a boot loader that wipes the harddrive. Then set a logic bomb with a cutoff date after which data gets deleted.

    Its tricky though. A good twist may be to rearrange some dll's in the filesystem- to cause patches to fail. Also setting up a backdoor vector for reinfestation. Then at least 3 subtly different versions would have to be released simultaneosly.

    Its a lot harder than it sounds. And not worth it really.

  • by doctor_oktagon (157579) on Tuesday July 31, 2001 @05:56AM (#2180698)
    ... and a card with our Condolences to mark the death of his "child".

  • by peccary (161168) on Tuesday July 31, 2001 @05:37AM (#2180699)
    The problem was that there were just enough Cisco routers running down-rev software that crashed when you send "GET ?" to port 80. Fix those, and the Internet will be fine. The traffic is a non-issue.
  • by MrBogus (173033) on Tuesday July 31, 2001 @07:34AM (#2180700)
    Netcraft's numbers do not apply to this situation -- they tally *public* webservers *by domain*, which means it ignores virtual hosts and load balanced configurations. Since the worm attacks on the IP address level, I think you'd find there's significantly more IIS _servers_ out there than the 20% of IIS _domains_ number indicates.

    Second, Microsoft has a large market of intranet servers and client machines running IIS for some reason or another. That's a significant amount of mayhem that doesn't show up in Netcraft's reports at all.
  • by chompz (180011) on Tuesday July 31, 2001 @09:47AM (#2180701)
    You ask about admins still not patching this? Take five seconds and ask yourself of all of the webservers you know, how many of them are on a network with a full time administrator? You think its all of them, don't you. No, it isn't. The companies which we need to really worry about are the ones like the webdesign company my girlfriend works for. They have a server, but they have no on staff administrators. ZERO! If something goes wrong with their server(s) they call the owner of the companie's kid, who doesn't know anything at all about security, he manages to know a few simple things about computer hardware, but not that a motherboard with an AGP1x does not work well with AGPPro cards.

    I alerted them to being infected by several IIS worms and security compromises, and they still haven't patched.

    They just don't have a clue.
  • by Auckerman (223266) on Tuesday July 31, 2001 @07:47AM (#2180702)
    "Part of the reason Microsoft has so many hackers and skr1pt k1ddi3s after them is because Windows is so wide spread."

    As the previous writer clearly stated, and you clearly missed, this is just not the case with IIS. Since IIS has LESS marketshare then Apache one would expect Apache to have this kind of problem and not IIS, but it doesn't (All of which the previous poster stated).

    Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for

    You mispelt "Part of the reason Windows virii are so widespread...."

    Which you would have partially correct, but mostly wrong. W2K is MORE stable than previous Windows, yes, but no where near as stable as the traditional Unixes. Windows API could NEVER be described as stable since upgrading Windows almost always breaks something important (my CD burner, for example, which works in OS X, but not WinME). This is the reason many people are still on NT4 SP3/4. If they move up to SP6 or W2k, something important breaks. This is a big reason why Windows is taken down so much. The other part you addresses with the "easy to write for" comment. VB is easy to learn (compared to Unix scripting) and can be learned on a desktop machine before one begins coding for IIS. You can use VB for all sorts of things, including scripting the breaking into of systems, so that some 9 yr old on AOL can breaking into WIndows machines all day long...

  • by jsse (254124) on Tuesday July 31, 2001 @04:48PM (#2180703) Homepage Journal
    Media here told the public Code Red would infect all computers. They simply ignore the fact that Code Red infects only IIS 5 server.

    A local lead moron - the president of Hong Kong Computer Society, a branch of British CS, told the public that in order to protect yourself from virus, we all should update the latest virus signature and do not swith on computers. I'm sure all their members would feel shame of their president's cluelessness.

    Scott Adam [dilbert.com] is right, idiots, morons and clueless people are defining the reality.
  • by imipak (254310) on Tuesday July 31, 2001 @06:56AM (#2180704) Journal
    ...read Incidents list?? Check this out. [securityfocus.com] ( http://www.securityfocus.com/templates/archive.pik e?fromthread=1&end=2001-07-21&list=75&mid=198320&s tart=2001-07-15&threads=1& ). It's a proper mathematical analysis of the spread of the worm, by someone who knows what they're talking about (unlike Steve Gibson.) Be afraid. Think about what it would be like if this was an Apache or Sendmail hole.

    Turn a non-tech hobby into your career.
    --

  • Sure enough - decided I'd start some log traces on my (Apache) servers and watch for anything .ida Sure enough, the scans are starting already, though this looks like a different variant, instead of default.ida, its x.ida?AAAA...

    [baptiste@surfboard httpd]$ tail -f access_log | grep .ida 136.176.193.29 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280 136.176.193.29 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[l ame filter snip]AA=X HTTP/1.1" 404 280

    Should be an interesting evening. Intersting that I got hit twice from teh same IP a few minutes apart

  • Turns out that this signature is probably from the eEye CodeRed scanner [eeye.com] to identify vulnerable hosts. Interesting that they seemed to show up after 5PM from various places.
  • by LittleGuy (267282) on Tuesday July 31, 2001 @06:22AM (#2180707)
    If the Internet Ceases, then society will regress to the point when you can only create pr0n from whatever scraps you can find in the dilapidated ruins of New York City.
  • by tb3 (313150) on Tuesday July 31, 2001 @05:23AM (#2180708) Homepage
    Yep, 'journalists' seem to have forgotten how to 'consider the source' and blithely believe everything handed to them. I love the way the Reg trashes Gibson, but I wish somebody in the mainstream would pick up on the other side of the story.

    Along the same lines, am I the only person who has a problem with Cringley? After watching his PBS show about building an airplane in thirty days, I was convinced the guy has more money than brains, and that his infamy is due more to who he knows than what he knows.

  • IIS: It Isn't Secure.

    But no, really I can tell you why IIS is still a choice as a web server, and also I'll tell you why it is so insecure.
    (WARNING: As Always, IMHO).
    IIS is still a choice because:
    a) You can teach virtually anyone to perform simple administration on an IIS server.
    b) You don't need to use a command prompt (no, it doesn't really scare people, they just tend to believe it's such a fuss to make things work.)
    c) It comes with Windows 2000/NT (if you had a choice to 'Run Your Very Own Web Server(R) while running MS Office and games, without having to boot to another OS, what would you think would be better?).The fact that It's There(r), is also extremely important;otherwise, people who had to use a Windows server would use Apache for Win32 instead.
    d) It's a breeze to install and enable (incorrectly of course;there are plenty of configing and patching you can do on IIS to make it safe/er, but no-one seems to bother:'Who whould try to hack ME?')
    e) It means that it'll be easier for you to migrate to .NET later. That one's a very good reason. If the world DOES jump on .NET bandwagon would you like to stay behind( don't think '.NET port to Linux')? Could be very bad for business. On the other hand, if .NET doesn't work out, you can always jump to Apache.

    Now, why IIS is insecure:
    a) Do you remember how long it took Microsoft to realise the Internet was going to be the next big thing? That hurt them. Sure, they did release a web server (their lamest ever --IIS 2.0), but it was behind its time.IIS 4.0 was their first proper attempt, and while it worked, Microsoft had a lot to learn about security. They had to release patches constantly to help the poor early-adopters (nobody new it was going to be so open), which unfortunately, were quite a lot.IIS continued to grow, as it fitted the bill as a method to extend businesses with a Windows/NT infrastructure to the Internet. So, now we have 20% of the Internet, running IIS.
    b) IIS is also insecure because 50% of it's sysadmins are idiots. 50%, not all of them, not none of them. 50% . Now, if you pushed a *nix sysadmin to run IIS (you would have to push real hard though), you would get a web server (being configed and patched correctly) which would totaly evade most (if not all) of the IIS hacking frenzies and DoS attacks of the past 2 years. Including Code Red (the MS patch for that buffer overflow buf was published a few months ago.The wise IIS sysadmins noticed.).
    c) Remember, IIS is young. It's about 6-7 years old, but it wasn't taken seriously since Windows NT 4.0, 4-5 years ago.As with Windows 2000, the time for IIS to become a proper,feasible solution is longer than that. And isn't Apache much older (please enlighten)?
    And how will IIS become secure?
    IIS 6.0 will be the first IIS to be reasonably secure, IMHO of course. Because it will incorporate all the fixes until now (quite a lot, shouldn't they be running out of bugs?) , but most importantly because it will patch itself (that's what I heard anyway).
    Now for your opinion: Will IIS 6.0 be a proper web server? Think about it and don't reject it: There wasn't a single reason to consider it if you were happily running the latest version of Apache, but now there is: .NET.

    Think, think, and then post. And please correct me if I'm wrong.Thank you.

    Oh and some things I'd like to point out, because some people get it wrong:
    a) When you install Windows 2000 OR WinNT 4, it won't install IIS.Not even with full install. You have to install it separately AFTER the OS installation is complete, so people know when it's installed.
    b) The Internet won't cease to exist, and this isn't a conspiracy by Microsoft (probably).

  • by Violet Null (452694) on Tuesday July 31, 2001 @05:19AM (#2180710)
    Cringely tells us that the true threat is servers with mis-set clocks

    No, Cringely mentions 2,000 IIS servers that are still in "infection" mode because they have misset clocks. The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.
  • by kiwimate (458274) on Tuesday July 31, 2001 @05:24AM (#2180711) Journal
    I got the following mail from MS yesterday. (The ironic part is I initially was suspicious because the subject line was in all caps -- how rude!)

    The following is a Security Bulletin from the Microsoft Product Security Notification Service.

    Please do not reply to this message, as it was sent from an unattended mailbox.

    -----BEGIN PGP SIGNED MESSAGE-----

    The Microsoft Security Response Center, along with other organizations listed below, is jointly publishing this alert that ALL IIS ADMINISTRATORS ARE ASKED TO READ

    A Very Real and Present Threat to the Internet: July 31 Deadline For Action

    Summary:

    The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.

    How Big Is The Problem?

    On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.

    Who Must Act?

    Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.

    What To Do If You Are Vulnerable?

    a. To rid your machine of the current worm, reboot your computer.
    b. To protect your system from re-infection:
    Install Microsoft's patch for the Code Red vulnerability problem:

    - - Windows NT version 4.0:

    http://www.microsoft.com/Downloads/Release.asp?Rel easeID=30833

    - - Windows 2000 Professional, Server and Advanced Server:

    http://www.microsoft.com/Downloads/Release.asp?Rel easeID=30800

    Step-by-step instructions for these actions are posted at

    http://www.microsoft.com/technet/treeview/default. asp? url=/technet/itsolutions/security/topics/codeptch. asp

    Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at:

    http://www.microsoft.com/technet/treeview/defaul t. asp? url=/technet/security/bulletin/MS01-033.asp

    Because of the importance of this threat, this alert is being made jointly by:

    Microsoft
    The National Infrastructure Protection Center
    Federal Computer Incident Response Center (FedCIRC)
    Information Technology Association of America (ITAA)
    CERT Coordination Center
    SANS Institute
    Internet Security Systems
    Internet Security Alliance


  • Talk about FUD - here's a quote, from Scientific American, no less: "Imagine a cold that kills. It spreads rapidly and indiscriminately through droplets in the air, and you think you're absolutely healthy until you begin to sneeze. Your only protection is complete, impossible isolation,"

    WOW! That sounds awful! Run for the hills!

    But wait - imagine that a vaccine for the cold has been available for months. You could get vaccinated just by logging into a website.

    Oh, and once you're infected, all you need to do is take a nap (ie. reboot) and you're healthy again.

    What a load of scare-mongering. SciAm should know better.
  • by wiredog (43288) on Tuesday July 31, 2001 @05:23AM (#2180713) Journal
    while there is a solution ... many people will see the cure as being nearly as bad as the disease

    I suspect this [kuro5hin.org] is the cure.

  • by First Person (51018) on Tuesday July 31, 2001 @07:38AM (#2180714)

    If any Mozilla developers are listening, I have a request. I'd like a version which displays a visible icon everytime I log onto a IIS server. Then, if I double click the icon, it could list a selection of 'counter measures' such as CodeRed which I might deploy. These might use a plug-in architecture and be downloadable from sites using other browsers.


    Thanks for listening.

  • by Dr_Cheeks (110261) on Tuesday July 31, 2001 @05:41AM (#2180715) Homepage Journal
    So what happened with the headline contest [slashdot.org] from last time Code Red shook it's groove thing all over the net? Did I win (yeah, right)?

    Perhaps this could be a monthly competition. Assuming, of course, that anyone can get through the infection storm to post to it.

    Oh, and I'd like to propose a name for the inevitable next worm that just won't die - The Lazarus Worm. Cool, eh?

  • by Random_Eyes (168298) on Tuesday July 31, 2001 @05:17AM (#2180716)
    The general public, for the most part can do nothing to stop this. It is sysadmins and those running servers who need to pay attention.

    Why then is this threat suddenly everywhere?

    They're FUDing the Net!

    The logic is simple. Business wants a new manageable internet. First, prove to the world that end-to-end is broken. Then, advance proposals to fix it.

    Waiting for the other shoe to drop. . .

  • by T1girl (213375) on Tuesday July 31, 2001 @05:35AM (#2180717) Homepage
    Can you think of a better marketing ploy to make your soft drink sound hip and edgy and get the name plastered all over the media? This could be even better for free publicity and name recognition than the Verizon strike.

    Vote today for Dilbert's list of Top 869 Things Programmers Are Least Likely To Say [unitedmedia.com].
  • by rabtech (223758) on Tuesday July 31, 2001 @06:08AM (#2180718) Homepage
    Sorry, but Apache mostly runs on *nix systems... anything from Linux to Solaris to FreeBSD.

    Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all.

    Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for.

    Part of the reason Microsoft has so many hackers and skr1pt k1ddi3s after them is because Windows is so wide spread.
    -- russ
  • by sorinm (459727) on Tuesday July 31, 2001 @06:49AM (#2180719)
    And then another bug will be discovered, and then another worm will start spreading and so forth. The only solution to this (IMHO) is not to shut down whatever network or to put another patch or even to switch to Apache. The solution is to stop the false ideea that using computers is easy. It is not, it requires work and study. Thos who are merely pushing buttons on screen should quit computers or pay more atention. Having a netwotked computer is a responsibility and people should learn that. "Easy use" of computers is the virus, not Code Red. Sorin M
  • by cyphon (467846) on Tuesday July 31, 2001 @05:16AM (#2180720) Homepage
    The only reason that the media is style hyping about this is because steve gibson is wailing like a little bitch about things like: Raw sockets, and "Logaritmic Axis Graphs".

    Gimme a break.

    Stevie boy is very insane, but he generates hype, which generates headlines, which makes the media look good. So wake up you government and corperate morons. The world will not come to an end. And steve gibson is not the prophet of the internet world.

  • by jmv (93421) on Tuesday July 31, 2001 @05:25AM (#2180721) Homepage
    It's funny that everytime a Windows worm/virus propagates and (of course) Linux and other UNIX are not affected, it's just because they don't have much market share and nobody bothers writing a virus for an OS like Linux. Now, it's IIS that's being hit. If it were only about market share, Apache would get twice as much virii/worms as IIS, right? Maybe the most important factor after all is the number of security breach in a product and not market share.
  • by RedHat Rocky (94208) on Tuesday July 31, 2001 @06:05AM (#2180722)

    My God, I just realized that the worm's creator was obviously a man with an ex-girlfriend. It has a monthly cycle. It spends the 2/3rds of the month putting its nose in where it doesn't belong. It then spends the remaining 1/3 of the month on a complete lashing-out, bitchfest.

    Gads. Couldn't he have just gotten drunk instead?

  • While I'd agree that he may be overly paranoid, I do share the opinion that the internet is extremely vulnerable right now, although not necessarily for the reasons he states.

    I am not a professional security expert, but I do know my fellow computer users. They will take convenience over security every time until something Really Bad happens to their system. Then they will pay money to solve the problem, be alert for several months, and gradually relax as the problem doesn't reappear. Their knowledge of security may extend as far as knowing to update Norton Antivirus every once in a while.

    We are fortunate that most virus writers are not the most skilled programmers in the world. Or, perhaps more likely, they have restrained themselves in order to avoid completely destroying their playground.

    Think about this for a minute. It is easy to conceive of ways in which much more damage could be done to the internet than has already been done. If I recall correctly, the ILOVEYOU virus deleted jpgs from hard drives. The worst results I am aware of from this is a commerical image database being wiped out. Now, imagine what would have happened if dlls had been attacked as well. Unbootable computers, applications and system software destroyed beyond repair short of total reinstall, etc. Most Windows machines out there have no file permissions system set up. NT does, but how many DOS based systems are still out there, and still hold critical work?

    The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable. And all of us are impacted by this in one way or another, unless everyone you deal with has good security. If that is true, you are lucky. For me, it is not.

    Up until now, we have delt mainly with simple scripts whose workings are obvious. However, here is some food for thought. Microsoft's servers are not invulnerable. Like any complex system, there are undoubtedly subtle and potentially dangerous bugs in the Windows code which will be obvious to anyone who can steal the source from the servers. If someone with or even without this code writes a truly powerful virus which attacks hundreds of subtle vulnerabilities simultaniously, knows how to hide the code in the depths of Windows, and destroys any system it can after reproducing itself, we are in deep S**t. Right now, most virus attacks involve the active cooperation of the email system - minimally some end user opening an attachment. So the measure of how widespread a virus becomes is often based on how many suckers read it. This is not, as it turns out, a big problem for the virus - it is easy to come up with email titles people will want to open. But if you remember the worm of 88, it didn't require the end users cooperation at all. What happens when all that is needed for a machine to die is for it to connect to the network unpatched? Imagine the chaos of half a million machines with all their work, programs, and system software gone. Gibson may have a right to be paranoid.

  • by taliver (174409) on Tuesday July 31, 2001 @05:48AM (#2180724)
    I got a call.

    At 5:15 AM.

    In the morning.

    From my mother.

    She had just seen the FBI guy on TV and was worried her windows 98 machine would destroy the world over her dialp connection.

    I informed her that this was unlikely, and went back to bed.

  • by b1t r0t (216468) on Tuesday July 31, 2001 @06:31AM (#2180725)
    Does anyone know how/where I can get my computer infected with Code red?

    All you have to do is:

    1. Sell your soul to Microsoft
    2. Install a copy of IIS
    3. Connect to the Internet without a firewall
    4. Wait. It will be automatically delivered to you within 24 hours. Or it's free.

  • by mike260 (224212) on Tuesday July 31, 2001 @05:34AM (#2180726)
    The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.

    IIRC, the worm is memory-resident-only and therefore can't survive a reboot. It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time. Except that this time everyone's forewarned.

    Microsoft knew it all along: It isn't a bug that Windows requires rebooting every few days, it's a security feature.
  • by agallagh42 (301559) on Tuesday July 31, 2001 @05:26AM (#2180727) Homepage
    The Register has a good summary of Gibson's ravings here [theregister.co.uk]

I am not now, nor have I ever been, a member of the demigodic party. -- Dennis Ritchie

Working...