Code Red! All Hands to Battle Stations!
We had thought we were done with Code Red last week, but CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD [?] isn't stopped in its tracks. Even Scientific American has a story about it. Cringely tells us that the true threat is servers with mis-set clocks.
Re:New ways to patch MS holes (Score:2)
inform the Administrator of the system (through email
some sort of confirmation/activation/deactivation process available to the Administrator
I've got an idea too! How about an "opt in system" where system administrators get emailed a location to where the "patch" is! That way they would:
1) Be informed of the problem.
2) Told where to get the fix
3) Have some sort of confirmation/activation/deactivation process available to the Administrator
Or how about a web page where users could find updates [microsoft.com]?
Or maybe a site that tracks bugs [securityfocus.com] in software?
And all that without having to have microsoft send out more stupid worms.
My point is that if people don't use the tools already available, why would they take the time to opt-in to this program?
-- Zack
Re:Worms and market share (Score:2)
Eh? You're getting queries for your web server from multicast addresses? Interesting.
--
Re:Steve Gibson Made this Worse (Score:2)
Why is nobody using this as a propaganda tool? (Score:2)
All the articles I've read about Code Red seem to be carefully avoiding pointing the finger at Microsoft.
A statement like "Microsoft IIS servers run less than 25% of the Web, but the congestion created by the attack could affect all servers" would be accurate, informative, and make it clear that the problem is caused by a minority of systems. It would also make PHBs think twice about implementing IIS.
How do we get this message out to PHBs everywhere?
Magic Bullet (was Re:die, monster devil, die!) (Score:2)
Re:The Entire Internet Will cease to exist... (Score:2)
Hey! Cool! (Score:2)
The string & tin-cans currently used on the backbones and trans-atlantic link might be a cool hack, but they are a little short on bandwidth for serious use. It's got to the point where those who built the Internet in the first place have had to jump ship, and start from scratch, just to get the necessary bandwidth.
I -hope- that the failures are major enough that QoS technology is deployed, not just decorated. I -hope- that delays become bad enough that terabit pipes become the norm, not just a pipe-dream. I -hope- that this scares ISPs and corporations into enabling ECN, IPSec and possibly even IPv6.
It is only in times of adversity that technology really changes. We have an adversary, we HAVE to defeat it, and that means we HAVE to change.
IMHO, viruses, trojans, etc, are evil. But in destroying their evil, we have the opportunity to rid ourselves of some of our own.
This probably sounds a sick way of looking at things, but the fact is, we HAVE the means to prevent Code Red. We have, for many years. It's because system admins have always argued that it's not worth dealing with threats -before- they happen, that we're in the situation we're in.
Inertia is mankind's second-greatest enemy. (Jerry Springer narrowly beats it.) Damned is the person who does nothing, because they couldn't do everything. This entire fiasco could well give the impetus needed to overcome that inertia.
On the other hand, I'm inclined to think that everyone'll just panic, but do nothing, and actually be over-run. Needlessly and stupidly. But, then, that's people for you.
Re:The Entire Internet Will cease to exist... (Score:2)
Mind you, I collect all sorts of odd things. One time, I was into collecting comms software. I had over 30 for the PC.
Another time, it was MUDs. I had practically every MU* server on the planet. (LP, MudOS, Pernmush, Tinymud, Tinymush, Pennmush, Ubermud*, Tinymuck, Abermud, Circle, LambdaMOO, etc)
*Ubermud was the first truly distributed MUD system. Processes could migrate between the Uber servers freely, provided the necessary database entries existed. It was truly ingenious for its time, and nothing more recent really compares.
Of course, *Trek games were great for collecting, too. XTrek, Netrek (Bronco, Vanilla, KSU, et al), the briefly-lived Paradise development line, etc.
Compilers and interpreters are cool, too. That's one reason I'm fluent in something like 10 computer languages, and am OK in about 7-8 more.
Of course, collecting has its down-side. You need a LOT of disk space, a LOT of time, and a LOT of bandwidth. The stuff will never be worth the tens of thousands of dollars that stamps, or other "physical" collectables, will fetch in time. And they require active steps to preserve. A teddy bear, if stuffed in a box in the attic, will usually do ok for 40-50 years. Netrek, on a 3.5" floppy, would be lucky to last a tenth of that time. Even if there was still anything that would read it.
Re:The Entire Internet Will cease to exist... (Score:2)
Re-infection? What about continued infection? (Score:2)
This is not really all that different from an average virus-- it spreads for a while, activates, causing a lot of damage and panic and such, people panic for a while, it deactivates and spreads some more.
The people who are all worried about it coming back repeatedly should be at most disappointed that it doesn't just kill itself after a month. But there's no reason they should expect it to.
In fact, this is still less of a problem than an old-style virus: in order to stop those, you had to get a clever program to catch and disable this code. With Code Red you merely have to patch or replace IIS and it stops being an issue.
People don't patch... (Score:2)
"Hi! How are you?
I send you this file in order to have your advice
See you later. Thanks"
spam in my mailbox...
My favorite bit of misinformation: China denial (Score:2)
(Well, okay, it does run on the non-English servers, but it doesn't deface them...)
Re:My favorite bit of misinformation: China denial (Score:2)
My point, had you bothered to think about it, was that the reasons given for why the worm couldn't have originated in China were obviously wrong, and had the reporter been competent enough to do a modest amount of research he'd have seen that.
Sometimes the obvious answer, namely that the worm really was written by a lone cracker in China, really is the right one, no matter how un-politically-correct it is. However, we don't really know, as I indicated with "(Chinese?)". I'm just curious why the reporter's mainland Chinese sources felt it necessary to dispense obvious misinformation. It's probably just a reflex action from a lifetime in one of the more brutal Communist dictatorships.
Re:The Lazarus Worm (Score:2)
Great title. If you'll hurry up with that screenplay maybe we can get Robert Urich as the title character and it can be the "Tron" sequel.
Re:This is pretty sad (Score:2)
Re:Yahooo, Mountain Dew! (Score:2)
Here's a link to the story of its creation (Mountain Dew) in Knoxville, Tennessee (I'd always heard that it was started in western North Carolina) from an AC's reply to another post of mine.
http://metropulse.com/dir_zine/dir_2000/1039/t_secret.html
Re:Idiots in journalism (Score:2)
Re:Please cut the sensationalist crap. (Score:2)
I have found that by going to other sites I am getting better coverage than
I have been an advocate (and even annoyed that people were complaining about the journalism here) but this is getting ridiculous.
Repeat posts, The Onion like garbage, etc is all getting to me.
Clean up the act boys.
Instant partial solution (Score:2)
Given that at least four components are necessary for a crack to be effective, removing any one of them will prevent the problem. These components are: malicious code, vulnerable service or device, access to same, lack of fixes or unwillingness to apply available fixes.
Evolution suffers the same type of problems. Hypermutation was recently discovered in components of an immune system and many hands were waved about what this proved. What was not explored was the nature of the mutations. They are almost deliberately allowed to ``go wild'' within very strict bounds, and the result (which would be disastrous outside the immune system) is that a large set of possibly useful responses are produced and tried as antigens in a very short time. However, if any one of a large set of very specific conditions were not met, hypermutation would be lethal. And you can safely bet that any retractions of the previous headlines will be four lines of fine print on page twenty.
So, given that convenience will tend to be chosen over better security (and partly because if an administrator goes for a more secure but less convenient solution they may actually suffer a greater security problem by encouraging (for example) undocumented sharing of passwords), a solution such as replacing Windows plus IIS with Linux/*BSD/whatever plus Apache will actually work, and much better than telling users and administrators that they're idiots. They either know that and have to live with it, or don't know it, never will, and will be annoyed every time someone tries to point this out.
ASP2PHP [naken.cc] exists, and works, so there's no really sound reasons left for running IIS. It's also (especially in the name of avoiding monoculture) worthwhile checking out alternatives like Zope [zope.org]. The combination of an inherently more reliable service, and automated updates (I know that Debian, Mandrake and RedHat - at least - have these) will remove a vital section from the crackers' stairway to heaven.
Where Mr Gibson does score is in that not everyone needs to be running vulnerable servers to swamp and drown the Internet. Just enough twits to do the job. I'm currently wondering what social effect would drive IIS market penetration up 4% at the very instant it's been shown to be a public menace. Again. Remember that it's been copping buffer overflows for the best part of a decade now, and doesn't look like stopping.
Not as unthinkable as first glance might suggest (Score:2)
Don't forget the scripting (Score:2)
IIS overflowing for ages: petition MS to open it! (Score:2)
We should petition Microsoft to Open Source IIS, purely as a matter of self defence.
Re:Worms and market share (Score:2)
Re:From cringely's article (Score:2)
If these putzadmins can't or won't patch the holes, then a "white hat" virus can use the same holes to apply the patches.
I'm not endorsing it, just making a prediction. (But it does have its elegance.)
--
60 % Apache is not all unix (Score:2)
I run it when I want to be quick and dirty on an NT box with the win32 port of perl for CGI so that webfools can get to grips with things rather than screw up my systems
regards
john jones
Is W2K really stable though? (Score:2)
When NT came out, it was supposed to be based on code stolen from the VMS system, which has truly phenomenal stability - equaled only by a few linux kernels. The advertising, and the legions of MS-shills in userland (who at that time were gunning for OS/2) gleefully proclaimed that NT was stable enough for the enterprise.
I tested NT extensively and found that 3.51 was basically stable enough for user desktops - it crashed about as often as a Macintosh. But the computer press behaved exactly as they do today in regards to W2K - "It's uncrashable! Rock-solid! No more BSOD!" ranted the pundits.
When 4.0 shipped, suddenly the previously "rock solid" NT 3.51 was not a stable platform - you had to upgrade to 4.0 to get the exact same empty promises and gleeful raving. My tests showed no phenomenal improvement, however.
So, perhaps W2K is really stable and wonderful and all that nice warm fuzzy stuff. But, fool me once, shame on you; fool me twice - shame on me. I won't be buying W2K because I have known working alternatives from sources that have not abused my trust.
--Charlie
PS - HP (vendors of the unbelievably horrible HP-UX) were advertising Windows NT using the word uncrashable only a year ago. Just now a quick search on Google turned up numerous instances of this egregiously fraudulent claim... are W2k's promises likely to be any different?
--CTB
Re:Why can't MS be held responsible? (Score:2)
MS (and every other software company) have you agree not to hold them responsible for any loss of any kind (and due to any cause... even negligence). If I were a computer company, I'd have you agree to the same thing.
Now, the question for the lawyers is if the negligence is to the point that they are in breach of their portion of the EULA, which would put the users in a position to demand something in return (service, patches, upgrades, money, bill's head on a platter, etc).
-Chris
...More Powerful than Otto Preminger...
Re:Why all the public hullaballoo (Score:2)
If they'd only prefixed the bulletins with a simple rider that this only affects website operators (to word it for the users, remember) and that home PCs are fine, this would be better. Users wouldn't be panicking for no good reason, we'd all have a more peaceful world.
Why can't people think harder?
Re:From cringely's article (Score:2)
Re:Mis-set clocks? (Score:2)
As long as even one of these clockless machines remains up and running, Code Red will start over on the first of every month. Forever.
I don't know WHERE he gets that idea. As long as ANY machines still have the worm and ANY machines remain unhardened, we'll still have this problem.
BAD JOURNALIST! NO BISCUIT!
IIS Explained (Score:2)
I just cracked the advanced *32-bit* encryption scheme used on Microsoft IIS with my hi-tech Pentium processor - even with the logic bug. Boy did it heat up my apartment doing all those calculations - I have the AC on and it's the dead of Winter here in Siberia! I found out this *top secret* information from the source code about what IIS stands for:
Re:Mis-set clocks? (Score:2)
Re:Mis-set clocks? (Score:2)
As The register [theregister.co.uk] pointed out, if the clock is misset so that it's in infection mode, then it's just going to find that the servers it infects AREN'T in infection mode, so the whole mis-set clock thing is a red herring.
Re:My favorite bit of misinformation: China denial (Score:2)
If I were a nerdy Slashdot-reading Worm-writer I would probably think it a good idea to frame the Chinese. And start my infection spree by attacking some Chinese servers first. Next time he'll try Saddam or Milosevic (I heard those stupid Dutch gave him a computer in his cell).
Why the White House? Simply because it makes for a more visible target, publicity is what these guys are after.
Of course it could be the (a?) Chinese, but it could be anyone else on the planet with the necessary skills.
Regards,
Xenna
Disclaimer: The fact that I have a Chinese girlfriend does not influence my opinion in the least. And, no, it wasn't me.
People still don't know (Score:2)
--
Re:People still don't know (Score:2)
--
Re:Apache problem (Score:2)
I also believe that this is true for the other distros. Now with XP coming with sockets, I can just imagine the new impact that will have.
Steven Rostedt
Re:Worms and market share (Score:2)
Re:Worms and market share (Score:2)
s/Apache/Sendmail and Robert T. Morris did it over 10 years ago.
Re:What would be incredibly funny... (Score:2)
I tend to wonder if these "viruses" we have been seeing are merely "shots across the bow", so to speak. I mean - why hasn't a virus as you described come out yet?
Most of the source code to these viruses is available for free, if you know where to search.
It is obvious that MS products are buggy, full of holes to exploit, and rarely patched - not to mention that users of the systems tend to be lazy and ignorant about security precautions - constantly clicking to see the next naked Brittany Spears image - so why haven't we seen true chaos yet?
Worldcom [worldcom.com] - Generation Duh!
Re:What would be incredibly funny... (Score:2)
I am a Linux "convert" - I run SuSE Linux 7.2 at home, currently learning Perl. At work I do VB and Java coding. I have seen the code of the ILoveYou virus - it is dead simple. I am certain these other "viruses" are similar in scope. I am aware of various virus coding sites, and I keep up from time to time on the "underground" - side hobby of mine.
I could probably patch together such a "virus" as described, and even release it without leaving behind a "trail". The only thing keeping me from doing anything like this is that I know ultimately it wouldn't benefit anybody, not even myself - and would be unlikely to affect Microsoft, either. All it would cause would be anger, lost time, and money. So why do it? Of course, all of these other viruses out there do the same thing - so someone either is really fucked up in the head, or there must be some kind of motive.
Boggles me...
Worldcom [worldcom.com] - Generation Duh!
This is not new (Score:2)
Not that serious (Score:2)
With any luck, this will just wipe Microsoft servers off the map. Check back next month to see Apache hit >70% on the Web Server Survey.
Maybe it will change peoples minds about Microsoft (Score:2)
When people make statements like this;
The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems.
and then call this worm,
the largest ever dangers to the Internet.
and then go on to state
Code Red exploits a flaw discovered in June in Microsoft's Internet Information Services software used on Internet servers. It is found in Windows' NT and 2000 operating systems.
When are people going to put the pieces together and start holding the people that choose Microsoft and maybe even Microsoft responsible for these things?
Of course this is only a pipe dream. There are too many people out there willing to believe Microsoft's propaganda.
That's not the case (Score:2)
Deadline, Cringely!! (Score:2)
Although he mostly misses the point, especially about how any single unpatched server will somehow relaunch CodeRed every month, I'll agree that port 25 probes are on the increase here. But as more and more machines are patched, the problems and reinfections from this particular worm will eventually become lost in the noise. I am looking forward to new, better written nasty IIS worms over the next few months.
It can be retargetted from whitehouse.gov to
Thanks for the idea. Now, which bit is it that makes CodeRed attack forever? And which bits to change the target?
the AC
[too much karma interferes with your tantric energy, time to troll]
Use the Preview Button! (Score:2)
Doh! Port 80. Self-LART applied.
[obPitifulExcuse: was working on sendmail/procmail/qmail/postfix/dns interaction on one screen, watching port 80 probe counts coming in on another screen, and reading
the AC
shut down the internet? (Score:2)
No more X-10 popup ads!
No more AOL kiddies!
This just might be the Internet Clean Up day we have been needing for a while.
Re:Not a surprise to everyone (Score:2)
I *really* appreciate your recognition of my post. Unfortunately, my thoughts were discredited yesterday when I first got the ISS alert stating that several security firms have tried the clock-forwarding test, and they were *never* able to get the worm to reawaken. I guess I didn't deserve the "5; Insightful" after all
I never did think that it could be rereleased tonight at 8ET to get started again, but even with the 2,000 hosts with the misconfigured clocks still trying to spread the worm, the first few hours won't be as devastating as the image I painted -- a hundred thousand hosts or more kicking it into high gear all within a few minutes of each other.
I'm excited, so I'll be up late tonight to see how it's going. Thanks again for the recognition. Most appreciated!
--
Steve Jackson
The Internet will "cease to exist" ? (Score:2)
Besides, don't think of it as a virus, but rather "natural selection" in the digital world :)
die, monster devil, die! (Score:2)
we'll have all our packet sniffers running full tilt and plan to laugh and laugh at all the losers running iis! die! die! die!
nobody
Vigilante style? (Score:2)
It is a really rash and dangerous tactic, but considering the scenario that a number of people are expecting from this worm, are there really any other effective options?
No email to infected owners? (Score:2)
Re:Please cut the sensationalist crap. (Score:3)
Re:Idiots in journalism (Score:3)
...phil
Re:Best-case scenario (Score:3)
Re:Idiots in journalism (Score:3)
Re:Tax Code Red (Score:3)
I thought there already was a Microsoft tax on stupid admins?
Help from your friendly unix/linux webmaster? (Score:3)
What I propose is a GPL'd shell/python/perl script that "grep"s the apache/thttpd/whatever access log for "default.ida" requests, and logs the requesting site name/ip to a file. Sort | uniq this file for good measure, then send a friendly message to the webmaster at this site, stating at least the following points:
Running this a few times a day, and keeping track of the sites that we've mailed already to avoid duplicates, should give semi-awake (i.e. reading mail, but not patching their system regularly) IIS admins some friendly help.
What do you think?
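One way to implement the log check proposed in the comment above, as an added example (not part of the original post and not a released tool). The sample log lines, the state-file name and the function names are assumptions made for illustration; the script only lists the requesting hosts and remembers which ones it has already reported, and it sends no mail.

```python
"""Find hosts requesting the IIS .ida handler in an Apache-style access log."""
import json
import re
import tempfile
from collections import OrderedDict
from pathlib import Path

# Common/combined log format: host ident user [time] "request" status bytes
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S*)[^"]*" (?P<status>\d{3}) \S+'
)
# Request path ending in .ida (default.ida, x.ida, ...), any case.
# Only the path is checked, so ".ida" inside a query string does not count.
IDA_PATH = re.compile(r'^[^?]*\.ida(?:\?|$)', re.IGNORECASE)

# Constructed sample lines (documentation-range addresses), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAA=X HTTP/1.1" 404 280
198.51.100.7 - - [31/Jul/2001:17:11:02 -0400] "GET /index.html HTTP/1.0" 200 5120
192.0.2.10 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAA=X HTTP/1.1" 404 280
203.0.113.55 - - [31/Jul/2001:17:15:00 -0400] "GET /default.ida?NNNNNNNN=a HTTP/1.0" 404 276
198.51.100.7 - - [31/Jul/2001:17:16:30 -0400] "GET /docs/idea.html?ref=x.ida HTTP/1.0" 200 812
this line is not in access-log format
"""


def find_ida_probes(lines):
    """Return {host: {"hits", "first", "last"}} for requests to a .ida path."""
    probes = OrderedDict()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not IDA_PATH.match(m.group("target")):
            continue  # unparsable line or unrelated request
        entry = probes.setdefault(
            m.group("host"),
            {"hits": 0, "first": m.group("time"), "last": None},
        )
        entry["hits"] += 1
        entry["last"] = m.group("time")
    return probes


def select_new_hosts(probes, state_path):
    """Return hosts not yet in the state file, then record them as reported."""
    state_path = Path(state_path)
    seen = set(json.loads(state_path.read_text())) if state_path.exists() else set()
    new_hosts = [host for host in probes if host not in seen]
    state_path.write_text(json.dumps(sorted(seen | set(new_hosts))))
    return new_hosts


def run_demo():
    """Process the sample log twice; the second pass must find nothing new."""
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp) / "notified.json"  # hypothetical state-file name
        probes = find_ida_probes(SAMPLE_LOG.splitlines())
        first = select_new_hosts(probes, state)
        second = select_new_hosts(probes, state)
    return probes, first, second


if __name__ == "__main__":
    probes, first, second = run_demo()
    for host in first:
        info = probes[host]
        print(f"{host}\t{info['hits']} hit(s)\t{info['first']} .. {info['last']}")
    print(f"second pass, new hosts: {second}")
```

The per-host hit count and first/last timestamps give the recipient something to match against their own logs, and the state file keeps repeated runs from reporting the same host twice.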
Not a surprise to everyone (Score:3)
--
a taste of what's to come (Score:3)
CNN this morning (Score:3)
I saw the "special report" on CNN this morning. Pretty standard stuff for a non-technical news show but what was funny (or disturbing, depending on your take) was when the "technology expert" said that "a simple re-boot" would solve the problem in the near-term. He went on to say that regular reboots (on your servers) are a "good idea," as it's like "cleansing your system." The host agreed and said she solves all her computer problems with a reboot :).
They took a while to explain that only Windows NT/2000 are at risk while Windows 98/Me are not. No mention of any other alternatives besides Windows of course (I guess that's too much to ask :). Of course what I can't believe is that they're still talking about this! Are there that many admins that still haven't patched this?
- j
Code Red Sci-Am article (Score:3)
Other than that, quite an interesting article ;).
Microsoft should be held responsible for this (Score:3)
A class action against Microsoft would be appropriate, in that it is a defect in a Microsoft product that made it possible. The class action should be led by non-Microsoft users impacted by the problem, so EULA issues are irrelevant.
Where's the plaintiff's bar when you need them?
Re:Steve Gibson Made this Worse (Score:3)
Re:The Internet will "cease to exist" ? (Score:3)
Re:Conspiracy Theory (Score:3)
Best-case scenario (Score:3)
There are a few points of interest here:
"We all say so, so it must be true!"
They should call it "code redmond"... (Score:3)
Fatal Infections (Score:3)
Analogous to real virii and worms, those that destroy their host too quickly don't spread.
Those that don't spread die off.
Making a system unbootable doesn't destroy the data on the harddrive. But if the data on the harddrive is destroyed, the admin will reboot.
The computer is now offline and the worm gets no more opportunities to spread.
A common way to overcome this is to set a logic bomb: have the worm set a cutoff date after which it becomes destructive. The problem with this approach is that it allows people time to patch their systems.
A good compromise would be to make the system unbootable immediately, with a boot loader that wipes the harddrive. Then set a logic bomb with a cutoff date after which data gets deleted.
It's tricky though. A good twist may be to rearrange some dll's in the filesystem, to cause patches to fail. Also setting up a backdoor vector for reinfestation. Then at least 3 subtly different versions would have to be released simultaneously.
It's a lot harder than it sounds. And not worth it really.
Maybe we should send Al Gore a wreath.... (Score:3)
Re:The Entire Internet Will cease to exist... (Score:3)
Re:Not that serious (Score:3)
Second, Microsoft has a large market of intranet servers and client machines running IIS for some reason or another. That's a significant amount of mayhem that doesn't show up in Netcraft's reports at all.
Re:CNN this morning (Score:3)
I alerted them to being infected by several IIS worms and security compromises, and they still haven't patched.
They just don't have a clue.
Re:Worms and market share (Score:3)
As the previous writer clearly stated, and you clearly missed, this is just not the case with IIS. Since IIS has LESS marketshare than Apache one would expect Apache to have this kind of problem and not IIS, but it doesn't (All of which the previous poster stated).
Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for
You misspelt "Part of the reason Windows virii are so widespread...."
Which you would have partially correct, but mostly wrong. W2K is MORE stable than previous Windows, yes, but nowhere near as stable as the traditional Unixes. Windows API could NEVER be described as stable since upgrading Windows almost always breaks something important (my CD burner, for example, which works in OS X, but not WinME). This is the reason many people are still on NT4 SP3/4. If they move up to SP6 or W2k, something important breaks. This is a big reason why Windows is taken down so much. The other part you address with the "easy to write for" comment. VB is easy to learn (compared to Unix scripting) and can be learned on a desktop machine before one begins coding for IIS. You can use VB for all sorts of things, including scripting the breaking into of systems, so that some 9 yr old on AOL can break into Windows machines all day long...
idiocy of Hong Kong's media (Score:3)
A local lead moron - the president of Hong Kong Computer Society, a branch of British CS, told the public that in order to protect yourself from virus, we all should update the latest virus signature and do not switch on computers. I'm sure all their members would feel shame of their president's cluelessness.
Scott Adam [dilbert.com] is right, idiots, morons and clueless people are defining the reality.
FFS, doesn't anyone here... (Score:3)
Turn a non-tech hobby into your career.
--
ITS BAAAAAAAACK!!!!~ (Score:3)
[baptiste@surfboard httpd]$ tail -f access_log | grep .ida
136.176.193.29 - - [31/Jul/2001:17:10:49 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
136.176.193.29 - - [31/Jul/2001:17:12:42 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[lame filter snip]AA=X HTTP/1.1" 404 280
Should be an interesting evening. Interesting that I got hit twice from the same IP a few minutes apart.
Or not... [Re:ITS BAAAAAAAACK!!!!~] (Score:3)
Prepare for the Stone Age! (Score:3)
Re:Steve Gibson Made this Worse (Score:3)
Along the same lines, am I the only person who has a problem with Cringley? After watching his PBS show about building an airplane in thirty days, I was convinced the guy has more money than brains, and that his infamy is due more to who he knows than what he knows.
IIS: Why it is Used, Why it's buggy. (Score:3)
But no, really I can tell you why IIS is still a choice as a web server, and also I'll tell you why it is so insecure.
(WARNING: As Always, IMHO).
IIS is still a choice because:
a) You can teach virtually anyone to perform simple administration on an IIS server.
b) You don't need to use a command prompt (no, it doesn't really scare people, they just tend to believe it's such a fuss to make things work.)
c) It comes with Windows 2000/NT (if you had a choice to 'Run Your Very Own Web Server(R) while running MS Office and games, without having to boot to another OS, what would you think would be better?). The fact that It's There(r), is also extremely important; otherwise, people who had to use a Windows server would use Apache for Win32 instead.
d) It's a breeze to install and enable (incorrectly of course; there are plenty of configing and patching you can do on IIS to make it safe/er, but no-one seems to bother: 'Who would try to hack ME?')
e) It means that it'll be easier for you to migrate to
Now, why IIS is insecure:
a) Do you remember how long it took Microsoft to realise the Internet was going to be the next big thing? That hurt them. Sure, they did release a web server (their lamest ever --IIS 2.0), but it was behind its time. IIS 4.0 was their first proper attempt, and while it worked, Microsoft had a lot to learn about security. They had to release patches constantly to help the poor early-adopters (nobody knew it was going to be so open), which unfortunately, were quite a lot. IIS continued to grow, as it fitted the bill as a method to extend businesses with a Windows/NT infrastructure to the Internet. So, now we have 20% of the Internet, running IIS.
b) IIS is also insecure because 50% of its sysadmins are idiots. 50%, not all of them, not none of them. 50%. Now, if you pushed a *nix sysadmin to run IIS (you would have to push real hard though), you would get a web server (being configed and patched correctly) which would totally evade most (if not all) of the IIS hacking frenzies and DoS attacks of the past 2 years. Including Code Red (the MS patch for that buffer overflow bug was published a few months ago. The wise IIS sysadmins noticed.).
c) Remember, IIS is young. It's about 6-7 years old, but it wasn't taken seriously since Windows NT 4.0, 4-5 years ago. As with Windows 2000, the time for IIS to become a proper, feasible solution is longer than that. And isn't Apache much older (please enlighten)?
And how will IIS become secure?
IIS 6.0 will be the first IIS to be reasonably secure, IMHO of course. Because it will incorporate all the fixes until now (quite a lot, shouldn't they be running out of bugs?), but most importantly because it will patch itself (that's what I heard anyway).
Now for your opinion: Will IIS 6.0 be a proper web server? Think about it and don't reject it: There wasn't a single reason to consider it if you were happily running the latest version of Apache, but now there is:
Think, think, and then post. And please correct me if I'm wrong. Thank you.
Oh and some things I'd like to point out, because some people get it wrong:
a) When you install Windows 2000 OR WinNT 4, it won't install IIS. Not even with full install. You have to install it separately AFTER the OS installation is complete, so people know when it's installed.
b) The Internet won't cease to exist, and this isn't a conspiracy by Microsoft (probably).
Mis-set clocks? (Score:3)
No, Cringely mentions 2,000 IIS servers that are still in "infection" mode because they have misset clocks. The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.
They seem to be making a real publicity effort (Score:3)
The following is a Security Bulletin from the Microsoft Product Security Notification Service.
Please do not reply to this message, as it was sent from an unattended mailbox.
-----BEGIN PGP SIGNED MESSAGE-----
The Microsoft Security Response Center, along with other organizations listed below, is jointly publishing this alert that ALL IIS ADMINISTRATORS ARE ASKED TO READ
A Very Real and Present Threat to the Internet: July 31 Deadline For Action
Summary:
The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.
How Big Is The Problem?
On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.
Who Must Act?
Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.
What To Do If You Are Vulnerable?
a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft's patch for the Code Red vulnerability problem:
- - Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?Re
- - Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?Re
Step-by-step instructions for these actions are posted at
http://www.microsoft.com/technet/treeview/default
Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at:
http://www.microsoft.com/technet/treeview/defau
Because of the importance of this threat, this alert is being made jointly by:
Microsoft
The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance
Re:Why all the public hullaballoo (Score:4)
WOW! That sounds awful! Run for the hills!
But wait - imagine that a vaccine for the cold has been available for months. You could get vaccinated just by logging into a website.
Oh, and once you're infected, all you need to do is take a nap (i.e. reboot) and you're healthy again.
What a load of scare-mongering. SciAm should know better.
From cringely's article (Score:4)
I suspect this [kuro5hin.org] is the cure.
Browser feature request (Score:4)
If any Mozilla developers are listening, I have a request. I'd like a version which displays a visible icon every time I log onto an IIS server. Then, if I double click the icon, it could list a selection of 'counter measures' such as CodeRed which I might deploy. These might use a plug-in architecture and be downloadable from sites using other browsers.
Thanks for listening.
Headline Contest? (Score:4)
Perhaps this could be a monthly competition. Assuming, of course, that anyone can get through the infection storm to post to it.
Oh, and I'd like to propose a name for the inevitable next worm that just won't die - The Lazarus Worm. Cool, eh?
Why all the public hullaballoo (Score:4)
Why then is this threat suddenly everywhere?
They're FUDing the Net!
The logic is simple. Business wants a new manageable internet. First, prove to the world that end-to-end is broken. Then, advance proposals to fix it.
Waiting for the other shoe to drop. . .
Great marketing ploy (Score:4)
Vote today for Dilbert's list of Top 869 Things Programmers Are Least Likely To Say [unitedmedia.com].
Re:Worms and market share (Score:4)
Why don't you try writing a virus or worm that knows enough about each of the various *nix OSes, and the versions of Apache they are running, to infect them all.
Part of the reason Windows is so widespread is because Windows is stable (in an API sense, and in a reliability sense as far as W2K is concerned), and easy to write for.
Part of the reason Microsoft has so many hackers and skr1pt k1ddi3s after them is because Windows is so widespread.
-- russ
Re:The Entire Internet Will cease to exist... (Score:4)
Steve Gibson Made this Worse (Score:4)
Gimme a break.
Stevie boy is very insane, but he generates hype, which generates headlines, which makes the media look good. So wake up, you government and corporate morons. The world will not come to an end. And Steve Gibson is not the prophet of the internet world.
Worms and market share (Score:5)
Re:Mis-set clocks? (Score:5)
My God, I just realized that the worm's creator was obviously a man with an ex-girlfriend. It has a monthly cycle. It spends the 2/3rds of the month putting its nose in where it doesn't belong. It then spends the remaining 1/3 of the month on a complete lashing-out, bitchfest.
Gads. Couldn't he have just gotten drunk instead?
Gibson may be extreme, but he does have a point (Score:5)
I am not a professional security expert, but I do know my fellow computer users. They will take convenience over security every time until something Really Bad happens to their system. Then they will pay money to solve the problem, be alert for several months, and gradually relax as the problem doesn't reappear. Their knowledge of security may extend as far as knowing to update Norton Antivirus every once in a while.
We are fortunate that most virus writers are not the most skilled programmers in the world. Or, perhaps more likely, they have restrained themselves in order to avoid completely destroying their playground.
Think about this for a minute. It is easy to conceive of ways in which much more damage could be done to the internet than has already been done. If I recall correctly, the ILOVEYOU virus deleted jpgs from hard drives. The worst result I am aware of from this is a commercial image database being wiped out. Now, imagine what would have happened if dlls had been attacked as well. Unbootable computers, applications and system software destroyed beyond repair short of total reinstall, etc. Most Windows machines out there have no file permissions system set up. NT does, but how many DOS-based systems are still out there, and still hold critical work?
The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable. And all of us are impacted by this in one way or another, unless everyone you deal with has good security. If that is true, you are lucky. For me, it is not.
Up until now, we have dealt mainly with simple scripts whose workings are obvious. However, here is some food for thought. Microsoft's servers are not invulnerable. Like any complex system, there are undoubtedly subtle and potentially dangerous bugs in the Windows code which will be obvious to anyone who can steal the source from the servers. If someone with or even without this code writes a truly powerful virus which attacks hundreds of subtle vulnerabilities simultaneously, knows how to hide the code in the depths of Windows, and destroys any system it can after reproducing itself, we are in deep S**t. Right now, most virus attacks involve the active cooperation of the email system - minimally some end user opening an attachment. So the measure of how widespread a virus becomes is often based on how many suckers read it. This is not, as it turns out, a big problem for the virus - it is easy to come up with email titles people will want to open. But if you remember the worm of 88, it didn't require the end user's cooperation at all. What happens when all that is needed for a machine to die is for it to connect to the network unpatched? Imagine the chaos of half a million machines with all their work, programs, and system software gone. Gibson may have a right to be paranoid.
And boy do I love the hysteria. (Score:5)
At 5:15 AM.
In the morning.
From my mother.
She had just seen the FBI guy on TV and was worried her Windows 98 machine would destroy the world over her dialup connection.
I informed her that this was unlikely, and went back to bed.
Re:Down with the internet! (Score:5)
All you have to do is:
Re:Mis-set clocks? (Score:5)
IIRC, the worm is memory-resident-only and therefore can't survive a reboot. It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time. Except that this time everyone's forewarned.
Microsoft knew it all along: It isn't a bug that Windows requires rebooting every few days, it's a security feature.
Re:Steve Gibson Made this Worse (Score:5)