Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Media

Code Red Reporting That Doesn't Suck 191

marvin tph writes "The results are in: Time.com is the first mainstream news source to write an intelligent article on story Code Red. With all the big guys telling people that we've only seen the eye of the storm its nice to see someone get it right."
This discussion has been archived. No new comments can be posted.

Code Red Reporting That Doesn't Suck

Comments Filter:
  • by skrowl ( 100307 ) on Friday August 03, 2001 @08:57AM (#2110061) Homepage
    I don't have time to patch my servers against code red!

    I'm too damned busy reply to all of my email. You'd never believe how many people have been sending me files asking for my advise!
    • I copied my favicon.ico (a penguin icon for MS IE and Konqueror to save along with a bookmark) as default.ida. Now, whenever I get probed, I send out a little portrait of Tux. ;)

      Ok, I know that doesn't accomplish anything useful, but it does cut down on the 404's in the logfile at Librenix!
  • The Silly Season (Score:4, Informative)

    by Marcus Brody ( 320463 ) on Friday August 03, 2001 @08:37AM (#2110587) Homepage
    In the UK, this time of year is sometimes refered to as "The Silly Season" in the media.
    All the poloticians are away on summer holidays.... most of the decent journalists take a break aswell. This leaves the papers a little thin on decent news (er, like, theres nothing happening in the world at all. honest guv. No civil war in sri lanka. No erupting volcano on sicily. No siree). Basically, its the time of year when two-bit journalists regurgitate 2-week old stories, and the papers are full of "and-finally" articles....
  • According to the Beeb [bbc.co.uk] current thinking is that a train crash in a tunnel caused a fire which damaged data cables used by ISPs which were in the tunnel, which caused the slowdown, not Code Red at all.
  • Let's look at the incentives for someone at Microsoft releasing the worm:

    1. Instead of looking foolish because they have a bug in their software, they look like the hero who fights off an internet threatening hacker. (cough, cough)

    2. Microsoft gets a lot of visibility with the government.

    I'm sure there are more, and it's probably a stretch, but makes a good conspiracy theory.
  • A main reason for this thing being blown out of proportion is that the government's computer security people were brought in front of the Senate not too long ago and asked what good are you really doing now? Lo and behold, along comes Code Red! Now they'll be saying, look guys we have a purpose! Keep giving us money! Hey we need even MORE now! This could be good or bad (a little more security on a server is usually a good idea), but Code Red in the end will basically be a tool for getting more gov funding.

  • by novarese ( 24280 ) on Friday August 03, 2001 @09:01AM (#2111782) Journal
    How can you say this is good reporting???

    There was no malicious intent.

    Gee, just a massive DDoS against the US Government. Yeah, not malicious at all. I mean, even if you think this is a worthy social goal, you'd have to honestly believe your audience is a bunch of morons (ok, we are talking about Time magazine here, but still) to say that with a straight face.


    • you sure it doesn't come under 'public service'? ;-)

    • Its saddening to say this:
      The machine in question [whitehouse.gov] is merely a poor attempt to replicate the Marketing Department of a certain monopoly to make people think Bushie is a smart cookie. Marketing attempting to make people think this company's sotware is the only smart way to do business. If you hadn't noticed he similarites think about it, it's frightening.

      However, just because the pages imply that it is the Government doesn't mean it actually *is* the government.
      If We the people would wake up & read the foundations of our government we would realize *WE* are the government & if we don't like what's going on we are obligated to *change* what we don't like.
      Too many laws are on the books, so it's back to basics for me.

      But I digress...
    • I'm still trying to figure out the "sadly untypical security flaw". Should we have hoped for more such flaws, or is this guy unable to proofread his copy?

      And while we're at it, where did he get the idea that "the owners were never aware that Microsoft software had turned their computer into a server in the first place"? Win2k installs IIS by default, it's true, but the majority of the IIS servers out there are NT4, and the Option Pack must be explicitly installed.

      And this is terrific logic: "We welcome their presence, in fact, because they keep our immune system constantly on its toes, ready for any real invaders." Yeah, if it weren't for thieves testing our locks, we wouldn't have locks good enough to protect us from thieves. I think I'll do him a favour and drive by his house every day and break a window, thereby encouraging him to get better windows -- just 'cause I'm such a nice guy.

      • "sadly untypical security flaw".

        Yeah, that still has me scratching my head.

        I liked the story on saw yesterday on the BBC Sci-Tech web site (which I can't find today) which said that because Code Red goes away if you reboot, and because IIS is so much more unstable than other web servers, the spread has been slowed because of how often people have to reboot their servers anyway.

  • by Dr_Cheeks ( 110261 ) on Friday August 03, 2001 @09:02AM (#2111783) Homepage Journal
    How do the majority tabloid media find out about stuff like this? Well, either they hear about it from someone else (and thus Chinese Whispers ensues), or they go looking for info and run into technical stuff that's over their heads.

    What they need is a source that dumbs things down enough to be broadcast on your local Fox afilliate while still keeping it accurate. Soundbite-friendly, not very technical, clear about the details. Most people don't know what you're talking about if you say "IIS vulnerability", but if you say "The Code Red Virus will hack the internet" then most people can get a handle on that.

    It's not just about hype - it's lack of understanding. Anchors aren't good at telling people something when they don't understand it themselves, so it needs to be explained to them.

    I, unfortunately, already have hardly any free time to start up a site providing a service like this, but I'd be willing to contribute to someone else's - anyone up for it?

    • How do the majority tabloid media find out about stuff like this?

      Include something about aliens and/or Hollywood sex scandles.

    • This would work if the point was to reveal the truth. Of course this is not the point of the news media. The point of the news media is to make money. This is easier when people are scared. This is why yellow journalism works so well. The problem is not lack of sources, it's the gullibility of the general populace. The only way we could improve the media is if the general populace was made up of proficient skeptics. But it's not. So it doesn't matter.
  • red rum red rum (Score:2, Interesting)

    by dermotfitz ( 470733 )
    Anyone know of a site that gives a good technical explanation of the worm? I'd like to know if it shows up as a process of its own or if it is part of the IIS process. Also, can it be killed without a reboot. What about if you received two separate probes (potential infections)? Would you have two processes trying to spread the worm?
  • Is /. the only news site that covers the SirCam virus? I actually got a copy of the damn thing the other day, and I'm glad I don't use Outlook. I'm also glad that I had a resource like /. to tell me what it looked like before I got the damned thing. The mainstream media needs to look more at a virus that DOES affect the casual MS user (95/98/ME) instead of an NT-based worm like Code Red that falls flat on it's face.
  • Hype? Maybe but.. (Score:4, Insightful)

    by kill_9_1 ( 123711 ) on Friday August 03, 2001 @08:52AM (#2114389)

    Was the story hyped by newsmakers and others who would benefit from such an event? Probably. Was anyone harmed by the hype? No (unless you count late-night patching). If anything, it got sysadmins everywhere into action to fix a hole that could have resulted in a real problem

    • If anything, it got sysadmins everywhere into action to fix a hole that could have resulted in a real problem


      As a tech-savvy guy, I often get asked, "Why do people do this?"

      I realise that this is not the motivation for every virus or worm, but generally, each one raises some awareness in the consumer. The popular viruses get around and a lot of people see it. Every time, they "update" their virus scanner and feel safe until the next one. What I tell people is that it shows the inherent security problems in Windows. I chase that with, "What if a your company's competitor writes a virus targetted at your's and nobody else's? They have the power to grab all of your intellectual property and no virus scanner out there will save you because they only deal with 'popular' viruses. Once the damage is done, it's done. Virus scanners only superficially 'fix' the problem. The *real* threat is the inherent insecurity in Windows/Outlook that Microsoft seems unwilling to fix. These viruses you see are warnings and nobody is realising that. Few people are aware of the real problem."

      This usually enlightens them. The big problem, as I see it, is that the popular media isn't saying it. As long as they aren't, the problem will continue to exist... *sigh*

      Then again, I *am* known as the second most paranoid person at my place of work (the biggest paranoiac doesn't trust the use of kernel modules, and that is probably the only difference). I may be totally off base, but if you think I'm not, then, by all means, answer the inevitable question appropriately.

      ** I apologise for any incoherence in this post. I drank more than usual today as we were let out early to "enjoy" the day :-)* I hope you get the gist, though, as I can be quite passionate about the topic (and friggin' wordy, as well).
  • by sdo1 ( 213835 ) on Friday August 03, 2001 @08:43AM (#2115481) Journal
    Code Red is providing a convenient excuse to the feds to call for further regulation of the internet.

    "Our economy DEPENDS on the internet!" they'll cry. "We can't let our country be reduced to rubble by some malicious hacker!"

    And of course the press buys right into it. The DMCA, bills to punish users of school networks and computers, laws with stricter penalties for hackers than murderers... expect it to accelerate. Worms like Code Red just give the feds the ammunition they need in the court of public opinion.

    -S
    • While we're talking conspiracy theories, take a look at Cringely's latest column [pbs.org], where he believes that MS will be leveraging these types of holes to create their own proprietary TCP/IP-like protocol that will be forced down our throats and will receive backing from the government. Sounds a bit far-fetched, but I wouldn't put anything past MS when it comes to them controlling markets that they have their fingers in.
  • i don't buy it (Score:2, Insightful)

    by emoeric ( 470708 )
    From the article: "We welcome their presence, in fact, because they keep our immune system constantly on its toes, ready for any real invaders." The 'what doesn't kill us makes us stronger' attitude really doesn't do it for me. I'm glad that the hole is fixed now, but really, how long will it take before somebody makes a really badass virus that does what this one stopped short of? IIS is not anything like a human imune system: the human body adapts to diseases...its something like survival of the fittest?

    For my money (or lackthereof), and i hate to jump on the bandwagon and mention linux in every /. story, the real living, breathing OS is not windoze...I'll go for an OS that is constantly improving itself.

    Anyway, i dont really buy the point because it's like finding somebody with no white-blood cells and sending them out to get a cold, and afterwards saying that it was a good thing for them to go to the hospital.

    My two sense(s).

  • by EyesOfNostradamus ( 75825 ) on Friday August 03, 2001 @08:46AM (#2116200) Homepage
    The Code Red background noise could serve as cover for a much nastyer worm to be released.

    Consider the following scenario: a new worn, let's call it Code Blue, exploits the same security hole as Code Red. However, rather than attacking randomly any IP address, it would first just sit there and wait. As soon as it got a probe from the original Code Red (which statistically happens about 3 times per hour), it would "fight back" by infecting the attacking machine and replacing Red with Blue. The newly infected machine would behave similarly.

    After about 11 hours of propagation, the new worm would have infected a significant percentage of the vulnerable machines, without revealing its presence in an obvious way. It would only attack machines which are known vulnerable (and hence probably badly maintained), and probability of anybody noticing would be incredibly small. Then after, some twenty hours, it would start to do some fun stuff...

    • This is the nature of worms: they advertise exactly what is vulnerable, and advertise exactly how they're vulnerable.
    • by friscolr ( 124774 ) on Friday August 03, 2001 @09:56AM (#2139256) Homepage
      Code Red first started wreaking havoc a couple days after the bugtraq post about the telnetd vulnerability - about July 19th, after the mutation which allowed it to truly randomly spread.

      There were no more posts about the telnetd vulnerability for a few days as the bugtraq list was saturated with Code Red information. I'm paranoid as fuck and assumed that Code Red was a cover up for the telnetd exploit which we'd later find out affected every single version of telnetd out there (including on routers and the like).

      But it didn't happen that way.

      It is a lesson in distraction, though: when a true hacker wants to really take over the net, a Sircam virus or Code Red worm will make a great cover for the true exploit. I'm sure Sun Tzu wrote something witty about this, as it is the same technique used by countless military tacticians (at least the ones who "won") - c.f. the amphibious build-up prior to the land invasion during the Gulf War, or Patton's fake army prior to Normandy Invasion during WWII.

    • That's stupid. The amount of machines Code Blue could attack would be vastly diminished because so many people patched against Code Red.

      Worms like this propogate because people aren't prepared for them. Why alert everyone to the existence very security hole you plan to exploit?
      • by EyesOfNostradamus ( 75825 ) on Friday August 03, 2001 @09:33AM (#2141478) Homepage
        There are still about 100.000 vulnerable (and by now... infected) machines out there. Many are home machines connected via cable or DSL, whose owners may not even know that they run a web server. Another big contingent are countries such as China, Korea, Taiwan, where traditionally they take a more relaxed view about security.

        Code Red could be a good launch platform for some other nastyness. Make it multiple phase. First propagate under cover of Code Red. Then, after a set time (say, 24 hours) change phase, and use a different propagation medium (email, another exploit, whatever) and toss away Phase I code. The benefit: a much larger launching platform for the actual virus! And if Phase I code is cleaned away well enough, nobody will be able to understand where the virus suddenly came from, out of nowhere.

  • by Bowdie ( 11884 )
    From the BBC's news page about codered :

    "What might also hamper the ability of the virus to spread is the relative unreliability of Microsoft web servers.
    The Code Red virus lurks in the memory of a web server and is cleared when the computer is rebooted.
    As Microsoft servers crash more often than many of their counterparts, this might limit the spread of the malicious code. "
  • Plain and simple, the reason that these worms/viruses/etc get so much media attention is that the general public is, more or less, ignorant about what goes on underneath that box that gives them their email. Hence, they hear something that makes the investment they have made into this email fetching device seem not so secure, and panic. The media lives and dies on this sort of story. Y2K anyone? It's a pure and simple ratings bid, and actual substance is immaterial in technological issues, since little of their audience would understand it in the first place. Furthermore, a catchy name like Code Red is ripe for a media blitz!

    Root DOWN
    grep what -i sed?
  • its expected... (Score:2, Interesting)

    by Extimes ( 250515 )
    nobody (statistically) really cares - for that matter, 99% of the population has no reason to care about code red anyway. SirCam should be getting the attention, but "Code Red" has a much more sensational name. Hence, the media blows it out of proportion
    • Re:its expected... (Score:1, Insightful)

      by Anonymous Coward
      Code Red is getting sensationalized partly because of the suggestion that it came from China. The media desperately wants to make a big deal out of the so-called "war" between US and Chinese hackers, but they're thwarted by the fact that nothing much has actually happened.
  • An observation... (Score:5, Interesting)

    by jeffy124 ( 453342 ) on Friday August 03, 2001 @09:18AM (#2120090) Homepage Journal
    For whatever reason, I can't connect to Time.com to get the article, so I'll ramble about an observation I've made:

    A machine at a research lab at school runs apache. In the access_log, from July 18-20, it had 18 attempts from a Code Red infected machine to spread the worm. (Naturally the attempt fails, cuz it's apache) But from August 1st through 'til about 9pm (EDT) last night (Aug 2), 36 attempts. So the question is - If the worm is spreading slower, why is it this one system has had more attempts of spreading this time around than the first?

    • Re:An observation... (Score:2, Interesting)

      by moatz ( 199627 )
      I have a DSL line and windows 98 which is protected by ZoneAlarm.

      Over the last 2 days 90% of the attempted accesses to my machine are to the HTTP port, whereas a month a go I can't remember see these type of alerts.

      Something surely is brewing
    • Re:An observation... (Score:4, Informative)

      by Saint Aardvark ( 159009 ) on Friday August 03, 2001 @10:28AM (#2120404) Homepage Journal
      Hey, folks -- mail those logs!

      From http://dshield.org/codered.html [dshield.org]:

      As you have probably heard, the Code Red worm has infected over 100,000 machines running Microsoft IIS, and the total is rising. We need to identify the infected machines so that the owners of these machines can be notified so that they can be fixed. We are appealing to DShield submitters to do a special one time only submission for log entries that contains this information.

      Linux and other *NIX users Can do this by changing to the directory where your web server logs are located and executing a script like this:

      grep 'default.ida?NNNNN' access_log | mail -s 'APACHE' redalert@dshield.org

    • Spreading slower, but over a longer period of time. It was still spreading between 19 July and 1 August because of incorrectly set clocks. Many servers infected the first time were never cleaned, which means that, as it goes back into its infective mode, it is starting from a larger infected base. So in September it may be even worse. I recall the Chinese curse "May you live in interesting times". Interesting times, indeed.
      • I understand your logic in some machines not being cleaned, having incorrect time, etc. But this particular system had no attempts between July 21-31, so I fail to see how that affects the spread of the worm. Besides, the worm was programmed to lay dormant from July 20-31. There was only one hit on July 20, most likely from an incorrect clock on the infected machine.

        I just checked the log again, as of 9:35am EDT august 3, there have been 40 attempts. A closer look at the log shows as little as 10 minutes to as much as 5 hours between attempts.

        Check your own logs:

        cd <your-apache-install-dir>/logs
        grep NNNNN access_log

        The NNNN is part of the HTTP request issued by the worm itself, as you will see.

        • The infection attempts of the worm was much more random after July 18th. You're right that it was not supposed to spread any more after the 19th - but it was supposed to attack the whitehouse for a few days and then lay dormant.

          The hit you saw on the 20th might also be from someone in a different time zone - you're in EDT? Was the hit before 6am on the 20th? I got one hit on the 20th but it was before 6am so i figured it was someone in different timezone.

          As far as the amount of hits that you're getting now, it is most likely due to the time the worm has to be in infect mode coupled with any random deviation (since the spread is random you might see 10 hits one day, 50 the next - i don't know the statistical term for this).

          My logs [blackant.net] thus far show about an average of 21 hits per day this time around versus 24 hits on the 19th, so i don't see that much change.

          oh yeah, here you go:
          grep default.ida?NNNNN access_log | cut -f2 -d[ | cut -f1 -d/ | sort | uniq -c
          for default apache logs :-)

  • Smoke on the water.

    Hacked by Metal Heads.
    • I love moderators who DON'T READ THE ARTICLE. For that ID-10-T here is the paragraph which my comment refers.

      Because what we're preparing for is not the Code Reds of today, but the Code Deep Purples of tomorrow. Not half-assed worms cobbled together by so-called "script kiddies" who merely download the right pieces of code and whose intentions are basically benign. I'm talking about vast and malicious super worms. If you could create something that attacked Cisco router software, for example, you really would cause a global Internet meltdown.

  • just a note (Score:1, Offtopic)

    by daevt ( 100407 )
    i dont mean to be a bitch or anything like that, but to enter the eye of a storm you have to either pass through the eye wall (where the storm is strongest), or fall out of the sky (which i hear also sucks without the proper prep). just so you know
    • That was cute. I wonder why it was modded 'off topic'? I wish negative moderation were reserved for posts that really threaten to flood us in crap. A post that replies to the front-page blurb may be marginally off-topic, but is it worth modding down?
  • Finally, someone rational talks about code red. I really enjoyed reading the useful information that was in this article, even though there was some babble to go with it. Now I just want to know where the other news sources [yahoo.com] got the "billions of dollars of damage" information from. Maybe this was all just a big scheme by the government to hide a bunch of money going into secret research projects. You know, like the $20k toilet and the $50k hammer...
  • Do you still believe in virus alerts you find on mainstream media? or is it hidden just y2k-syndrome bubbling to the surface of nothing?
  • by Si ( 9816 )
    Did anyone else notice that Chris Taylor could be the offspring of Chairman Mao and Robin Williams?

    The word 'columnist' (communist) on a red background only enhanced the illusion.
  • Finally, a news article that was not innacurate or written specifically to cause panic. I don't know how many average people will read this article but I hope quite a few do. The more of these truthful (a nasty word in most of the press) articles the better, in fact I would encourage all of you to write to this man thnaking him for the article and to link to the page if you have a website. Maybe if he gets enough positive mail, and the page gets enough hits, Time will let him write more major articles. A little truth in the press can't hurt Linux or the Open Source movement.
    • To my surprise, I found another good article about Code Red on BBC News Online:

      BBC News | SCI-TECH | Code Red 'was never a threat' [bbc.co.uk]

      At long last, people actually see that Code Red is just an IIS worm exploiting an IIS bug that was fixed two months ago! It quotes Graham Cluley of Sophos, one of the most clued in people in the antivirus companies.

      Unpatched systems are not just a problem in the Microsoft world, of course: remember all the Sendmail 8.6 and SMI-SVR4 and 8.8 (nasty buffer overflow/relaying/take your pick) installations or old versions of BIND or Apache that litter the Net, and sigh. Microsoft had a patch out within days of the vulnerability getting posted to bugtraq, and all the open source products would do the same - or release a new version.

      Admins that don't keep up with patches or new versions are the real problem here - that's why we have so many open relays, or rooted RedHat 6.x machines. Does linuxconf still make open relays by default? It did for a long time.

      The ineffable rubbishness of IIS does need to be taken into account here - I'd rather use Apache. However, admins that don't keep up with the security patches mailing list (or bugtraq) for NT or Linux or xBSD or anything is in serious danger of being rooted whenever anything like Code Red or the Morris worm or just your neighbourhood script kiddie comes along. And that is a seriously bad thing.
  • Interesting Point: (Score:3, Interesting)

    by Lizard_King ( 149713 ) on Friday August 03, 2001 @08:51AM (#2126719) Journal
    "For Microsoft, this was the kind of publicity you just can't buy. ... they also had their name inextricably linked with the well-being of the Internet itself"

    This is quite an interesting point that Taylor makes. The FUD-monster in the back of my mind is thinking up future scenarios where Microsoft could privately release worms/virii to rally support from the public.

    I'm just waiting for the next major worm to have pop-up ads.
  • Dutch website Security.nl [security.nl] has published a preliminary map of the geographical dispersion of the infected hosts that visited a dutch ISP network. They will update the map as more data is analysed.

    It's at http://www.security.nl/misc/codered-stats/kaart.jp g [security.nl].

  • With all the media coverage one should think that the affected server should be fixed by now... However, I'm still getting hit a few dozen times oer day. (Not that I'm running any version of IIS :-)
  • "With all the big guys telling people that we've only seen the eye of the storm its nice to see someone get it right."

    Are you serious? This was the computing equivelant of Jon Katz covering, uhmmm, Cats. Sure, it made the Feds look like the miserable, inept, slugs that they've made themselves out to be, but it didn't offer any answers. Anyone can go on a tyrade making a mockery of any suit and pseudo-suit, I do it all the time, as a matter of fact. . .

    Whoa, uhmmm, scratch everything after the start of the little gray box up there.

  • Why the media picked Code Red (maybe it was the name... Mountain Dew has been getting alot of pr... hmm... conspiracy??? ;-)), over sircam is beyond me. Lets see...
    Code Red only affects windows 2k... and only windows 2k thats running IIS. Thats not a very sizable market.
    Sircam affects anyone too stupid to be careful (which is pretty sizable... just think about how dumb the average person is and remember that 50% of the population is stupider than that).
    Ironically has anyone noticed that its the the virus,worms,etc that are aimed at people that cause more damage than those aimed at the technology (if you call windows that). Kinda makes me wonder why we're pushing for AI when we're having enough trouble finding NI. Just a thought...
  • Finally, someone gets it right. I sincearly hope Time takes the author of that article and makes him Senior Internet Consultant or the like. There's not enough intelligent technology reporting in the news these days.
  • I've seen 57 hits on my cable modem in the past week. That's about double what I saw from the last iteration. The number of sites that have been infected (according to incidents.org) has already passed the last iteration as well.

    It would be nice if the press could get some real experts in security and the Internet to talk about this thing, not press-seeking wannabes.
    • Agreed. I have 71 hits over the last 3 days, many more than the first outbreak. 19 on wednesday, 33 yesterday and 19 so far today (10:40 Eastern).

      Maybe the thing is getting through its random IP generation faster??

    • On Aug. 1, my cable modem-based site registered 7 hits from Code Red-infected machines.

      On Aug. 2, there were 32 hits.

      As of 8:37 AM EDT on Aug. 3, there have been 19 hits - more than half of yesterday's total in just over 1/3 of the time.

      Average time between hits (eyeball guess) is 0.5 hours, and will probably decrease by the day.

      I'm going away for the weekend. I wonder what those hit totals will look like come Monday night.

      Code Red may not cause any trouble to the White House, but I don't think many people will be laughing in, say, 1.5 weeks if hit counts (and, by extension, infections) continue to increase at their current rate, or on the 21st when it tries launching another DDoS.
  • check out: How Code Red Works [howstuffworks.com]
  • Concur (Score:2, Interesting)

    by Runt-Abu ( 471363 )
    I have to agree, this is a very insightful article, but i'm not sure about the end;
    (Quoting ) [time.com]
    'Apart from that, the whole red-alert reaction only demonstrated that there's seemingly infinite space on the Feds' faces for more egg.'

    Do they Feds have egg on thier face?

    I'm not so sure, real egg would be getting infected whilst giving the dire warnings of what would happen, but in this case I think they are only slightly blushing.
  • Caida is producing dynamic graphs of the code red spread. It seems that there is about 50% less infected host than last time. The worm progression seems to have stopped, probably that all the machine with the IIS bug are now infected.

    http://www.caida.org/dynamic/analysis/security/cod e-red/index.html [caida.org]

  • by hillct ( 230132 ) on Friday August 03, 2001 @08:54AM (#2135726) Homepage Journal
    Chris Daylor in TIme, makes a few good points. IF you look at biological virology, and compare it to computer viruses, the similarities are striking.

    Viruses can either stealthily infect every computer available to it then after a gestation period, attack and destroy the computer in some way (NetHazard level 1) or as soon as it infects a computer it can simply wipe the drive and be done with it (NetHazard level 5) but this doesn't give it any time to infect other systems. As such a NetHazard 5 virus would (in virology lingo) 'burn itself out' in a short period of time.

    We've seen our first highly infectious virus recently, in Code Red, but we havn't seen one so highly infectious that also causes the patient to bleed out and die. In short, we ain't seen nothn' yet.

    I'm waiting for a patient virus writer to perfect his software first, before releasing it, because so far, although Microsoft software is a favorite virus target, virus writer seem to employ the same software development model as Microsoft, in that they just let their code loose on the net without debugging or optimizing it. Imagine what email (read: Outlook) viruses could do if the writers stopped to use proper grammer in their messages, or taylored the attachment type to the domain from which the infected computer is sending the message (office docs for .com, web pages for .net, etc...). Better viruses are on the horizon, and I'm amazed we havn't started to see them already.

    --CTH
    • IF you look at biological virology, and compare it to computer viruses, the similarities are striking.

      I'm waiting for the first worm to appear that has a quasi-genetic structure.

      Create a population of worms, and give each worm a few chromosomes, and some code that allows it to propagate using strategies determined by its genetic material. Give the worms an initial state that allow it to exploit some basic M$ vulnerabilities, and release a few hundred.

      Every time a worm infects a new system, it looks for any other genetic-based worms. They've also been successful in infecting the system, so get the worms to mate and produce a new generation of a few tens of individuals from their genes (plus a few modifications).

      Rinse and repeat.

      • From everything I've read about such programs, you'd have to be careful that the dominant "species" didn't become the one that could pretend that it had infected a bunch of systems....
      • There have already been worms/viruses/etc. like this, but just not on the net (that I know of...probably there have been though). Instead of "chromosomes" you'd have features (sleep for this long, deliver this type of payload, infect this type of system, etc.). When these things detect each other they'd take some random (or perhaps not random? maybe determined by some fitness test) features from each and create a new "child", and send it off in the world. These would be very polymorphic, and there would probably not be as much of a distinct signature to identify them by, slipping right by virus scanners. Viruses have also employed encryption and various other randomizations to become polymorphic and undetectable by virus scanners.
        • These would be very polymorphic, and there would probably not be as much of a distinct signature to identify them by, slipping right by virus scanners.

          Good ol' evolution. Once such Virii become frequent, the anti-virii people will need to code intelligent agents that can recognize a virus based upon its components. Instead of exact signatures we need intelligent pattern matching. For these kinds of virii, a signature might be
          if it has 6 or more of the following components, then it might be a virus.

          Also, frequency counts (and the like) on structures in the code might come in handy. Has anyone ever done freq counts on code structures and come up with general templates for network apps vs word processors, spreadsheets vs video games, virii vs non-virii ? I think i know what i'm going to do for the rest of the day instead of working...

      • You don't need a genetic structure, what you describe could be obtained by modifying the existing Code Red worm to make a random change to the GET request it uses to spread itself. Say, once every 100 attempts to spread, it makes some random change to one character of its 'child'. As in real life, the vast majority of such changes would be either deadly or would end up in the long string of NNNNNNNs and have no effect. Once in a great while, a variant would turn out 'fitter' than its parent, for example by disabling the limitations that keep the parent in check or becoming somehow less visible to human observation.

        Give it a year to run, and who knows what could happen? [amazon.com]

    • Chris Daylor in TIme, makes a few good points. IF you look at biological virology, and compare it to computer viruses, the similarities are striking.

      I agree, it's a very good point. A thought that occured to me after I read the article was comparing innoculation methods of the biological world against those in the computer.

      One way the human body can be made ready to deal with some strain of virus is to inject a dead of version of the virus into the blood stream, the body produces white blood cells to fight off the attack. In essence you're priming the body against a possible future attack.

      The computer equivalent would be to release a virus into the world that makes use of a given exploit but isn't actually harmful. For example, it infects a machine, attacks other machines for an hour, then pops up a message on the user's screen telling them what to do to fix it. It'd be a downright illegal thing to do, but it would effectively strengthen the Internet against some form of attack.

      The Internet was built with our best understanding of organized systems, it's ironic that it winds up resembling an untidy organtic entity. I suspect we'll have to crack open books on biology more than once to successfully tame this thing, this is only the beginning after all.

  • My logs show 46 attacks from 44 IP addresses, starting Aug 1. My site is not well known, so this is random scanning. If a machine is vulnerable and on the net, it's going to get this. That said, the cries of "the internet is going to meltdown" now sound like the dire Y2k predictions. (Or Bob Metcalfe's bleating about internet 'gigalapse'.)
  • by camusflage ( 65105 ) on Friday August 03, 2001 @08:37AM (#2140340)
    Are we really surprised? The media loves to play to the man in the street's fear that the net can easily be taken down. No one ever brings up that the core protocols of the net are built to route around problems. From the Michaelangelo virus to Y2K, they glom on to every story and predict the imminent death of the web. We of the techies know better. We know that it would take nothing short of a massive world-wide failure of the power grid and oil delivery infrastructure to truly take the net offline.
    • You don't find it ironic to complain about this on *Slashdot*, do you?

      b.
      • Taken as a whole, /. isn't that bad. Sure, if it's your only news source, you need help, and yes, Jon Katz tends to rant about minutae sometimes, but I'll take Slashdot over my local Fox affiliate any day of the week. I'll trust RobLimo to keep people in line editorially far more than I do the WSJ to keep Kara Swisher from exercising conflicts of interest. Stories casting OSS/Linux in a negative light are run along side everything else.
    • by Anonymous Coward
      A worm can't take a big chunk of the Internet down. A lowly backhoe, on the other hand...
      • If you had a worm that propogated through the DNS servers on the net, then at some point activated to disrupt the DNS services, that would come about as close to bringing the net down as you could get, for practical purposes. Between Bind and Windows DNS, you could do some real damage. So while I agree that the media coverage of Code Red was pretty sensationalized, I don't think that the net at large is all that invulnerable.
    • And this is precisely why every single news source [TV, radio, print, etc.] needs to have one or more dedicated technology correspondents. Every other arcane-yet-important [like law or medicine] field has its own senior correspondent, where the reporters can get "expert" advice on the latest Supreme Court decision or pharmaceutical breakthrough - why shouldn't they have a chief technology correspondent? All they'd need to find is someone who can adequately translate geekish to something Joe Sixpack can get his mind around, and who can provide intelligent commentary on technology issues.

      Of course, with our luck, they'd hire some photogenic smooth-talker to spin the corporate line - "Open source is communism! Napster is theft! Buy Microsoft or you're going to go to hell when you die!" etc.

    • Yes, good point my friend.

      I think the media need it pointed out to them that the net was designed by DARPA to withstand NUCLEAR WAR. I reckons it will take a little more than a slightly original-thinking s'kiddie (yes, that is an oxymoron) to bring it down!

      ...Then again, lets hope someone didnt go and assign a port number for the Big Red Button...
  • by Markvs ( 17298 ) on Friday August 03, 2001 @08:59AM (#2147418) Journal
    ...which is probably most Americans...

    Stolen from the article:
    "For Microsoft, this was the kind of publicity you just can't buy. Not only did Redmond get to share a dais with the Justice Department --which is rather like Stalin vowing eternal friendship with Roosevelt to counter the Nazi menace -- but they also had their name inextricably linked with the well-being of the Internet itself."

    Which is *exactly* what it is, except that in this case there isn't any Nazi menace to stand up to. My bet is that this will be seen as a way to soften the DOJ/Microsoft schism in the public's eye and make all those pesky state lawsuits go away that much quicker.

    History is *filled* with bait-n-switches like this, which most people pick up on about as frequently as they do retail prices going up two weeks before a big sale. Study the past. Without it, you'll never see the future.

  • by weave ( 48069 ) on Friday August 03, 2001 @09:22AM (#2147631) Journal
    I liked this bit from the article...

    It could replicate itself across thousands of servers ? usually because the owners were never aware that Microsoft software had turned their computer into a server in the first place.

    We set up a simple win2k file server and specifically did not want IIS installed. There are a LOT of things on 2000 server that depends on it and if you check them on during the install, it will silently recheck IIS again. Want to just run an ftp server? It installs IIS.

    We had to go back and uncheck IIS three separate times during the install. Another server done by another tech had IIS after I specifically put in a work order NOT to install it. He swears he didn't. I believe him.

    It's as bad as the original various linux distro installs enabling every damn service under the sun (no pun intended) during an install.

    Don't believe me? Just watch your code red hits on your web server and go to the sites that nail you. Most of them have either the default page or "directory listing denied" message. They are not big corporate servers for the most part that I've seen... That leads me to believe that a lot of these people don't even know IIS is running on their server...

    • I feel I need to point out the following:

      IIS stands for Internet Information Services - that includes FTP and HTTP. IIS is usually used as a webserver, but you can also use it as a FTP server and various other servers, all through the same "friendly" interface. You can install IIS without the webserver and with various other interfaces.

      My install of Win2K (hey, I'm at work, writing ASPs - it's a paycheck, layoff) has the following IIS options:

      • Common Files and Documentation as items - the Common Files are required, Docs are useful
      • FTP Server
      • FrontPage 2000 Server Extensions (allows FrontPage to post pages via the HTTP server)
      • Internet Information Services Snap-In - some sort of managment utility
      • Personal Web Server - actually, a GUI for idiots who want to screw themselves over with bad IIS installs (it's basically a on/off switch for the webserver plus some pretty slides)
      • SMTP Service - an SMTP server
      • Visual InterDev plugin - same as FrontPage extensions, but for InterDev
      • World Wide Web Server - what most people call "IIS"

      IIS is just Microsofts server platform, it isn't just a webserver - that's why you have to install it with a FTP server - it contains some core files along with pretty graphical management software. If it helps, think of it like inetd - it also does configuration and other management "stuff." (I'm not sure exactly what the "Common Files" are and what they do - I think they're mainly the configuration/management utilities though.)

    • You can't install the FTP Service without IIS.

      You can install the FTP Service without the WWW Service, however.

      These are important distinctions that it doesn't seem you grok.
    • Others have replied pointing out that IIS != WWW Server, so I won't bother to go into detail. But here's something else to consider.

      The problem as I see it is that Microsoft has put a pretty front-end GUI on everything and thereby allowed idiots to believe they can be a sysadmin. If you want to set up a Unix server, you need to have a certain amount of knowledge before you can even get the thing up and running to serve web pages. But a Windows web server, on the other hand, is so simple to get up and running in a basic configuration that it doesn't take much to struggle through and get a web page presenting. Unfortunately, that's the point at which the average Joe will congratulate himself on his system engineering skills and move on.

      Completely forgetting to do any administration, such as disabling the web service if it's unneeded.

      For better or worse, Microsoft's integration of internet-serving features into IIS means that IIS is the base platform for both WWW and FTP services. But the people to blame here are the people who don't know enough to take a minute after installation to go in and diable the default and administration web sites (or even just not install those features in the first place -- guess what? You can actually choose to not accept defaults! and go in and uncheck the little box next to web services, and IIS will happily install the basic IIS snap-in and FTP services and you'll have an FTP server without a Web server).

      Along with power comes responsibility; and if someone gets seduced by the pretty pictures into believing they can run something without having to check the manual or investigate beyond the defaults, then that's irresponsibility. Like it or not, Britney Spears is not sufficient reason to boycott Shure. Well, probably not...
      • The problem as I see it is that Microsoft has put a pretty front-end GUI on everything and thereby allowed idiots to believe they can be a sysadmin.

        Agreed. But Microsoft throws out marketing crap saying that it is so much easier to administer than Unix servers and will save your company tons of administrative costs, but then turns around and claims a sys admin needs to have several thousand dollars in training to administer one. Which is it?

        And getting back to my original note, saying FTP service was probably a bad example. I'm not an idiot, we are trained mainly on the UNIX side of the house and our main web server is Apache. When it came to set up a file and print server, THAT is what was studied up on and that is all we wanted on that server. I swear the most innocent things turned on IIS and I did not want it installed without knowing how to administer it correctly.

        So just because one doesn't know the Microsoft server world inside out doesn't make them any more of an idiot than an MCSE or whatever not knowing squat about UNIX. The idiot is one who sets up services like IIS without knowing how to administer it correctly and the point of my exercise was NOT to install the damn thing cause of it...

        Sigh...

        File and Print service. Remember that? I didn't want all the other damn bloat in this particular case.. (Wishing I had just set up a Samba server for that particular project. Would have been a lot easier....)

  • The Code Red reporting made me laugh- until I got two dozen requests by desktop users for "that thing from Microsoft that's supposed to stop Code Red."

    How can we expect good tech reporting when the whole of the news business is going down the pooper? Look at what CNN is about to do to Headline News. They have hired an actor to anchor the news. [ridiculopathy.com] Now some news organizations would have played it safe by hiring someone with more than two years of reporting unde their belt. But CNN knows that outdated concepts like "experience," "journalistic integrity," and "fact checking" no longer apply in the 21st century's news entertainment business.

    And people will watch, no doubt. And these people will get the kind of crappy, poorly-researched, panick-stricken news that they deserve.

    • Well.. when you think about it.. the news anchors are just talking heads.. news readers.. they don't actually do any real reporting. That's done by a huge staff and tons of interns, not the people on TV.

      So why not hire somebody that has alot of on-camera experience, all they're doing is reading..

  • by Lumpish Scholar ( 17107 ) on Friday August 03, 2001 @09:05AM (#2147699) Homepage Journal
    From the article:

    There was no malicious intent.

    Except to trash whitehouse.gov, using servers and networks all over the world to do so.

    In the vast world of potential Internet viruses and worms, Code Red is a grade Z microbe.

    If people hadn't woken up and smelled the patch, it would have been a grade B (if not A) pain in the butt. Like Y2K, there was too much hype, but the hype helped; a self-defeating prophecy.

    It would have to go through a significant amount of mutation before it became any sort of serious threat to the Internet's health.

    Significant, but not huge. There's been lots of discussion about how bad the next generation may be.

    At its broadest definition, all hacking is white-hat hacking.

    This statement is nonsense. There is certainly such a thing as white-hat hacking, and certainly too much hacking is portrayed as far darker than it really is, but there's a huge difference between the white hats and the jerks behind Code Red.

    At most, Code Red proved you should always be wary about what Microsoft software does to your machine, like turning it into a server without your implicit knowledge.

    Um, these machines were supposed to be servers.-)

    We should be wary about what any software does to our machines. Point well taken, though.
  • Voice of Reason (Score:2, Insightful)

    by ashkendo ( 452892 )
    Forgive me for being 'uncool' by disagreeing, but this article is horrible. No malicious content to the virus!? It's initial intent was a DOS attack on whitehouse.gov. It was rather lame in it's attack, but that was still malicious. Also, it's complete crap that MS came out of this looking good. It was another high-publicity security hole for one of their systems. No matter how it was handled this still made them look bad to the general public. Also, there was a considerable slow down on some Internet backbones due to the whitehouse.gov attack; and some slowdown on a few backbones Wednesday afternoon due to attacks by a variant of this worm attacking other gov't sites. I don't mean this as an attack on anyone, but just remember that no matter how you feel about a certain topic, don't let you feelings and opinions cloud the facts.
    • "Also, it's complete crap that MS came out of this looking good. It was another high-publicity security hole for one of their systems."

      You know that and I know that, but what Joe Newspapereader knows is that an "Internet virus" was stopped by "Microsoft security." Joe N. doesn't know that a relatively small portion of the Net is run by Microsoft servers, and that only those servers are affected, and that the total effect on the Net even if every M$ server in the world stopped working at once would be minimal. Joe N. knows "Virus bad, Microsoft good."

  • The BBC [bbc.co.uk] is running a story [bbc.co.uk] about how the bandwidth loss during the first Code Red attack was actually due to a train crash.

    I haven't seen this anywhere else, can anyone corroborate?

  • At last!! (Score:2, Interesting)

    by The_Weevil ( 448754 )
    Oooh praise time. Yeah, the Code Red virus event. I got extremely irritated by the news media on this one. Promising the 'downfall of the internet' etc etc. Fact is, the majority of the internet runs on UNIX, which has evolved from a network environment to an internet environment steadily and sensibly over 25 years. MicroSoft windows NT has not done this, it's 'evolved' in the space of a couple of years, and is affected by every virus under the sun because it uses the Win32/DOS MZ executable format that everyone is so fond of coding virii for. Hopefully this will convince people to stop paying extortionate amounts for crappy MicroSoft webservers and get a sensible OpenBSD server with FP2000 extensions (if you must have them) instead. Keep the GUI on the desktop, servers do not need a rediculous GUI stopping you from properly managing processes etc.

    Anyway. The weird thing about the Media is that it has concentrated on the malicious people who created the virus. I have not seen anyone comment on why it is always Microsoft servers that seem to appear in the news; only a few months ago there was the great MS Administrator Password fiasco. Then there was I Love You and so on.

    It'd be nice if someone created some software to check for dDoS worms on servers. All you need is a packet sniffer to track incoming and outgoing packets and hunt for millions of outgoing packets that werent originally to an IP that hasn't requested anything.

    The idea of an 'immune system' mentioned at the start of that article intrigued me. It would be very nice if someone like McAfee created a system that automatically pushes upgrades to registered antivirus software running on servers as soon as an outbreak is detected, so that the software could instantly do a quick search for that one virus and deal with the problem each hour for several days or something (although several days is a bit of a wishfull uptime for microsoft servers, Ho Ho Ho Ho etc :P...). Well thats what I think. Bubbye. Weevil
    • I have not seen anyone comment on why it is always Microsoft servers that seem to appear in the news
      That's because your average Journalism major is probably only vaguely aware that there are any other operating systems besides windows [and possibly Macintosh, for those clueful enough to realize that their Mac doesn't run windows]. Mention "UNIX" to a journalist and he's more liable to think about harem guards rather than an operating system.
  • I just read this one here [globetechnology.com]:

    Worms are a common Internet technology that have been in use since the late 1980s. For example, most search engine operators, such as Yahoo or Google, use worms to index the Internet.

Machines that have broken down will work perfectly when the repairman arrives.

Working...