Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

CAIDA Released Code-Red Worm Post Mortem

Hemos posted about 13 years ago | from the scalpel-video-camera dept.

The Internet 186

davidu writes "David Moore at CAIDA (The Cooperative Association for Internet Data Analysis) was monitoring an entire /8 network while the code-red worm traversed the net. His findings are really interesting and show just how swiftly code-red moved across the net and infected hosts. It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential. note: Check the graphs, these pictures really do tell a thousand words."

cancel ×

186 comments

Sorry! There are no comments related to the filter you selected.

Re:sheer stupidity (1)

Anonymous Coward | about 13 years ago | (#62330)

You probably meant "surely arise", but there's something poetic about "surly arise" in this context.

Greetings Professor Falken (1)

Anonymous Coward | about 13 years ago | (#62331)

That animation would look good projected on the screen of the War Room at NORAD!

"No, I want to play Global Thermonuclear War..."

lesson 1: bounds checking code is mandatory (1)

Anonymous Coward | about 13 years ago | (#62332)

Based on the willingness to "give up" that was coded into this worm, I suspect that the author desired it to be a troublesome but not lethal wake-up call. I do not condone or participate in such activity. I also doubt that I'd be likely to insist on strict punishment to the worm author were I the member of a jury. I do take a dim view of manufacturers that produce flawed and potentially dangerous products. Many other industries are held responsible for this kind of thing. What's so different about the software industry that it seems to be excluded from the equivalent responsibility?
Things like the Code Red worm and particulary the analysis of it's propagation do provide valuable lessons. It does seem to me that languages used to produce products like IIS and Outlook should be constructed so that programmers already up to their necks in complex code and company meetings can just specify a compile time option or the inclusion of a security library or something to provide for generation of bounds checking routines.

What's a little mode code bloat after all if it will stop these rascals?

Re:Don't be a jackass (4)

Anonymous Coward | about 13 years ago | (#62335)

There is about 3 security bulletins from M$ per week.

Exaggeration. While this was true in the past, the rate of such bulletins has been slowing. I've received three for the entire month of July so far.

This patch in question requires SP1 to be installed as well. If the IIS server was up withoug SP1 then that requires 2 reboots to get the server patched.

And, as others have said, any system administrator worth his salt has already installed SP1 for Windows 2000. Therefore, it's really only one restart.

In many cases, the admins are overworked and cannot get to every patch all the time.

Indeed. That's why you put in extra hours to fix things. MS may not be the best server software in the world, but any competent MS system administrator applies the patches as they come out, maintains a reasonable schedule, and tells the bosses flat-out, "I'm installing this patch at such-and-such a time, and that's all there is to it." Few employers are willing to fire a system administrator who's doing their job.

Personally, I had 1 of 3 IIS servers at my job vulnerable and it was 'ploited.

Yes. Imagine how you would have felt if you'd stayed on top of it. It's easy to say that you don't have time to install the patch, but on any reasonable server-level machine, the patch takes maybe five minutes to install, and most of that is spindown/startup time.

I have enough on my plate then to jump at every damn MS Security Bulletin.

If this is your attitude, you need to find another line of work. I wouldn't want you administering anything of mine.

If you actually care about what you do, then you MAKE the time. Explain to people what you're doing. Encourage them to understand what's involved. Tell people to piss off, you're saving the company.

There are just so damn many of them!

39 this year. That averages to slightly more than one per week thus far. This is a lot, to be sure, but it is not "too many." The thought "too many" should be followed by the thought, "What are my alternatives?"

If you're that peevish about MS product security, then don't use MS products.

I am overworked as it is yet my CEO still asks "What exactly does he do again?"

Then quit. Get a job elsewhere. Do something else.

Re:Unpatched version of server software (2)

Gleef (86) | about 13 years ago | (#62337)

perdida writes:

If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

Good! Poor security needs to hit companies where not only it hurts, but boards of directors and shareholders will see it: in the insurance premium line on their budget.

Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

This I would be going far. Every business should be allowed to make their own stupid decisions. Save regulation for where it actually can do some good; for example, keeping businesses from harming consumers or each other.

----

Re:The world is safe again ... (1)

Phroggy (441) | about 13 years ago | (#62338)

So what if you can't get sharks with laser beams, and all you have available are sea bass?

--

Re:I see a nice research paper in this (2)

phil reed (626) | about 13 years ago | (#62339)

You mean like this [ibm.com] ? (of special interest are the graphs starting here [ibm.com] . Also note that the first attempt to model the spread of a virus was done in 1703, and the resulting equations look a whole lot like the ones derived for Code Red.)


...phil

Stupid worm writer(s) (1)

dragisha (788) | about 13 years ago | (#62341)

I am trying to imagine few possible variations of virus/worm/trojan writers:

first: Employee of antivirus/security company with agenda to keep people aware of dangers of Internet/"hackers" and so on... Working hard but enjoying hoopla and good compensation packages - as long as company is growing/becoming more know/visible/important. Being careful not to make real damage and making sure his PR team is first to report new findings of company's always alert "antivirus" team.

second: Stupid hacker who is smart enough to make working worm able to break 359,000 hosts in 13 hours, yet stupid enough to be easily blinded and nice enough to kill itself (stop spreading) after two days.

This second variation is, at least for me - not easy to imagine. But then, I am only a programmer with no more than 18 years of programming experience - what can I know about programming? :)

Fun begins when all brave and smart "journalists" of the net start bitching around how these "virus/trojan/worm" writers are, in fact, only stupid.

Someone IS stupid, but who?

I see a nice research paper in this (3)

Masem (1171) | about 13 years ago | (#62342)

Beyond what the authors have done, this research could be used as a basis to compare the spread of virii in fixed pool, whether biologically based or network based. While there's been a lot of speculation on the spread of computer virii before, this appears to be the first study with hard numbers that could be used for comparison.

Sure, the results aren't that surprising, but it's still an interesting comparison.

Re:Don't be a jackass (2)

Malc (1751) | about 13 years ago | (#62344)

"Not only corporate machines where infected. Lost of machines from homeusers "

That is definitely caused by MSFT's incompetence. One of the first rules of security is not to run any unnecessary services. I installed Win2K on my home machine and immediately discovered that it was running IIS, including FTP, W3SVC and SMTP. Sure, they were password protected, but they shouldn't have been running in the first place. How many home users *need* those services on by default?

Re:Mirror (1)

h2odragon (6908) | about 13 years ago | (#62349)

thanks, i needed that

Re:You can't blame them entirely (4)

Stiletto (12066) | about 13 years ago | (#62359)


Simple. If a customer's machine is responsible for further spreading a virus, worm, etc. the ISP should CANCEL the customer's account without a refund. People would be more responsible if irresponsibility affected their wallets.

Re:I see a nice research paper in this (2)

gorgon (12965) | about 13 years ago | (#62361)

There is no such word as "virii." The word you're looking for is "viruses."

Thank you.

--
I hope we shall crush in its birth the aristocracy of our monied corporations ...

Re:sheer stupidity (1)

ethereal (13958) | about 13 years ago | (#62362)

I don't know, somebody could release a nice, polite worm instead. They don't all have to be surly, you know.

Re:Absolutely correct (1)

ethereal (13958) | about 13 years ago | (#62363)

Well, they're cheaper by the dozen [amazon.com] , you know :)

We've seen this class and scale of problem before (2)

rleyton (14248) | about 13 years ago | (#62365)

The Code-Red worm is a wake-up call

It's worth remembering that this sort of problem has been seen before, with the Robert Morris Worm [mit.edu] is 1988. The similairities in terms of spread are clear, although the damaging affect (Morris brought down a large percentage of the then mainly academic based Internet) was much more severe - so far. The article makes clear that we need to be aware that things could be worse, when script kiddies start playing with this virus

Lessons were learnt then, and it probably makes sense to revisit them and ensure we haven't missed anything.

Those of us with machines at home running services should all be careful (be it Windows, Linux, Solaris, *BSD or whatever), and review our presentation to the world. Check out Bastille Linux [bastille-linux.org] for a start.

Re:You can't blame them entirely (2)

HiThere (15173) | about 13 years ago | (#62367)

And perhaps you've kept up to date. I sure haven't. The last car I took the engine of apart was built around 1956. I've looked under the hood of a few recently, and ... I think I'll leave that to the professionals.

Caution: Now approaching the (technological) singularity.

Re:Still Out There (1)

andyf (15400) | about 13 years ago | (#62371)

That's not the code red worm, that's the sircam virus. The Code Red worm spread through IIS servers, the sircam virus spread through email with the characteristic lines "I send this file in order to have your advice" and "Te mando este archivo para que me des tu punto de vista".

sheer stupidity (1)

mab (17941) | about 13 years ago | (#62372)

It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

There was a couple of versions of it and another will surly arise.

Re:What the hell are they waiting for? (2)

BilldaCat (19181) | about 13 years ago | (#62373)

Well, that certainly helps too. :) Also the fact I use mutt for my mail makes me fairly safe from just about anything.

But seriously.. the english/engrish is so bad in some of these that it's a dead giveaway .. it's scary to think what a malicious person with good social engineering skills could do ..

What the hell are they waiting for? (3)

BilldaCat (19181) | about 13 years ago | (#62374)

Where are the truly destructive worms/viruses/trojans/etc.? I'm really surprised no one has written anything that would forward itself along, then wipe out the HD (no random chance BS), or something like that ..

And these guys seriously need to hook up with someone who knows English .. the grammar errors in the e-mail are usually enough to tip me off it's a virus to begin with, that's what I guessed about SirCam before I really knew what it was ..

WOW! (1)

KFK2 (23515) | about 13 years ago | (#62379)

I'm just glad I don't run IIS.. Just Imagine if a whole this big was discovered in Apache.. I'm just glad there's people out there that look at Apache source just to make sure this doesn't happen.

Re:Available animation formats (1)

ce25254 (25706) | about 13 years ago | (#62380)

a lot of folks are going to grab the 13 meg quicktime file?
Probably mostly because the .mov is the very first link in the page. If it's truly the "preferred format," why did he entice the average reader with this heavy link right up front?

Re: Leniency (2)

AntiFreeze (31247) | about 13 years ago | (#62382)

That's an interesting thought. Someone else posted that this could be a case of "hacker ethic", of the writer simply trying to awaken people to the gaping hole in IIS and the wonders patching can do.

But I find this hard to believe. The worm attacked whitehouse.gov, and although I truly dislike Bush and his administration, I can see how this could be construed as an attack against the United States itself. I understand that sentiment is very far-fetched, but remember, when it comes to things like this, there are hot-shot lawyers involved who will do, and say, whatever it takes to win their case. And yes, that too is a generality, but if the US catches this guy, I can see them using that as a viable argument.

Really bad analogy: Firing an unarmed nuclear warhead with anti-antimissle technology at the whitehouse lawn. "But I was just showing you that your systems were severly lacking ...", "But it wasn't armed ...", "But I meant ..." are all irrelevant. Leniency is not a concideration. The missle was fired at the whitehouse, all else is irrelevent.

---

Absolutely correct (3)

AntiFreeze (31247) | about 13 years ago | (#62383)

From the research:
Again, 359,104 hosts were compromised in approximately 13 hours. Although the growth was slowing, had the worm not been programmed to stop spreading at midnight, additional hosts would have been compromised. The infection rate would have continued to decrease once the vast majority of vulnerable machines were infected. We speculate that the memory resident status of this worm would have allowed reinfection of many hosts.
All it takes is another version which doesn't limit itself, and the problem explodes. As it is, there was a nice easy way to stop the worm (once it stopped itself). If the worm had not stopped itself, I'm skeptical that it would have been nearly as easy to deal with the infection.

---

Prelude (3)

chill (34294) | about 13 years ago | (#62385)

It makes you wonder where all the truly devious virus writers are.

If, in the case of SirCam, files were posted to an unmoderated news group instead of e-mailed randomly then the authors could retrieve them anonymously.

Add in the ability to distinguish victims (such as hosts only on a certain domain); to quietly terminate itself if the victim isn't on "the list"; and stick to a specific task instead of just spamming and destroying -- you will have something truely devistating.

It makes me wonder what we AREN'T finding and what ISN'T getting the headlines.
--
Charles E. Hill

Version 2.0 (4)

csbruce (39509) | about 13 years ago | (#62388)

It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

I'm sure that version 2.0 of the worm will fix all of the problems.

Re:You can't blame them entirely (2)

wiredog (43288) | about 13 years ago | (#62390)

just don't ... see why they should do this for their PC, which is just another appliance

You just described my Father.

And I'll bet that 95% or more of Slashdotters wouldn't fix their car themselves

I suspect you would lose that bet. Many of us were hacking on cars before we hacked on computers.

Bob Cringely (4)

wiredog (43288) | about 13 years ago | (#62392)

Wrote about the coming DDoS from Hell [pbs.org] .

Re:Absolutely correct (1)

Monte (48723) | about 13 years ago | (#62395)

If they catch the author, I think this should be grounds for leniency. He had the sense to put in a cutoff so that the worm wouldn't grow out of control.

"Your Honor, I would like to point out that my client could have chosen to shoot all the children in the schoolyard, but he purposely held himself to an even dozen. Please keep this act of self restrain into account during sentencing. Thank you."

Uh, no.

Re:sheer stupidity (1)

Monte (48723) | about 13 years ago | (#62396)

I don't know, somebody could release a nice, polite worm instead. They don't all have to be surly, you know.

That's not a bad idea - you could create the Exploit Detecting Panda worm for the express purpose of finding exploitable servers and notifying them of their vulnerability...

"...and when the sysop doesn't apply the latest patches, that makes me a Sad Panda."

But you know the helpful author of such a worm would get nailed right to the barn door.

Re:Unpatched version of server software (1)

Monte (48723) | about 13 years ago | (#62397)

If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

If you were an insurance product manager you'd make sure there was an exclusion on the policy that denied claims on servers that were 30 or more days behind in the latest patches. (Yeah, I work for an insurance company)

Of course this would make everyone apply patches as soon as they came out, which could very well create more problems than it solves. Damned if you do, damned if you don't.

Wait til August 1st (5)

LinuxHam (52232) | about 13 years ago | (#62398)

I'm surprised that no one is mentioning that the random infection part of Code Red is programmed to restart on the 1st of *every month*. Sure, by changing the IP of whitehouse.gov and short circuiting packets destined for the old IP to the bit bucket, the attack phase will never be a problem.

However, since it appears the number of infections capped at about 359,000 machines, I would venture that at least a quarter of those machines will not be repaired/rebooted by August 1st. If the number of infections went from zero to 359,000 in a couple of days at most, imagine what kind of storm is going to kick off on August 1st when nearly 100,000 machines restart the infection phase of the worm! How long will it take for the estimated 6 *million* vulnerable IIS servers to be patched?

Just for the sake of gloom-and-doom, how long will it take before the Internet only becomes usable between the 20th and the end of each month, due to Code Red infection storms between the 1st and the 19th? I don't think the core Internet routers can perform stateful-enough inspection as to route "Code Red infection" attacks to /dev/null. Perhaps that would drive enough white hat hackers to spread a repair worm, and start that whole argument all over again.
--
Steve Jackson

Re:Unpatched version of server software (3)

jakeblue (62815) | about 13 years ago | (#62400)

The insurance adjuster idea is a good one, but I don't agree with the patch policy limitation. Instead, give the policy a rate structure that makes it *very* appealing for an organization to have a dedicated security person/department on hand (and not just a part time guy in IT).

As for the law and patching, you need to realize that for many Fortune 1000 organizations, patching is a bad thing. They want stable systems and have a rigorous change control process to guard against problems. Throwing many MS OS/App patches into the mix without testing the effects of the patch on your systems environment is just as foolish as not installing the patch. For some, applying a patch to server software is a several day process!

Disturbing thought (4)

Zigg (64962) | about 13 years ago | (#62402)

Take a look at the domains that were the most-infected -- they were, by and large, cable modem providers, and the study concludes that home and small business users (read: Microsoft's target market for most of their products) were responsible for most of the worm's spread.

It's really disturbing to think that the Internet's stability rests on the shoulders of these people, half of whom probably don't even understand the concept of keeping up-to-date with security patches.

The ironic thing is that this tide is probably being held back by the fact that in order to "legitimately" run a server off a broadband connection, you generally have to pay through the nose, meaning that those who don't have a vested interest or Daddy's money need not apply.

Disturbing all around, really...

Redcode was hitting my Apache (2)

z4ce (67861) | about 13 years ago | (#62403)

I was reading my transfer log file and saw the following:

212.244.30.10 - - [19/Jul/2001:18:28:35 -0500] "GET /default.ida?NNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN N% u9090%u6858%ucbd3%u7801%u9090%
u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u9 090%u8190%u00c3%u0003%u8b00%u5
31b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 252

There were about half a dozen such requests from other hosts. I thought it might be interesting to show those of you who don't have webservers running what it looks like.

Ian

Re:You can't blame them entirely (1)

mrseth (69273) | about 13 years ago | (#62404)

"I think it's safe to say that most people on Slashdot are not only competent enough to apply patches, but interested enough in computers (for work or a hobby or whatever) to actually do it".

And also lazy enough to write scripts to push all the patches automatically to all the servers so we can have time to sit around and get paid to read slashdot.

Re:Don't be a jackass (1)

JWW (79176) | about 13 years ago | (#62406)

Sombody please mod the above post into oblivion. Do you really think this guy can hire the help on his own? If the CEO doesn't know what he does, do you think he's going to hire more help. Oh and before you go off claiming that the CEO should be show they need more help, maybe the company really can't afford it.

What gets me about this is that Microsoft came out telling everyone there was a patch, so it wasn't their fault. Well its their bug in the first place. Not all admins can spend all day finding all patches for their stuff. There's also the added problem of patches ocassionaly breaking the application they patch. What do you say when that happens, the CEO's not going to care that you "needed" the patch he'll be pissed that the systems are down. The only real solution is better systems from the getgo.

more powerful than a DDOSing red code (1)

xemacs (79360) | about 13 years ago | (#62407)

The /. DDOS effect.

I bet the author of the virus planned the /. effect on websites talking about the defeat of his creation as a revenge...

mirrors anyone?

summary of "a thousand words" (1)

Ender Ryan (79406) | about 13 years ago | (#62408)

It is a bad idea to click on executable attachments from people you do not know...

DUH!

You'd think people would learn, but then you'd also think that we'd learn that thinking people would learn is incorrect... heh, ; )

Re:IIS can be restricted and protected (3)

billh (85947) | about 13 years ago | (#62410)

At the risk of being slightly off topic...

Changing anything that Microsoft considers 'default' or 'normal' can be a problem, even when the change is relatively easy to make. In your example, I have a feeling that if you installed any additional software to work with IIS, especially MS software, it would have issues with your simple change. It just assumes that everything is the default, even if it could just check the registry during install.

To make myself a little bit clearer (while my coffee is still kicking in this morning), I'll give an example. I am a command line user, even in Linux and Windows. Try using Program Files in a command line path. It gets very, very repetitive. So I changed it to Programs. Registry search and replace, rename, a couple of other things. Yes, there is a registry key for the location of Program Files, and properly written software looks for it during an install or run. But try to install a a patch, or an upgrade, or anything else, and watch your Program Files directory magically reappear. The assumption is that nobody changes it, so Program Files is hard coded.

My point? Even when MS leaves a way to change things, they often don't honor it. So the harder you try to customize or secure a system, the more you have to work to make sure that you haven't broken something else. A sad state of affairs, it is.

Re:Unpatched version of server software (2)

Observer (91365) | about 13 years ago | (#62413)

If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

If you're seeking insurance against the costs of a DDoS attack, your insurance assessor can reasonably insist on knowing details of your infrastructure and what procedures you have in place to decide what premiums to charge. But the administrators of the population of vulnerable machines that the DDoS attack is exploiting are not the ones likely to be asking for insurance (the report suggests from the distribution of attack host domains that "at home" machines on cable and DSL were playing a significant role, for example), so the scope for direct pressure is rather limited. And the statistics on what makes a vulnerable DDoS target are still very inexact, and will continue to be for as long as victim corporations are unwilling to go public and admit they've been DOS'd.

Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

I can't see that proposal flying. What I can see is that the current free-for-all where there are no controls whatever on the fitness for use of software products will be brought to an end. You want to produce software for commodity sale and use? Fine, then you/ your company must have the appropriate certificate of good practice and have your products and procedures reviewed regularly, and you'll probably need malpractice insurance, as well. If you just want to play with software as a hobby, then that's OK, but you need a license before you're allowed out on the public net, and/or you need to put your creations behind a certified firewall.

Re:The world is safe again ... (3)

Fjord (99230) | about 13 years ago | (#62415)

Brought the heros to his/her secret mountain lair to kill them personally rather than letting a henchman do it at great distance

This is a damned-if-you-do-damned-if-you-don't situation. If you order your henchmen to do it, they will certainly screw it up, and, depending on the movie rating, will be severely injured to killed.

At least if you have your henchment bring the hero(es) to the secret lair, you don't have to pay out as much disability or have as high employee life insurance. This is why usually contractors are brought in, not because they really are the badest killers from the four corners of the earth, but because by going corp-to-corp, you won't impact your premiums when they are killed. Plus it keeps employee morale up.

Re:DoS Attacks (4)

cybercuzco (100904) | about 13 years ago | (#62416)

Simple, just have Jon Katz write all the articles posted.

Don't be a jackass (4)

Dman33 (110217) | about 13 years ago | (#62422)

Speaking of being a jackass... don't blame it completely on the admins either. There is about 3 security bulletins from M$ per week. This patch in question requires SP1 to be installed as well. If the IIS server was up withoug SP1 then that requires 2 reboots to get the server patched. In many cases, the admins are overworked and cannot get to every patch all the time. Sure, the admins should be able to get the patch on before hell breaks loose but hindsight is always 20/20.

Personally, I had 1 of 3 IIS servers at my job vulnerable and it was 'ploited. Of course, when it the Code Red worm infected that server, the server took out one of my 2500 series Cisco routers. That was fun since it was still too early in the day to know that it was indeed the worm causing the problems. I am the only IT person here, supporting 75 users, 17 servers, 100+ workstations. I do support, net admin, and IT department management. I am currently upgrading the corporate website, doing a software audit, a hardware audit, reconfiging our routers, I have 30+ helpdesk issues in my queue and I am late on 4 projects. I also advise our development team on network related aspects and I am trying to put up a new FTP server, backup server and mail server. I have enough on my plate then to jump at every damn MS Security Bulletin. There are just so damn many of them! I am overworked as it is yet my CEO still asks "What exactly does he do again?".

In the future will I put a little more time at getting the patches on the IIS servers when they come out? Sure will. Did I learn a lesson? Yes. Did my company learn a lesson? Nope. Not until I leave this place and they have nobody around...

You can't blame them entirely (5)

Dr_Cheeks (110261) | about 13 years ago | (#62423)

It's really disturbing to think that the Internet's stability rests on the shoulders of these people, half of whom probably don't even understand the concept of keeping up-to-date with security patches.
I think it's safe to say that most people on Slashdot are not only competent enough to apply patches, but interested enough in computers (for work or a hobby or whatever) to actually do it.

But we're not a typical cross-section of the public. People are used to buying something and having it work. They don't need to patch their TV every couple of months to prevent people abusing it, and they just don't (and probably never will) see why they should do this for their PC, which is just another appliance (to them at least). And I'll bet that 95% or more of Slashdotters wouldn't fix their car themselves if it started burning a lot of oil - it's all a matter of whether you're willing and able to do the job.

The only way you're going to stop people like this propagating worms or virii or whatever in this manner is by taking that need for vigilance out of their hands. Quite how you do that without infringing on their privacy is beyond me. But just think about the fuss that would be kicked up here on Slashdot if Microsoft wrote it's software to require MS full access to it's OS at all times over the phone line under the pretext of helping home users keep their machines up to date.

Don't criticise the regular consumers unless you've got a better solution. And I don't count banning them from the net as better (even if it does have a certain appeal).

Re:Openness Good... (3)

Richy_T (111409) | about 13 years ago | (#62424)

who's to say that hubris won't set in?

That's very true actually. I mean, I'm pro *nix, anti Microsoft/Windows but lets not forget that buffer overflows come from the use of the crappily designed stdlibc which is only still a standard because of years of acceptance in the Unix community.

I mean, sure it's the developers fault for using these functions but as a community, we should have kicked scanf and friends out decades ago. Compilers should complain if you use them. Heck, they should refuse to use them unless you define #NOTTOBEUSEDONAPRODUCTIONSYSTEM or something.

Rich

Re:You can't blame them entirely (1)

DrSkwid (118965) | about 13 years ago | (#62426)

But we're not a typical cross-section of the public

there is no we
nobody is typical

can sell a car with defective brakes?
.oO0Oo.

Re:Redcode was hitting my Apache (1)

The Wicked Armadillo (123058) | about 13 years ago | (#62427)

Ah, so that is what that is. I was looking at my server logs this morning, and figured it was a script kiddie. I was half right.

Re:I see a nice research paper in this (1)

348 (124012) | about 13 years ago | (#62429)

Nice post. At least someone did a little homework.

Regards.

More race stuff in one place,

Re:IIS can be restricted and protected (1)

stand (126023) | about 13 years ago | (#62430)

It is Possible to run a secure NT Based Web/SQL server. The problem is that MS makes everything run as the system acocunt on the machine by default. ...Most M$ admins are to lazy to [change the defaults].

Well designed systems expect that the admins will be lazy/unreliable/clueless and provide appropriate defaults. Don't blame the admins, blame Microsoft

if he/she wanted to bring down whitehouse.gov... (1)

frknfrk (127417) | about 13 years ago | (#62431)

all he/she really had to do was post a story to slashdot with a link [whitehouse.gov] in it.

Re:Version 2.0 (1)

dlevitan (132062) | about 13 years ago | (#62432)

I'm sure that version 2.0 of the worm will fix all of the problems.

And version 3.1 will take over the world :)

innocent bystander? (1)

MrPotatoeHead (136285) | about 13 years ago | (#62435)

so he was watching as all these servers were being infected.....

and all he did was doddle some graphs? :)

I'm back from the future... (2)

BadDoggie (145310) | about 13 years ago | (#62436)

CAIDA Released Slashdot-effect Post Mortem
Posted by CmdrTaco on Monday, July 30, @14:01PM
from the scalpel-video-camera dept.

BadDoggie writes "David Moore at CAIDA (The Cooperative Association for Internet Data Analysis) was monitoring his /8 network again after this story [slashdot.org] appeared in Slashdot. His findings are somewhat interesting and show just how swiftly Slashdotters across the world can take down a server." It was shier stoopidity of the Editurs and the bad luk of CAIDA that noone mirord the siet and grafiks. note: Chek the the grafs, these pikshirs really dew tell a 1000 word.

Re:Redcode was hitting my Apache (2)

JimPooley (150814) | about 13 years ago | (#62438)

I got those, on both our webservers. About 20 on each, late 19th early 20th.
I spread the news around, just to illustrate what a good idea it had been picking Apache on Linux for our webservers!

Hacker: A criminal who breaks into computer systems

Re:Slashdotted already... (1)

Hazzl (161889) | about 13 years ago | (#62440)

Ughhhh! First this Worm and now they're hitting me with the slashdot effect!!!

Re:lessons learned (1)

Bender_ (179208) | about 13 years ago | (#62444)

Compare this to the FreeBSD Telnetd exploit which was used to deface several websites lately.(stileproject etc..)

Can you imagine there is any sane admin with a frequented webserver who runs telnetd on it, instead of using SSH ? Appearantly there are a lot.

Not only a bad administered IIS is prone to attacks. No OS helps over bad administration.

Re:lessons learned (1)

Bender_ (179208) | about 13 years ago | (#62445)

here [google.com] is the FreeBSD security advisory, just in case you ARE still running telnetd on your freebsd box.

Available animation formats (4)

Alien54 (180860) | about 13 years ago | (#62446)

The animation is available in three formats: flipbook/flic (207k), QuickTime (13.4 MB), or as an animated gif (4.1 MB) [...] Note: The recommended way to view the flipbook format is to use xanim on a Unix platform, or QuickTime Player 5 on Macintosh and Windows boxes. Use the "open URL" feature of a QuickTime player and paste in the URL.

how much you want to make a bet that a lot of folks are going to grab the 13 meg quicktime file?

The .fli file works just fine.

Check out the Vinny the Vampire [eplugz.com] comic strip

IIS can be restricted and protected (3)

haplo21112 (184264) | about 13 years ago | (#62451)

It is Possible to run a secure NT Based Web/SQL server. The problem is that MS makes everything run as the system acocunt on the machine by default. Most people don't change the defaults. Things get further complicated if you do change the account that these services run as, due to the fact that nowhere do they tell you all the things that these services need access to, or to talk too. Then things get even worse as they make assumptions in upgrades, patches, and addons that you are running as system.(This is a major problem when it comes to frontpage at times) The fact still remains though that you can infact change the service account that these services run as, to a different account and then restrict the access these accounts have to other parts of the system. For instance, only the IIS, service account has access to the SQL server that backends it. Then you make the service account for IIS only a local account on the Web box, with no global domain access. Then you take the actual logon rights away from that account, then restrict it from access to anything outside of wwwroot of the IIS box. Then give ownership of all the files that make the web site to a different account and give the IIS account read only access. The same can be done with the SQL account, only a local account, no access to anything on the box. it can be done it just takes work, and Most M$ admins are to lazy to do it.

Re:Disturbing thought (2)

superdk (184900) | about 13 years ago | (#62452)

I work for a company which provides broadband services to small to medium sized businesses. Many of our customers host their own mail/web/etc servers from their site on their connection. The big downside to that is that most of these operations either have a guy in house who stumbled around IIS long enough to get it working and hasn't touched it since or they contract someone who charges them way too much money to do a shoddy job. In short, 9 out of 10 of our customers have their pants down to the world because they lack expertise and/or experience.

The problem of course gave our trouble resolution group fits.
To make matters worse most of the CPE (customer premise equipment) on the network has some type of web based interface. I don't know all the ins and outs of this worm but I do know that it caused a bit of havoc on all these routers stitting out there listening for port 80 requests. This also gave our trouble resolution group fits.

Just goes to show, worms don't just kill servers.

Re:Unpatched version of server software (1)

gscott (187733) | about 13 years ago | (#62453)

I don't run any servers but I run W2K at home and Win98 at work on my PCs. At work I don't have a choice and really at home I have to use windows to keep everything compatible. Anyway, my point is that I gave up trying to keep up with the patches for Windows, Office, and every other software package I am running. I'm trying to learn to use OpenBSD so that for ANYTHING where I need to get internet access, I can run it on the OpenBSD box. There are so many damn pathces and repatches for software that it can be impossible to keep up. I don't think you can point the blame at the manufacturer, because there will always be new hacks, nor can you blame the operator, because he/she MIGHT need to get some work done outside of patching the damn software. That's why as far as I can tell, the only safe route is to pick the most secure OS you can and go with that for anything where you will allow outside connectivity. At least this way you lessen the risk. You will never be truly safe, but you will spend a lot less time patching and be less likely to be the object of anger when something like Code Red hits.
PS - I'm not trying to say theat OpenBSD is the most secure. I have very little experience with any OS besides Windows and I'm picking that one to try based on observations and comments. I'm sure there are Linux distributions that are just as safe once they are locked down. But it sure seems like OpenBSD warnings come across Bugtraq a lot less than most.

Sheer stupidity? (1)

shawnkirst (188856) | about 13 years ago | (#62454)

I don't really think it was stupidity. Maybe the author hard coded the IP address so it could be stopped easier. Maybe it was just to show the world how easily crappy software can be comprimised. A worm that attacks whitehouse.gov is bound to get lots of attention. Maybe all of it was intentional.

Speaking of worms... (1)

Chundra (189402) | about 13 years ago | (#62455)

In a distributed OS class I took a few years ago, we split up into teams and built worms that would compete with each other. Break into a machine, suck up resources, kill the other worms, spread, repeat. Ahhh, what a great class.

Re: The worm's author should have read... (1)

tigris (192178) | about 13 years ago | (#62456)

The Evil Overlord List [eviloverlord.com]

Mirror (2)

ronny_magic (196859) | about 13 years ago | (#62462)

I've put up a mirror here [ntlworld.com] .

Re:Disturbing thought (1)

nuser (198161) | about 13 years ago | (#62463)

'It's really disturbing to think that the Internet's stability rests on the shoulders of these people, half of whom probably don't even understand the concept of keeping up-to-date with security patches.' And one of the sites logged by my (Apache) server sending that get request? Stand up Microsoft.com! Seriously though you make some good points.

Microsoft Bundles Worm with IIS (3)

cbowland (205263) | about 13 years ago | (#62464)

BBspot [bbspot.com] has a great satire of a new bundled feature for IIS from Microsoft.

Take a look at Microsoft Bundles Worm with IIS [bbspot.com] !

Give a man a fish and he will eat for a day.

Re:Absolutely correct (2)

pezpunk (205653) | about 13 years ago | (#62465)

not only a cutoff, but also it was more or less harmless -- like the article said, it could have easily destroyed data, but it didn't. it just sat there reproduced like a bunny in heat. oh and launched a half-hearted attack on bush's website. big frickin deal, right? yeah, this was not so much a malicious attack as a blueprint for one.

Openness Good... (2)

TOTKChief (210168) | about 13 years ago | (#62466)

At the risk of sounding like a /. drone, I'm happy to see this sort of analysis done. There are surely some who'd argue that the conclusions drawn [i.e., the next attack could be designed better and be much more effective] might spur someone on to building a nastier worm. Sure. Probably will happen. But if everyone will learn what causes this problem--duh, not updating the security fixes--then the problems will become minimized.

Of course, it also provides every reason for non-IIS/MSFT users and sysadmins to chuckle, but who's to say that hubris won't set in?

Re:Still Out There (2)

AlXtreme (223728) | about 13 years ago | (#62470)

You got the two worms/trojans of the week mixed up:

Code Red: The IIS-worm that would have attacked whitehouse.org, but blew over for most of us

SirCam: The email-driven trojan infecting millions of Windoze PC's and sending misc. files to the whole OE-addressbook or every emailaddress in memory, presumably sent to wipe out the harddrive somewhere in October.

Code Red wasn't nearly as tough as SirCam, as there are more people on this world who open attachments without checking the filename than people able to set up IIS.

Actually, both groups should be dragged out on the street and shot...

The code Slashdot virus (1)

gwizah (236406) | about 13 years ago | (#62471)

Should read:
It was the sheer stupidity of the slashdot readers and the skill of some network admins which aggravated the slashdot effect and it's DoS potential.
thank you.

My analysis (1)

Kryptolus (238444) | about 13 years ago | (#62473)

http://www.kryptolus.com laugh!

Re:Priorities (4)

alanwj (242317) | about 13 years ago | (#62474)

Personally, I had 1 of 3 IIS servers at my job vulnerable and it was 'ploited. Of course, when it the Code Red worm infected that server, the server took out one of my 2500 series Cisco routers. That was fun since it was still too early in the day to know that it was indeed the worm causing the problems. I am the only IT person here, supporting 75 users, 17 servers, 100+ workstations. I do support, net admin, and IT department management. I am currently upgrading the corporate website, doing a software audit, a hardware audit, reconfiging our routers, I have 30+ helpdesk issues in my queue and I am late on 4 projects. I also advise our development team on network related aspects and I am trying to put up a new FTP server, backup server and mail server. I have enough on my plate then to jump at every damn MS Security Bulletin. There are just so damn many of them! I am overworked as it is yet my CEO still asks "What exactly does he do again?".
And you find time to read Slashdot? Well, at least you have your priorities straight.

DoS Attacks (1)

ratguy (248395) | about 13 years ago | (#62476)

I wonder... how do we limit the DoS potential of the Slashdot virus?

Ratguy

Re:What the hell are they waiting for? (1)

Deag (250823) | about 13 years ago | (#62477)

.. the grammar errors in the e-mail are usually enough to tip me off it's a virus to begin with...

So the fact that some lad you hardly know is sending you love letters doesn't tip you off at all? Or the dodgy .txt.vbs extension?

Unpatched version of server software (3)

perdida (251676) | about 13 years ago | (#62478)

Around 10:00 UTC in the morning of July 19th, 2001 a random seed variant of the Code-Red worm (CRv2) began to infect hosts running unpatched versions of Microsoft's IIS webserver.

If I were an insurance adjuster trying to insure peoples' information technology assets, I would have my own experts supervising everyone who was on the insurance plan to ensure that they patched their fucking software.

Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

Re:lessons learned (1)

morcego (260031) | about 13 years ago | (#62483)

Then again, why would I use Microsoft if I don't trust its so called "security" ?

---

Re:Don't be a jackass (1)

morcego (260031) | about 13 years ago | (#62484)

The moral of the story is not to hire dumbass admin's who don't do their job. A patch for this was realeased *1 month* before this virus hit the streets!

You sir, are being too simplist about this.

Not only corporate machines where infected. Lost of machines from homeusers (I saw somewhere the number of DSL machines they found infected).
If hiring good admin's were the case, we could look at the machines that were not infected, not couse of the patch, but couse of some firewall rules, or couse the admin had disabled .ida support on IIS (couse once they didn't use it, there is not reason to leave it enabled).

---

Re:Unpatched version of server software (1)

Cutriss (262920) | about 13 years ago | (#62486)

Or I would make it against the law not to patch one's software, similar to the laws ensuring the vaccination of children, and for the same reasons; such an epidemic, viral or virtual, delivers a powerful blow to our economy and is a matter of national security.

Yeah...so that Microsoft can use this "law" to introduce "features" into my operating system without my consent? Nah...They've already done a fine enough job of making the government think that Linux is bad. I think I'll just let them lobby about while I enjoy the little paradise Linux has made out of my tiny CPU...

Right on Hemos! (2)

egommer (303441) | about 13 years ago | (#62489)

Right on Hemos!
It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

Let's reverse engineer this sucker and get this thing working better next time!
Okay NSA,. you should hire better Worm Coders next time if you want to frame the Chinese.

Graphic of infection (1)

pgpckt (312866) | about 13 years ago | (#62490)

That graphic is very cool. Seeing how a computer worm can spread is a wake up call. I am convinced that people won't patch with regularity until a worm comes along that *really* screws things up and billions of dollars are lost in cost of data. That will be a sad day.

As long as I am on the graphic, did it remind anyone else of the scene in Wargames where the computer is plotting out all the nuke scenarios? It gave me a cool flashback :)

Re:Unpatched version of server software (1)

JohnSmith1138 (313010) | about 13 years ago | (#62491)

Agreed. We are a small company with 3 live web servers and 1 test server. Service pack 1 killed our app and took us about 2 days to figure out what it had done to make our app not work. Everything goes on the test server first and the live servers later even if it means waiting a day or two.

Hacker Ethic? (1)

Haxx (314221) | about 13 years ago | (#62493)


It was the sheer stupidity of the worm's creator

Or was is Hacker Ethic?

Maybe the guy was just trying to further expose IIS's vulnerablility and net admins lack of security measures without causing any real damage.

The difference between theory and practice is that, in theory, there is no difference between theory and practice.

Re:Don't be a jackass (1)

Haxx (314221) | about 13 years ago | (#62494)

Ever heard of hiring some help.

Don't be a jackass (1)

Win-Developer (316016) | about 13 years ago | (#62496)

The moral of the story is not to hire dumbass admin's who don't do their job.

A patch for this was realeased *1 month* before this virus hit the streets! Frankly any admin who bothers to actually check for patches/updates are going to find them. Hell, after a 2 minute search I found the patch.

Frankly, if someone wants to use IIS that's fine, I'd rather use Apache than IIS. But this virus got around because of Admin incompetence.

Re:Don't be a jackass (1)

Win-Developer (316016) | about 13 years ago | (#62497)

Ok, my thought wasn't complete enough. Maybe I'm being a bit naive about this situation, but someone who doesn't know enough to look for patches in the Microsoft Software Download area, or even to bother to configure things properly, they deserve to get infected.

These home users probably just ran the setup program and never checked things again! My mom has IIS running as her web server, and she *IS* on DSL, she know next to nothing about computers, but she knows enough to keep up with updates and patches. She also knows enough to attempt to figure out the documentation on how to use a product she has installed.

Btw...it's "cause" or "because" not "couse". :)

G7 summit (1)

Marcus Brody (320463) | about 13 years ago | (#62499)

Has nobody else noticed that the Code Red worm was timed to attack whitehouse.org at the same time as the G7 summit started in Genoa?

There has been romours about some activists (anti-capatalist, pro-environment, anti-globilisation, whatever, etc) gaining technical knowledge to launch DDoS attacks against their targets. Perhaps this was the beggining?

Goerge Bush is particulrly unpopular with these groups, particularly due to the "Son of Star Wars" project and his attitude to the Kyoto agreement. The target of this worm, the timing of the attack and the "red" agenda all suggest to me that this is a political attack. When will the next one strike?

The world is safe again ... (5)

s20451 (410424) | about 13 years ago | (#62501)

It was the sheer stupidity of the worm's creator and the skill of some network admins which limited the worms attack and DoS potential.

Once again, evil is thwarted because, just as on television, the villans are incompetent while the virtuous are strong and intelligent.

I wonder if the virus author also committed any of the following classic villan errors:

  1. Brought the heros to his/her secret mountain lair to kill them personally rather than letting a henchman do it at great distance
  2. Explained his/her dastardly plan in detail to the heros before killing them
  3. Arranged for a dramatic but overly-complicated and easily escapable death for the heros
  4. Once the heros escape, get a squad of elite ninjas to track them down, but have the ninjas attack one at a time so as to ensure defeat in spite of superior numbers

So, the world is safe again ... but ... for how long?

Re:Absolutely correct (2)

Hilary Rosen (415151) | about 13 years ago | (#62502)

If they catch the author, I think this should be grounds for leniency. He had the sense to put in a cutoff so that the worm wouldn't grow out of control.
--

How about a Free Dimitri worm (1)

masoncooper (443243) | about 13 years ago | (#62503)

We program a worm that when infected, decrypts all e-books and places the unlocked PDF file on their hard drive, then quietly spreads via Outlook. I mean, If you actually PAY for an e-book you are probbably an oulook user too, right?

Re:lessons learned (1)

archen (447353) | about 13 years ago | (#62505)

I think the moral of the story is not to trust Microsoft's so called "security".

Still Out There (1)

Sanford (450041) | about 13 years ago | (#62506)

I am wondering if the darn thing ain't still crawling around. I got to the office today and found a couple more in the mail box, not to mention these were from folks with whom I have never been in communication. (si habla espanole?) - so I wonder about the address book feature I seem to remember from last week? Anyhow, the messages were the same, too attachments.

What's wrong with IIS? (2)

Gzusfreak (458543) | about 13 years ago | (#62509)

I don't see what is wrong with IIS. I also don't understand all these security patches they keep putting on thier web site. I just don't bother with them though, I mean all that time to download and install. I would much rather have M$ email the patch to me so I can easily open it through Outlook, I mean I open all of my attachments through Outlook anyway even if I don't know the person... ...Wait...I'm growing a brain!!! Please disregaurd everything I said about IIS and Outlook. I think I will start using Apache...

Slashdotted already... (1)

A Commentor (459578) | about 13 years ago | (#62510)

Apparently has enough bandwidth/processing to handle an entire /8 class... but can not seem to handle the slashdot effect...

Re:innocent bystander? (1)

A Commentor (459578) | about 13 years ago | (#62511)

What is he suppose to do, shutdown the corporation's entire network? Doubtful that he would have the ability or permission to take that type of action.

It may have been after-the-fact... post-processing/knowledge of the Code-Red that caused him to analysis the data in this manner...

Unix = Server (2)

cyphon (467846) | about 13 years ago | (#62513)

Everyone knows that you shouldn't let anybody run a WinNT server at all. There is really no practical reason. The IIS server is run as root to the Windoze machine, so any file access that would have been restricted in unix by running Apache as Nobody is now gone and I can have, perhaps, write access to your boot.ini by just hacking in a .bat file through a ftp bug, then connecting to the address with the .bat file so it executes server side. And it takes even more power. So if anybody can think of a good reason for using IIS, WinNT, MS SQL, or anything like that, by all means say it so I can laugh in your face.

A jpeg is worth 1024 DWORDS.

lessons learned (1)

emoeric (470708) | about 13 years ago | (#62514)

so the moral of the story is to not use MS IIS, right? Thats what we all learned from the previous article on security and how to avoid the script kiddies taking over everything.

I gotta know... (2)

dermotfitz (470733) | about 13 years ago | (#62515)

I think this worm was relatively sophisticated. Was there a similar expolit of IIS put to such use in recent history? I think most people just rebooted and it went away (of course they are open to exploitation again now). And they will get infected by this worm or a variant. Also, how many servers didn't even get hit this time around? They could be waiting to be expolited. Has anyone seen worms hitting their (patched) servers since the weekend? If so, has the code changed? Sorry, I have a lot of questions.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>