
Code Red! All Hands to Battle Stations!

michael posted more than 13 years ago | from the bring-your-debian-install-CDs dept.

The Internet 445

We had thought we were done with Code Red last week, but CERT is sending out warnings that the entire internet will cease to exist if the Code Red MSTD isn't stopped in its tracks. Even Scientific American has a story about it. Cringely tells us that the true threat is servers with mis-set clocks.


Re:The Entire Internet Will cease to exist... (1)

Anonymous Coward | more than 13 years ago | (#2180289)

Are you kidding? IIS runs less than 25% of the net's web servers, and what percentage of those do you think have the time mis-set? This sounds like the percentages in a *BSD is Dying troll.

Re:And the REALLY sad thing. . . (1)

echo (735) | more than 13 years ago | (#2180291)

The /REALLY/ sad thing is that patching a web server APPLICATION requires you to REBOOT the OPERATING SYSTEM!

Re:And the REALLY sad thing. . . (1)

echo (735) | more than 13 years ago | (#2180292)

I was basing my comment on what the previous poster said about rebooting, I haven't used the Code Red patch, because I don't run Windows.

So don't complain at me, I'm not the one scheduling reboots of servers.

Re:The Entire Internet Will cease to exist... (1)

Bob McCown (8411) | more than 13 years ago | (#2180302)

You forgot to include your <ZEALOT>...</ZEALOT> tags....

I don't believe that 40% of the world could kill (1)

johnjones (14274) | more than 13 years ago | (#2180305)


apart from the network traffic which the isp should regulate anyway what does this do ?

infects IIS servers but they run under 40% that's right UNDER now if apache had a hole like this then the world would be in for a shock !!

but I don't believe that this could do anything except give credence to the admins who pull plugs out of walls when they are labeled

"MIS webserver (win2000)"

frankly fools damn fools and microsoft IIS administrators

sorry but how can this bring the world to an end ?

"life finds a way " -> "randomness protects the internet"


john jones

Fire with fire (1)

bkocik (17609) | more than 13 years ago | (#2180306)

I had this idea earlier. It'd most certainly be illegal (even though you could convincingly argue that it shouldn't be), but it would still be fun, and probably effective if enough people used it.

I thought, why not write a servlet/JSP/cgi/whatever that detected an inbound hit from a Code Red infected server, and responded by using the same vulnerability to turn around and turn off the worm on the offending box?

Like I said, probably illegal...but a cool concept, I think. If I had the time I might put a servlet together, but I don't, and it's probably too late for today's attack anyways.


And the REALLY sad thing. . . (1)

Salgak1 (20136) | more than 13 years ago | (#2180309)

is that people still haven't patched. I have several managed webservers at a co-lo site, and to play it safe, asked them if they'd installed it yet.

And was asked when they could re-boot the boxen, a fairly strong indication that they hadn't installed a routine security patch until I asked about it. . .

Luckily, Cringely gave me an idea for a quick fix: since our Maintenance Window on the boxen is 0-dark-early in the morning, and the worm hits at 0000 GMT tonight (8 Eastern, 4 Pacific), TURN YOUR NT/2000 boxes back a day, and then reboot early tomorrow morning, and re-set your date to the correct one...

Of course, if they'd listened to me and used Apache, we wouldn't be having this problem...

Re:And the REALLY sad thing. . . (1)

Salgak1 (20136) | more than 13 years ago | (#2180311)

Most of my local IIS boxen did not require a reboot, 2 did. Damned if I know why, either. . .ya gotta LOVE Windows (NOT!)

Much Ado About Nothing (1)

drfalken (43743) | more than 13 years ago | (#2180321)

I don't think much will come of this. Cringely is an idiot. His comments that as long as there's one server with a broken clock the worm will always be with us is stupid. There are loads of viruses in the wild that continually spread but are harmless because the software they infect has been patched and/or anti-virus software continues to keep them at bay.

I have been getting calls from people all day asking why I haven't sent out a warning about this worm. The problem here is that the media has hyped this up and the average joe doesn't understand that it can't infect their Win9x desktop so everyone is freaking out.

I doubt that much will happen. I lived through Y2K and the Internet gold-rush. Things online are rarely what they seem.

Not from China? (1)

Palshife (60519) | more than 13 years ago | (#2180329) says:

Despite Web site postings that said "Hacked by Chinese," a Chinese network safety official says that the fast-spreading Code Red Internet worm was probably not made in China.

I'm inclined to agree. This is simply someone who wants to forcibly make their political views known through a worm. Probably the best way of going about it these days, but I certainly don't condone the method.

You CAN use Pine for windows, you know...

Overblown media hype (1)

jfp51 (64421) | more than 13 years ago | (#2180333)

Please... According to various security lists that I receive, once the worm goes into its dormant stage it does NOT wake up again. However, the risk is from new variants of the worm, or crackers finding a way to reactivate the dormant worm. Anyways, if people haven't patched their boxes by now (and they should have done it at least one month before Code Red erupted when MS released the security bulletin, even longer if you follow their IIS security checklist), I don't know what we should do with these people. If you don't patch your boxes, they will get compromised. How much time did it take to compromise the Honeynet project's Red Hat default install, 13 minutes or something? Not just an MS problem folks, it's a stupidity problem

Re:Microsoft should just give up on IIS (1)

jfp51 (64421) | more than 13 years ago | (#2180334)

We run IIS servers. We keep said IIS servers patched. We have had no probs with code red. Keeping our boxes current has turned out to be the right choice

Very Scary Quote (1)

medcalf (68293) | more than 13 years ago | (#2180336)

The government relies on Microsoft ... to secure everything from defence networks to financial systems.
Because, after all, their proven security record is a real inducement to trusting them with security.

New ways to patch MS holes (1)

Lew Pitcher (68631) | more than 13 years ago | (#2180338)

According to one of the articles, Microsoft is looking for new/improved ways to distribute security fixes to broken systems. My suggestion, with some qualifications, would be to distribute fixes through the identified security holes.

Just as attacks like "Code Red" take advantage of security holes to place privileged code on vulnerable systems, Microsoft could package hole-fixes into packages that prowl the internet looking for exposed systems. If the package (call it a 'worm') discovers a system with the appropriate hole, it enters the system, and replaces the faulty software with a patch.

Now, lest Microsoft be accused of unleashing attacks against exposed systems (beneficial attacks to be sure, but attacks none the less), the worms would only approach systems that have subscribed to this as a service. Additionally, each worm would inform the Administrator of the system (through email, or some other messaging service available in MS products) that an exposure has been discovered and a patch has been applied.

Of course, there would be an element of trust necessary here. The worm must also give the Administrator some sort of assurance that its changes are beneficial (we don't want attacks masquerading as patches), so there has to be some sort of confirmation/activation/deactivation process available to the Administrator, but I'm sure that, if Microsoft is serious about its commitments (and its revenues), this can be adequately worked out and implemented.

Re:Microsoft should just give up on IIS (1)

jhines (82154) | more than 13 years ago | (#2180345)

Or take a clue from the OpenBSD project, and audit their code, and fix all of the buffer overruns, and other problems that have plagued them in the past, and are usually repeated the same way throughout the code base.

Why can't MS be held responsible? (1)

JoeShmoe (90109) | more than 13 years ago | (#2180359)

Seriously. Compare this disaster to the Ford/Firestone mess:

A) Ford decides to ship vehicles with partially deflated tires.

B) MS decides to ship products in their least-secure state with every service running.

A) When this causes problems, Ford blames Firestone for not making tires that can handle it.

B) When this causes problems, MS blames system administrators for not being smart enough to patch their system.

A) The end result is that many people died because Ford passes the buck to Firestone and Firestone passed it right back to Ford.

B) The end result is that many servers are going to be knocked offline because MS passes the buck to sysadmins and sysadmins pass it right back to MS.

In my opinion, someone should force MS to take responsibility for issuing a product recall...just like in any other industry. That means they must contact their dealers and their dealers must contact their customers and get it patched. Obviously this is serious enough to warrant that kind of attention and MS can surely afford it.

- JoeShmoe

Re:Can't They... (1)

~Socrates (126796) | more than 13 years ago | (#2180386)

Yeah, and next thing is that the backbones will do routing if you try to use an encrypted link to I like my internet non-contaminated. traffic shaping is _not_ an option --Socrates

Just RBL infected machines (1)

Captain Kirk (148843) | more than 13 years ago | (#2180404)

It seems they have the IP addresses of the infected machines. So the routing tables of backbone providers could be updated to block those IP addresses. I think that might prompt the owners to patch their machines, disable IIS or whatever.

So what's the problem here...its just like rbl-ing a spam host.

Microsoft should just give up on IIS (1)

JimPooley (150814) | more than 13 years ago | (#2180405)

Maybe they could buy Apache instead. Or perhaps just licence the Windows version for bundling purposes. This has just got to be bad publicity. "The web server that ate the internet."
My boss has just told our head of technical support to download the patches.
I said to our head of technical support "We don't need no steenkin' patches!"
Running Apache on Linux has turned out to be the right choice!

Hacker: A criminal who breaks into computer systems

Odd quote... (1)

chinton (151403) | more than 13 years ago | (#2180406)

I found this quote a little odd in light of the current relationship between the government and Microsoft:

The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems. "The protection of the Internet requires a partnership with the government, private companies and the public as a whole," Dick said.

Kinda like letting the wolf guard the henhouse, don't 'cha think? What's next -- Gotti running the Secret Service?

Conspiracy Theory (1)

Oliver Wendell Jones (158103) | more than 13 years ago | (#2180408)

Steve Lipner, head of Microsoft's security response centre, said the company was looking for new ways to distribute patches more efficiently.

Has anyone considered that maybe Microsoft released this worm in an effort to convince everyone to go to their .NET platform that would allow Microsoft to automatically download these kinds of patches to you?

Take a hint from bio systems (1)

Stultsinator (160564) | more than 13 years ago | (#2180410)

I wonder how long before MS et. al. start distributing their virus fixes in the form of self-replicating antiviruses. That seems the quickest way to defeat this sort of thing.

Re:Quarantine... (1)

OpenSourceRulez (183923) | more than 13 years ago | (#2180421)

I agree with you wholly on this. If some threatens the US way the govt should be able to say fix it or you won't be able to use it. However I have to say this about the worm: If MS knew what they were doing in the first place these security holes would not exist. This is like what the third or fourth IIS buffer overrun hole. You would have thought after the first one was found MS would have seen if others existed. I am just wondering, might these "holes" be intentionally left there as back doors to systems so that MS can get into them. Just some food for thought.

L0pht... (1)

datawar (200705) | more than 13 years ago | (#2180435)

At one point The L0pht (now @stake) said to a Congress Committee that they could take down the Internet in half an hour. Maybe this is what they meant.

Those silly hackers.

dunno 'bout you (1)

Gehenna_Gehenna (207096) | more than 13 years ago | (#2180440)

but I'm unable to get my yahoo email account to work. Other than that, no big problem. from my understanding only nt/2000 is at risk, the fixes are readily available, and all you have to do to stop it is reboot your server/pc. Is this really as bad as they are saying?

patent (1)

Planesdragon (210349) | more than 13 years ago | (#2180441)

You can patent the position, not "copyright."


What ?!? AGAIN??? (1)

gully42 (212724) | more than 13 years ago | (#2180442)

is this just too-late media hype, or is there another variant out there now? I thought the original Code Red was timed to go off last week?
Best Regards, Nick
Patch IIS with Apache guys!

Re:Yikes! (1)

mr_exit (216086) | more than 13 years ago | (#2180446)

the internet is made to route around trouble, and if this includes every unpatched iis box on the planet then that's ok.

Every internet user has had outages at some point, but this just makes it an outage for everybody at the same time, it might take a day or two to get over the slowdown but no biggie.

i've used a 28.8 modem before and it isn't THAT slow really.

Drink Coffee - Do Stupid Things Faster And With More Energy!

Re:Microsoft software: threat to national security (1)

Weh (219305) | more than 13 years ago | (#2180447)

can they be sued for that ?

Microsoft PR Machine (1)

CygnusTM (233935) | more than 13 years ago | (#2180454)

And through all of this, Microsoft comes off looking like the poor victim, instead of the purveyor of swiss cheese software.

Pots and black kettles (1)

necrognome (236545) | more than 13 years ago | (#2180457)

"Open Source is a threat to the American way of life."

-- residents of the glass house

Which is more likely? (1)

necrognome (236545) | more than 13 years ago | (#2180458)

  1. Evil, nefarious, satanic, Chinese hackers are enacting their plan of revenge on the United States for its global hegemonic practices.
  2. Yet another "feature" has been discovered in IIS, due to the tendency of Microsoft to leave "easter eggs" in its products.

Remember to use Occam's Razor.

Don't do it! (1)

rppp01 (236599) | more than 13 years ago | (#2180459)

No no, don't turn back your clocks. The guy on says that those IIS servers are causing all this problem! No, for the love of all that is good journalism, don't turn back your clocks!

Best IIS Patch (1)

bahtama (252146) | more than 13 years ago | (#2180467)

I recently patched all of our company's servers with a great patch that seemed to have fixed all IIS related problems. It's called Apache.

But seriously I did and now I can sit back and laugh at these silly MS Security Bulletins. Just another event that will cause Microsoft alternatives to gain popularity and notice. :)


Microsoft software: threat to national security (1)

clone22 (252516) | more than 13 years ago | (#2180468)

"The Internet has become indispensable to our national security and economic well-being," said Ron Dick, head of the National Infrastructure Protection Centre, an arm of the FBI. "Worms like Code Red pose a distinct threat to the Internet." Duck and cover.

Re:Idiots in journalism (1)

Anonymvs Cowardvs (253637) | more than 13 years ago | (#2180470)

Or maybe they read the part in the original advisory where the eeye folks mention that they took the name from the bottle o' Dew in the room:

The guy at Del Taco that sold us food at 3am to allow us to perform this research. The guy who left the warm "Code Red" Mountain Dew in the eEye lab.

IIS? What's that? (1)

Proud Geek (260376) | more than 13 years ago | (#2180475)

Cringely says the other big threat, and the reason they didn't simply email the administrators of all the infected servers, is that most of them are simply run as services by people who don't even suspect they have a web server. I hope every one of you reading this knows whether Apache is running on your box!

Sometimes the cluelessness of people writing software at Microsoft astounds me, but then I look at the cluelessness of the users, and it's even worse. With a combination like that, we're lucky the Internet exists at all anymore.

Microsoft can fix this! (1)

zerofoo (262795) | more than 13 years ago | (#2180478)

Microsoft could actually fix all this crap by having windows update support IIS patches! Why MS would go through the effort of developing windows update and have it not support IIS baffles me!

What? (1)

shaunak (304231) | more than 13 years ago | (#2180480)

"Steve Lipner, head of Microsoft's security response centre, said the company was looking for new ways to distribute patches more efficiently."

So they're going to provide upgrades^H^H^H^H^H^H^H^H patches at more locations?

"The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems. "

Defence networks secured by MS (and others ...)?
Well, the FBI might as well give up counter-intelligence, 'cause the 'farners' already have easier access. Who needs cumbersome Dead Letter Boxes when you have MS.

Re:dunno 'bout you (1)

shaunak (304231) | more than 13 years ago | (#2180482)

"and all you have to do to stop it is reboot your server/pc. Is this really as bad as they are saying?"

Well, yes.
You could reboot to stop it, but once you're online, it's highly probable that your machine will get infected again.
So it isn't that easy.
Besides, n number of servers (as n-> infected IIS server numbers) sending packets out to an IP addy at a given time is enough to make sure /. doesn't load quickly enough for you to check your KARMA every m seconds (shudder).

Re:Can't They... (1)

shaunak (304231) | more than 13 years ago | (#2180483)

"Can't the backbones do some routing thing and reroute traffic to the targeted address to /dev/null (Or better yet, someplace in China?)"

Well, yes. They can (I hope I'm right), but then the data packets DO NOT CEASE TO EXIST. They still move around, and EAT BANDWIDTH. Besides, getting enough backbones to do this is logistically painful.

Chinese or not? (1)

Haxx (314221) | more than 13 years ago | (#2180496)

So where does this virus say Code Red?
Because if the coder named it Code Red then it's
not from China. Code Red is that yummy American
caffeine booster drink stuff that kids are drinking these days.

~ If I were a missionary I would copyright the position

Yikes! (1)

misnoma (315008) | more than 13 years ago | (#2180499)

I guess it's a hell of a worry in some ways... but to be realistic... The internet's not gonna cease to exist... maybe for a wee while would it be slowed.. but no...

Apache problem (1)

s20451 (410424) | more than 13 years ago | (#2180503)

From Cringely's article:

Many of the infected servers aren't really being used at all. They are still showing their default Microsoft homepages and are simply running as a service under Windows NT. In those cases, the people on whose computers IIS is running probably don't even know they have a web server.

It seems to me that this is a potentially larger problem with most distros of Linux. Quite often a default installation package will include Apache, which is happily installed and activated without the user being actively informed how to care for it. I know for a fact that this was true for RedHat 6.2, though more recent distributions of RedHat have fixed this. Since Apache is free (as in beer), while IIS is not, more Linux users generally have Apache than Windows users have IIS.

How vulnerable is Apache to an attack of this sort? And, furthermore, could there be a more prudent way to distribute Apache? (Such as with a disclaimer? Or only by specific request?)

Are there any non-microsoft viruses anymore? (1)

Dan Ost (415913) | more than 13 years ago | (#2180506)

It seems that all the recent viruses require
you to be running outlook or IIS.

When will virus writers turn their efforts
towards open source OS's?

Quarantine... (1)

powerlinekid (442532) | more than 13 years ago | (#2180509)

It would seem to me that if the govt is allowed to quarantine a small town due to some disease, etc... then they should be able to tell some dumb sysadmin to either A)Get rid of the worm or B)Disconnect the machine from the network. I understand that certain privacy, rights groups would throw a fit but this is important. The internet is way too important to how we live now (although I don't believe this worm is nearly as crippling as the media has been portraying), and we need to protect it. Seriously folks, think about it... say Bob has ebola and the govt tells him he not only can't leave his house, but has to go live in a bubble. Do you think the Human Rights organizations would bitch??? So why should it be different with a sick computer... ps- I, too, have some issues with the govt telling me whether my computer could be on or not... however I would never have the worm long enough to do any damage, and would be responsible enough to accept the fact that I was a fuck up. Interesting question: If this thing does start to rack up damage $$$, who is responsible: the virus writer, or the virus users???

Isn't this illegal? (1)

sup4hleet (444456) | more than 13 years ago | (#2180511)

I thought pointing out the shoddy design in some one's Intellectual Property was illegal according to the DMCA. Is Washington breaking their own law?

---===[end sarcasm]===---

Re:Microsoft PR Machine (1)

Genoaschild (452944) | more than 13 years ago | (#2180518)

It's not just the fact that Microsoft writes "swiss cheese software (although they do)" it is the fact that people hate Microsoft so much that they write software in order to destroy Microsoft. When is the last time you saw a virus that targeted Apache Web server? Fewer people hate Unix or Apache than they do hate Microsoft so more people are likely to target their software and OS. It's like, who is more likely to get assassinated, Adolf Hitler or Theodore Roosevelt? Who do you think has more of a love-hate relationship?

Re:I don't believe that 40% of the world could kill (1)

StueyB2U (458490) | more than 13 years ago | (#2180526)

Just a few points:

1. I agree that admins who don't patch servers are pretty stupid !!!
2. Some of us don't know enough unix to competently administer such box if things do really go wrong.

Surely it is a better idea to have a well patched and secured IIS Server that behaves and is robust and hacker resistant (not hacker proof you note, no system can be totally secure) than a dodgy Apache installation.

I'd love to be able to run Apache on our web server, it's faster, more robust and doesn't crash all the time, but you need to know what you are doing !! I have a lot of knowledge (no I ain't an MCSE - don't want to be !! all paper and no tech knowledge) but if I were to implement a RedHat/Apache solution, it wouldn't be as secure (due to me not being up on *nix systems) and it would be harder for me to maintain when you get things like kernel panics (wouldn't know what to do)

Re:Chinese or not? (1)

ph8ts2l (462801) | more than 13 years ago | (#2180530)

if you read one or two related stories about this thing, the people at eEye who first analyzed it named it for a version of Mountain Dew (seems like a test market thing) called "Code Red" Mountain Dew, which they apparently drank a lot of while back-engineering.

That, plus it makes an apropos reference to the worm's Chinese origin (according to the defacement it leaves on an infected server).

Calling BS on some of this (1)

ph8ts2l (462801) | more than 13 years ago | (#2180531)

Cease to exist?

this sounds like the kind of sensationalist teasing for which most cities' local TV news productions are known and despised, and most /.ers i've known can see past it. This problem has an elegantly Darwinian element to it, no? Only the most stable servers and subnets will survive, if worse comes to worst.

Re:What? (1)

thetman (465742) | more than 13 years ago | (#2180534)

Ha ha ha, you wrote patches, but you actually meant upgrades!!! Very clever!!

Re:Conspiracy Theory (1)

thetman (465742) | more than 13 years ago | (#2180535)

How stupid can you be?

Down with the internet! (1)

OverDrive33 (468610) | more than 13 years ago | (#2180539)

Does anyone know how/where I can get my computer infected with Code red? I mean I think it'd be cool to throw my small amount of bandwidth in with the DESTRUCTION OF THE INTERNET!! (Does this sound like a really bad movie to anyone?)

Somehow I have my doubts that the internet will "cease to exist"... then again...

The fuss... (1)

Runt-Abu (471363) | more than 13 years ago | (#2180543)

From my point of view all this fuss appears to be because the initial attack targeted US governmental web sites, it ain't no W32.Sircam.Worm@mm after all...

Why is nobody using this as a propaganda tool? (2)

Ami Ganguli (921) | more than 13 years ago | (#2180550)

All the articles I've read about Code Red seem to be carefully avoiding pointing the finger at Microsoft.

A statement like "Microsoft IIS servers run less than 25% of the Web, but the congestion created by the attack could affect all servers" would be accurate, informative, and make it clear that the problem is caused by a minority of systems. It would also make PHBs think twice about implementing IIS.

How do we get this message out to PHBs everywhere?

Re:The Entire Internet Will cease to exist... (2)

jd (1658) | more than 13 years ago | (#2180555)

Anyone with the naivety to run IIS is, IMHO, automatically suspect when it comes to doing anything technical, such as setting a clock.

Re:Idiots in journalism (2)

unitron (5733) | more than 13 years ago | (#2180563)

Being a Mountain Dew drinker since they had a hillbilly on the bottle, I tried Code Red out of curiosity and don't see how anyone could stand to drink an entire bottle, much less copious quantities of it, and wouldn't trust any work done by anyone who did. It's that bad.

Re:Mis-set clocks? (2)

handorf (29768) | more than 13 years ago | (#2180576)

No, he really goes off on the off-clock machines.

As long as even one of these clockless machines remains up and running, Code Red will start over on the first of every month. Forever.

I don't know WHERE he gets that idea. As long as ANY machines still have the worm and ANY machines remain unhardened, we'll still have this problem.


IIS Explained (2)

macsforever2001 (32278) | more than 13 years ago | (#2180577)

I just cracked the advanced *32-bit* encryption scheme used on Microsoft IIS with my hi-tech Pentium processor - even with the logic bug. Boy did it heat up my apartment doing all those calculations - I have the AC on and it's the dead of Winter here in Siberia! I found out this *top secret* information from the source code about what IIS stands for:

  • Is It Serving?
  • Idiotic Information Server
  • I Ignore Standards
  • I'd Invest in Sun
  • It Is Stupid
  • It Irritates Sysadmins
  • It Irritates Surfers
  • Information Is Stopped

Re:Mis-set clocks? (2)

gorilla (36491) | more than 13 years ago | (#2180579)

And Cringely is just reposting Gibson's alert, and Gibson has shown himself to be clueless.

As The Register pointed out, if the clock is misset so that it's in infection mode, then it's just going to find that the servers it infects AREN'T in infection mode, so the whole mis-set clock thing is a red herring.

Re:Apache problem (2)

nevets (39138) | more than 13 years ago | (#2180583)

I also know that RedHat was criticized for having Apache and several other services running as the default behavior. So the later versions (7.x) don't default as web servers, and the users need to configure them to get them started.

I also believe that this is true for the other distros. Now with XP coming with sockets, I can just imagine the new impact that will have.

Steven Rostedt

This is not new (2)

wiredog (43288) | more than 13 years ago | (#2180588)

When the Morris worm hit, around 10 years ago (IIRC), it was on all the major newscasts, and on the front page of many papers.

Maybe it will change peoples minds about Microsoft (2)

alteridem (46954) | more than 13 years ago | (#2180590)

Funny, another highly visible vulnerability in a Microsoft operating system. You think that sometime soon, people would start waking up and choose a more secure and efficient OS for important servers (like BSD or Linux of course.) There is an old adage that 'nobody can get fired for buying 'Microsoft' (used to be IBM). Well, maybe it's time that changed.

When people make statements like this;

The government relies on Microsoft and other technology companies to secure everything from defence networks to financial systems.

and then call this worm,

the largest ever dangers to the Internet.

and then go on to state

Code Red exploits a flaw discovered in June in Microsoft's Internet Information Services software used on Internet servers. It is found in Windows' NT and 2000 operating systems.

When are people going to put the pieces together and start holding the people that choose Microsoft and maybe even Microsoft responsible for these things?

Of course this is only a pipe dream. There are too many people out there willing to believe Microsoft's propaganda.

The Internet will "cease to exist" ? (2)

theEd (61232) | more than 13 years ago | (#2180596)

As of July 2001 IIS only represented ~25% of the web servers on the Internet. So even if Code Red achieved 100% infection (highly unlikely), about 3/4 of the web would be untouched. Explain to me how this would cause the Internet to cease to exist.

Besides, don't think of it as a virus, but rather "natural selection" in the digital world :)

die, monster devil, die! (2)

nobody/incognito (63469) | more than 13 years ago | (#2180597)

i am really looking forward to midnight uct tonight -- it's a code red party!

we'll have all our packet sniffers running full tilt and plan to laugh and laugh at all the losers running iis! die! die! die!


No email to infected owners? (2)

SirSlud (67381) | more than 13 years ago | (#2180599)

.. where in, Sir Slud's suspicion that humans are dumber than rocks is confirmed: They decided NOT to email the owners of infected webservers. I'm guessing they felt that those server admins have far more important emails to read, like "MAKE $$$ IN A WEEK - TRUE STORIES FROM PEOPLE LIKE YOU"?

Can't They... (2)

Greyfox (87712) | more than 13 years ago | (#2180610)

Can't the backbones do some routing thing and reroute traffic to the targeted address to /dev/null (Or better yet, someplace in China?) You can do a lot of cool stuff as a backbone provider. I remember one time when an MCI engineer accidentally routed all their traffic through one router in Mexico...

Please cut the sensationalist crap. (2)

TomatoMan (93630) | more than 13 years ago | (#2180611)

Michael, how on earth can you justify linking the phrase (the entire internet will) "cease to exist" to the article Washington sounds alarm over "Code Red" worm virus, when the article itself says or implies no such thing?

You might as well link the phrase "alien attack imminent" or "Elvis seen in Redmond" - it has as much to do with the story as your title suggested. Of course, most people won't read the story, they'll just remember the catchy phrase that "the internet might cease to exist" - how exciting! - and that they read it first on slashdot.

Code Red is a pretty serious situation as it stands; we don't need to mislead people while we talk about it.


Re:I find this a bit offensive. (2)

TomatoMan (93630) | more than 13 years ago | (#2180612)

Did you read the article, or just get offended that UNIX and NT were mentioned in the same sentence?

Maybe you should read it before you get huffy. It contains generic steps for establishing and reviewing security policies, and then a methodical approach to recovering control. They add this useful link to all of their security advisories dealing with topics relating to the possibility of system compromises.


Re:The Entire Internet Will cease to exist... (2)

Sc00ter (99550) | more than 13 years ago | (#2180613)

The problem isn't that everybody uses IIS, it's just that there are enough IIS servers to create enough traffic to cause latency issues.


Code Red Sci-Am article (2)

mikeage (119105) | more than 13 years ago | (#2180618)

Although I'm normally somewhat of a fan of CPM's articles, I think this one was just a _little_ weird... the Chinese did it to get back at us? It might be the US government trying to frame the Chinese? I know she doesn't make these claims, just quotes others, but still... not every crackpot idea has to be covered.

Other than that, quite an interesting article ;)... I wonder who they'll have write the "more in-depth" article referenced at the bottom of the article. Speaking of which... quick poll.. how many of y'all read that far to see that section? ;) (yes, the only way I got this so fast is by reading the article yesterday... if you subscribe to, you got this yesterday).

self-defense (2)

peccary (161168) | more than 13 years ago | (#2180629)

I think that Bush should just sign an executive order making it legal to take out any machine trying to infect you with CodeRed, on the grounds that it's self-defense (of other innocent standers-by, obviously). Just like if I see a rapist attacking a lady at the bus-stop, I can probably legally kill him. We should be able to do the same thing re: CodeRed.

It wouldn't last too long, in that case.

Idiots in journalism (2)

InfinityWpi (175421) | more than 13 years ago | (#2180634)

According to the Yahoo story, Code Red was named after a soft drink preferred by programmers...

Excuse me? The Code Red drink hasn't been around long enough to be preferred by programmers... don't you think it's far more likely to say that 'Code Red' was chosen simply to make people think it's more dangerous than it really is?

They also blame the thing on the Chinese... sure, if a virus made to DoS the White House puts text saying 'Hacked By Chinese' on your screen, you're going to believe it? Just like all those guys on Counter-Strike servers a few months ago talking about Wang Wei were really Chinese, too...

Journalists are so -gullible- when they're trying to start a panic...

Re:Idiots in journalism (2)

InfinityWpi (175421) | more than 13 years ago | (#2180635)

*sigh* I really need to remember to research everything before making comments about journalism... this is why I'd never make it as a reporter. I stand corrected.

Still can't believe everyone's decided it's either the Chinese or a US frame-job, tho...

Re:The Entire Internet Will cease to exist... (2)

Chundra (189402) | more than 13 years ago | (#2180643)

And of course we all know what this means. Unreal Tournament will be practically unplayable over dsl.

It could have been much worse.... (2)

canning (228134) | more than 13 years ago | (#2180659)

Then, at midnight, all Code Red zombies quit searching for new victims. Instead the horde of enthralled computers all focused on flooding one of the servers that hosts Slashdot Web site with junk connections threatening its shutdown. "Slashdot essentially turned off one of its two DNS servers, saying that any requests to should be rerouted to the other server," says Jimmy Kuo, a Network Associates's McAfee fellow who assisted slashdot in finding a solution. Luckily, Code Red couldn't cope with the newly altered address and waged war on the inactive site. "The public didn't notice anything because any requests went to the other server," Kuo says. We feel that this is payback for the numerous servers the "Slashdot Effect" has grinded to a halt. The author of this worm has made it personal.

Re:Why can't MS be held responsible? (2)

OpCode42 (253084) | more than 13 years ago | (#2180665)

This is an interesting point. Can MS be held responsible for holes and bugs in their software that cost businesses money?

MS could say that part of running a machine connected to the internet is checking for bug fixes and applying them, and that it is the user's responsibility.

However, companies pay a lot of money for MS software, which is marketed as secure and easy to maintain.

Can anyone with an MS licence agreement tell me if they have a disclaimer absolving them from any responsibility if their software goes wrong and costs you money, either due to downtime or data loss?

I always knew... (2)

Lobsang (255003) | more than 13 years ago | (#2180666)

Yes, I always knew Microsoft would destroy the internet one day! Either by incompetence or by... incompetence (what else?). :))

If only there was this much attention... (2)

baptiste (256004) | more than 13 years ago | (#2180667)

when the original hole was found :)

I can't figure out all this chicken little/sky is falling media coverage (well hey it's yet another SCARY Internet story, but still). CNN had an article that kinda made me chuckle. It was a story on ISS founder and "worm splattering" "worm hunter" Chris Klaus. It talked about how the 'patch may not hold'. What a great thing to be telling everyone. If a new version of the worm hits and spreads like wildfire, it will be due to a new vulnerability I'd expect. Amazing how mainstream media tries to cover situations like this.

As for the real threat, I expect there will be a large # of infections tonight/tomorrow. Why? Just look at the analysis at CAIDA. They found that the majority of servers infected were from domains used primarily by small businesses and residential users (@home, etc). While many of these will have patched themselves, I'm sure many just restarted when problems arose and the problem went away - problem solved. I mean that's standard MO with a Microsoft OS - if it starts acting strangely, reboot.

The good news is, perhaps ISPs have been able to put plans in place to try and block the worm from spreading. Only time will tell.

Don't get me wrong - I think publicizing this issue is a good thing. But I expect that the problem will not be as awful as the media is trying to portray (Internet slowdown, websites knocked offline, etc)

Of course on the flip side - we know that the patch won't be applied to every IIS server out there - what will be done and by who to track down and eradicate the remaining servers that are still infected or are being re-infected day after day? I'd expect the ISPs but given the service level of many DSL and cable providers - you have to wonder if they'll all pursue this diligently unless the courts get involved (yuck)

Re:Yikes! (2)

misnoma (315008) | more than 13 years ago | (#2180671)

Will the internet route around trouble like this Virus may cause... That's debatable. I'm sure there's enough Cisco gear out there to cause some major issues... However, people may be (sic) stupid enough not to patch their IIS boxes (let alone run them at all!) but watch how fast ISPs kick customers that are causing mayhem by being infected. It's a similar situation to open relays, there are plenty of ISPs out there (at least here in New Zealand) who actively disconnect permanently connected customers with open relays. The internet as we know it has become almost a self supporting entity, the people (us) involved in any way will not stand for it to be out of service or degraded for long. Sure, we may lose a few websites in the process, but the internet as it stands will always exist. How long do you really think someone's gonna sit looking at an IIS box or Cisco router that's malfunctioning before they actually decide to remove it from the network or fix it. (or someone decides it shouldn't be part of this global network for them!). -- Stop listening to that rock!

The Entire Internet Will cease to exist... (2)

loconet (415875) | more than 13 years ago | (#2180672)

The Entire Internet uses IIS??

blew another chance to make millions ! (2)

beanerspace (443710) | more than 13 years ago | (#2180676)

Darn ! If I would have known this issue was going to recycle, I would have modified some old Y2K tripe with "Code Red" stuff, bought some time on some religious broadcasting network and made beaucoup dollars peddling fear to survivalist-types.

I find this a bit offensive. (2)

Anomynous Cowand (459781) | more than 13 years ago | (#2180678)

CERT's page has this to say under the III Solutions section:
If you believe a host under your control has been compromised, you may wish to refer to
So, they've given UNIX first billing on a distinctly Microsoft problem? Spin! Spin!

Re:Idiots in journalism (3)

phil reed (626) | more than 13 years ago | (#2180682)

The fellows at eEye, who are the ones who found the IIS hole, and then found and analyzed the worm called it Code Red, because they drank copious quantities of Code Red Mountain Dew while they worked on it. Check the archives at SecurityFocus.


Re:Idiots in journalism (3)

astrosmash (3561) | more than 13 years ago | (#2180684)

Excuse me? The Code Red drink hasn't been around long enough to be preferred by programmers... don't you think it's far more likely to say that 'Code Red' was chosen simply to make people think it's more dangerous than it really is?
No. The guys (from eEye Security) who initially reverse engineered the worm were drinking Code Red at the time, so that's what they named the worm.

CNN this morning (3)

iso (87585) | more than 13 years ago | (#2180689)

I saw the "special report" on CNN this morning. Pretty standard stuff for a non-technical news show but what was funny (or disturbing, depending on your take) was when the "technology expert" said that "a simple re-boot" would solve the problem in the near-term. He went on to say that regular reboots (on your servers) are a "good idea," as it's like "cleansing your system." The host agreed and said she solves all her computer problems with a reboot :).

They took a while to explain that only Windows NT/2000 are at risk while Windows 98/Me are not. No mention of any other alternatives besides Windows of course (I guess that's too much to ask :). Of course what I can't believe is that they're still talking about this! Are there that many admins that still haven't patched this?

- j

Code Red Sci-Am article (3)

mikeage (119105) | more than 13 years ago | (#2180690)

Although I'm normally somewhat of a fan of CPM's articles, I think this one was just a _little_ weird... the Chinese did it to get back at us? It might be the US government trying to frame the Chinese? I know she doesn't make these claims, just quotes others, but still... not every crackpot idea has to be covered.

Other than that, quite an interesting article ;).

Best-case scenario (3)

legLess (127550) | more than 13 years ago | (#2180695)

A friend of mine runs a Cold Fusion/NT website, and has IIS installed on his home box for development. I called him last week to alert him to this thing, and it was the final straw. He dragged an old P133 out of the closet and installed Mandrake, Apache and PHP on it. Now he's migrating his site away from Cold Fusion.

There are a few points of interest here:

  • First, as we've all been saying, Microsoft's security flaws are hitting them where it hurts - market share.
  • Second, this guy had *never* used Linux before (although he'd seen me use it, and we've talked about it for a long time). In less than 3 days he started from scratch and got a running development machine. This is evidence of a huge step forward for Linux usability.
  • Third, Allaire/Macromedia just lost a customer. Microsoft is not a safe bet in many applications, and tying yourself to them will hurt in the long run.

"We all say so, so it must be true!"

Re:The Entire Internet Will cease to exist... (3)

peccary (161168) | more than 13 years ago | (#2180699)

The problem was that there were just enough Cisco routers running down-rev software that crashed when you send "GET ?" to port 80. Fix those, and the Internet will be fine. The traffic is a non-issue.

Re:Steve Gibson Made this Worse (3)

tb3 (313150) | more than 13 years ago | (#2180708)

Yep, 'journalists' seem to have forgotten how to 'consider the source' and blithely believe everything handed to them. I love the way the Reg trashes Gibson, but I wish somebody in the mainstream would pick up on the other side of the story.

Along the same lines, am I the only person who has a problem with Cringely? After watching his PBS show about building an airplane in thirty days, I was convinced the guy has more money than brains, and that his infamy is due more to who he knows than what he knows.

Mis-set clocks? (3)

Violet Null (452694) | more than 13 years ago | (#2180710)

Cringely tells us that the true threat is servers with mis-set clocks

No, Cringely mentions 2,000 IIS servers that are still in "infection" mode because they have mis-set clocks. The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.

They seem to be making a real publicity effort (3)

kiwimate (458274) | more than 13 years ago | (#2180711)

I got the following mail from MS yesterday. (The ironic part is I initially was suspicious because the subject line was in all caps -- how rude!)

The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.


The Microsoft Security Response Center, along with other organizations listed below, is jointly publishing this alert that ALL IIS ADMINISTRATORS ARE ASKED TO READ

A Very Real and Present Threat to the Internet: July 31 Deadline For Action


The Code Red Worm and mutations of the worm pose a continued and serious threat to Internet users. Immediate action is required to combat this threat. Users who have deployed software that is vulnerable to the worm (Microsoft IIS Versions 4.0 and 5.0) must install, if they have not done so already, a vital security patch.

How Big Is The Problem?

On July 19, the Code Red worm infected more than 250,000 systems in just 9 hours. The worm scans the Internet, identifies vulnerable systems, and infects these systems by installing itself. Each newly installed worm joins all the others causing the rate of scanning to grow rapidly. This uncontrolled growth in scanning directly decreases the speed of the Internet and can cause sporadic but widespread outages among all types of systems. Code Red is likely to start spreading again on July 31st, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous. This spread has the potential to disrupt business and personal use of the Internet for applications such as electronic commerce, email and entertainment.

Who Must Act?

Every organization or person who has Windows NT or Windows 2000 systems AND the IIS web server software may be vulnerable. IIS is installed automatically for many applications. If you are not certain, follow the instructions attached to determine whether you are running IIS 4.0 or 5.0. If you are using Windows 95, Windows 98, or Windows Me, there is no action that you need to take in response to this alert.

What To Do If You Are Vulnerable?

a. To rid your machine of the current worm, reboot your computer.
b. To protect your system from re-infection:
Install Microsoft's patch for the Code Red vulnerability problem:

- Windows NT version 4.0: easeID=30833

- Windows 2000 Professional, Server and Advanced Server: easeID=30800

Step-by-step instructions for these actions are posted at asp? url=/technet/itsolutions/security/topics/codeptch. asp

Microsoft's description of the patch and its installation, and the vulnerability it addresses is posted at: t. asp? url=/technet/security/bulletin/MS01-033.asp

Because of the importance of this threat, this alert is being made jointly by:

The National Infrastructure Protection Center
Federal Computer Incident Response Center (FedCIRC)
Information Technology Association of America (ITAA)
CERT Coordination Center
SANS Institute
Internet Security Systems
Internet Security Alliance

From cringely's article (4)

wiredog (43288) | more than 13 years ago | (#2180713)

while there is a solution ... many people will see the cure as being nearly as bad as the disease

I suspect this [] is the cure.

Why all the public hullaballoo (4)

Random_Eyes (168298) | more than 13 years ago | (#2180716)

The general public, for the most part can do nothing to stop this. It is sysadmins and those running servers who need to pay attention.

Why then is this threat suddenly everywhere?

They're FUDing the Net!

The logic is simple. Business wants a new manageable internet. First, prove to the world that end-to-end is broken. Then, advance proposals to fix it.

Waiting for the other shoe to drop. . .

Great marketing ploy (4)

T1girl (213375) | more than 13 years ago | (#2180717)

Can you think of a better marketing ploy to make your soft drink sound hip and edgy and get the name plastered all over the media? This could be even better for free publicity and name recognition than the Verizon strike.

Vote today for Dilbert's list of Top 869 Things Programmers Are Least Likely To Say.

Steve Gibson Made this Worse (4)

cyphon (467846) | more than 13 years ago | (#2180720)

The only reason that the media is still hyping about this is because steve gibson is wailing like a little bitch about things like: Raw sockets, and "Logarithmic Axis Graphs".

Gimme a break.

Stevie boy is very insane, but he generates hype, which generates headlines, which makes the media look good. So wake up you government and corporate morons. The world will not come to an end. And steve gibson is not the prophet of the internet world.

Worms and market share (5)

jmv (93421) | more than 13 years ago | (#2180721)

It's funny that every time a Windows worm/virus propagates and (of course) Linux and other UNIX are not affected, it's just because they don't have much market share and nobody bothers writing a virus for an OS like Linux. Now, it's IIS that's being hit. If it were only about market share, Apache would get twice as much virii/worms as IIS, right? Maybe the most important factor after all is the number of security breaches in a product and not market share.

Re:Mis-set clocks? (5)

mike260 (224212) | more than 13 years ago | (#2180726)

The real "problem" is that disassembly of the worm indicates that it might have a monthly cycle, instead of being a one shot wonder; y'know, when the other x00,000 IIS servers join in again.

IIRC, the worm is memory-resident-only and therefore can't survive a reboot. It's not picking up where it left off, it's starting over infecting the internet almost from scratch, so it should be the same thing as last time. Except that this time everyone's forewarned.

Microsoft knew it all along: It isn't a bug that Windows requires rebooting every few days, it's a security feature.
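The reboot-versus-patch distinction in the bulletin quoted further up, and the restart-from-scratch point in the comment just above, worked through as an added example that is not part of any comment in this thread. It takes the bulletin's 250,000 infected hosts as the vulnerable pool and the 2,000 mis-set-clock hosts as the scanners that remain; the per-host probe rate and the 90% patched fraction are assumptions.

```python
"""Expected-value model of a random-scanning worm restarting from a few seeds.

Added illustration. Figures taken from the thread: 250,000 hosts infected in
the first outbreak, about 2,000 hosts still scanning because of mis-set
clocks. Everything else (probe rate, patched fraction) is an assumption.
"""
import math

ADDRESS_SPACE = 2 ** 32          # IPv4 addresses a random scanner draws from
PROBES_PER_HOST_HOUR = 30_000    # assumed scan rate per infected host
FIRST_OUTBREAK = 250_000         # from the bulletin: infected on July 19
STILL_SCANNING = 2_000           # from the thread: hosts with mis-set clocks


def simulate(vulnerable, seeds, hours, probes_per_hour=PROBES_PER_HOST_HOUR):
    """Return expected infected-host counts for hour 0..hours.

    `vulnerable` counts unpatched hosts, including the seeds. A reboot clears
    the memory-resident worm but leaves the host in this pool; only a patch
    removes it.
    """
    infected = float(min(seeds, vulnerable))
    history = [infected]
    for _ in range(hours):
        susceptible = vulnerable - infected
        probes = infected * probes_per_hour
        # Chance that one particular address is probed at least once this hour.
        p_hit = -math.expm1(-probes / ADDRESS_SPACE)
        infected += susceptible * p_hit
        history.append(infected)
    return history


def hours_to_reach(history, target):
    """First hour at which the infected count reaches `target`, else None."""
    for hour, count in enumerate(history):
        if count >= target:
            return hour
    return None


def compare(patched_fraction=0.9, hours=24):
    """Contrast reboot-only cleanup with patching a fraction of the pool."""
    # Reboot only: every host from the first outbreak is clean but still
    # vulnerable, so the seeds face the full pool again.
    reboot_only = simulate(FIRST_OUTBREAK, STILL_SCANNING, hours)
    # Patched: only the unpatched remainder can be infected. The seeds are
    # assumed to be unpatched hosts and are always counted in the pool.
    remaining = max(STILL_SCANNING,
                    round(FIRST_OUTBREAK * (1 - patched_fraction)))
    patched = simulate(remaining, STILL_SCANNING, hours)
    return reboot_only, patched


if __name__ == "__main__":
    reboot_only, patched = compare()
    for hour in (0, 3, 6, 9, 24):
        print(f"hour {hour:2d}: reboot-only {reboot_only[hour]:9.0f}   "
              f"90% patched {patched[hour]:8.0f}")
```

Under these assumptions the reboot-only pool is almost fully reinfected within about nine hours, while the patched case is both slower and capped at the unpatched remainder.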

Re:Steve Gibson Made this Worse (5)

agallagh42 (301559) | more than 13 years ago | (#2180727)

The Register has a good summary of Gibson's ravings here