[ISN] Code Red Tribulation is nigh, Steve Gibson warns

From: InfoSec News (isnat_private)
Date: Tue Jul 31 2001 - 00:33:43 PDT

    http://www.theregister.co.uk/content/4/20719.html
    
    By Thomas C Greene in Washington
    Posted: 30/07/2001 at 08:17 GMT
    
    The first Angel blew his trumpet, 
    And there followed hail and fire mixed with blood, 
    Which fell upon the Earth.... 
       --Revelation 8:7 
    
    Techno-hypemeister and headline glutton Steve Gibson has joined the
    Electronic Pearl Harbor dog and pony show alongside Ron Dick's NIPC,
    bellowing and trumpeting about lakes of fire to be ignited by the Code
    Red IIS worm which is due to return from dormancy this week.
    
    The worm went silent on the 28th, though a few machines with
    incorrectly set clocks will undoubtedly continue to scan, perpetuating
    the infection somewhat.
    
    However, according to Gibson's hysterical reasoning, this represents
    nothing short of a catastrophe. Referring to a report by CAIDA (the
    Cooperative Association for Internet Data Analysis), he borrows a few
    charts and graphs and technical-sounding phrases and runs us through
    the grease:
    
    "Be sure to notice that the vertical axis of Figure 3 is LOGARITHMIC,
    so that nice straight and linear 'growth line' is actually
    exponential!" he warns us frantically.
    
    He's saying that a handful of machines will manage to re-infect the
    entire Internet in short order.
    
    So to break it down: during this current period of dormancy, remnants
    of the first worm, along with a second strain possessed of a more
    random IP generator, have been scanning for and infecting vulnerable
    machines, and will continue doing so until all the infected machines
    begin packeting the former IP of whitehouse.gov on 20 August.
    
    This they will do mercilessly through the 27th; and during this
    electronic Tribulation the worm will devour enough bandwidth to bring
    all of Christendom to its knees.
    
    Now get this: the real burn here, Gibson reckons, comes from the
    presumption of a single IIS machine, or a small handful of them, with
    incorrectly set clocks, which will re-ignite the whole thing after 31
    August, keeping us at the mercy of badly-set clocks for all eternity.
    
    "Note that at the start of NEXT MONTH it will only take ONE SINGLE
    MACHINE -- with an out-of-sync date whose infection threads have
    remained active in a mistaken belief that the date is < 20 -- to
    re-initiate an exponential growth starting at midnight of August
    31st," Gibson writes. [hyperventilation original]
    
    The rational observation that this dependence on out-of-date clocks
    will greatly reduce the seed population has somehow passed through
    that scientifically-tuned and reputedly immense brain of his without
    effect. The rational observation that the media have been banging out
    Code Red headlines for all they're worth, and will continue (and so
    inspire a considerable patching of systems) has, similarly, failed to
    make an impression on the Digital Messiah's rarefied gray matter.
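    A way to put the two competing claims above on the same footing, as an added example that is not part of the Register article nor of Gibson's or CAIDA's analysis: a toy random-scanning worm model in the style of the standard epidemic treatment, using constructed values (100,000 vulnerable hosts, 0.5 new infections per infected host per step, a per-step patch fraction) rather than measured Code Red figures. It shows why a straight line on a logarithmic axis means exponential growth, why seed size only shifts the curve in time, and why a patch rate at or above the infection rate keeps a single mis-clocked seed from reseeding anything.

```python
from math import log

def simulate(n_vuln, seed, k, patch_rate, steps):
    """Expected number of infected hosts after each step.

    n_vuln      constructed count of vulnerable (unpatched) hosts
    seed        hosts already infected at step 0, e.g. mis-clocked survivors
    k           new infections per infected host per step while everyone is
                still susceptible (scan rate * n_vuln / 2**32 in Code Red terms)
    patch_rate  fraction of hosts, infected or not, patched away each step
    """
    susceptible = float(n_vuln - seed)
    infected = float(seed)
    history = [infected]
    for _ in range(steps):
        # a random scan lands on an unpatched, uninfected host with
        # probability S/N, so new infections = k * I * S/N per step
        new = min(k * infected * susceptible / n_vuln, susceptible)
        susceptible -= new
        infected += new
        # patching removes hosts from both pools, which is the effect the
        # article says Gibson ignores
        susceptible *= 1.0 - patch_rate
        infected *= 1.0 - patch_rate
        history.append(infected)
    return history

def log_slopes(history):
    """Per-step change in log(infected). A constant value is exponential
    growth: that is what a straight line on a logarithmic axis means."""
    return [log(b) - log(a) for a, b in zip(history, history[1:])
            if a > 0 and b > 0]

def steps_to_fraction(history, n_vuln, fraction):
    """First step at which infected >= fraction * n_vuln, or None."""
    for t, infected in enumerate(history):
        if infected >= fraction * n_vuln:
            return t
    return None

if __name__ == "__main__":
    N = 100_000  # constructed, not the CAIDA count
    for seed, p in ((1, 0.0), (100, 0.0), (1, 0.5)):
        hist = simulate(N, seed, 0.5, p, 80)
        print(f"seed={seed:4d} patch={p:.2f}: 50% reached at step "
              f"{steps_to_fraction(hist, N, 0.5)}, peak {max(hist):.0f}")
```

Running the script prints the step at which each scenario reaches half the vulnerable population; the patched scenario never does, since an infected host loses more to patching each step than it gains from scanning.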
    
    No, he's been far too busy to use his head: "This weekend I have been
    in dialog with eEye's Marc Maiffret, law enforcement agencies of the
    US government, NAI, cert.org, and others," Gibson informs us,
    bolstering that phony authority on which he trades so slickly.
    
    "After finally making time to examine the Code Red worm code, I have
    been trying to assemble a picture of the next 23 days," he claims.
    
    One wonders if he's even seen the Code Red worm code, much less
    'examined' it. We wonder because he keeps telling us what others
    imagine it will and won't do next month.
    
    Damned sockets
    
    Naturally Gibson can't resist trying to persuade us that Code Red
    beefs up his absurd paranoia regarding Win-XP raw sockets. "Imagine if
    this powerful autonomous replication capability -- enhanced with
    Windows XP full raw sockets -- had gone out to the Windows XP audience
    -- as it almost did," he frets.
    
    "Oh well, everyone knows I tried hard to prevent it," the Prophet
    finally sighs.
    
    In fact, raw sockets have no relevance to this particular worm. I
    actually have examined it, and while I'm impressed by its compactness
    and power, and the speed with which it was hacked out, it's clear that
    the author wanted to know which machines it had infected. Packet
    spoofing would have frustrated that ambition perfectly. (Oh, and
    because the .IDA hole which the worm exploits yields system-level
    access, knowing which among thousands of boxes are infected is a whole
    lot nastier than any spoofed-packet flood could hope to be.)
    
    I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself,
    has debunked Gibson at length before an ungrateful army of GRC
    patsies, agrees.
    
    "[Gibson] contends Code Red would've been more effective if it used
    raw sockets. I contend it would've been less effective. The
    router/spoofing RFCs would've negated some of the zombies by refusing
    to let them push," Rosenberger says.
    
    "Gibson is so overly paranoid about raw sockets that he can no longer
    see the obvious," he added.
    
    It's interesting to note that Rosenberger's latest column exposes
    Gibson's utter fraudulence in the area of virus research -- in
    particular his prediction nine years ago that the "Dark Avenger
    Mutation Engine" was going to make all anti-virus software permanently
    ineffective.
    
    It was, Stevarino assured us, going to spawn the Mother of all
    polymorphic viruses, because it involved "a sophisticated reversible
    encryption algorithm generator."
    
    And that's why we all depend on Steve Gibson's genius. He, unique
    among mortal creatures, can understand such techno-superstitious
    gobbledygook.
    