[ISN] FBI under fire for Code Red response

From: InfoSec News (isnat_private)
Date: Fri Sep 07 2001 - 00:02:18 PDT


By Wendy McAuliffe
ZDNet (UK)
September 6, 2001 12:05 PM PT

LONDON--The security company that discovered the software hole exploited by the Code Red worm has launched an attack on the FBI for its reluctance to publicize the flaw.

The self-propagating worm infected an estimated 975,000 servers in July and August 2001. But representatives of eEye Digital Security, which discovered the flaw in Microsoft's Internet Information Server (IIS) exploited by the worm, say the FBI should have been more proactive in warning people about a "test" version of the worm to which it was alerted in April.

"Had the FBI been more vigilant in its warnings, Code Red would have had less of an impact than it did," said Mark Jones, U.K. manager of eEye Digital.

FBI representatives could not immediately be reached for comment.

The FBI's National Infrastructure Protection Center (NIPC) had received earlier reports of a Code Red-like worm that exploited a buffer overflow vulnerability in Microsoft IIS 4. It is now thought that this was a test version, as the more virulent Code Red was adapted to target a similar hole in the more widely used IIS 5.

In a buffer overflow, an attacker floods an input field, typically an address bar, with more characters than it can accommodate. In some cases the excess characters can be run as executable code, effectively giving the attacker control of the computer without being constrained by its security measures.

The earlier worm also propagated in a manner similar to Code Red, by infecting a random list of Internet addresses and then resetting itself to attack the same machines again.

"The mechanism that the initial worm used to spread was exactly the same mechanism that was used by Code Red," Jones said. "If we had had access to the methodology used in the previous worm, we would have been able to decode Code Red sooner."

According to eEye, six days were lost investigating Code Red as a result of the delay.

Sandia National Laboratories spotted the initial worm on its systems in February, March and May 2001. It handed over complete logs of the worm's activity as well as a copy of the malicious code to the NIPC in April, but the FBI ignored the warnings. It said it decided against publicizing the worm on the basis that the Computer Emergency Response Team at Carnegie Mellon University had posted a report of the vulnerability when it was first detected in June 1999.

"It is key that the NIPC didn't publicize how the worm's methods were proliferating across machines," Jones said.

It is suspected that the two worms were written by the same person, but eEye would not confirm this without a full investigation into the
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.

This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 02:25:43 PDT