[The enclosed essay about the "Code Red" worm will appear in the August issue of Crypto-Gram: http://www.counterpane.com/crypto-gram.html

The executive summary is that only pure luck saved the Internet from a humongous denial-of-service attack that claims to have originated in China. And nobody's saying that the danger has passed. The worm authors can easily bring their code up to the standard of many other worms and relaunch their attack on the many unprotected servers that surely remain.

Here are some more URLs in addition to Bruce's:

The mainstream press reported it as just another virus because little harm was done:
http://www.cnn.com/2001/TECH/internet/07/20/computer.viruses/

Wired News briefly reported the White House's evasion tactics:
http://www.wired.com/news/politics/0,1283,45410,00.html

Here are some interesting graphs suggesting the worm's perceptible but not catastrophic impact on Internet performance. Check out the graphs labeled "Rolling 7-Day Latency, Packet Loss, and Reachability":
http://average.miq.net/
http://average.miq.net/Weekly/markMM.html

The worm also apparently harmed some Cisco routers:
http://slashdot.org/article.pl?sid=01/07/19/2230246

Here are some more facts:
http://slashdot.org/comments.pl?sid=01/07/19/2230246&cid=5

In addition, many people reported informally that their servers had been probed hundreds or thousands of times by various copies of the worm. This suggests that every vulnerable server on the public network was eventually infected, and could easily be again.

We dodged another bullet. But we're still not talking about the fundamental reforms that will be required to keep this pattern of vulnerabilities and attacks from accelerating to the point where someone gets hurt.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE). You are welcome to send the message along to others but please do not use the "redirect" option.
For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Fri, 20 Jul 2001 16:56:16 -0500
From: Bruce Schneier <schneierat_private>

[...]

********************
Code Red Worm

On 19 July 2001, the White House narrowly averted a terrorist attack when security personnel were able to exploit a flaw in a bomb's trigger mechanism and evacuate key personnel to a remote location, causing the bomb to fizzle.

The attack was a denial-of-service attack, the target was the White House Web site, and the flaw was in malicious code, but other than that the sensationalist story is correct. And this tale of attack and defense in cyberspace contains security lessons for us all.

In June, eEye Digital Security discovered a serious vulnerability in Microsoft's Information Internet Server (IIS) that would allow a hacker to take control of the victim's computer. Microsoft hastily patched the software to eliminate the vulnerability, as they are generally good about doing. By now, we know that it is impossible for most system administrators to keep their patches up to date, so it came as no surprise that hacker tools developed to exploit the vulnerability were able to break into unpatched systems.

One particularly nasty hacker tool was the Code Red Worm. This worm, estimated to have affected over 250,000 computers, spreads automatically without any user intervention (no attachments to open). When it infects a computer, it selects 100 IP addresses and infects them if vulnerable. Then, it defaces any Web site on the server with the words: "Welcome to http://www.worm.com! Hacked by Chinese!"

So far, this is a normal, if virulent, worm. But there was an additional feature. The Code Red worm was programmed to flood www.whitehouse.com in a massively coordinated distributed denial-of-service attack at 8:00 PM on July 19.
The attack failed because of some programming errors in the worm. One, the attack was against a specific IP address, and not a URL. So whitehouse.gov moved from one URL to another to avoid the attack. And two, the worm was programmed to check for a valid connection before flooding its target. With whitehouse.gov at a different IP address, there was no valid connection. No connection, no flooding. The worm was programmed to continue to spread until July 20, and try to attack the former IP address of whitehouse.gov until July 28.

On the face of it, this looks to be a politically motivated attack: hacktivism, as it has come to be called. The worm's defacement message implies that it is Chinese, and it is only programmed to attack English-language versions of Windows NT or 2000. If it encounters a foreign version, it goes into hibernation, neither spreading nor attacking the White House. But it's hard to know for sure; many random hackers take on mantles of political activism because it gives them a cool cover story.

The White House got lucky. The next worm writer won't make the same programming mistakes. The White House could have alerted their ISP and the upstream network nodes to block the offending packets, but only because they knew what the attack looked like and had enough warning. We can't count on that next time, either.

We all got lucky. Code Red could have been much worse. It had full control of every machine it took over; it could have been programmed to do anything the author imagined. It spread using a random walk through the Internet; if the author used a more intelligent propagation system, it would have spread much faster. The hundreds of thousands of infected networks could have had better security, but I don't believe that everyone will always have their patches up to date. Even Microsoft, the company that continually admonishes us all to install patches quickly, was infected by Code Red in unpatched systems.
Firewalls wouldn't have caught this problem. Unless a network's IDS signatures were updated, it wouldn't have caught this problem. I have long been a proponent of security monitoring by people; it's the only way to achieve security in an environment where the threats change this rapidly.

But even if you can secure your particular network, what about the millions of other networks out there that aren't secure? One of the great security lessons of the past few years is that we're all connected. The security of your network depends on the security of others, and you have no control over their security.

Hacking is a way of life on the Internet. Remember a few years ago, when defacing a Web site made the newspaper? Remember two years ago, when distributed denial-of-service attacks and credit-card thefts made the newspaper? Or last year, when fast-spreading worms and viruses made the newspapers? Now these all go unreported because they are so common. Code Red ushers in a new form of attack: a preprogrammed worm that unleashes a distributed attack against a predetermined target. After a couple dozen of these, we'll think of it as business as usual on the Internet.

Code Red Worm:
http://news.cnet.com/news/0-1003-200-6604515.html
http://news.cnet.com/news/0-1003-202-6616583.html
http://news.cnet.com/news/0-1003-202-6617292.html

CERT Advisory:
<http://www.cert.org/advisories/CA-2001-19.html>

Excellent mathematical analysis of the worm:
<http://www.silicondefense.com/cr/>

Original flaw in IIS:
<http://news.cnet.com/news/0-1003-200-6312870.html>
<http://www.eeye.com/html/Research/Advisories/AD20010618.html>

Microsoft's Patch:
<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>

**************************************************************************
Bruce Schneier, CTO, Counterpane Internet Security, Inc.
Ph: 408-777-3612
19050 Pruneridge Ave, Cupertino, CA 95014
Free Internet security newsletter. See: http://www.counterpane.com/crypto-gram.html
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 16:42:17 PDT