A new worm, apparently completely different from Code Red but taking advantage of the same hole in Microsoft's server software, began spreading yesterday and is now being frantically analyzed by security people. The initial report may have been this one (read the subsequent discussion as well):

Code Red II Worm Analysis
http://www.dslreports.com/forum/remark,1226089;root=security,1;mode=flat

Some draft analyses are here:

SecurityFocus Code Red II Information Headquarters
http://aris.securityfocus.com/alerts/codered2/

CodeRedII - New Non-Variant CodeRed Worm - Analysis
http://www.securityfocus.com/archive/75/201877

CodeRed II ARIS Incident Analysis
http://www.securityfocus.com/archive/75/201878

Here is the URL for current discussion on the Incidents mailing list:

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D75

Here is a broader analysis inspired by the first Code Red worm:

How to Anonymously Get Root Access on a Quarter Million Machines Overnight
http://braddock.com/cr2.html

Here is another site for analysis of the first worm:

http://aris.securityfocus.com/alerts/codered/

I'd also like to take a moment to vent about the so-called journalists who have been clucking about how overblown the Code Red hype was. Yes, as I pointed out here, there was some hype, in the form of reports that made it sound like regular users who aren't running servers needed to download the IIS patch. But that hype was perfectly understandable given the very real need to distribute an alert combined with the extremely technical nature of the problem. And yes, the worm was "never dangerous" in the sense that, by pure luck, it had a bug that prevented it from carrying out its planned destruction. But these faux-knowing "it's all hype" types of reports are grossly irresponsible nonetheless, for several reasons:

(1) Anything that invades a quarter-million servers is a serious matter. Hello? Do we need any more reason to be raising alarms about the state of our information infrastructure? One particularly idiotic columnist even said, who cares if some eBay bids don't go through? I don't have words strong enough to denounce this foolishness.

(2) The fact that the worm had a bug was not remotely obvious at first. It didn't become clear until some very smart people worked a lot of hard hours to capture a copy of it, disassemble it, study it, and run experiments on it. Have a good look at the URLs above if you want to get a clue of the kind of work that goes into this.

(3) And even then the security people couldn't really be sure how the worm would interact with the full range of real systems out there in the world, with a quarter-million copies of the thing all probing machines at random to see what they could find.

(4) The worm *could* have been extremely destructive through simple changes to its code. A distributed denial-of-service attack from a quarter-million servers -- that is, an attack in which a quarter-million of the most powerful, highest-bandwidth computers on the whole Internet send complete junk onto the network at their maximum capacity at the same time -- would bring large parts of the Internet to a halt. These attacks are nearly impossible to defend against, and the sites to which the junk is directed would be off-line for the duration. Nobody knows for certain how the network itself would react to that kind of load, but we do know that traffic was badly disrupted by the train fire in Baltimore last month that cut a single link.

(5) The most destructive features of the worm were actually backward by the standards of current worm engineering. The worm was programmed to attack a single site, but other worms are programmed to lie dormant until they receive orders from headquarters. Much more sophisticated schemes are easy to imagine.

(6) The vulnerability that the first Code Red worm exploited is still out there. A new worm could come along and infect the exact same quarter-million servers within about twelve hours at any time. That is what appears to be happening now. The worm-writers read the trade press and the online security sites, and they know very well what went wrong with the first worm and how to fix it.

(7) Both the first and second waves of that worm infected something on the general order of a quarter-million servers, even though between the two waves the vendors, government agencies, and media flooded the airwaves with publicity urging IIS server administrators to download the patch. Yes, I realize that some machines did get patched, and that the second wave of the worm may have been able to attack machines that the first version could not. Nonetheless, we are talking about the general order of a quarter of a million servers. Short of tracking all quarter-million of them down individually and yelling at them, nobody has any other way of compelling these server administrators to download the necessary patches.

(8) Server administrators, furthermore, do not have enough incentives to load the necessary patches. These so-called zombie worms do not inflict their main damage on the servers they invade, but on the third-party sites that they attack. This is what economists call an externality. If server administrators had effective liability for the damage that their machines are used to attack then they'd have the necessary incentives, at least under idealized economic conditions.

(9) The Code Red worm was not (i.e., is not, because it's still alive) a fluke. It exploits a type of security vulnerability -- a buffer overflow -- that results from grossly shoddy engineering, but that has nonetheless been seen many times, in many products from many vendors. The worm is, in other words, evidence of a systemic problem, and one that is getting steadily worse as black hats get more and more bored with not destroying the information infrastructure of the whole world.

(10) The markets for many of the most security-sensitive categories of software are highly concentrated. In the present case the vendor, Microsoft, has been found to be a monopolist by a federal appeals court. Because of its market power, it experiences little market pressure to reform its shoddy engineering practices. Instead, it invests in dime-a-dozen propagandists who fashion misleading sound bites that dissociate responsibility from their own firm, either denying that the security vulnerabilities in their products are actually vulnerabilities, or asserting that the users are at fault, that it's about computers in general and not their own products in particular, or that the threat from worms is all hype.

Am I predicting that the Internet will collapse? No, what I am doing is yelling at the bogus reporters (not the legitimate ones, who are great, just the losers) to get away from the simplistic dichotomy of "it's the end of the world" versus "it's all hype". This worm has already mobilized the security community, who are hard at work preparing alerts, remedies, patches, counterattacks, and everything else they can think of. They will probably succeed in preventing the Internet from shutting down, and more power to them. When they do, let's not talk about what hype it all was. Instead, let's talk about what heroes the white-hat security people are, what long hours they put in, and what a criminal shame it is that such heroic efforts were necessary to prevent critical infrastructure from collapsing.

Phil
This archive was generated by hypermail 2b30 : Sun Aug 05 2001 - 15:38:47 PDT