Maybe these items have been discussed already:

First, connecting back to systems attacking me, I notice that most now are returning "403 Access Forbidden: Too many users are connected". I'm thinking that every time CodeRedII re-infects a system, it uses up another connection resource until nobody else can connect. This prevents people from exploiting the /scripts/root.exe backdoor -- the worm is DoSing its own backdoor. This likewise makes it hard to create defensive measures, such as a counterattacking worm or a counterattack of the form "/scripts/root.exe?/c+net+stop+w3svc".

Code Red has a design flaw: it uses blocking sockets. This can be exploited in a couple of ways to stop scans. I've tweaked a webserver so that upon detecting an .ida attack, it sets aside the TCP connection in a special list. When the worm does a recv(), it will block until it either gets a response from the server, or the server closes the connection. By doing neither, my webserver holds onto the thread INDEFINITELY. I've got over a hundred now, many more than a day old. At any time, I could stop the webserver, which would release the worms caught in my snare to continue scanning other people.

I created another program (<http://robertgraham.com/deredoc>) that sniffs the wire looking for SYNs to port 80 and responds with SYN-ACK. This also causes the worm to halt (in the send() function I think). Putting this on a /8 Class A subnet that is dark (either firewalled or unused) could almost completely halt the original Code Red (because every thread will eventually hit the /8 within a few hours). However, since pretty much all the vulnerable systems are now infected, I'm not sure that's useful.

I've noticed that a lot of the scans that wedge themselves on my server are coming from NATted connections. When you ask sockets for a random port, Microsoft gives you one between 1024 and 5000. However, I see inbound attacks where the client's port is 38000. The only way this can occur is if a NAT has translated the port. I estimate about 20% of my non-local-subnet probes used a high port number. This indicates to me that the worm has successfully managed to penetrate behind a LOT of firewalls on the Internet. Talking with various large corporations, I'm finding that Code Red has successfully penetrated deep within their corporations. This demonstrates that there are clear infection paths around firewalls, which means that hackers can likely also bypass firewalls.

The CodeRedII method of scanning nearby machines is much better than randomizing across the entire Internet space. First of all, it spreads better behind firewalls. Second, it causes dramatically less traffic across backbones - the less you annoy people, the longer you'll have a chance to spread. I think this will become an important algorithm for future worms. Third, it builds a larger base locally before people remotely detect that there is a worm.

Code Red is certainly a wake-up call showing how easily a few hundred thousand machines can be hacked in a day. However, I get several exploit attempts from Linux worms on my machine every day. (About half of all port 111 attempts are from Linux worms according to my measurements.) Whether you are a Linux distro supplier or Microsoft, the single most important thing you can do is to ship boxes in a relatively locked-down mode. Virtually everyone that got hit by the worm today doesn't care to run Microsoft's Index Server (remember, it is an Index Server exploit, not an IIS exploit). Why was that installed by default? Microsoft is removing default features in IIS 6/WinXP, and the latest RedHat installs less. If we want to stop worms in the future, this has to be a higher concern for vendors. The same applies to samples and demo features likewise supplied with software.

The biggest danger the net now faces is the next IIS exploit. I saw something similar back in 1988 - the Morris Worm injected the community with a lot of knowledge about worms. We saw that with the ADMworm that spawned numerous similar Linux worms that compromised other vulnerabilities. There are thousands of hackers out there studying the details of the two Code Red worms. When the next IIS exploit is announced, we've got two weeks to patch a million systems before that next worm takes down the Internet. There is even a danger that a worm will be written first, then the next exploit added to it later. Thus, the worm may appear on the first day the next vulnerability is announced, even though the writer didn't have 0-day knowledge.

I'm sure people have fully grasped the situation. We read a lot about website defacements and DDoS zombie networks with a few thousand machines under the control of a single hacker. However, when you consider that hundreds of thousands of machines are vulnerable, we are seeing surprisingly little hacking. My own measurements of ISP backbone traffic show that potentially hundreds of thousands of desktop machines have been compromised with remote admin Trojans. There are DoS attacks looming on the horizon that make the current ones look like child's toys. The hacking culture within our school systems has risen to levels where it might become a cultural force similar in scope to the hippies in the 1960s, preaching "free information" instead of "free love". This isn't an alarmist diatribe - it's just that in the past we thought of hacking/infosec as specialty areas, but now these areas are defining the big picture.

If anybody has a large dark subnet to play with, I'd love to install my deredoc program mentioned above. It not only plays with the current worms, it can be used to encourage 0-day worms to reveal themselves. Does anybody know how I can apply for a large address range simply for this purpose (and backscatter monitoring)? (E.g. rather than leaving unassigned Class As dark, put them in a pool somewhere off an interexchange point to sniff packets until they are removed and assigned for actual use.)

Robert Graham

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 09:30:24 PDT
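The two techniques the post describes, a webserver that recognises an .ida probe and then neither answers nor closes the connection (so the worm's blocking recv() never returns), and the source-port heuristic for spotting NAT-translated probes (a Windows host of that era picks ephemeral ports 1024-5000, so a probe arriving from port 38000 must have been rewritten), as an added example. This is not Robert Graham's tweaked webserver or his deredoc program; it is an asyncio-based reconstruction written for this page. The ".ida?" request-line pattern and the minimum filler length of 50 bytes are this example's own heuristics, the port range is taken from the post, and the sample records are constructed, not captured traffic.

```python
"""Tarpit for Code Red ".ida" probes plus the NAT source-port heuristic."""
import asyncio
import re
from typing import Iterable, Tuple

# Code Red's request line begins "GET /default.ida?" followed by a long run of
# filler bytes ('N' in the original worm, 'X' in CodeRedII). Requiring at
# least 50 identical filler bytes is this example's heuristic, not a spec.
IDA_PROBE = re.compile(rb"^GET /\S*\.ida\?([NX])\1{49,}")

# Ephemeral port range the Windows socket stack handed out (from the post).
WIN_EPHEMERAL_LO, WIN_EPHEMERAL_HI = 1024, 5000


def is_ida_probe(request_line: bytes) -> bool:
    """True if the first request line looks like a Code Red / CodeRedII probe."""
    return IDA_PROBE.match(request_line) is not None


def looks_natted(src_port: int) -> bool:
    """An infected Windows host sources from 1024-5000; anything else on an
    .ida probe implies a NAT rewrote the port on the way out."""
    return not (WIN_EPHEMERAL_LO <= src_port <= WIN_EPHEMERAL_HI)


def nat_fraction(records: Iterable[Tuple[str, int, bytes]]) -> float:
    """Fraction of .ida probes in (src_ip, src_port, request_line) records
    whose source port is outside the Windows range. 0.0 if there are none."""
    probes = natted = 0
    for _ip, port, line in records:
        if not is_ida_probe(line):
            continue
        probes += 1
        if looks_natted(port):
            natted += 1
    return natted / probes if probes else 0.0


async def _handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Tarpit handler: answer ordinary requests, silently hold worm probes."""
    try:
        line = await asyncio.wait_for(reader.readline(), timeout=10)
    except asyncio.TimeoutError:
        writer.close()
        return
    if is_ida_probe(line):
        # Neither reply nor close. The worm's blocking recv() never returns,
        # so that scanning thread stays wedged until this server exits.
        await asyncio.Event().wait()
        return
    writer.write(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    await writer.drain()
    writer.close()


async def serve(host: str = "0.0.0.0", port: int = 8080) -> None:
    """Run the tarpit on host:port (8080 chosen here so no root is needed)."""
    server = await asyncio.start_server(_handle, host, port)
    async with server:
        await server.serve_forever()


# Constructed sample (not captured traffic): three probes, one from a high port.
SAMPLE_RECORDS = [
    ("192.0.2.10", 1234, b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"),
    ("192.0.2.11", 38000, b"GET /default.ida?" + b"X" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"),
    ("192.0.2.12", 4999, b"GET /default.ida?" + b"N" * 224 + b"%u9090%u6858 HTTP/1.0\r\n"),
    ("192.0.2.13", 40000, b"GET /index.html HTTP/1.0\r\n"),  # not a probe; ignored
]

if __name__ == "__main__":
    print(f"NAT-translated fraction of probes: {nat_fraction(SAMPLE_RECORDS):.2f}")
    asyncio.run(serve())
```

Held connections cost the tarpit only an idle coroutine each, while they cost the worm a whole blocked thread; as the post notes, stopping the server releases every wedged worm at once, so a tarpit is a containment measure, not a cure. The port heuristic is only meaningful for traffic you already know comes from a Windows worm, which is why nat_fraction() ignores non-probe records.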