FC: Replies to the Code Red worm, red herrings, and media coverage

From: Declan McCullagh (declanat_private)
Date: Fri Aug 03 2001 - 07:03:34 PDT


    Obviously the Code Red worm was not a hoax, but the media coverage did not 
    make it clear (as I said on CNN earlier this week) that most users do not 
    have to worry about being infected; that Code Red was not that awful a 
    threat since at least the versions I'm familiar with could be removed by 
    rebooting; that claims of billions of dollars in damages were guesses at 
    best. Of the recent security threats, Sircam's the one that's truly nasty 
    -- how would you like *your* confidential documents to be leaked? Next up: 
    Fedcam, which targets only .gov and .mil computers and sends any document 
    marked "confidential" or "classified" to cypherpunks or Usenet.
    
    In response to:
    http://www.politechbot.com/p-02337.html
    
    -Declan
    
    **********
    
    Date: Wed, 1 Aug 2001 23:22:02 -0700
    From: Troy Davis <troyat_private>
    To: Declan McCullagh <declanat_private>
    Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen
    
    On Thu, Aug 02, 2001 at 12:27:03AM -0400, Declan McCullagh 
    <declanat_private> wrote:
    
     > Even the term Code Red is a red herring. Just like Distributed Denial of
     > Service attack, it is more out of the Pentagon's lexicon than that of
     > computer crackers. Code Red is just too campy -- seems like it belongs in the
     > same league with the movies "Deep Impact" and "Armageddon." But Code Red is
     > just the kind of term that might impress our otherwise attention deficit
     > disordered President. Computer crackers, of course, like to be a bit more
     > original and artsy, opting for terms like "Melissa," "Back Orifice," and
     > "Michaelangelo." How many original code names ever came out of NSA? "Echelon,"
     > for example. Boring! Now Code Red, that's something that could have been
     > conjured up by the Faulkners of the Fort!
    
    Conspiracy theories aside, the name "Code Red" was coined by the geeks
    who did the initial analysis, not by any governmental or regulatory agency.
    See http://www.eeye.com/html/Research/Advisories/AL20010717.html
    
    Its origins are pretty original; from the page:
    
    --
    We've designated this the .ida "Code Red" worm, first because part of the
    worm is designed to deface Web pages with the text "Hacked by Chinese" and
    second because "Code Red" Mountain Dew was the only thing that kept us awake
    while we disassembled this exploit.
    
    ..
    
    Greetings:
    The guy at Del Taco that sold us food at 3am to allow us to perform this
    research. The guy who left the warm "Code Red" Mountain Dew in the eEye lab.
    --
    
    
    Cheers,
    
    Troy
    
    **********
    
    Date: Wed, 01 Aug 2001 23:03:48 -0500
    From: Josh Archambault <joshat_private>
    To: declanat_private
    Cc: politechat_private
    Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen
    
    This is a joke right?
    
    Just because a couple of different organizations cooperated to
    head off a large potential problem, there is a conspiracy afoot?  Check
    out some of the excellent analysis and discussion that has come down
    reputable security mailing lists like Bugtraq.  For example:
    
    http://www.securityfocus.com/templates/archive.pike?list=1&mid=197828
    
    There is little question that the code red worm:
    
    1) Presented a significant risk to a number of pieces of Internet
    infrastructure (including not just individual websites, but also
    routers, and other key pieces of equipment).
    
    2) Was not named after anything scandalous (it was named after a
    soft drink!).
    
    3) Was not responsible for its own poor media coverage.
    
    4) Was nipped in the bud and made a non-issue largely as a result of
    the widespread media coverage.
    
    In any case, this was clearly not a hoax.  Please don't try and take
    media outlets to task for doing (though possibly over-doing) a good
    thing.
    
    -J
    
    **********
    
    From: "L Gallegos" <jandlat_private>
    To: Declan McCullagh <declanat_private>
    Date: Thu, 2 Aug 2001 03:15:02 -0400
    Reply-to: jandlat_private
    
    Whoever unleashed this thing, it's doing damage.  I know a couple
    of sysadmins who are traveling all over the place for clients to
    eradicate this worm as it hits.  It has mutated, it seems, and is
    hitting quite fiercely again.  Calls are coming in consistently.  The
    guys I know are estimating it will be weeks before the effects are
    minimized and that is if they can find the mutations.
    
    If it is our dear government, someone should expose it and soon.
    It has hurt many businesses and most importantly ISPs - even
    those who have applied the patch.  Btw, many sysadmins hesitate
    to apply patches immediately because they many times break as
    much as they "fix."  M$ doesn't do regression testing to make sure
    the patches won't break the system they are supposed to protect.
    Which is worse, a worm that wrecks a system or a patch that
    does the same thing?
    
    This is also one good example why having choice in OS's is a
    good thing, not a bad one.  Having a "standard" that everyone uses
    is a single point of failure.  All the crackers need is knowledge of
    the exploits in the one most used and down go the networks.
    
    Thanks M$ for the lousy security.
    
    LDG
    
    **********
    
    Date: Thu, 2 Aug 2001 18:28:59 +1000
    To: WMadsen777at_private (Wayne Madsen)
    From: Roger Clarke <Roger.Clarkeat_private>
    Subject: Re: Code Red = Red Herring Update
    Cc: Ari Schwartz <ariat_private>, Declan McCullagh <declanat_private>,
             gtaylorat_private (Greg Taylor)
    
    G'day Wayne (hi Ari, Declan, Greg)
    
    >CODE RED - A RED HERRING
    >Wayne Madsen
    >30 July 2001
    >Washington, DC
    >
    >Here we go again folks.  ...
    
    Cheez, and people call *me* cynical!!
    
    Seriously, I've not taken on the [Australian] national security and law 
    enforcement agencies before, but I got stroppy a couple of weeks back and 
    let a broadside go at them.  See:
    Certainty of Identity: A Fundamental Misconception, and a Fundamental 
    Threat to Security
    http://www.anu.edu.au/people/Roger.Clarke/DV/IdCertainty.html
    
    Keep it up!  And make sure it's publicly known that plenty of friends are 
    aware of your whereabouts at any given time, so that the boys-not-in-blue 
    don't get the idea they can afford to dampen your enthusiasm!
    
    And start working on your proposal for a session at CFP'02 right now!!
    
    Regards  ...  Roger
    
    -- 
    Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/
    
    Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                     Tel: +61 2 6288 1472, and 6288 6916
    mailto:Roger.Clarkeat_private         http://www.xamax.com.au/
    
    Visiting Fellow                       Department of Computer Science
    The Australian National University     Canberra  ACT  0200 AUSTRALIA
    Information Sciences Building Room 211       Tel:  +61  2  6125 3666
    
    **********
    
    From: Robert Fleck <rfleckat_private>
    To: "'declanat_private'" <declanat_private>
    Subject: RE: Why the "Code Red" worm is a red herring, by Wayne Madsen
    Date: Thu, 2 Aug 2001 10:55:55 -0400
    
     > From: WMadsen777at_private
     > Date: Wed, 1 Aug 2001 15:01:06 EDT
     > Subject: Code Red = Red Herring Update
     > To: [...]
     >
     > [..]
     > POSTSCRIPT:
     >
     > Not getting the media bounce from the 8:00 PM EST Code Red
     > meltdown hour on July 31 (nothing happened!), the FBI began
     > spinning the story the very next morning that 22,000 computers
     > had been hit with Code Red.  Considering that viruses and worms
     > probably strike many more computers than that on any given
     > day, 22,000 is a relatively low number.
    
    The reason nothing happened at 8PM is very simple...
    -  A few copies of the worm were still active on various
        systems around the world that had skewed dates, and
        hence never stopped trying to spread themselves.
    -  At the mythical 8PM EST, computers in UTC+1h would begin
        trying to spread, if they had been infected by these
        stragglers.
    -  Over the few hours following that, machines in the US would
        start to pick up too.
    
    So, this kind of attack doesn't immediately jump through the
    roof infecting everything connected, it has to spread, like
    a real virus.  In fact, it didn't even hit its stride
    until after the FBI had made its statement.
    
    Early statistics that I've seen from some of the IDS analysts
    with a good view on large portions of the internet would seem
    to indicate that the growth curve this time around is very
    similar to last month.
    
    Differences:
    -  The growth curve has a slower doubling rate.  Most likely
        because of systems that have been patched.
    -  The effect of straggling infected computers was to put the
        start of this curve at a comparable place to about 10 hours
        into the infection curve last month.  (A 10 hour head start.)
    
    My point: July 31 8PM was too early to make a statement,
    Aug1 AM was too early to make a statement, it's still too early
    now.  But, as of this writing (Aug2, 10:30am) it looks like
    possibly up to 240,000 have been infected so far, and it's
    continuing to spread at 5,000 hosts per hour.  This rate is
    much lower than the peak rate which was nearly 22,000 hosts
    per hour.
    
    This is only slightly smaller than the last round of infections,
    which most analysts place somewhere between 300k and 400k hosts,
    and peaked out at nearly 2000 hosts per _minute_.
    
    As a side note, one of the reasons this attack was such a pain
    was that it generated tremendous amounts of traffic looking
    for new hosts to infect.  The script kiddies also have been
    trying to use it as cover for other web server based attacks.
    
    Bob Fleck
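The growth-curve reasoning in the message above (a slow start from a handful of straggler hosts, a head start measured in hours, a doubling rate that falls as hosts are patched, and a "hosts per hour" peak) can be made concrete with the random-constant-spread (logistic) model commonly used for scanning worms. The block below is an added illustration, not code from the page or from any analyst it cites; the vulnerable-host pool, the contact rate of 1.8 new infections per infected host per hour, and the 100-straggler scenario are constructed assumptions, not measurements.

```python
"""Logistic worm growth model, added as an illustration of the curve
reasoning in the message above.  Not code from the page; all numbers
below are constructed assumptions for illustration only.

Random-constant-spread model: each infected host creates new infections
at rate K times the fraction of the vulnerable pool still uninfected,
    dI/dt = K * I * (1 - I/N).
"""
import math

# Constructed parameters (assumptions, not measurements).
VULNERABLE_HOSTS = 350_000   # vulnerable pool, roughly the July figure quoted above
CONTACT_RATE = 1.8           # new infections per infected host per hour, early phase


def infected_at(hours, n_vulnerable=VULNERABLE_HOSTS, initial=1,
                contact_rate=CONTACT_RATE):
    """Closed-form solution of the logistic equation at time `hours`."""
    return n_vulnerable / (1 + (n_vulnerable / initial - 1)
                           * math.exp(-contact_rate * hours))


def hourly_curve(hours, **kw):
    """Infected-host count sampled at each whole hour, 0..hours."""
    return [(h, int(round(infected_at(h, **kw)))) for h in range(hours + 1)]


def doubling_time_hours(contact_rate=CONTACT_RATE):
    """Doubling time during the early, still-exponential phase."""
    return math.log(2) / contact_rate


def head_start_hours(stragglers, contact_rate=CONTACT_RATE, seed=1):
    """Hours the exponential phase needs to grow from `seed` hosts to
    `stragglers` hosts: the head start that never-dormant infected
    machines give a new round of spreading."""
    return math.log(stragglers / seed) / contact_rate


def contact_rate_after_patching(n_before, n_after, contact_rate=CONTACT_RATE):
    """K is proportional to the number of vulnerable hosts a random scan can
    land on, so patching a share of the pool slows doubling by that share."""
    return contact_rate * n_after / n_before


def first_hour_reaching(curve, threshold):
    """First sampled hour at which the infected count is >= threshold."""
    for hour, infected in curve:
        if infected >= threshold:
            return hour
    return None


def peak_hourly_rate(curve):
    """Largest hour-over-hour increase: the 'hosts per hour' peak."""
    return max(b[1] - a[1] for a, b in zip(curve, curve[1:]))


if __name__ == "__main__":
    fresh = hourly_curve(12)               # a single seed host at t=0
    late = hourly_curve(12, initial=100)   # 100 stragglers still scanning (assumed)
    ten_pct = VULNERABLE_HOSTS // 10
    print("doubling time: %.2f h" % doubling_time_hours())
    print("hour 1, single seed: %d hosts infected (nothing visible yet)" % fresh[1][1])
    print("10%% of pool infected: single seed at hour %d, stragglers at hour %d"
          % (first_hour_reaching(fresh, ten_pct), first_hour_reaching(late, ten_pct)))
    print("head start from 100 stragglers: %.1f h" % head_start_hours(100))
    print("peak rate, single seed: %d hosts/hour" % peak_hourly_rate(fresh))
    k2 = contact_rate_after_patching(VULNERABLE_HOSTS, 240_000)
    print("with 240k still vulnerable: doubling time %.2f h" % doubling_time_hours(k2))
```

Run as a script it prints the hourly picture: an hour after a single seed host starts scanning the model shows only a handful of infections, the 10% mark is crossed around hour six, and the same curve started from 100 already-active stragglers crosses it roughly two and a half hours earlier, which is the head-start effect the message describes. The peak hosts-per-hour figure and the slower doubling after part of the pool is patched fall out of the same two parameters.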
    
    **********
    
    Date: Thu, 2 Aug 2001 11:11:18 -0400
    From: Nat <nathaniel.echolsat_private>
    To: Declan McCullagh <declanat_private>
    cc: politechat_private
    Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen
    In-Reply-To: <5.0.2.1.0.20010802002227.0210d890at_private>
    
     > But would the United States take advantage of such a situation in cyber-space
     > to advance a secret agenda? They've probably already done so. Back in 1988,
     > the Internet was treated to its first worm. Programmed and launched by Robert
     > Morris, Jr., the worm crippled hundreds of thousands of computers connected
     > to the Internet. It just so happened that young Mr. Morris's dad was the
     > Chief Scientist at NSA -- during a period when the agency was feverishly
     > trying to test the vulnerabilities of various operating systems and
     > application programs.
    
    Oooh, someone's watched "Enemy of the State" a few too many times.  It's
    been a couple of years since I read "The Cuckoo's Egg", but I'm pretty
    sure Morris Jr. was just a young 'hacker' who didn't quite realize what a
    mess he'd created.  I'd imagine if my dad was a top government researcher
    in the tech security field, I'd be interested in that kind of stuff too.
    If there's any evidence that Morris Jr. was working in collusion with the
    NSA, could Mr. Madsen please pass it along?
    
    And I'm sure I'm not the only one who finds the Goebbels references
    tiring.  I didn't vote for Bush either, but I'm a firm believer in "Never
    attribute to malice that which can be explained by incompetence."  It's
    obvious the administration has no coherent policies for dealing with the
    Information Age- why do so many people seem shocked by this?
    
    -Nat
    
    **********
    
    -------------------------------------------------------------------------
    POLITECH -- Declan McCullagh's politics and technology mailing list
    You may redistribute this message freely if you include this notice.
    To subscribe, visit http://www.politechbot.com/info/subscribe.html
    This message is archived at http://www.politechbot.com/
    -------------------------------------------------------------------------
    