Obviously the Code Red worm was not a hoax, but the media coverage did not make it clear (as I said on CNN earlier this week) that most users do not have to worry about being infected; that Code Red was not that awful a threat since at least the versions I'm familiar with could be removed by rebooting; that claims of billions of dollars in damages were guesses at best.

Of the recent security threats, Sircam's the one that's truly nasty -- how would you like *your* confidential documents to be leaked? Next up: Fedcam, which targets only .gov and .mil computers and sends any document marked "confidential" or "classified" to cypherpunks or Usenet.

In response to: http://www.politechbot.com/p-02337.html

-Declan

**********

Date: Wed, 1 Aug 2001 23:22:02 -0700
From: Troy Davis <troyat_private>
To: Declan McCullagh <declanat_private>
Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen

On Thu, Aug 02, 2001 at 12:27:03AM -0400, Declan McCullagh <declanat_private> wrote:
> Even the term Code Red is a red herring. Just like Distributed Denial of
> Service attack, it is more out of the Pentagon's lexicon than that of
> computer crackers. Code Red is just too campy; it seems like it belongs in the
> same league with the movies "Deep Impact" and "Armageddon." But Code Red is
> just the kind of term that might impress our otherwise attention deficit
> disordered President. Computer crackers, of course, like to be a bit more
> original and artsy, opting for terms like "Melissa," "Back Orifice," and
> "Michelangelo." How many original code names ever came out of NSA? "Echelon,"
> for example. Boring! Now Code Red, that's something that could have been
> conjured up by the Faulkners of the Fort!

Conspiracy theories aside, the name "Code Red" was coined by the geeks who did the initial analysis, not by any governmental or regulatory agency.
See http://www.eeye.com/html/Research/Advisories/AL20010717.html

Its origins are pretty original; from the page:

--
We've designated this the .ida "Code Red" worm, first because part of the worm is designed to deface Web pages with the text "Hacked by Chinese" and second because "Code Red" Mountain Dew was the only thing that kept us awake while we disassembled this exploit.
..
Greetings: The guy at Del Taco that sold us food at 3am to allow us to perform this research. The guy who left the warm "Code Red" Mountain Dew in the eEye lab.
--

Cheers,
Troy

**********

Date: Wed, 01 Aug 2001 23:03:48 -0500
From: Josh Archambault <joshat_private>
To: declanat_private
Cc: politechat_private
Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen

This is a joke, right? Just because a couple of different organizations cooperated to head off a large potential problem, there is a conspiracy afoot? Check out some of the excellent analysis and discussion that has come down reputable security mailing lists like Bugtraq. For example:

http://www.securityfocus.com/templates/archive.pike?list=1&mid=197828

There is little question that the Code Red worm:

1) Presented a significant risk to a number of pieces of Internet infrastructure (including not just individual websites, but also routers and other key pieces of equipment).
2) Was not named after anything scandalous (it was named after a soft drink!).
3) Was not responsible for its own poor media coverage.
4) Was nipped in the bud and made a non-issue largely as a result of the widespread media coverage.

In any case, this was clearly not a hoax. Please don't try and take media outlets to task for doing (though possibly over-doing) a good thing.

-J

**********

From: "L Gallegos" <jandlat_private>
To: Declan McCullagh <declanat_private>
Date: Thu, 2 Aug 2001 03:15:02 -0400
Reply-to: jandlat_private

Whoever unleashed this thing, it's doing damage.
I know a couple of sysadmins who are traveling all over the place for clients to eradicate this worm as it hits. It has mutated, it seems, and is hitting quite fiercely again. Calls are coming in consistently. The guys I know are estimating it will be weeks before the effects are minimized, and that is if they can find the mutations.

If it is our dear government, someone should expose it and soon. It has hurt many businesses and most importantly ISPs - even those who have applied the patch.

Btw, many sysadmins hesitate to apply patches immediately because they many times break as much as they "fix." M$ doesn't do regression testing to make sure the patches won't break the system they are supposed to protect. Which is worse, a worm that wrecks a system or a patch that does the same thing?

This is also one good example why having choice in OS's is a good thing, not a bad one. Having a "standard" that everyone uses is a single point of failure. All the crackers need is knowledge of the exploits in the one most used and down go the networks. Thanks M$ for the lousy security.

LDG

**********

Date: Thu, 2 Aug 2001 18:28:59 +1000
To: WMadsen777at_private (Wayne Madsen)
From: Roger Clarke <Roger.Clarkeat_private>
Subject: Re: Code Red = Red Herring Update
Cc: Ari Schwartz <ariat_private>, Declan McCullagh <declanat_private>, gtaylorat_private (Greg Taylor)

G'day Wayne (hi Ari, Declan, Greg)

>CODE RED - A RED HERRING
>Wayne Madsen
>30 July 2001
>Washington, DC
>
>Here we go again folks. ...

Cheez, and people call *me* cynical!!

Seriously, I've not taken on the [Australian] national security and law enforcement agencies before, but I got stroppy a couple of weeks back and let a broadside go at them. See:

Certainty of Identity: A Fundamental Misconception, and a Fundamental Threat to Security
http://www.anu.edu.au/people/Roger.Clarke/DV/IdCertainty.html

Keep it up!
And make sure it's publicly known that plenty of friends are aware of your whereabouts at any given time, so that the boys-not-in-blue don't get the idea they can afford to dampen your enthusiasm!

And start working on your proposal for a session at CFP'02 right now!!

Regards ... Roger

--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarkeat_private http://www.xamax.com.au/
Visiting Fellow, Department of Computer Science, The Australian National University, Canberra ACT 0200 AUSTRALIA
Information Sciences Building Room 211, Tel: +61 2 6125 3666

**********

From: Robert Fleck <rfleckat_private>
To: "'declanat_private'" <declanat_private>
Subject: RE: Why the "Code Red" worm is a red herring, by Wayne Madsen
Date: Thu, 2 Aug 2001 10:55:55 -0400

> From: WMadsen777at_private
> Date: Wed, 1 Aug 2001 15:01:06 EDT
> Subject: Code Red = Red Herring Update
> To: [...]
>
> [..]
> POSTSCRIPT:
>
> Not getting the media bounce from the 8:00 PM EST Code Red
> meltdown hour on July 31 (nothing happened!), the FBI began
> spinning the story the very next morning that 22,000 computers
> had been hit with Code Red. Considering that viruses and worms
> probably strike many more computers than that on any given
> day, 22,000 is a relatively low number.

The reason nothing happened at 8PM is very simple...

- A few copies of the worm were still active on various systems around the world that had skewed dates, and hence never stopped trying to spread themselves.
- At the mythical 8PM EST, computers in UTC+1h would begin trying to spread, if they had been infected by these stragglers.
- Over the few hours following that, machines in the US would start to pick up too.

So, this kind of attack doesn't immediately jump through the roof infecting everything connected; it has to spread, like a real virus.
In fact, it didn't even hit its stride until after the FBI had made its statement.

Early statistics that I've seen from some of the IDS analysts with a good view on large portions of the internet would seem to indicate that the growth curve this time around is very similar to last month. Differences:

- The growth curve has a slower doubling rate. Most likely because of systems that have been patched.
- The effect of straggling infected computers was to put the start of this curve at a comparable place to about 10 hours into the infection curve last month. (A 10 hour head start.)

My point: July 31 8PM was too early to make a statement, Aug 1 AM was too early to make a statement, it's still too early now. But, as of this writing (Aug 2, 10:30am) it looks like possibly up to 240,000 have been infected so far, and it's continuing to spread at 5,000 hosts per hour. This rate is much lower than the peak rate, which was nearly 22,000 hosts per hour. This is only slightly smaller than the last round of infections, which most analysts place somewhere between 300k and 400k hosts, and peaked out at nearly 2000 hosts per _minute_.

As a side note, one of the reasons this attack was such a pain was that it generated tremendous amounts of traffic looking for new hosts to infect. The script kiddies also have been trying to use it as cover for other web server based attacks.

Bob Fleck

**********

Date: Thu, 2 Aug 2001 11:11:18 -0400
From: Nat <nathaniel.echolsat_private>
To: Declan McCullagh <declanat_private>
cc: politechat_private
Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen
In-Reply-To: <5.0.2.1.0.20010802002227.0210d890at_private>

> But would the United States take advantage of such a situation in cyber-space
> to advance a secret agenda? They've probably already done so. Back in 1988,
> the Internet was treated to its first worm. Programmed and launched by Robert
> Morris, Jr., the worm crippled hundreds of thousands of computers connected
> to the Internet. It just so happened that young Mr. Morris's dad was the
> Chief Scientist at NSA during a period when the agency was feverishly
> trying to test the vulnerabilities of various operating systems and
> application programs.

Oooh, someone's watched "Enemy of the State" a few too many times. It's been a couple of years since I read "The Cuckoo's Egg", but I'm pretty sure Morris Jr. was just a young 'hacker' who didn't quite realize what a mess he'd created. I'd imagine if my dad was a top government researcher in the tech security field, I'd be interested in that kind of stuff too. If there's any evidence that Morris Jr. was working in collusion with the NSA, could Mr. Madsen please pass it along?

And I'm sure I'm not the only one who finds the Goebbels references tiring. I didn't vote for Bush either, but I'm a firm believer in "Never attribute to malice that which can be explained by incompetence." It's obvious the administration has no coherent policies for dealing with the Information Age - why do so many people seem shocked by this?

-Nat

**********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Aug 03 2001 - 07:21:07 PDT