[EAS]Code Red Worm

Sun Jul 22 03:39:33 EDT 2001

Subject:   Code Red Worm

Dear Colleagues -

It has been all over the Internet last week, so you've surely heard
about this momentous latest creation from the hacker world (this
time from China, it appears). From the usual diligent mailings by
Phil Agre of UCLA I've gathered some material further below.

The worm may be stopped for now, it may even help serve as
'vaccine' building up the antibodies among Web server suppliers and
customers, as one article suggests
<http://www.zdnet.com/zdnn/stories/comment/0,5859,2792689,00.html>.

I'm troubled by Phil Agre's question, "What's wrong with us?" in
the first item below. Part of my answer is that we live in a world
of specialists. The White House has one specialist for bashing
Liberals, another for turning around the President's image as
quickly as possible if circumstances call for it. In technology we
know we have specialists, but don't always realize the possible
consequences, such as major security holes in major software. No,
the answer isn't more "police", even more specialists, it is
software (or hardware) used in the appropriate ratio of its
reliability to its scale of purpose. That requires a more
generalist viewpoint.

On occasion specialists turn their 'lens' from the normal
narrow-angle working setting to wide-angle and deliver themselves
of generalist views. But they usually haven't lived generalist
lives so they can get it quite wrong. "Everything will be connected
via the Web," they say, "not just your computer, but also your
appliances, your home's environmental controls, your car." And then
follow wondrous predictions of working and living convenience, a
world you can just float through guided by your whim. But note that
these predictioncs come from the folks whose enterprise Web servers
are the subject of spectacular breakins. How much attention can we
expect to be devoted to the security of these many proposed smaller
Web-enablements, ones that by the likely nature of their firmware
are probably not even patchable?

I don't claim to know what disposes one toward a generalist
viewpoint. Enough time to reflect, away from specialized
intensity, is surely a factor. Personalities and educational
opportunities differ widely. One quality, be it cause or effect,
that I associate with generalists I know, is that they "care." They
do things that aren't "part of their job description,", they seek
to understand, and when possible help improve, the larger context
within which they occupy their smaller realm. This quality of
caring ought to be natural and important to engineers, who are
supposed to be educated to understand how larger wholes ("systems",
even on a social scale) depend on the interactions of the smaller
entities that comprise them.

So my fledgling response to Phil Agre's "What's wrong with us?" is
that the specialists in us and among us don't care enough.

   --PJK

-------------------------------------
Date: 7/19/2001 8:42 PM
From: Phil Agre
The "Code Red" worm, currently exploding on the Internet courtesy
of a hole in Microsoft's server software, is fascinating.  I don't
want to overhype it, but it's symptomatic of how fundamentally
screwed-up Internet security is.  Yes, I realize that Microsoft has
issued a patch.  But even if 95% of sites installed the patch, the
remaining 5% represent enough fire-power to organize a catastrophic
DDOS attack. There are millions of sites out there, and scores of
patches that they ought to be installing, and it's not surprising
that vast numbers of sites, Microsoft and Sun and everything else,
are full of known holes. I'm not saying a catastrophic attack is
going to happen tomorrow, but day by day we're so close to the edge
that it blows my mind.  We have been rebuilding our whole
civilization on top of a technology that is imploding before our
eyes.  The lights stay on only because none of the malicious
hackers, or the 13-year-olds who use their scripts, feels like
turning them off yet.  What's wrong with us?

Thanks to the Internet reader who gathered most of these URL's.

"Code Red" Worm Set to Flood Internet
http://news.cnet.com/news/0-1003-200-6617292.html

This article opens as follows:

  An analysis of the fast-spreading "Code Red" computer worm reveals
  that infected computers are programmed to attack the White House Web
  site with a denial-of-service attack Thursday evening, potentially
  slowing parts of the Internet to a crawl.

  The worm has compromised more than 100,000 English-language servers
  running Microsoft's Web server software as of late Thursday.  In
  addition, each of those infected computers are expected to flood the
  Whitehouse.gov address with data starting at 5 p.m. PDT, according
  to an analysis by network-protection company eEye Digital Security.

That's right now.  The White House Web site appears to be operational,
however.

This article is more skeptical about the potential for damage, though
impressed by the numbers:

  More Up-to-date CRW news, including updated infection estimates
  http://www.newsfactor.com/perl/story/12154.html

Here are more technical analyses:

Original analaysis of "Code Red" Worm from eEye
http://www.securityfocus.com/templates/archive.pike?list=1&start=2001-07-15&mid=197828&end=2001-07-21&fromthread=0&threads=0&

Updated analysis of CRW from eEye
http://www.securityfocus.com/templates/archive.pike?list=1&start=2001-07-15&mid=198068&end=2001-07-21&fromthread=0&threads=0&

SANS Incident diary for 18 July, with lots of statistics
  (content of the URL may change - as of 19 July 2350 GMT, was good)
http://www.incidents.org/diary/diary.php

Code Red Worm: Killed By Reboot
http://www.newsfactor.com/perl/story/12116.html

Various topics, including CRW:
http://www.eeye.com/~apps/modules/Forum/threads.asp?cat=t%2E0430%2E225832%2E446478&filter=90

--------------------------------------
Date: 7/20/2001 7:12 PM
From: Phil Agre
[The enclosed essay about the "Code Red" worm will appear in the
August issue of Crypto-Gram:

  http://www.counterpane.com/crypto-gram.html

The executive summary is that only pure luck saved the Internet
from a humongous denial-of-service attack that claims to have
originated in China.  And nobody's saying that the danger has
passed.  The worm authors can easily bring their code up to the
standard of many other worms and relaunch their attack on the many
unprotected servers that surely remain.

Here are some more URL's in addition to Bruce's:

The mainstream press reported it as just another virus because
little harm was done:

  http://www.cnn.com/2001/TECH/internet/07/20/computer.viruses/

Wired News briefly reported the White House's evasion tactics:

  http://www.wired.com/news/politics/0,1283,45410,00.html

Here are some interesting graphs suggesting the worm's perceptible
but not catastrophic impact on Internet performance.  Check out the
graphs labeled "Rolling 7-Day Latency, Packet Loss, and
Reachability":

  http://average.miq.net/
  http://average.miq.net/Weekly/markMM.html

The worm also apparently harmed some Cisco routers:

  http://slashdot.org/article.pl?sid=01/07/19/2230246

Here are some more facts:

  http://slashdot.org/comments.pl?sid=01/07/19/2230246&cid=5

In addition, many people reported informally that their servers had
probed hundreds or thousands of times by various copies of the
worm. This suggests that every vulnerable server on the public
network was eventually infected, and could easily be again.

We dodged another bullet.  But we're still not talking about the
fundamental reforms that will be required to keep this pattern of
vulnerabilities and attacks from accelerating to the point where
someone gets hurt.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service
(RRE). You are welcome to send the message along to others but
please do not use the "redirect" option.  For information about
RRE, including instructions for (un)subscribing, see
http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Fri, 20 Jul 2001 16:56:16 -0500
From: Bruce Schneier <schneier at counterpane.com>

[...]

********************

Code Red Worm

On 19 July 2001, the White House narrowly averted a terrorist
attack when security personnel were able to exploit a flaw in a
bomb's trigger mechanism and evacuate key personnel to a remote
location, causing the bomb to fizzle.  The attack was a
denial-of-service attack, the target was the White House Web site,
and the flaw was in malicious code, but other than that the
sensationalist story is correct.  And this tale of attack and
defense in cyberspace contains security lessons for us all.

In June, eEye Digital Security discovered a serious vulnerability
in Microsoft's Information Internet Server (IIS) that would allow a
hacker to take control of the victim's computer.  Microsoft hastily
patched the software to eliminate the vulnerability, as they are
generally good about doing.

By now, we know that it is impossible for most system
administrators to keep their patches up to date, so it came as no
surprise that hacker tools developed to exploit the vulnerability
were able to break into unpatched systems.  One particularly nasty
hacker tool was the Code Red Worm.  This worm, estimated to have
affected over 250,000 computers, spreads automatically without any
user intervention (no attachments to open).  When it infects a
computer, it selects 100 IP addresses and infects them if
vulnerable.  Then, it defaces any Web site on the server with the
words: "Welcome to http://www.worm.com! Hacked by Chinese!"

So far, this is a normal, if virulent, worm.  But there was an
additional feature.  The Code Red worm was programmed to flood
www.whitehouse.com in a massively coordinated distributed
denial-of- service attack at 8:00 PM on July 19.  The attack failed
because of some programming errors in the worm.  One, the attack
was against a specific IP address, and not a URL.  So
whitehouse.gov moved from one URL to another to avoid the attack. 
And two, the worm was programmed to check for a valid connection
before flooding its target. With whitehouse.gov at a different IP
address, there was no valid connection.  No connection, no
flooding.

The worm was programmed to continue to spread until July 20, and
try to attack the former IP address of whitehouse.gov until July
28.

On the face of it, this looks to be a politically motivated attack:
hactivism, as it has come to be called.  The worm's defacement
message implies that it is Chinese, and it is only programmed to
attack English-language versions of Windows NT or 2000.  If it
encounters a foreign version, it goes into hibernation, neither
spreading nor attacking the White House.  But it's hard to know for
sure; many random hackers take on mantles of political activism
either because it gives them a cool cover story.

The White House got lucky.  The next worm writer won't make the
same programming mistakes.  The White House could have alerted
their ISP and the upstream network nodes to block the offending
packets, but only because they knew what the attack looked like and
had enough warning.  We can't count on that next time, either.

We all got lucky.  Code Red could have been much worse.  It had
full control of every machine it took over; it could have been
programmed to do anything the author imagined.  It spread using a
random walk through the Internet; if the author used a more
intelligent propagation system, it would have spread much faster.

The hundreds of thousands of infected networks could have had
better security, but I don't believe that everyone will always have
their patches up to date.  Even Microsoft, the company that
continually admonishes us all to install patches quickly, was
infected by Code Red in unpatched systems.  Firewalls wouldn't have
caught this problem.  Unless a network's IDS signatures were
updated, it wouldn't have caught this problem.  I have long been a
proponent of security monitoring by people; it's the only way to
achieve security in an environment where the threats change this
rapidly.

But even if you can secure your particular network, what about the
millions of other networks out there that aren't secure?  One of
the great security lessons of the past few years is that we're all
connected.  The security of your network depends on the security of
others, and you have no control over their security.

Hacking is a way of life on the Internet.  Remember a few years
ago, when defacing a Web site made the newspaper?  Remember two
years ago, when distributed denial-of-service attacks and
credit-card thefts made the newspaper?  Or last year, when
fast-spreading worms and viruses made the newspapers?  Now these
all go unreported because they are so common.  Code Red ushers in a
new form of attack: a preprogrammed worm that unleashes a
distributed attack against a predetermined target. After a couple
dozen of these, we'll think of it as business as usual on the
Internet.

Code Red Worm:
http://news.cnet.com/news/0-1003-200-6604515.html
http://news.cnet.com/news/0-1003-202-6616583.html
http://news.cnet.com/news/0-1003-202-6617292.html

CERT Advisory:
<http://www.cert.org/advisories/CA-2001-19.html>

Excellent mathematical analysis of the worm:
<http://www.silicondefense.com/cr/>

Original flaw in IIS:
<http://news.cnet.com/news/0-1003-200-6312870.html>
<http://www.eeye.com/html/Research/Advisories/AD20010618.html>

Microsoft's Patch:
<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>
**************************************************************************
Bruce Schneier, CTO, Counterpane Internet Security, Inc.  Ph: 408-777-3612
19050 Pruneridge Ave, Cupertino, CA 95014

Free Internet security newsletter. See: 
http://www.counterpane.com/crypto-gram.html

=================================================================