Code Red worm set to flood Internet

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

By Robert Lemos

Special to CNET News.com

July 19, 2001, 1:30 p.m. PT

An analysis of the fast-spreading Code Red computer worm has discovered that infected computers are programmed to attack the White House Web site with a denial-of-service attack Thursday evening, potentially slowing parts of the Internet to a crawl.

The worm, which is thought to have compromised more than 15,000 English-language servers running Microsoft's Web server software, will cause every infected computer to flood the Whitehouse.gov address with data starting at 5 p.m. PDT, according to an analysis by network-protection company eEye Digital Security.

While the direct target of the worm's denial-of-service attack is Whitehouse.gov, the indirect effect is that an avalanche of data will hit the Net. Each infection--a server can be infected at least three times--will send 400MB of data every four hours or so, possibly leading to a massive packet storm.

"That's what I mean when I say, 'Boom!'" said Marc Maiffret, chief hacking officer of eEye. "If this goes along what it's looking like, parts of the Net will go down." He noted, though, that the code could have an error that causes the worm "to screw up and not work right."

Already, there are reports that the worm's propagation is causing performance problems for some companies connected to the Internet. According to data from Internet performance company Matrix.net, the root domain servers--the central databases connecting numerical Net addresses to Web names--are showing 20 percent packet loss. That indicates a substantial increase in data flowing across the Net.

Even if the flood of data continues to increase as expected, it may go unnoticed by most Web users, said Fred Cohen, a security expert in residence at the University of New Haven and the author of the first paper on computer worms in 1984.

"If it is handled properly, it sounds like it's easily defeated," he said. "All those people (whose servers have been infected) can be notified. The Internet won't collapse; society won't end.

"Back 15 years ago, that (was) more bandwidth than the whole Internet had, but today the Internet can handle it."

Government officials on Thursday afternoon were reviewing the eEye analysis, according to sources. Calls to the White House were not immediately returned.

In June, eEye found the security vulnerability in Microsoft's Internet Information Server that is being used by the worm. Known as the index-server flaw, the security hole was detailed and patched by Microsoft more than a month ago.

Although system administrators have had more than a month to plug the hole, a large number have not.

The security hole, combined with the low priority normally given to patching systems, may cause history to repeat itself.

In November 1988, the Cornell Internet Worm overloaded an estimated 3,000 to 4,000 servers, or about 5 percent of those connected to the early Internet. The worm, which exploited flaws in Unix systems, was written and released by Robert T. Morris, a Cornell University graduate student. The effects on the early Internet are still debated, but some estimate that traffic slowed by 15 percent to 20 percent on average.

That may happen again.

The Code Red worm spreads by selecting 100 IP addresses, scanning the computers associated with them for the hole and spreading to the vulnerable machines. The worm then defaces any Web site hosted by the server with the text: "Welcome to http://www.worm.com! Hacked by Chinese!"

Code Red seems to deface only English-language servers, going into hibernation on non-English versions of Microsoft's IIS software. However, many companies in other countries use the English version of Microsoft's software, said eEye's Maiffret.

"The majority of foreign companies run the English system, because updates come out first in the English," he said.

According to the eEye analysis, when the coordinated universal time hits midnight on Friday morning--5 p.m. Thursday--every worm infection will start sending nearly 400MB of data every four hours.

An apparent side effect of the worm seems to crash several varieties of DSL routers and higher-end network routers that direct data around the Internet, according to posts on the Bugtraq mailing list maintained by SecurityFocus. While apparently not an intended consequence of the worm, the problems could exacerbate the bandwidth problems once the data flood starts.



-- PHO (owennos@bigfoot.com), July 19, 2001

Answers

Worm has servers seeing 'Code Red'

By Robert Lemos

ZDNet News

July 18, 2001 5:02 PM PT

Almost 12,000 Web servers have been infected by a new Internet worm that takes advantage of a security flaw in Microsoft software to deface sites, security experts said Wednesday. The worm could also help attackers identify infected computers and gain control of them.

Known as the Code Red worm because of evidence that it may have been launched from China, the self-spreading program infects servers using unpatched versions of Microsoft's Internet Information Server software and defaces the Web sites hosted by the servers.

The code is still being analyzed to see if it does any further damage. But the way the worm is written, it could allow online vandals to build a list of infected systems and later take control of them, said Marc Maiffret, chief hacking officer with eEye Digital Security.

"It is a very slick worm," Maiffret said. "Until all these people go out and patch their systems, it will keep going."

eEye found the vulnerability in Microsoft's software--the so-called index-server flaw--last month and reported it to the software giant, which acknowledged the flaw June 18 and posted a downloadable fix on its Web site. Microsoft urged people to patch the hole before the Internet underground could produce tools to take advantage of the estimated 6 million vulnerable systems.

"Obviously, not a lot of people patched it," Maiffret said. "Even with the press, a lot of people didn't hear about it."

System administrators first detected the Code Red worm this past Friday.

The worm spreads by selecting 100 IP addresses, scanning the computers associated with them for the hole, and spreading to the vulnerable machines. The worm then defaces any Web site hosted by the server with the text:

Welcome to http://www.worm.com! Hacked by Chinese!

Code Red seems to deface only English-language servers, going into hibernation on non-English versions of Microsoft's IIS software.

Believing that Worm.com acted as a collection point for information sent from compromised servers, Microsoft has successfully requested that Worm.com's Internet service provider pull the plug on the site. If Worm.com had built such a list, it could have allowed online vandals to target computers known to be vulnerable.

"That site was a collection point for data about what sites had been compromised," said Scott Culp, security program manager for Microsoft's security response center. "By taking it down, it prevents the malicious individual that created the worm from getting that information. It doesn't prevent the worm from spreading."

But according to eEye's Maiffret, removing Worm.com from the Web will probably have no effect, because the way Code Red is programmed can allow anyone--including an online vandal or malicious hacker--to make a list of every system that has been compromised.

That's because each instance of the worm will attack the same computers in the same order, according to eEye's analysis. Maiffret said that while the addresses of the computers attacked by the worm seem to be random, because the worm uses the same starting point, or "seed," to generate the list, the "random" lists that any two worms generate are identical. Like identical genes, which produce a clone, identical seed numbers produce attack lists that are the same.

That means any computer on the "randomized" list will be attacked by every newly infected computer. By monitoring who attacks a target machine, a list of attacking--thus infected--computers can be made.

One eEye client has done just that, said Maiffret, and found that almost 11,900 servers had been infected as of 7 a.m. PDT Wednesday. Unlike other worm attacks, where the actual number of infections can only be estimated, these numbers correspond to the actual infections, he said.

Unfortunately, if attackers have access to a machine on the target list, they, too, can make a list of compromised machines. Later, an attacker can use the list to take control of the servers.

For system administrators who have not patched their systems, now would be a good time, said Microsoft's Culp.

"We are going back out to customers and telling them that if they didn't put the patch on before, this is all the reason they need to put the patch on now," he said.

http://www.zdnet.com/zdnn/stories/news/0,4586,5094345,00.html?chkpt=zdnnp1tp02

-- Martin Thompson (mthom1927@aol.com), July 19, 2001.
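As an added example (not code from any of the articles above), the following Python illustrates the point Maiffret makes: a scan list drawn from a fixed PRNG seed comes out identical in every instance, so a defender whose server sits on that list can enumerate infected hosts simply by reading the monitored server's logs. The log lines and the probe path are constructed placeholders, not the worm's real request.

```python
import random
import re
from collections import Counter


def target_list(seed: int, count: int = 100) -> list:
    """Simulated scan list: draw `count` IPv4 addresses from a PRNG started at a
    fixed seed. Any instance that starts from the same seed draws the same
    addresses in the same order, which is the flaw eEye described."""
    rng = random.Random(seed)
    return ["%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
            for _ in range(count)]


def same_order(seed: int, count: int = 100) -> bool:
    """Two independent 'instances' seeded identically produce the same list."""
    return target_list(seed, count) == target_list(seed, count)


# Constructed Common Log Format lines from a web server assumed to be on the
# list. The probe path is a placeholder standing in for the worm's request;
# 10.0.0.5 is an ordinary visitor and 192.0.2.10 probes twice (two instances).
SCAN_PROBE = "/index-server-probe.ida"
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2001:07:00:01 -0700] "GET /index.html HTTP/1.0" 200 512
192.0.2.10 - - [18/Jul/2001:07:00:03 -0700] "GET /index-server-probe.ida?XXXX HTTP/1.0" 404 0
198.51.100.7 - - [18/Jul/2001:07:00:04 -0700] "GET /index-server-probe.ida?XXXX HTTP/1.0" 404 0
192.0.2.10 - - [18/Jul/2001:07:00:09 -0700] "GET /index-server-probe.ida?XXXX HTTP/1.0" 404 0
203.0.113.9 - - [18/Jul/2001:07:00:12 -0700] "GET /index-server-probe.ida?XXXX HTTP/1.0" 404 0
10.0.0.5 - - [18/Jul/2001:07:00:15 -0700] "GET /about.html HTTP/1.0" 200 300
"""

# source, method, path and status from a Common Log Format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def infected_hosts(log_text: str, probe: str = SCAN_PROBE) -> Counter:
    """Count probe requests per source address. Each source that sent the
    probe is an infected host; a count above one shows repeat infections of
    the same server, which the articles say can happen."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path, _status = m.groups()
        if method == "GET" and path.startswith(probe):
            hits[src] += 1
    return hits


if __name__ == "__main__":
    print("identical lists from one seed:", same_order(12345))
    for host, n in sorted(infected_hosts(SAMPLE_LOG).items()):
        print(host, "probed", n, "time(s)")
```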




White House dodges Web worm

By Robert Lemos

Special to CNET News.com

July 19, 2001, 6:55 p.m. PT

Update: Administrators for the Web site of President George W. Bush dodged an Internet worm's denial-of-service attack by moving the site to an alternate Internet address, security experts said Thursday.

As previously reported, servers infected by the so-called Code Red worm--estimated to be in excess of 100,000 computers--were scheduled to flood a specific Internet address representing the White House Web site with a deluge of data starting at 5 p.m. PDT.

However, administrators for Whitehouse.gov apparently moved the site to an alternate address. In addition, a flaw in the worm's design caused the tactic to fool the program into sending a much-reduced amount of data.

White House spokesman Jimmy Orr said the White House took precautions, but would not confirm whether Internet addresses were switched.

"We have taken preventative measures aimed at minimizing the impact of any computer virus," he said Thursday night.

Marc Maiffret, chief hacking officer for eEye Digital Security, said Whitehouse.gov administrators "blackholed" the original address--meaning that any data sent to the address would disappear into the Internet. eEye originally found the flaw that the worm exploits.

Computer worms are programs that have the ability to spread across the Internet and execute instructions. In this case, the worm sought out vulnerable Web servers using Microsoft software. As for the instructions, the Code Red worm was written to flood the Whitehouse.gov site with a massive amount of data, overwhelming it to the point where it could not be accessed.

Before Thursday, anyone who tried to view Whitehouse.gov in a browser would be directed to a specific numeric address. After the address change, however, people who typed Whitehouse.gov into their browsers were automatically redirected to a new numeric address.

The worm, on the other hand, was programmed to attack a specific numeric address, which pointed to the White House Web site before Thursday's switch.

Maiffret, who warned earlier Thursday that the White House site was the target of the worm, also noted that the flood of data flowing across the Internet during the attack could degrade the overall performance of the Net.

However, the data flood never occurred because the worm checked for a valid connection before sending data--what could be considered a design flaw on the part of the author. Because the site's address was switched, the worm never established a connection and therefore did not begin sending data.

"You might have overload on the local networks where the worm was trying to get out, but the actual Web site looks okay," Maiffret said.

Others besides Maiffret warned of the potential for worm problems Thursday as well.

The Computer Emergency Response Team (CERT) Coordination Center issued an advisory predicting that the worm could cause performance problems on the Net.

"In addition to Web site defacement, infected systems may experience performance degradation as a result of the scanning activity of this worm," CERT stated in its advisory. "Non-compromised systems and networks that are being scanned by other hosts infected by the 'Code Red' worm may experience severe denial of service."

After slowing down earlier in the week, the Code Red worm spread wildly on Thursday, possibly due to someone modifying the code.

In addition to making the code spread faster, the person who changed the code may have made another important modification.

The original creator of Code Red apparently created the worm to stop spreading at midnight Friday morning coordinated universal time (UTC), or 5 p.m. PDT Thursday, and to attack the Whitehouse.gov site with a distributed denial-of-service attack. At that time the worm would stop spreading.

Yet Thursday evening, some early reports indicated that some infected machines continued to spread the worm.

Even Microsoft, which recently issued a patch to prevent the worm from infecting servers using its software, failed to protect all its servers. On Thursday, the company acknowledged that a "small number of servers" were infected by Code Red.

"We have investigations going on to look at other reports," said Scott Culp, security program manager for Microsoft's security response center.

Culp stressed that although there may be a lull in probes from the worm, customers still need to patch the servers.

"Our recommendation now is the same as our recommendation a month ago," he said. "If you haven't patched your software, do so now."

Until July 20, the worm is programmed to spread to new servers, according to eEye's analysis. From July 20 to July 28, the worm will attack the now-outdated address for the White House Web site.

If system administrators don't patch their systems Aug. 1, they could be re-infected with the worm, starting the whole process over again.

http://news.cnet.com/news/0-1003-200-6617292.html?tag=tp_pr

-- Martin Thompson (mthom1927@aol.com), July 20, 2001.


'Code Red' worm wreaking havoc

By Dennis Fisher, eWEEK

July 19, 2001 5:08 PM ET

Nearly a week after its first appearance, the so-called "Code Red" worm that attacks machines with a particular vulnerability in their IIS software is still wreaking havoc on the Internet.

The worm is not only infecting thousands of machines across the Internet, but it is also causing some Cisco Systems Inc. DSL routers to crash when it scans the Web for more IIS servers to attack.

Two posts on the Bugtraq security mailing list reported this same side effect of the worm, which was first discovered last Friday and that attacks a flaw in Microsoft Corp.'s Internet Information Services Web server. One of the requests that the worm sends during its search for other IIS machines causes the Cisco 675, 677 and 678 DSL routers with the Web Management Interface enabled to hang.

Cisco officials had no immediate comment.

The worm, which exploits an unchecked buffer in the Index Server in the IIS software, spreads by infecting one machine and then scanning a list of random IP addresses for other vulnerable machines. However, the worm starts the scan at the same point in the list each time, which not only means that machines could be infected multiple times, but also that an attacker could be monitoring one of the IP addresses on the list and building a database of all of the infected machines that attempt to connect to his machine.

Microsoft issued a patch for the IIS vulnerability more than a month ago.

http://www.zdnet.com/eweek/filters/news/

-- Martin Thompson (mthom1927@aol.com), July 20, 2001.


'Code Red' Worm Slows Internet Servers

White House Repels Attack That Hits 225,000 Servers Worldwide

WASHINGTON, 11:14 a.m. EDT July 20, 2001 --

A fast-growing Internet virus dubbed "Code Red" failed to shut down the White House Web site Friday, even after using the power of hundreds of thousands of other computers in its "attack." According to computer security experts, the virus had infected more than 225,000 computer systems around the world by Friday morning. That number was growing, experts said.

Even the Associated Press reported that some of its Internet servers had been affected.

The virus defaces Web sites maintained by "server" computers with the message "Hacked By Chinese," but the origin of the virus was still unknown Friday.

The code was still being analyzed to see if it will do any further damage to computer systems. But the way the code is written, it could allow online vandals to build a list of infected systems and later take control of them, said Marc Maiffret, chief hacking officer with eEye Digital Security.

"It is a very slick worm," Maiffret told CNET News. "Until all these people go out and patch their systems, it will keep going."

eEye found the vulnerability in Microsoft's software -- the so-called index-server flaw -- last month and reported it to the software giant, which acknowledged the flaw and posted a downloadable fix on its Web site.

The ultimate goal of the virus, known as a "worm," is to gather strength by spreading among computer servers and then have them all "attack" the Internet address that represents the White House Web site.

The assault, which began Thursday evening, was a "denial of service attack," designed to hamper or shut down a computer system by flooding it with huge amounts of data, experts said.

The White House shifted its Web site to a different numerical address, apparently to dodge the attack, said Stephen Trilling, director of research at Symantec Corp. of Cupertino, Calif., a computer security company.

A White House spokeswoman would say only that the White House had "taken preventative measures aimed at minimizing any impact from the computer virus known as the Code Red worm."

The FBI's National Infrastructure Protection Center issued a warning late Thursday, calling the virus a significant threat that could "degrade services running on the Internet."

At least 225,000 computers were infected, according to the CERT Coordination Center, the government-funded computer emergency response team at Carnegie Mellon University.

Code Red exploits a flaw discovered last month in Microsoft software used on Internet servers. While a software patch was made available to correct the flaw, not everyone has made use of it, Trilling said.

Vulnerable computers are those running the server software with the Microsoft Windows NT 4.0 or Windows 2000 operating system.

Only computers set to use English as their language will have their Web pages defaced.

Since the virus targets servers, mostly used by businesses, few individual computer users were affected.

-- PHO (owennos@bigfoot.com), July 20, 2001.
