From:	 Phil Agre <pagre@alpha.oac.ucla.edu>
To:	 "Red Rock Eater News Service" <rre@lists.gseis.ucla.edu>
Subject: [RRE]"code red" worm
Date:	 Mon, 23 Jul 2001 07:36:44 -0600

[The enclosed essay about the "Code Red" worm will appear in the
August issue of Crypto-Gram:

  http://www.counterpane.com/crypto-gram.html

The executive summary is that only pure luck saved the Internet from
a humongous denial-of-service attack that claims to have originated
in China.  And nobody's saying that the danger has passed.  The worm
authors can easily bring their code up to the standard of many other
worms and relaunch their attack on the many unprotected servers that
surely remain.

Here are some more URLs in addition to Bruce's:

The mainstream press reported it as just another virus because little
harm was done:

  http://www.cnn.com/2001/TECH/internet/07/20/computer.viruses/

Wired News briefly reported the White House's evasion tactics:

  http://www.wired.com/news/politics/0,1283,45410,00.html

Here are some interesting graphs suggesting the worm's perceptible but
not catastrophic impact on Internet performance.  Check out the graphs
labeled "Rolling 7-Day Latency, Packet Loss, and Reachability":

  http://average.miq.net/
  http://average.miq.net/Weekly/markMM.html

The worm also apparently harmed some Cisco routers:

  http://slashdot.org/article.pl?sid=01/07/19/2230246

Here are some more facts:

  http://slashdot.org/comments.pl?sid=01/07/19/2230246&cid=5

In addition, many people reported informally that their servers had
been probed hundreds or thousands of times by various copies of the worm.
This suggests that every vulnerable server on the public network was
eventually infected, and could easily be again.

We dodged another bullet.  But we're still not talking about the
fundamental reforms that will be required to keep this pattern of
vulnerabilities and attacks from accelerating to the point where
someone gets hurt.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service (RRE).
You are welcome to send the message along to others but please do not use
the "redirect" option.  For information about RRE, including instructions
for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Fri, 20 Jul 2001 16:56:16 -0500
From: Bruce Schneier <schneier@counterpane.com>

[...]

********************

Code Red Worm

On 19 July 2001, the White House narrowly averted a terrorist attack
when security personnel were able to exploit a flaw in a bomb's
trigger mechanism and evacuate key personnel to a remote location,
causing the bomb to fizzle.  The attack was a denial-of-service
attack, the target was the White House Web site, and the flaw was
in malicious code, but other than that the sensationalist story is
correct.  And this tale of attack and defense in cyberspace contains
security lessons for us all.

In June, eEye Digital Security discovered a serious vulnerability
in Microsoft's Internet Information Server (IIS) that would allow a
hacker to take control of the victim's computer.  Microsoft hastily
patched the software to eliminate the vulnerability, as they are
generally good about doing.

By now, we know that it is impossible for most system administrators
to keep their patches up to date, so it came as no surprise that
hacker tools developed to exploit the vulnerability were able to break
into unpatched systems.  One particularly nasty hacker tool was the
Code Red Worm.  This worm, estimated to have affected over 250,000
computers, spreads automatically without any user intervention (no
attachments to open).  When it infects a computer, it selects 100 IP
addresses and infects them if vulnerable.  Then, it defaces any Web
site on the server with the words: "Welcome to http://www.worm.com!
Hacked by Chinese!"

So far, this is a normal, if virulent, worm.  But there was an
additional feature.  The Code Red worm was programmed to flood
www.whitehouse.com in a massively coordinated distributed denial-of-
service attack at 8:00 PM on July 19.  The attack failed because of
some programming errors in the worm.  One, the attack was against
a specific IP address, and not a URL.  So whitehouse.gov moved
from one URL to another to avoid the attack.  And two, the worm was
programmed to check for a valid connection before flooding its target.
With whitehouse.gov at a different IP address, there was no valid
connection.  No connection, no flooding.

The worm was programmed to continue to spread until July 20, and try
to attack the former IP address of whitehouse.gov until July 28.

On the face of it, this looks to be a politically motivated attack:
hacktivism, as it has come to be called.  The worm's defacement message
implies that it is Chinese, and it is only programmed to attack
English-language versions of Windows NT or 2000.  If it encounters
a foreign version, it goes into hibernation, neither spreading nor
attacking the White House.  But it's hard to know for sure; many
random hackers take on mantles of political activism because it
gives them a cool cover story.

The White House got lucky.  The next worm writer won't make the same
programming mistakes.  The White House could have alerted their ISP
and the upstream network nodes to block the offending packets, but
only because they knew what the attack looked like and had enough
warning.  We can't count on that next time, either.

We all got lucky.  Code Red could have been much worse.  It had full
control of every machine it took over; it could have been programmed
to do anything the author imagined.  It spread using a random
walk through the Internet; if the author used a more intelligent
propagation system, it would have spread much faster.

The hundreds of thousands of infected networks could have had better
security, but I don't believe that everyone will always have their
patches up to date.  Even Microsoft, the company that continually
admonishes us all to install patches quickly, was infected by Code
Red in unpatched systems.  Firewalls wouldn't have caught this
problem.  Unless a network's IDS signatures were updated, it wouldn't
have caught this problem.  I have long been a proponent of security
monitoring by people; it's the only way to achieve security in an
environment where the threats change this rapidly.

But even if you can secure your particular network, what about the
millions of other networks out there that aren't secure?  One of
the great security lessons of the past few years is that we're all
connected.  The security of your network depends on the security of
others, and you have no control over their security.

Hacking is a way of life on the Internet.  Remember a few years ago,
when defacing a Web site made the newspaper?  Remember two years ago,
when distributed denial-of-service attacks and credit-card thefts made
the newspaper?  Or last year, when fast-spreading worms and viruses
made the newspapers?  Now these all go unreported because they are so
common.  Code Red ushers in a new form of attack: a preprogrammed worm
that unleashes a distributed attack against a predetermined target.
After a couple dozen of these, we'll think of it as business as usual
on the Internet.


Code Red Worm:
http://news.cnet.com/news/0-1003-200-6604515.html
http://news.cnet.com/news/0-1003-202-6616583.html
http://news.cnet.com/news/0-1003-202-6617292.html

CERT Advisory:
<http://www.cert.org/advisories/CA-2001-19.html>

Excellent mathematical analysis of the worm:
<http://www.silicondefense.com/cr/>

Original flaw in IIS:
<http://news.cnet.com/news/0-1003-200-6312870.html>
<http://www.eeye.com/html/Research/Advisories/AD20010618.html>

Microsoft's Patch:
<http://www.microsoft.com/technet/security/bulletin/MS01-033.asp>
**************************************************************************
Bruce Schneier, CTO, Counterpane Internet Security, Inc.  Ph: 408-777-3612
19050 Pruneridge Ave, Cupertino, CA 95014

Free Internet security newsletter. See: 
http://www.counterpane.com/crypto-gram.html
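The essay describes the worm's propagation as a random walk: each infected host picks addresses at random and infects the vulnerable ones it happens to hit. The following is an added example (not code from the essay, from Crypto-Gram, or from the Silicon Defense analysis it links) that models that process two ways: a small discrete simulation of uniform random scanning, and the standard logistic epidemic curve that such scanning follows. All parameters are constructed toy values: an address space of 100,000 instead of 2^32, 2,000 vulnerable hosts instead of the hundreds of thousands of unpatched IIS servers, and the essay's "100 IP addresses" as the number of probes each host fires per round. The function names and the `seed`/`rounds` arguments are this example's own.

```python
"""Random-scan worm propagation model: a simulation and the logistic
approximation used in epidemic analyses of Code Red.

Constructed toy parameters stand in for the real Internet (2**32 addresses,
a few hundred thousand vulnerable IIS hosts); only the shape of the curve
is the point: a quiet start, an explosive middle, then saturation.
"""
import math
import random


def simulate_random_scan(vulnerable, address_space, scans_per_host, rounds, seed=0):
    """Simulate a worm that, from every infected host, probes `scans_per_host`
    uniformly random addresses per round and infects any vulnerable,
    not-yet-infected host it hits.

    Addresses 0..vulnerable-1 are the vulnerable population (a constructed
    layout; which addresses are vulnerable is irrelevant to a uniform scanner).
    Returns the infected count after each round, starting from a single seed
    host, and stops early once every vulnerable host is infected.
    """
    rng = random.Random(seed)
    infected = {0}
    history = [len(infected)]
    for _ in range(rounds):
        newly_hit = set()
        for _host in infected:
            for _ in range(scans_per_host):
                target = rng.randrange(address_space)
                # A probe only matters if it lands on a vulnerable host nobody
                # has claimed yet; everything else is wasted scan traffic, which
                # is the noise that showed up as thousands of probes per server.
                if target < vulnerable and target not in infected:
                    newly_hit.add(target)
        infected |= newly_hit
        history.append(len(infected))
        if len(infected) == vulnerable:
            break
    return history


def logistic_fraction(t, a0, k):
    """Continuous approximation: with a(t) the infected fraction,
    da/dt = k * a * (1 - a), so a(t) = 1 / (1 + (1/a0 - 1) * exp(-k t)).
    k is the expected number of new infections per infected host per unit
    time while almost nobody is infected: scans_per_host * vulnerable / address_space."""
    return 1.0 / (1.0 + (1.0 / a0 - 1.0) * math.exp(-k * t))


def time_to_fraction(target, a0, k):
    """Invert logistic_fraction: time until the infected fraction reaches `target`."""
    return math.log((1.0 / a0 - 1.0) / (1.0 / target - 1.0)) / k


def first_round_reaching(history, count):
    """Index of the first round whose infected count is at least `count`, or None."""
    for i, n in enumerate(history):
        if n >= count:
            return i
    return None


if __name__ == "__main__":
    N, SPACE, SCANS = 2000, 100_000, 100  # constructed toy values
    hist = simulate_random_scan(N, SPACE, SCANS, rounds=50, seed=1)
    k = SCANS * N / SPACE
    print("infected per round:", hist)
    print("simulated round reaching 50%:", first_round_reaching(hist, N // 2))
    print("logistic estimate of time to 50%%: %.1f" % time_to_fraction(0.5, 1 / N, k))
```

The discrete simulation grows more slowly than the continuous curve at this step size, because probes fired within one round cannot build on infections made in the same round, but both show the same shape: almost nothing happens for the first rounds, then the infected count multiplies every round until the vulnerable population is exhausted. That is why, as the forwarding note observes, every vulnerable server on the public network was eventually found, and why a response that depends on noticing the outbreak and updating signatures has a window measured in a handful of doubling periods.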