

Code Red Update: Where Are We Now ? - SANS provides Status Report

posted on August 3, 2001
by hitbsecnews

Many mixed opinions are being voiced in the face of the Code Red "incident" that has been consuming the time and attention of security professionals across the world. Some of the relevant, and seemingly conflicting, information is referenced below. What really happened? Probably we will never know completely.

In a case such as this, where the activity is distributed across so many organizations and continental boundaries, differences in data capture, analysis, and communication methods make it difficult to get a comprehensive and provably correct picture of what is happening. Many conclusions are by necessity based on a large degree of speculation, coupled with a strong desire to err on the side of asset protection...

Code Red Update: Where Are We Now?

Some people have been outspoken against the "hype" created
around Code Red, and their complaints have validity if we
consider that hype may have been generated in order to panic
the community. However, because of the relative immaturity
of our current abilities to collect, correlate, and analyze
detailed data on a global scale in near real time, we
believe that the alerts and information that have been posted
reflect the best possible attempts to protect and inform
all users of the Internet.

As a bit of background, we note a few of the difficult
challenges security professionals face when posting
alerts that must reach a global audience:

o How to reach the millions of non-technical Internet
users quickly and motivate them to take action fast. This
challenge is related to trying to formulate alert messages
that are clear, short, non-technical, but still technically
accurate, even in the case of incomplete threat information.

o How to report the state of an attack-in-progress, when
immediate, definitive results are demanded by the media.
The challenge is interpreting the data that is provided only
by the technically advanced sites that represent a small sample
space compared to the overall Internet population. This
task is further complicated by the variance in the fidelity
of tools and skill of administrators that are collecting
and submitting the data.

o How to accurately assess the true threat of some type
of self-propagating worm. Unknown variables related to
the assessment include how many systems are vulnerable,
how well the worm will be able to reach and infect vulnerable
systems, whether variants of worms with unknown capabilities
are involved, and how networks will cope with stresses arising
from hundreds of thousands of machines worldwide generating
traffic simultaneously.

Some of the relevant facts and differing opinions are
highlighted below.

----------------

An administrator of a Class B address space reports the following
statistics regarding the unique IP addresses that are scanning
his site. These statistics are posted to http://www.incidents.org
in the form of a graph. Some relevant information about the numbers:

o Code Red chooses targets randomly. The number of unique IP addresses
scanning this site does not equal the number of unique hosts that are
infected with the worm. Due to the random target selection mechanism
used by the worms, there is no guarantee that any worm will send
probes to one or more IP addresses in this particular Class B network.

o There is no way to check if each and every probe is Code Red-related.
For example, many probes do not reach listening machines. In these cases,
a connection is never established, so the scanner never sends a GET
request that is verifiable as the buffer overflow signature of Code Red.
This administrator has recorded the successful connections received by
servers, and verified that the connections are Code Red infection attempts,
but the numbers of these successful connections are small compared to
the total number of probes.

o This data is used to provide insight into the attack in progress
because it currently comprises the overwhelming bulk of the data
contributed to DShield so far. DShield relies on administrators
to process and submit their logs, and most submitters have not yet
sent in their information. This site's data is the best up-to-the-moment
information source available; fuller analyses will be possible
in a few days once more sites enter submissions.

------------------------

Attackers may be taking advantage of the Code Red traffic to hide
their own network scans. This means that the observed scanning
traffic is a combination of Code Red and other scans. Many people
have sent in webserver logs that prove that Code Red scans are
widespread. However a few posters have provided logs showing that
other types of HTTP scans are happening as well.

-----------------------

Several reports of new Code Red variants have been received, as
have reports of IDS signatures not detecting Code Red activity.
If variants are propagating that we do not yet know how to detect,
administrators using an IDS to gauge Code Red scanning will underestimate
the activity on their networks. Further, we have no ability
to estimate the threat posed by worms having unknown capabilities.
We can expect analyses of new variants to become available in the
next few days.

-------------------------

A BBC article explains how the network latency problems
associated with the previous outbreak of Code Red may have
been caused by a train wreck. The train wreck caused
a tunnel fire that melted network cables used by several
large service providers. There will never be a definitive way
to tell if the network slowdown was due to Code Red or the fire.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1470000/1470246.stm

--------------------------

From the table above: While the total number of unique IPs observed
sourcing scans increases by approximately 6000 per hour, the
number of unique IPs observed scanning in any given hour is
approximately the same. Why aren't the two counts growing
together? Investigations are currently underway to determine
why this is the case.
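As an added example (not part of the SANS report or of the Internet Storm Center's own tooling), the following Python script works through the three counting problems described above on a small constructed log: separating verified Code Red GET requests from connection attempts that never completed and from unrelated HTTP scans, computing both the per-hour and the cumulative unique-source counts so the two figures can be compared, and estimating the probability that a host choosing targets uniformly at random will ever send a probe into one Class B (/16) block. The log format, the sample lines, and the CODE_RED_REQUEST_RE pattern are assumptions made for this example; substitute the request signature your own IDS uses.

```python
"""Probe-log triage for a single Class B network (added example, assumptions noted)."""
import re

# Constructed log format (assumption): "<ISO timestamp> <src_ip> <state> [<request>]"
# state is SYN (no connection established, request never seen) or EST
# (connection completed and the first request line was captured).
SAMPLE_LOG = """\
2001-08-02T10:01:00 10.1.2.3 SYN
2001-08-02T10:02:00 10.1.2.3 EST GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0
2001-08-02T10:05:00 10.9.9.9 SYN
2001-08-02T10:07:00 172.16.5.5 EST GET /admin/ HTTP/1.0
2001-08-02T11:00:00 10.9.9.9 SYN
2001-08-02T11:03:00 10.4.4.4 EST GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0
2001-08-02T11:30:00 192.0.2.7 EST GET / HTTP/1.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (SYN|EST)(?: (.*))?$")

# Placeholder for the worm's request signature (assumption for this example):
# replace with the pattern from the IDS signature your site relies on.
CODE_RED_REQUEST_RE = re.compile(r"^GET /default\.ida\?N{8,}")

# A verified worm request outranks any number of unverified probes from the same source.
RANK = {"unverified": 0, "other-http": 1, "codered": 2}


def parse_log(text):
    """Return (hour, src_ip, category) tuples; hour is the timestamp truncated to the hour."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable line: " + line)
        ts, src, state, request = m.groups()
        if state == "SYN":
            category = "unverified"          # no connection, nothing to verify
        elif CODE_RED_REQUEST_RE.match(request or ""):
            category = "codered"             # request matches the worm signature
        else:
            category = "other-http"          # some other scan riding on the noise
        records.append((ts[:13], src, category))
    return records


def classify_sources(records):
    """Count source IPs by their best verdict across all of their probes."""
    best = {}
    for _, src, cat in records:
        if RANK[cat] > RANK.get(best.get(src), -1):
            best[src] = cat
    counts = {"codered": 0, "other-http": 0, "unverified": 0}
    for cat in best.values():
        counts[cat] += 1
    return counts


def hourly_and_cumulative(records):
    """Unique sources seen within each hour versus unique sources seen so far."""
    seen = set()
    hourly = {}
    cumulative = {}
    for hour, src, _ in sorted(records):
        hourly.setdefault(hour, set()).add(src)
        seen.add(src)
        cumulative[hour] = len(seen)        # value at the end of that hour
    return {h: len(s) for h, s in hourly.items()}, cumulative


def fraction_of_worms_expected_to_probe_prefix(probes_per_host, prefix_bits=16):
    """Probability that a host picking 32-bit targets uniformly at random sends at
    least one of probes_per_host probes into a single /prefix_bits block."""
    p_hit = 2.0 ** (prefix_bits - 32)       # 1/65536 for one Class B
    return 1.0 - (1.0 - p_hit) ** probes_per_host


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sources by verdict:", classify_sources(recs))
    hourly, cumulative = hourly_and_cumulative(recs)
    print("unique sources per hour:", hourly)
    print("cumulative unique sources:", cumulative)
    for n in (1000, 65536, 500000):
        print(f"{n} random probes/host: {fraction_of_worms_expected_to_probe_prefix(n):.3f} chance of touching this /16")
```

On the constructed sample, only two of five source addresses can be tied to the worm's signature, one is a SYN-only probe that can never be verified, and two are unrelated HTTP scans, which is the mix of certainty the report describes. The per-hour unique count stays at three in both hours while the cumulative count rises from three to five, which is exactly the shape of the two curves the report asks about: a steady hourly count with a growing total means each hour brings mostly new addresses. The last function shows why the unique-IP figure is only a lower bound on infected hosts: with purely random targeting, a worm instance must send on the order of 65,536 probes before it has even a 63% chance of touching any particular Class B.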

--------------------------

A few closing remarks:

First, relatively speaking, Code Red is a benign worm. The
writers of this worm could have made the worm corrupt or steal
files on servers, or DDoS more effectively, but chose not to.
The Leaves worm has taught us important lessons regarding the
sophistication of current worm technology. In Leaves, compromised
systems are completely controllable by a single attacker, and
have the capability to update their functionality on the fly,
making the prediction of the fleet's actions nearly impossible.

Second, Code Red motivated security professionals and government
officials to work together and forge alliances that can be
called upon in the case of new threats of this nature. The
good news is that the public's and government's awareness of
the threat has been greatly increased; the bad news is
that attackers have also become intensely aware of the potential
of using these methods maliciously.

Third, the capabilities to predict, track, analyze and report
on attacks like Code Red are maturing every day. Incidents.org's
Internet Storm Center is attracting new participants every day,
allowing analysts to draw better conclusions and make better
predictions from a more complete information base. Administrators
and general Internet users alike are becoming more educated
on how to gather and interpret data, and how to respond to
incidents. The Storm Center Team personally responded to over
800 email requests for help via its help line at codered@sans.org
over the last two days. In addition, many sources worked to provide
worm analyses, IDS signatures, vulnerability scanners, and technical
support.
