
Code Red Worm Reveals Flaws In Network Stewardship

posted on August 1, 2001 by hitbsecnews

Internet users are an hour away from finding out if front-page headlines in the mainstream press and televised warnings from government cyber-security officials will do the trick of getting network administrators to protect their computer systems from the Code Red worm.

With hundreds of thousands of Windows Web servers already hit by the Internet worm called Code Red, the one thing on which almost all experts agree is that the intruder's self-imposed nap, which was coded to begin on the 28th day of the month, has not put the threat to rest.

Instead, they say, there are enough infected Web servers running out of sync with the calendar to ensure plenty of active worms when servers with correctly set dates become vulnerable again. And that happens at midnight GMT Wednesday, or 8 p.m. EDT tonight.

Code Red likely was released into the wild in mid-July, and had infected more than 300,000 computers running Microsoft's IIS Web server software by the end of the day July 19, when the worm was programmed to stop spreading and begin firing data at an Internet protocol (IP) address that once backstopped a White House Web site.

But the vulnerability in the Windows Web servers that makes Code Red possible was announced nearly a month earlier, when Microsoft posted a fix for the problem on its Web site. Still, some estimates suggest that - even after all the Code Red headlines - there could be hundreds of thousands of servers still vulnerable to a renewed onslaught tonight.

"Microsoft reports that there were several hundred thousand downloads of the patch in the last few days," said Scott Blake of the RAZOR security research team of Houston, Texas-based BindView Corp. "Well, there are 6 million IIS servers on the Internet, and there are probably more that are behind corporate networks."

The 6 million servers represent about 20 percent of all the servers on the Internet, Blake said, adding that the best way to get a good response to guard against viruses is "scaring the bejesus out of people."

Officials from organizations such as the FBI's National Infrastructure Protection Center and the security clearinghouse called the CERT Coordination Center might have been hoping to do just that when they joined together Monday for an unprecedented call to arms against Code Red.

The danger, they said, is that Code Red may not have shown its entire hand before it began halting its own spread to go on the White House attack.

In research conducted by David Moore and others at the Cooperative Association for Internet Data Analysis (CAIDA), Code Red went from barely noticeable on the Net in the early morning hours of July 19 to more than 359,000 infections in less than one day. At one point, CAIDA said, new infections were appearing at a rate of more than 2,000 a minute.

That stupendous burst was aided that day by the appearance of a second version of the worm - one that seeks out new IIS hosts to infect by generating IP addresses randomly.

There's a certain irony in the fact that the fast-spreading worm is so simple to remove from an individual server: rebooting the machine kills it and the quick patch from Microsoft can keep it from coming back.

"(Administrators) should know better, but often don't install patches," BindView's Blake said. "And there are a couple reasons for that. For one thing, when a vulnerability is announced, no one has any way of knowing whether it is going to be widely exploited or not.

"There are plenty of really bad vulnerabilities that are in the public domain right now that are very rarely, if ever, exploited."

Marc Maiffret, "chief hacking officer" at eEye Digital Security, the Aliso Viejo, Calif., company that discovered the Web-server vulnerability exploited by Code Red, said that his team had no idea the IIS bug would soon become headline news.

"When we found the hole, we didn't think this would be going on today," he told Newsbytes. "But any time a hole affects a very large installation base, it makes things like this a possibility."

What eEye's "white hat" researchers found was that the IIS vulnerability could give a hacker the ability to run their own code on a compromised system. At the time, it affected every NT 4.0 and Windows 2000 server with IIS installed, as well as the Beta version of Microsoft's new XP platform.

The problem is rooted in program code supporting functionality known as Microsoft Index Server 2.0 on Windows NT and as Indexing Services on Windows 2000 and XP. Even if administrators have no plans to use the indexing technology, a default installation of IIS will load software supporting the technology. That software fails to ensure that incoming data will fit within the computer memory reserved for it, leaving the system vulnerable to what's known as a buffer overrun.

The researchers at eEye demonstrated to Microsoft that a hacker could use this particular IIS-related buffer overrun to turn a specially crafted series of bytes into executable code on a target computer.
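The defect described in the two preceding paragraphs is a length-unchecked copy into fixed-size memory. The following C fragment is an added illustration, not code from the article, from eEye or from Microsoft: it places the unchecked pattern beside the bounds-checked form an administrator would want the software to use. The buffer size and the function names are hypothetical; the article gives no sizes or identifiers for the Index Server component.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed buffer a request handler reserves for one
   query parameter; the real Index Server value is not given in the article. */
#define QUERY_BUF_SIZE 64

/* Vulnerable pattern: the handler trusts that the incoming data fits. If the
   input is longer than QUERY_BUF_SIZE - 1, strcpy writes past the end of buf,
   which is the "buffer overrun" the article describes. */
static int handle_query_unchecked(const char *input)
{
    char buf[QUERY_BUF_SIZE];
    strcpy(buf, input);                 /* no length check: overrun possible */
    return (int)strlen(buf);
}

/* Hardened pattern: measure first, reject anything that cannot fit together
   with its NUL terminator, and only then copy. Returns -1 when the input is
   rejected, otherwise the accepted length. */
static int handle_query_checked(const char *input)
{
    char buf[QUERY_BUF_SIZE];
    size_t len = strlen(input);
    if (len >= QUERY_BUF_SIZE)          /* leave room for the terminator */
        return -1;
    memcpy(buf, input, len + 1);
    return (int)len;
}

/* How many bytes an unchecked strcpy would write past the buffer for an
   input of the given length (0 when it fits). Shows the gap the check closes. */
static long overrun_bytes(size_t input_len)
{
    long needed = (long)input_len + 1;  /* bytes strcpy writes, incl. NUL */
    return needed > QUERY_BUF_SIZE ? needed - QUERY_BUF_SIZE : 0;
}

int main(void)
{
    const char *short_query = "search=worm";    /* constructed sample input */
    char long_query[200];                       /* constructed oversized input */
    memset(long_query, 'A', sizeof long_query - 1);
    long_query[sizeof long_query - 1] = '\0';

    printf("checked, short input : %d\n", handle_query_checked(short_query));
    printf("checked, long input  : %d\n", handle_query_checked(long_query));
    printf("bytes past the buffer: %ld\n", overrun_bytes(strlen(long_query)));
    /* handle_query_unchecked(long_query) is deliberately not called: it would
       corrupt the stack, which is exactly the defect the check above prevents. */
    return 0;
}
```

The point for an administrator reading the Microsoft bulletin is the one Maiffret makes later in the article: the checked and unchecked handlers behave identically on ordinary input, so nothing in normal operation reveals which one a server is running. Only the patch (or a deliberate length test like the one above) tells them apart.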

Maiffret said that, a month after Microsoft made a fix available, he was disappointed to see how many administrators had apparently failed to upgrade their systems.

"It was pretty shocking," he said. "The last report we had was that there were more than 300,000 unique IPs that got infected the first time around. That's just an outrageous number of servers that didn't have the patches installed."

"It would be one thing if you got broken into with a vulnerability that came out an hour ago, but for it to come out a month ago, that's really poor administration of your network."

However, Maiffret said, not all fault lies with the servers' owners.

"I talked to a handful of administrators who saw the Microsoft bulletin, and thought that it was only an indexing server vulnerability, (something) they didn't have installed on their system," he said. "They didn't realize that, with or without the indexing server, you are still vulnerable if you have an IIS Web server."

While the initial version of the worm did little more harm to compromised servers than deface their Web sites, Maiffret said he's among those who fear the impact of a renewed outbreak on Internet traffic could be greater the second time around.

The alternate variation of the worm has been described as a "mutated" incarnation of the original, but Maiffret said it doesn't mutate by itself.

"How that second version got out is really unclear," he said. "Whether it was the same person who wrote the first one or someone modified (it), we don't know. But it is a little more devious because the way it generates the IP address to attack is random, whereas the first one was in sequence.

"Also, the second one doesn't deface Web sites, so it's going to spread more quickly than the first one, and with stealth - which is not a good combination."

Maiffret said the total of more than 300,000 infected Web servers during the first outbreak doesn't illustrate the full power of a worm that might have been just getting rolling when it switched to White-House-attack mode late on the 19th.

"The first time it had seven days to spread," he said. "This time, it's going to have about 19 days. And this version spreads faster. I'd say there's easily a few hundred thousand more servers that the first wave never actually got to."

While administrators are patching servers now, he said, "there's going to be the increased number that the worm never got to the first time around. That will kind of balance it out in a way so that another few hundred thousand servers are going to be hit by this thing."

Among those receiving criticism after the Code Red outbreak has been eEye itself, but Maiffret said his company doesn't apologize for its "full-disclosure" policy on Internet security issues.

"There are a lot of people (who said) that the information we gave out was too much," he said. "That's totally cool with us because, in a way, we do set ourselves up: when the full disclosure (issue) comes up, eEye is usually going to be mentioned somewhere, because we are a little more vocal about how we feel about it."

"The thing they don't understand is that (all the details) are in Microsoft's security bulletins themselves, as vague as the wording might be to all of us," he added. "And all it takes is for someone to sit down and look at the patch that gets installed ... and compare those files to the files on the system and they can easily pinpoint where the buffer overflow is. These are methods that have been around forever."

Maiffret says IIS's creator should shoulder more of the blame.

"With the money and resources Microsoft has, they could be doing really amazing things for security," he said. Instead, he pointed out, Microsoft's own Windows Update Web site was among those briefly claimed by the worm.

"A lot of times, NT administrators are more afraid of installing the security patch than of the vulnerability itself," he said. "There have been so many times where a Microsoft patch will actually break another component on the system. So, it's like, 'Do I leave it open and wait for the next service pack - which a lot of NT administrators do - or do I risk installing the patch?'

"Of course, there are a lot of administrators who don't understand the importance of installing patches right away. The most common way that systems get broken into is (through) a vulnerability that has had a patch out for a while."

Source: Newsbytes

Tags: Networking
