
Seeing Red

Last week, for the second week in a row, IIS administrators have had to face Code Red. More than a simple virus, Code Red could represent a new acceleration in the online virus war and shows that we may not be ready, as an industry, for the era of web services.

A Rapid Epidemic

Now that I’ve got your attention, let’s take a quick look at how Code Red spread. First of all, there was a simple buffer overflow problem in Microsoft Index Server, for which the company produced a patch. A month later, Code Red started showing up. However, its rate of growth was relatively slow at the beginning. The true epidemic did not start until July 19th, when Code Red exploded onto the scene, increasing the number of infected servers from just around 300 at 00:15 to 2994 by 7:30am, over 30,000 by 14:40 and over 300,000 in the 6 hours after that. In other words, in less than a day, Code Red went from a relatively small annoyance to a full blown attack on the net infrastructure. Had no one rung the bell on it, it would have taken only a couple of days for it to infest every single version of Microsoft IIS (or about a quarter of all web sites on the net).
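To put the figures above into perspective, here is a small added example (not part of the original post) that works out the doubling time implied by each pair of the article’s own July 19th data points and projects how long growth at that pace takes to reach a larger population; the 20:40 timestamp is the article’s "6 hours after that", and the target population passed to `hours_to_reach` is an assumption, since the post gives no absolute count of IIS hosts.

```python
"""Doubling-time arithmetic for the Code Red spread figures quoted in the post.
Added example; the observations are the article's numbers, the projection
target is an assumed value.
"""
import math
from datetime import datetime

# (time on 19 July 2001, infected-server count) exactly as the article gives them.
# The last timestamp is derived from "over 300,000 in the 6 hours after" 14:40.
OBSERVATIONS = [
    (datetime(2001, 7, 19, 0, 15), 300),
    (datetime(2001, 7, 19, 7, 30), 2994),
    (datetime(2001, 7, 19, 14, 40), 30_000),
    (datetime(2001, 7, 19, 20, 40), 300_000),
]


def doubling_times(obs):
    """Hours per doubling for each consecutive pair of observations.

    A shrinking value means the epidemic is accelerating, which is the point
    the article makes about the afternoon of July 19th.
    """
    out = []
    for (t0, n0), (t1, n1) in zip(obs, obs[1:]):
        hours = (t1 - t0).total_seconds() / 3600.0
        doublings = math.log2(n1 / n0)   # how many times the count doubled
        out.append(hours / doublings)
    return out


def hours_to_reach(current, target, doubling_hours):
    """Hours until `current` grows to `target` at one doubling per `doubling_hours`.

    Used to sanity-check the post's claim that a couple of days at this pace
    would have been enough to cover every reachable IIS host.
    """
    if target <= current:
        return 0.0
    return math.log2(target / current) * doubling_hours


if __name__ == "__main__":
    for hours in doubling_times(OBSERVATIONS):
        print(f"doubling every {hours:.2f} h")
    # Assumed target population of 2.4 million hosts, not a figure from the post.
    print(f"{hours_to_reach(300_000, 2_400_000, doubling_times(OBSERVATIONS)[-1]):.1f} h to 2.4M")
```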

Who’s responsible?

While the hunt is on for the person who devised this virus, the list of people who have some level of responsibility in the spread of this virus is a very scary one: Microsoft, of course, for first putting out a faulty product, a web server with a big security hole. However, credit goes to Microsoft for putting out a patch before they even knew of the worm’s existence.

Another group which deserves some blame is the IIS system administrators of infected systems. Let’s face it, we all know that Microsoft software is riddled with holes. We also know that Microsoft puts out patches on a regular basis. We all know that those patches solve most of the problems before they occur. Well, the people who were infected by Code Red did not follow the basic rule of patching systems early and often.

Many Unix administrators are laughing right now at IIS users: they shouldn’t!

The security on some Linux systems is so dismal that a virus similar to Code Red but aimed at Apache servers could have done much more damage much more quickly.

What have we learned?

The first thing that we have learned from the Code Red offensive is that we can’t rely on people to update their systems properly. When system administrators fail at that task, they contribute to a lower level of security for the net as a whole. But SAs are human and to err is human. The truly scary thing is that Code Red is only the first of a series of viruses that will gain preeminence on the net.

Scarier still is when an application used by general consumers gets attacked by a similar worm.

Earlier this year, I covered a set of security problems in AOL’s Instant Messenger. One of the ways hackers are taking over AIM is via buffer overflows, throwing large strings of apparently nonsensical characters at the client in order to take it over. Unfortunately, Code Red acted the same way with IIS servers. What will happen when someone uses the Code Red approach to create an attack on AIM? The thought sends chills down my spine as I can see hundreds of millions of computers acting as zombies in a possible net-wide denial of service attack.

Mutations

During the August 1st attack, webmasters noticed not one but two (and possibly three) different types of Code Red attacks. The first one was the same as the July 20th worm, but the second was much more nefarious: a worm that did not announce itself (it did not deface web sites) but instead added a backdoor allowing hackers access to the compromised servers. When work done on one virus reappears in another, we call it a mutation. What is truly worrisome is that Code Red was not a very sophisticated virus. Others, like Hybris, can update themselves.

What happens when Code Red is merged with one of those other viruses? This is yet another scary question that I send out for discussion.

Infrastructure

For the past year, I’ve been paying more attention to the security space. I wasn’t sure why, but I felt that this was an area I needed to pay attention to. More and more of our technological infrastructures are moving to the Internet. These days, telephone companies, cable companies and many others are tying into the grid. However, it seems to me that little attention is being given to security. As we move into the era of web services, there needs to be an important dialogue in our industry as to how we increase the security and reliability of the Internet.

Furthermore, as new operating systems come out, they should be thoroughly proofed for security holes. Apple recently released OSX and already a number of holes are being noticed. Microsoft is still set on releasing Windows XP within the next few months, but few in the security community have had a chance to test out its security. With all that said and done, I would also like to encourage all of you to question whether any of your connections are secure. For example, if you are running a DSL or cable line at home, have you firewalled your environment? These days, it’s little things like that that make a lot of difference.

Originally published on August 5, 2001 in Technology.