Code Red Back For More
Brian Stretch writes: "The Code Red II worm was unleashed early this morning and appears to be very different than the original and far more dangerous. CR2 infected servers only attack servers within their Class A address block and their Class B address block in particular: since 9:11am EST I've logged 148 CR2 attack attempts, 89 of which are from within my Class B subnet, suggesting that only servers within Class A networks that were deliberately seeded are being attacked. The 24.x.x.x range is one of the hardest hit, and as before, it's folks with cable modems and DSL connections that are providing the most victims." Several @home customers have written about slowed service today, but they're definitely not alone.
Re:If this can't break Microsoft's back nothing wi (Score:3, Insightful)
> SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.
For his track record of trading security for market share, I'm just as happy as any Slashdotter to see Bill Gates' nuts roasted over a fire until they pop.
But the fact is, your PC - whether it runs CP/M, BeOS, FreeBSD, Linux, or Windows XP - is fundamentally different from embedded systems like your microwave and your car.
Design flaws can exist - in medicines, in consumer products, in closed-source applications, and yes, in open-source applications.
The reason the "core functionality" of your PC is "allowed" to distribute your private information is because it has to be able to do so if you're going to write emails to your friends.
The reason it's "allowed" to crash is the same reason automobiles are "allowed" to crash -- sometimes it's a design flaw (Code Red IIS exploit, BIND exploit, Ford Pinto gas tank that exploded on rear impact), and sometimes it's operator error (SirCam worm, drunk driver).
> I hope no one keeps personal, private, confidential and financial data on their PCs.
The only truly secure machine is the one that's been unplugged, powered down, encased in concrete, wrapped up in a Faraday cage, and then dropped into the Marianas Trench. Ya gotta do what ya gotta do.
Of course... (Score:3, Insightful)
Might not remove the worm, but at least gets the "admin" (ha) to pay some attention. Maybe make a request for YOU_HAVE_THE_CODE_RED_WORM_YOU_MORON.HTML right before you do it in case they check the logs :)
Re:If this can't break Microsoft's back nothing wi (Score:5, Insightful)
Unlike a car that explodes due to a design flaw, software that explodes due to a design flaw seems to be immune to the civil justice system.
Re:Why don't they... (Score:3, Insightful)
Re:What are you talking about? (Score:3, Insightful)
This is very interesting. I've recently been studying spatial population models of dispersal, e.g. when trees release seeds, should they go a short distance or a long distance? I.e. which will make them more likely to survive, and what combination of strategies will be evolutionarily stable?
Short-distance dispersal is best on aggregated landscapes, where good habitat is likely to be nearby, although such strategies end up competing with themselves quite intensely. Long-distance dispersal is good on unclustered landscapes, where you're better off hoping to colonize a good site far away. But it turns out that mixed strategies seem to really kick butt; they exploit local rich patches of resources, but an occasional long-distance propagule allows them to colonize far-off patches once in a great while, and also reduces intraspecific competition somewhat.
It would be really interesting seeing a few different Code Red's going with different proportions of near versus far dispersal, to see which one does best. It would tell us something about the aggregation of exploitable machines on the net. Although I suppose some people may object to such a study.
As an AC pointed out in another reply, the really clever thing to do would be to have an adaptive strategy with a bit of randomness in it (i.e. the parameters in the strategy are changing too). That way, it would eventually "find" the strategy that works best, and in fact different subpopulations could converge to different locally optimum strategies.
what is code red. . (Score:1, Insightful)
The end is near... (Score:3, Insightful)
So that means any loser with this list of infected IPs and some knowledge of Perl literally has a small army of computers at their command?
I think we might be seeing some rather impressive DDoS attacks by this evening.
Hmm.. 3 more XXX's in the time it took me to write this... frequency's increasing...
What are you talking about? (Score:4, Insightful)
It's fast because that's how exponential growth works.
If this can't break Microsoft's back nothing will. (Score:3, Insightful)
I'm warned that smoking and drinking are bad for my health
Medicines and drugs aren't legal unless they're fully tested and approved
My car doesn't lock up and freeze
My microwave doesn't blue screen and cook my brain inside out.
SO WHY THE HELL IS THE CORE FUNCTIONALITY OF MY PC allowed to distribute my personal information, crash during critical functionality, be susceptible to cracks and attacks that are easily preventable.
WHY do I have to pay extra for the functionality of NOT being susceptible to virii and net attacks?
WHY doesn't Microsoft NOTIFY me of the risks of using its OS?
I hope no one's bank is trusting Microsoft, I hope anyone doing online transactions doesn't trust Microsoft. I hope no one keeps personal, private, confidential and financial data on their PCs.
I hope no one running Windows is on the internet for that matter.
Never name a virus by the name its author intended (Score:3, Insightful)
If this beast is truly wicked, it will scan assorted websites such as Slashdot, Wired, etc., and as soon as it sees talk about itself [slashdot.org] it will enter its active phase...
Re:A few more details:It's a root trojan (Score:1, Insightful)
for address in `cat
do
wget -t 1 'http://'$address'/scripts/root.exe?/c+ren+root.e
done
Neither clean nor graceful, and it only works if all your accesses come from red alerts, but it works and it's quite easy to adjust.
Re:A few more details (Score:5, Insightful)
The fact that the old Code Red is turned off tells me that they might be linked to the same person/organization or something... if I were some independent cracker I wouldn't bother getting rid of the old one, since that's another thing which might break when I launch the new worm.
It's not safe to install IIS while on a network... (Score:5, Insightful)
Solution: never ever have your box plugged into the network while installing a Windows server. Only plug it in after all patches, service packs, and hot fixes have been applied.
Re:Source? (Score:2, Insightful)
#!/bin/sh
grep default.ida
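As an added example (not code from this thread), here is a Python version of the same log check, extended to bucket default.ida probe attempts by whether the source address falls inside the server's own Class A (/8) or Class B (/16) block, the way Brian Stretch tallied his 148 hits; the log lines and the local address 24.1.50.1 are constructed for the demo.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed Apache-style access-log lines (not real captures). The long run
# of X characters in a genuine Code Red II request is abbreviated here.
SAMPLE_LOG = """\
24.1.2.3 - - [04/Aug/2001:09:11:05 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 300
24.1.99.7 - - [04/Aug/2001:09:12:40 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 300
24.200.5.9 - - [04/Aug/2001:09:13:02 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 300
65.33.1.1 - - [04/Aug/2001:09:14:10 -0400] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 300
24.1.2.200 - - [04/Aug/2001:09:15:00 -0400] "GET /index.html HTTP/1.0" 200 1234
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_probes(log_text, local_ip):
    """Count default.ida requests and bucket them by network distance from local_ip.

    within_class_a counts every source in the same /8 (including the /16),
    within_class_b counts sources in the same /16, outside counts the rest.
    """
    class_a = IPv4Network(f"{local_ip}/8", strict=False)
    class_b = IPv4Network(f"{local_ip}/16", strict=False)
    counts = {"total": 0, "within_class_a": 0, "within_class_b": 0, "outside": 0}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than crash on them
        src, _method, path, _status = match.groups()
        if "/default.ida?" not in path:
            continue  # ordinary traffic, not a Code Red probe
        counts["total"] += 1
        addr = IPv4Address(src)
        if addr in class_b:
            counts["within_class_b"] += 1
            counts["within_class_a"] += 1
        elif addr in class_a:
            counts["within_class_a"] += 1
        else:
            counts["outside"] += 1
    return counts


if __name__ == "__main__":
    print(classify_probes(SAMPLE_LOG, "24.1.50.1"))
```

A high within_class_b share relative to total is the signature of CR2's local-preference scanning that the summary describes; a run against a real log only needs the file contents in place of SAMPLE_LOG.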
Why don't they... (Score:4, Insightful)
Free r00t for all! (Score:1, Insightful)
And with people so nicely distributing their logs here in this forum, the collection of IPs is easier than ever!
Now that they have the backdoors, though, how hard would it be to patch them remotely? I'm thinking that if you put up a single exe on any old webserver, you could tell each infected host to just download and execute it. The only problems are writing the exe (not too hard), and figuring out how to get the host to download it, using the backdoor (probably trivial).