Tell us about this dinner that was so rudely interrupted by Code Red II.
During the last course of a seven-course meal, I had fireworks set to go off outside, but I hadn't seen anyone come to join me outside to watch them. Instead, Nick Fitzgerald (of Computer Associates) checked his e-mail and was already disassembling the new version (of Code Red II). It looked like they were looking at fireworks already. I checked my e-mail and it turns out I had been getting advisories all afternoon from my contact in Australia, so we began looking at different logs. We do this stuff all the time, but we're just never in the same room. It took about five-to-six hours to get to the bottom of things. At about 3 a.m., we were ready to put out the final advisory when we discovered the two virtual Web directories it creates, and that's far more devastating than what we had seen until then because it was leaving root directories exposed. We took a step back and ran it ourselves. Bruce Hughes, a manager at our Death Row (testing) Lab began infecting our test systems there. We sent out the final advisories around 5:15 a.m. Eastern Standard Time Sunday. Later, we did light the fireworks and gave the chef his three cheers. We got around to eating his desserts, but probably not as formally as he would have liked. What can ISPs do to help?
It's time for ISPs to start blocking IP addresses that are connected to the Net that are sending attacks and the consequences be damned. If 400,000 IP addresses are blocked, that's a good thing. If the IP address is a firewall or a proxy and several hundred thousand cable modem users are cut off, so be it. If we have to cut off Road Runner from the Net for a couple of days while we cut off IP addresses that are sending attacks to servers, so be it. Let the ISPs stand up and tell us why they are not cutting of those IP addresses and we can either laugh at their answers or honestly sympathize with them. Again, they're looking at those 96%-to-98% reachability numbers and may be saying 'What's the big deal?' The big deal is with this version, machines lay bare to the Net and this is going to be with us for years. Is the number of infections significant?
The numbers thing is getting a bit old, isn't it? It's very difficult to be sure that log entries were not counted twice or if they're accurate at all. Initially, there were thought to be 293,000 infected servers, but 150,000-170,000 of those were infected - the rest were dynamically assigned addresses. I've backed off the numbers game. I believe there are two million to five million infectable computers. ISPs are not dropping vulnerable computers off the Internet. ISPs have to do a better job of recognizing how big this thing is. But, I guess they choose not to participate in the preservation of the Internet. I guess ISPs are looking at sites like Matrix.net and seeing 96-98% reachability and they're saying 'what's the big deal?' There are more copycats coming, aren't there?
We knew these copycats were coming. It's funny the way the hacker community thinks and reacts. Sometimes they think an exploit is so lame, there are no duplicates. This one is attractive for a variety of reasons. There are more variations to come that can cause more harm. This one has a number of naiveties in it and it's not as destructive as it could be. There's room for expansion here and that is the reality. I imagine work will be done on it monthly between the 19th and the 1st. There have been three variations found in the wild and none has caused the previous one to stop working. What we need is a variation that will kill the other one down by shutting down and corrupting the infected machines, rather than leaving them up and running doing two or three other things.
FOR MORE INFORMATION:
Share your Code Red and Code Red II success stories and failures inside searchSecurity's anonymous Discussion Forum Is Code Red II just another indication that systems administrators are not keeping up with patches?
The rapid rise in the number of infected machines suggests that a lot of people put a filter rule on their firewall and have not patched their box. That's my take. A lot of companies may have put off applying their patches. Or, a lot of these computers sending attacks belong to people who have been laid off or fired, or they are rogue machines - something a developer set up for a reasonable purpose, and was never reported to the security people, so the security people don't know they have to patch them. Rather than trying to find IIS, they should just send a request to Port 80 to every IP address in the company. Every response they get is a server and they should investigate it. Investigating log reports? Those reports could be old or inaccurate. Also, there are a lot of pirated versions of Microsoft software out there and users may be hesitant to get a patch if it's going to come back that their registration is invalid. They may be afraid that their software will stop working.