Interesting People mailing list archives
IP: Did download failures increase Code Red's success?: [risks] Risks Digest 21.54
From: David Farber <dave () farber net>
Date: Tue, 24 Jul 2001 05:20:20 -0400
Date: Sun, 22 Jul 2001 18:43:09 -0700
From: Scott Renfro <scott () renfro org>
Subject: Did download failures increase Code Red's success?

[For those of you who slept through it, the Code Red worm was intended to attack the whitehouse.gov Web site at 5pm EDT on 19 Jul 2001. With just-in-time reverse engineering, the code was discovered to contain the target IP address, thus enabling the White House staff to reconfigure to avoid the attack. (The attack clearly could have been more subtle.) It is of course ironic that current efforts to outlaw reverse engineering (DMCA, UCITA, etc.) could ban efforts to stave off this and other attacks! The relevant CERT advisory is at http://www.cert.org/advisories/CA-2001-19.html pointing out that Code Red exploited a vulnerability noted earlier in CA-2001-13. YABO: Yet Another Buffer Overflow, aimed at Microsoft IIS servers. PGN]

On the morning of 19 Jul 2001, I notified a small company (whom I sometimes advise since they have no dedicated IT staff) of the then-latest Microsoft advisory. An hour later, they proudly replied, reporting success and noting that this hot fix was much easier to apply than most -- especially since this one didn't force a reboot.

Suspicious that they hadn't really applied the hot fix, I downloaded a separate copy of the hot fix using Internet Explorer and sent it to them via e-mail. This time they replied that the attachment I sent resulted in an error message: "not a valid Windows NT application." I soon realized that the connections were terminating prior to completion and Internet Explorer was not reporting the failures. In the user's mind, silence was equivalent to success.

We were able to successfully download the hot fix using wget on FreeBSD, which restarted the transfer four times due to reset connections -- each time picking up where it had previously left off. The company's server was soon patched, and they have had no problems with the Code Red worm.
I've confirmed that Internet Explorer 5.0 on Win2k reports no failures in (at least) the following situations:

- When the user has selected 'Run this program from its current location' and the connection is prematurely reset, the download dialog silently disappears. This is the same visual behavior as a program that was successfully transferred and completed execution without pausing for user input.

- When the user has selected 'Save this program to disk' and the connection is closed normally but prematurely (i.e., before the number of bytes specified in the Content-Length header were received), the total file size is silently changed. For example, during the download, the dialog displays:

    Estimated time left: 2 sec (87.2 KB of 236 KB copied)

  but once the connection has closed, the dialog changes to:

    Downloaded: 180 KB in 1 sec

An error does result in the inverse of these situations (i.e., when running a program where the connection is closed normally but prematurely or when saving a program where the connection is reset).

One wonders how many naive admins thought they *had* installed the hot fix, but ended up with a truncated download and a Code Red worm infestation instead.

P.S. As of 22 Jul 2001, transfers from mssjus.www.conxion.com (to which download.microsoft.com at least sometimes redirects) still result in frequent resets from some networks.
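The failure mode in the post (a server declares a Content-Length, closes the connection early, and the client treats the close as a finished download) is easy to check for on the client side. The following is an added example, not code from the RISKS post or from Microsoft or wget: a small local HTTP server stands in for the patch mirror and deliberately closes after a fixed number of bytes, a "naive" client accepts whatever arrived (the IE behaviour described above), and a "checked" client compares bytes received with the declared length, resumes with a Range request (what wget did), and finally compares a SHA-256 digest. The payload, the /truncated and /full paths, the 600-byte cut-off and the digest are all constructed for the demo; the post names no digest, so the vendor-published hash is hypothetical.

```python
"""Detect and recover from truncated HTTP downloads (added example, not from the post)."""
import hashlib
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a hot-fix binary; not a real Microsoft file.
FULL_PAYLOAD = bytes(range(256)) * 4   # 1024 bytes
TRUNCATE_AT = 600                      # bytes served per response on /truncated


class TruncatingHandler(BaseHTTPRequestHandler):
    """Serves FULL_PAYLOAD, honours 'Range: bytes=N-' (206), and on /truncated
    sends at most TRUNCATE_AT bytes before closing, leaving Content-Length unmet."""

    def do_GET(self):
        start = 0
        rng = self.headers.get("Range", "")
        if rng.startswith("bytes="):
            start = int(rng[6:].split("-")[0])
        remaining = FULL_PAYLOAD[start:]
        if start:
            self.send_response(206)
            self.send_header("Content-Range",
                             f"bytes {start}-{len(FULL_PAYLOAD) - 1}/{len(FULL_PAYLOAD)}")
        else:
            self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(remaining)))
        self.end_headers()
        limit = TRUNCATE_AT if self.path == "/truncated" else len(remaining)
        self.wfile.write(remaining[:limit])   # HTTP/1.0: server closes after this

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Start the stand-in mirror on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), TruncatingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def http_get(port, path, start=0):
    """Minimal HTTP/1.0 GET over a raw socket: read until the server closes.
    Returns (status, headers, body). On its own this cannot tell a finished
    transfer from a premature close, which is exactly the IE problem."""
    req = f"GET {path} HTTP/1.0\r\nHost: 127.0.0.1\r\n"
    if start:
        req += f"Range: bytes={start}-\r\n"   # resume where we left off, as wget did
    req += "\r\n"
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(req.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


class TruncatedDownload(Exception):
    """Raised when the body never reaches the length the server declared."""


def naive_download(port, path):
    """Treats connection close as success: the behaviour the post saw in IE 5.0."""
    return http_get(port, path)[2]


def checked_download(port, path, max_attempts=5):
    """Compare bytes received with the declared length and resume with Range
    requests until they match. Returns (data, attempts_used) or raises."""
    data = bytearray()
    expected = None
    for attempt in range(1, max_attempts + 1):
        status, headers, body = http_get(port, path, start=len(data))
        if status == 200:            # full response (or the server ignored Range)
            expected = int(headers["content-length"])
            data = bytearray(body)
        elif status == 206:          # partial content: total length follows the '/'
            expected = int(headers["content-range"].split("/")[1])
            data.extend(body)
        else:
            raise RuntimeError(f"unexpected HTTP status {status}")
        if len(data) == expected:
            return bytes(data), attempt
        if len(data) > expected:
            raise TruncatedDownload(f"server sent {len(data)} bytes, declared {expected}")
    raise TruncatedDownload(f"got {len(data)} of {expected} bytes after {max_attempts} attempts")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data, expected_hex):
    """Final check against a vendor-published digest (hypothetical here): catches
    truncation and tampering even when the declared Content-Length was wrong."""
    return sha256_hex(data) == expected_hex


if __name__ == "__main__":
    server, port = start_server()
    try:
        body = naive_download(port, "/truncated")
        print(f"naive client accepted {len(body)} of {len(FULL_PAYLOAD)} bytes as finished")
        full, attempts = checked_download(port, "/truncated")
        print(f"checked client got all {len(full)} bytes in {attempts} requests; "
              f"digest ok: {verify_sha256(full, sha256_hex(FULL_PAYLOAD))}")
    finally:
        server.shutdown()
```

Run as a script it shows the naive client accepting 600 of 1024 bytes while the checked client completes in two requests. The length comparison is what the browser in the post skipped; the Range resume only works when the mirror supports it, so the digest comparison is the check to rely on before installing anything.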
For archives see: http://www.interesting-people.org/