Politech mailing list archives

FC: Replies to the Code Red worm, red herrings, and media coverage


From: Declan McCullagh <declan () well com>
Date: Fri, 03 Aug 2001 10:03:34 -0400

Obviously the Code Red worm was not a hoax, but the media coverage did not make it clear (as I said on CNN earlier this week) that most users do not have to worry about being infected; that Code Red was not that awful a threat since at least the versions I'm familiar with could be removed by rebooting; that claims of billions of dollars in damages were guesses at best. Of the recent security threats, Sircam's the one that's truly nasty -- how would you like *your* confidential documents to be leaked? Next up: Fedcam, which targets only .gov and .mil computers and sends any document marked "confidential" or "classified" to cypherpunks or Usenet.

In response to:
http://www.politechbot.com/p-02337.html

-Declan

**********

Date: Wed, 1 Aug 2001 23:22:02 -0700
From: Troy Davis <troy () nack net>
To: Declan McCullagh <declan () well com>
Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen

On Thu, Aug 02, 2001 at 12:27:03AM -0400, Declan McCullagh <declan () well com> wrote:

> Even the term Code Red is a red herring. Just like Distributed Denial of
> Service attack, it is more out of the Pentagon's lexicon than that of
> computer crackers. Code Red is just too campy - seems like it belongs in the
> same league with the movies "Deep Impact" and "Armageddon." But Code Red is
> just the kind of term that might impress our otherwise attention deficit
> disordered President. Computer crackers, of course, like to be a bit more
> original and artsy, opting for terms like "Melissa," "Back Orifice," and
> "Michaelangelo." How many original code names ever came out of NSA? "Echelon,"
> for example. Boring! Now Code Red, that's something that could have been
> conjured up by the Faulkners of the Fort!

Conspiracy theories aside, the name "Code Red" was coined by the geeks
who did the initial analysis, not by any governmental or regulatory agency.
See http://www.eeye.com/html/Research/Advisories/AL20010717.html

Its origins are pretty original; from the page:

--
We've designated this the .ida "Code Red" worm, first because part of the
worm is designed to deface Web pages with the text "Hacked by Chinese" and
second because "Code Red" Mountain Dew was the only thing that kept us awake
while we disassembled this exploit.

..

Greetings:
The guy at Del Taco that sold us food at 3am to allow us to perform this
research. The guy who left the warm "Code Red" Mountain Dew in the eEye lab.
--


Cheers,

Troy

**********

Date: Wed, 01 Aug 2001 23:03:48 -0500
From: Josh Archambault <josh () snowplow org>
To: declan () well com
Cc: politech () politechbot com
Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen

This is a joke right?

Just because a couple of different organizations cooperated to
head off a large potential problem, there is a conspiracy afoot?  Check
out some of the excellent analysis and discussion that has come down
reputable security mailing lists like Bugtraq.  For example:

http://www.securityfocus.com/templates/archive.pike?list=1&mid=197828

There is little question that the Code Red worm:

1) Presented a significant risk to a number of pieces of Internet
infrastructure (including not just individual websites, but also
routers, and other key pieces of equipment).

2) Was not named after anything scandalous (it was named after a
soft drink!).
</grb_replace>

<gr_replace lines="88-89" cat="clarify" orig="4) Was nipped">
4) Was nipped in the bud and made a non-issue largely as a result of
the wide-spread media coverage.

3) Was not responsible for its own poor media coverage.

4) Was nipped in the bud and made a none-issue largely as a result of
the wide-spread media coverage.

In any case, this was clearly not a hoax.  Please don't try and take
media outlets to task for doing (though possibly over-doing) a good
thing.

-J

**********

From: "L Gallegos" <jandl () jandl com>
To: Declan McCullagh <declan () well com>
Date: Thu, 2 Aug 2001 03:15:02 -0400
Reply-to: jandl () jandl com

Whoever unleashed this thing, it's doing damage.  I know a couple
of sysadmins who are traveling all over the place for clients to
eradicate this worm as it hits.  It has mutated, it seems, and is
hitting quite fiercely again.  Calls are coming in consistently.  The
guys I know are estimating it will be weeks before the effects are
minimized and that is if they can find the mutations.

If it is our dear government, someone should expose it and soon.
It has hurt many businesses and most importantly ISPs - even
those who have applied the patch.  Btw, many sysadmins hesitate
to apply patches immediately because they many times break as
much as they "fix."  M$ doesn't do regression testing to make sure
the patches won't break the system they are supposed to protect.
Which is worse, a worm that wrecks a system or a patch that
does the same thing?

This is also one good example why having choice in OS's is a
good thing, not a bad one.  Having a "standard" that everyone uses
is a single point of failure.  All the crackers need is knowledge of
the exploits in the one most used and down go the networks.

Thanks M$ for the lousy security.

LDG

**********

Date: Thu, 2 Aug 2001 18:28:59 +1000
To: WMadsen777 () aol com (Wayne Madsen)
From: Roger Clarke <Roger.Clarke () xamax com au>
Subject: Re: Code Red = Red Herring Update
Cc: Ari Schwartz <ari () CDT ORG>, Declan McCullagh <declan () well com>,
        gtaylor () gil com au (Greg Taylor)

G'day Wayne (hi Ari, Declan, Greg)

CODE RED - A RED HERRING
Wayne Madsen
30 July 2001
Washington, DC

Here we go again folks.  ...

Cheez, and people call *me* cynical!!

Seriously, I've not taken on the [Australian] national security and law enforcement agencies before, but I got stroppy a couple of weeks back and let a broadside go at them. See: Certainty of Identity: A Fundamental Misconception, and a Fundamental Threat to Security
http://www.anu.edu.au/people/Roger.Clarke/DV/IdCertainty.html

Keep it up! And make sure it's publicly known that plenty of friends are aware of your whereabouts at any given time, so that the boys-not-in-blue don't get the idea they can afford to dampen your enthusiasm!

And start working on your proposal for a session at CFP'02 right now!!

Regards  ...  Roger

--
Roger Clarke              http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke () xamax com au         http://www.xamax.com.au/

Visiting Fellow                       Department of Computer Science
The Australian National University     Canberra  ACT  0200 AUSTRALIA
Information Sciences Building Room 211       Tel:  +61  2  6125 3666

**********

From: Robert Fleck <rfleck () cigital com>
To: "'declan () well com'" <declan () well com>
Subject: RE: Why the "Code Red" worm is a red herring, by Wayne Madsen
Date: Thu, 2 Aug 2001 10:55:55 -0400

> From: WMadsen777 () aol com
> Date: Wed, 1 Aug 2001 15:01:06 EDT
> Subject: Code Red = Red Herring Update
> To: [...]
>
> [..]
> POSTSCRIPT:
>
> Not getting the media bounce from the 8:00 PM EST Code Red
> meltdown hour on July 31 (nothing happened!), the FBI began
> spinning the story the very next morning that 22,000 computers
> had been hit with Code Red.  Considering that viruses and worms
> probably strike many more computers than that on any given
> day, 22,000 is a relatively low number.

The reason nothing happened at 8PM is very simple...
-  A few copies of the worm were still active on various
   systems around the world that had skewed dates, and
   hence never stopped trying to spread themselves.
-  At the mythical 8PM EST, computers in UTC+1h would begin
   trying to spread, if they had been infected by these
   stragglers.
-  Over the few hours following that, machines in the US would
   start to pick up too.

So, this kind of attack doesn't immediately jump through the
roof infecting everything connected, it has to spread, like
a real virus.  In fact, it didn't even hit its stride
until after the FBI had made its statement.

Early statistics that I've seen from some of the IDS analysts
with a good view on large portions of the internet would seem
to indicate that the growth curve this time around is very
similar to last month.

Differences:
-  The growth curve has a slower doubling rate.  Most likely
   because of systems that have been patched.
-  The effect of straggling infected computers was to put the
   start of this curve at a comparable place to about 10 hours
   into the infection curve last month.  (A 10 hour head start.)

My point: July 31 8PM was too early to make a statement,
Aug 1 AM was too early to make a statement, it's still too early
now.  But, as of this writing (Aug 2, 10:30am) it looks like
possibly up to 240,000 have been infected so far, and it's
continuing to spread at 5,000 hosts per hour.  This rate is
much lower than the peak rate which was nearly 22,000 hosts
per hour.

This is only slightly smaller than the last round of infections,
which most analysts place somewhere between 300k and 400k hosts,
and peaked out at nearly 2000 hosts per _minute_.

As a side note, one of the reasons this attack was such a pain
was that it generated tremendous amounts of traffic looking
for new hosts to infect.  The script kiddies also have been
trying to use it as cover for other web server based attacks.

Bob Fleck
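A toy logistic (SI) model of the growth curve Fleck describes, added here as an illustration; it is not code from the list or from any Code Red analysis. The vulnerable-host count and contact rate are constructed to loosely match the figures he quotes (a few hundred thousand hosts, a first-round peak near 2,000 infections per minute), and it shows why a count taken early on the curve, or a curve started from leftover "stragglers", says little about the final size of an outbreak.

```python
import math

# Constructed parameters, chosen to loosely match the figures quoted above:
# a few hundred thousand unpatched hosts and a first-round peak of roughly
# 2,000 new infections per minute. Not measured values.
N_VULNERABLE = 350_000      # unpatched hosts reachable by the worm (constructed)
CONTACT_RATE = 1.37         # per-hour rate constant, beta (constructed)


def infected_at(t_hours, n_vuln=N_VULNERABLE, i0=1.0, rate=CONTACT_RATE):
    """Logistic SI model: I(t) = N / (1 + ((N - I0)/I0) * exp(-rate*t)).
    i0 is the number of hosts already infected when spreading (re)starts."""
    return n_vuln / (1.0 + ((n_vuln - i0) / i0) * math.exp(-rate * t_hours))


def infections_per_hour(t_hours, n_vuln=N_VULNERABLE, i0=1.0, rate=CONTACT_RATE):
    """dI/dt = rate * I * (1 - I/N): new infections per hour at time t.
    Largest when exactly half the vulnerable hosts are infected."""
    i = infected_at(t_hours, n_vuln, i0, rate)
    return rate * i * (1.0 - i / n_vuln)


def doubling_time_hours(rate=CONTACT_RATE):
    """While I << N the curve is exponential: I doubles every ln2/rate hours.
    Patching removes hosts from N, which lowers the effective rate."""
    return math.log(2) / rate


def hours_to_reach(count, n_vuln=N_VULNERABLE, i0=1.0, rate=CONTACT_RATE):
    """Invert I(t) = count: hours after spreading starts until `count` hosts
    are infected. Derived from the closed form above."""
    return math.log(((n_vuln - i0) / i0) * count / (n_vuln - count)) / rate


def head_start_hours(stragglers, n_vuln=N_VULNERABLE, rate=CONTACT_RATE):
    """Fleck's 'head start': how far along a from-one-host curve an outbreak
    already is when it restarts from `stragglers` still-infected machines."""
    return hours_to_reach(stragglers, n_vuln, 1.0, rate)


if __name__ == "__main__":
    print(f"early doubling time: {doubling_time_hours():.2f} h")
    print(f"hours until 22,000 infected:  {hours_to_reach(22_000):.1f}")
    print(f"hours until 240,000 infected: {hours_to_reach(240_000):.1f}")
    peak = infections_per_hour(hours_to_reach(N_VULNERABLE / 2))
    print(f"peak rate: {peak / 60:.0f} new infections per minute")
    print(f"head start from 1,000 stragglers: {head_start_hours(1_000):.1f} h")
```

The 22,000-host figure lands only a couple of doubling times before the 240,000 mark, which is the sense in which a count taken that early cannot tell a fizzle from the start of a large outbreak.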

**********

Date: Thu, 2 Aug 2001 11:11:18 -0400
From: Nat <nathaniel.echols () yale edu>
To: Declan McCullagh <declan () well com>
cc: politech () politechbot com
Subject: Re: FC: Why the "Code Red" worm is a red herring, by Wayne Madsen
In-Reply-To: <5.0.2.1.0.20010802002227.0210d890 () mail well com>

> But would the United States take advantage of such a situation in cyber-space
> to advance a secret agenda? They've probably already done so. Back in 1988,
> the Internet was treated to its first worm. Programmed and launched by Robert
> Morris, Jr., the worm crippled hundreds of thousands of computers connected
> to the Internet. It just so happened that young Mr. Morris's dad was the
> Chief Scientist at NSA - during a period when the agency was feverishly
> trying to test the vulnerabilities of various operating systems and
> application programs.

Oooh, someone's watched "Enemy of the State" a few too many times.  It's
been a couple of years since I read "The Cuckoo's Egg", but I'm pretty
sure Morris Jr. was just a young 'hacker' who didn't quite realize what a
mess he'd created.  I'd imagine if my dad was a top government researcher
in the tech security field, I'd be interested in that kind of stuff too.
If there's any evidence that Morris Jr. was working in collusion with the
NSA, could Mr. Madsen please pass it along?

And I'm sure I'm not the only one who finds the Goebbels references
tiring.  I didn't vote for Bush either, but I'm a firm believer in "Never
attribute to malice that which can be explained by incompetence."  It's
obvious the administration has no coherent policies for dealing with the
Information Age - why do so many people seem shocked by this?

-Nat

**********

-------------------------------------------------------------------------
POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------
