Virulent worm calls into doubt our ability to protect the Net
By Rob Lemos
For one moment last week, the Internet stood still.
At midnight Thursday, July 19 GMT, more than 350,000 servers infected with
"If this goes along what it's looking like, parts of the Net will go down," predicted Marc Maiffret, chief hacking officer at network-protection company eEye Digital Security. A month earlier, the Aliso Viejo, Calif., company discovered the flaw exploited by the worm in Microsoft's Web servers and was the first to decode the malicious program.
In the end, a design flaw in the worm's programming stymied the attack, but the potential threat of hundreds of thousands of servers flooding the wires with garbage data has resurrected concerns about security among those who consider themselves the guardians of the Internet.
The Internet was lucky this time, as this particular Code Red program squandered its advantage and left itself vulnerable to security measures. That will not always be the case, said Vern Paxson, staff computer scientist at the Lawrence Berkeley National Laboratory, who analyzed Code Red's quick spread.
"This could have been so much worse," he said.
Worms have become the tool of choice among malicious vandals on the Internet, but the Code Red strain has proven particularly fast and effective in commandeering a significant portion of the Internet. Unlike other worms that hide in e-mail attachments, such as LoveLetter and SirCam, Code Red does not require fooling an unwitting recipient into opening a document.
Paxson said a better author could have clogged the entire Net with garbage data or hit critical parts of the global network with a more effective denial-of-service attack--things that the inevitable variants of this version could still do.
"We are in for bumpy times," he said. "I don't see any way out of that."
On Thursday, July 12, things were going smoothly at the Black Hat Security Briefings in Las Vegas, where several hundred consultants in the computer-security industry hobnobbed with one another. The day before, one researcher had predicted that worms would continue to threaten the Internet.
Most considered it an obvious conclusion.
Unknown to the attendees, however, that day a program had started infecting computers running Microsoft's Internet Information Server. The servers had a security hole that had been discovered the month before, leaving them open to attack if not repaired with Microsoft's specific software patch.
The security hole, known officially as the Index Server ISAPI vulnerability, allowed
Each hole in the vast number of vulnerable IIS servers on the Web represented a chink in the armor of the Internet that allowed the worm to spread.
That Thursday, the intrusion-detection system at publishing company Chemical Abstract Services recorded three illegal Web access attempts from a single Internet address. The original attacker's address apparently belongs to a server at the University of Foshan in China, though Ken Eichman, senior security engineer for CAS, stressed that an online vandal could have infected the server from practically anywhere.
Eichman didn't notice the scans until the next day, July 13, when 611 attacks from 27 sources appeared in the company's logs. "It wasn't really intense, and it really didn't bother me," he said.
By the end of the day, however, the scans started getting worse. At one point, Eichman thought that hostile hackers were targeting his company's network. On Saturday, when the number of servers attacking his system jumped from 27 the day before to more than 1,000, he knew it was no minor mischief.
"By Saturday night, it was getting more intense," Eichman said. "By Sunday morning, I got up and hoped it would be gone, but it wasn't."
That Sunday, Eichman sent his findings to a security mailing list hosted by intrusion-detection project DShield.org. He described the attacks affecting servers that used the most common service on the Internet: the Web. He expected help; what he got in return was derision and sarcasm.
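The pattern Eichman was seeing in his logs, a modest number of attempts on Friday and a thousand-fold jump in distinct sources by Saturday, is the signature that separates a spreading worm from a single hostile party hammering one network. The script below is an added example, not CAS's or DShield's tooling: it rolls constructed IDS log lines (a simplified `src=… dst=… event=…` format invented for this example, with documentation-range addresses) up by day and flags days on which the number of distinct attacking addresses grows by a large factor, which is the kind of growth one person's scanner does not produce.

```python
"""Daily roll-up of web-attack events from IDS logs, to spot worm-style source growth.

Added example, not from the article. The log format is a constructed, simplified one:
    YYYY-MM-DD HH:MM:SS src=<ip> dst=<ip> event=<name>
"""
from collections import defaultdict
import re

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) event=(?P<event>\S+)$"
)


def make_sample_log():
    """Constructed sample log: a few sources on day one, then a sharp jump."""
    lines = []
    # Day 1: three distinct sources, one attempt each -> easy to dismiss.
    for i in range(3):
        lines.append(f"2001-07-12 14:0{i}:00 src=198.51.100.{i + 1} dst=192.0.2.10 event=web-attack")
    # Day 2: five sources, two attempts each -> still looks like minor mischief.
    for i in range(5):
        for k in range(2):
            lines.append(f"2001-07-13 09:1{k}:{i:02d} src=198.51.100.{i + 10} dst=192.0.2.10 event=web-attack")
    # Day 3: forty distinct sources -> growth in *attackers*, not just attempts.
    for i in range(40):
        lines.append(f"2001-07-14 03:00:{i:02d} src=203.0.113.{i + 1} dst=192.0.2.10 event=web-attack")
    # An unrelated event type that must not be counted.
    lines.append("2001-07-14 03:30:00 src=203.0.113.200 dst=192.0.2.10 event=portscan")
    return lines


def parse_line(line):
    """Return (day, src, event) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("day"), m.group("src"), m.group("event")


def summarize(lines, event="web-attack"):
    """Per day: total attempts and the set of distinct source addresses for `event`."""
    per_day = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != event:
            continue
        day, src, _ = parsed
        per_day[day]["attempts"] += 1
        per_day[day]["sources"].add(src)
    return dict(per_day)


def flag_source_growth(summary, ratio=5.0):
    """Days on which distinct sources grew by at least `ratio` over the previous day.

    One hostile operator tends to generate many attempts from few addresses; a
    self-propagating worm generates a fast-growing number of distinct attackers.
    """
    flagged = []
    days = sorted(summary)
    for prev, cur in zip(days, days[1:]):
        before = len(summary[prev]["sources"])
        now = len(summary[cur]["sources"])
        if before and now / before >= ratio:
            flagged.append(cur)
    return flagged


if __name__ == "__main__":
    s = summarize(make_sample_log())
    for day in sorted(s):
        print(day, s[day]["attempts"], "attempts from", len(s[day]["sources"]), "sources")
    print("worm-like growth on:", flag_source_growth(s))
```

Counting distinct sources rather than raw attempts is the point: the Friday logs in the article (611 attempts from 27 sources) would not trip a threshold on volume, but the jump from 27 to more than 1,000 sources the next day would.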
"You never heard about Web browsers?" wrote one person on the list. "Please
But Eichman was a frequent contributor to DShield, which used his logs to correlate disparate incidents across the Net and identify patterns. Because he seemed knowledgeable, he was taken seriously by Johannes Ullrich, editor of DShield and chief technology officer of the Internet Storm Center at the System Administration, Networking and Security Institute (SANS).
"The first suspicion was that there was something wrong with his firewall," Ullrich said. "But he was a longtime submitter, so we kept notifying the people" who were attacking CAS' network, he added.
On Monday, July 16, researchers got the first confirmation that Eichman was right. The immediate conclusion: It was a worm.
One of the most infamous examples caused a password-collection
Lured by the efficiency of self-propagating worms' ability to spread code widely, online vandals have begun using such worms to deface and hack servers. Starting with the Linux Ramen worm in January, a steady stream of such programs has leveraged widespread flaws in computer systems to spread across the Internet.
When Microsoft announced June 18 that a flaw had been found in the company's IIS Web server software--the software basis of nearly 6 million Web sites--it seemed only a matter of time before virus writers and vandals created a worm to attack it.
So for eEye's Maiffret, it came as no surprise when Internet hosting service Left Coast Systems reported the discovery of just such a worm a month later.
The British Columbia-based company discovered that one of its servers had been infected Friday, July 13, by a new worm exploiting the vulnerability. The company decided to directly contact eEye, the company that had found the flaw.
Maiffret immediately asked for a copy of the program to analyze, but his investigation was delayed by the weekend. The worm kept working overtime, though, infecting almost 3,600 hosts by Sunday night.
By Tuesday morning, the bleary eEye crew had discovered how the worm worked.
The company also discovered two important properties of the worm: Code Red defaces Web pages, and the part of the program used to generate a list of random addresses to attack had an error. Each instance of the worm, once it had infected a server, would not randomly attack the Internet but instead follow the same path as all its brethren.
Any computer attacked by the first Code Red worm would, in the end, be attacked by each of its offspring.
The error had an interesting side effect. The owner of any computer attacked by the worm could make a definitive list of compromised machines, because every infected server would eventually attack the computer. This allowed eEye and others to track the growth of the worm, though it could also allow a person with malicious intent to build a list of known vulnerable systems.
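The fixed-path behavior described above follows from a single property: a pseudorandom generator started from the same seed emits the same sequence every time. The simulation below is an added example, not eEye's analysis or the worm's own code; it uses Python's `random.Random` as a stand-in for whatever generator the worm used, treats 32-bit integers as stand-in addresses, and compares two cases from the point of view of a defender watching one address: every instance shares a seed (the Code Red defect), or each instance derives its own. In the first case the observer's log of sources is a complete list of infected hosts; in the second it is essentially just the one host that happened to pick that address.

```python
"""Why a shared PRNG seed makes every worm instance probe the same targets.

Added example, not from the article. random.Random stands in for the worm's
generator; 32-bit integers stand in for addresses. The observer models a
defender's IDS at one address recording which instances probed it.
"""
import random

ADDRESS_BITS = 32


def target_sequence(seed, count):
    """Targets one instance would probe, in order, from a generator seeded with `seed`."""
    rng = random.Random(seed)
    return [rng.getrandbits(ADDRESS_BITS) for _ in range(count)]


def simulate_observer(instance_seeds, probes_per_instance, observer_address):
    """Return the set of instance ids whose probe list includes observer_address."""
    seen = set()
    for instance_id, seed in enumerate(instance_seeds):
        if observer_address in set(target_sequence(seed, probes_per_instance)):
            seen.add(instance_id)
    return seen


def fixed_seed_scenario(n_instances=50, probes=1000, fixed_seed=12345):
    """The defect: all instances share one seed, so all walk the same path.

    The observer sits at an address that appears somewhere in the shared list;
    every instance eventually reaches it, so the observed set is the full set
    of infected instances.
    """
    seeds = [fixed_seed] * n_instances
    shared_path = target_sequence(fixed_seed, probes)
    observer = shared_path[probes // 2]
    return simulate_observer(seeds, probes, observer)


def per_instance_seed_scenario(n_instances=50, probes=1000):
    """The intended behavior: each instance seeds from something local to it.

    The observer sits at an address that instance 0 will probe. With distinct
    seeds the other instances walk unrelated paths, so the chance that any of
    them hits the same 32-bit value is negligible and the observer learns of
    essentially one instance only.
    """
    seeds = [1000 + i for i in range(n_instances)]  # constructed distinct seeds
    observer = target_sequence(seeds[0], probes)[probes // 2]
    return simulate_observer(seeds, probes, observer)


if __name__ == "__main__":
    print("shared seed, instances observed:", len(fixed_seed_scenario()))
    print("per-instance seed, instances observed:", len(per_instance_seed_scenario()))
```

The same determinism is what let eEye and others chart the worm's growth from a single vantage point, and, as the article notes, it is also why a list of observed sources doubles as a list of vulnerable systems.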
Throughout the day, eEye continued to decode the worm. By Tuesday evening, worm infections had topped 10,000.
Editors: Mike Yamamoto, Lara Wright, Scott Martin. Design: Jeff Quan. Production: Mike Markovich.