Virulent worm calls into doubt our ability to protect the Net

For eEye's Maiffret, the virulent spread of the worm drove home a point that the security community had been making for at least two decades: System software must be patched regularly. And when flaws are found in software as widely used as Microsoft's in Web servers, fixing the problem is even more critical.

"We were telling people how bad it was, and Microsoft was telling people how bad it was, but they still didn't install the patch," Maiffret said July 18.

Scott Culp, program manager for Microsoft's security response center, also put out a dire warning to customers: Patch now, or else.

"We are going back out to customers and telling them that if they didn't put the patch on before, this is all the reason they need to put the patch on now," he said.

However, many security researchers are questioning that common wisdom. If the spread of the Internet worm shows anything, it's that publicizing vulnerabilities and trying to persuade system administrators to plug the holes doesn't work, said LBNL's Paxson.

"I would not at all be surprised if 30 percent or 50 percent (of system administrators) have no clue," he said.

Even the most diligent administrators have trouble keeping abreast of security holes and patches. "Just watching a single site like LBNL--where part of the mission is cybersecurity--they take it seriously," Paxson said. "It's really so hard."

Yet, with new attacks that spread quickly, system administrators have taken on the mantle of responsibility--however reluctantly--not only for their systems, but also for what their systems do to the Internet.

The Code Red worm proved that individual, insecure systems can quickly become a global problem.


On Wednesday, July 18, after completely dissecting the worm, eEye's team discovered it had a new mission: The next day, at midnight GMT, every worm would stop attempting to infect other computers on the Net and instead level a denial-of-service attack at an IP address used by the White House Web site.

Still worse, each copy of the worm--which totaled almost 14,000 by Wednesday evening--would send 400MB of garbage data every 4.5 hours.

Many thought the massive influx of data could slow parts of the Internet to a crawl. Others thought the Web could handle the load.

Then, on Thursday morning, the worm soared from slow growth to an epidemic. To experts, it was obvious what had happened: Someone had created a variant of Code Red and fixed the random-number generator, enabling the worm to spread much faster.

Within three hours, the worm had topped 100,000 infections, and by the midnight GMT deadline--5 p.m. PDT--the worm had hit more than 359,000 computers, according to an analysis by David Moore, staff researcher at the Cooperative Association for Internet Data Analysis.

"Had the worm not been programmed to stop spreading at midnight, additional hosts would have been compromised," Moore said in the analysis.

Of those machines, almost 44 percent were in the United States, 11 percent in South Korea, 5 percent in China and the rest scattered around the globe. At its peak, around 9 a.m. PDT, the worm had infected more than 2,000 servers every minute.

The worm's growth slowed as midnight GMT approached, indicating it had saturated the Net, LBNL's Paxson said. Otherwise, every unpatched server would eventually have been infected.

"If you were vulnerable, you were nailed," he said.
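The two patterns described above, a variant that crawled until its random-number generator was fixed and a fixed variant that exploded and then levelled off as it ran out of unpatched hosts, can be reproduced with a small simulation. The following Python model is an added illustration, not code from the article, from eEye or from CAIDA. It assumes, as a labelled modelling choice, that the original defect was a constant seed shared by every copy, so every copy walked the same target list; the address space, the number of vulnerable hosts and the scan rate are constructed toy values, not Internet-scale figures.

```python
"""Toy model of a random-scanning worm (added illustration, not the article's
or eEye's code).  It shows why copies that all draw the same pseudo-random
target list barely spread, while copies drawing independent targets grow
fast and then saturate once the pool of unpatched hosts is exhausted."""

import random

ADDRESS_SPACE = 1 << 14   # constructed: 16,384 addresses stand in for 2^32
VULNERABLE = 500          # constructed: unpatched hosts in that space
SCANS_PER_TICK = 4        # constructed: probes each infected copy sends per tick


def make_vulnerable_set(seed: int = 1) -> set:
    """Choose which addresses are unpatched; seeded so runs are reproducible."""
    rng = random.Random(seed)
    return set(rng.sample(range(ADDRESS_SPACE), VULNERABLE))


def simulate(ticks: int, shared_seed: bool, seed: int = 7) -> list:
    """Return the cumulative infected count after each tick.

    shared_seed=True is the assumed model of the original worm: every copy
    seeds its generator with the same constant, so every copy walks the same
    target list in the same order and only the oldest copy ever reaches
    addresses nobody has probed yet.  shared_seed=False models the fixed
    variant: each copy gets its own seed, so coverage grows with population."""
    vulnerable = make_vulnerable_set()
    master = random.Random(seed)      # hands out per-copy seeds

    def new_generator():
        return random.Random(0 if shared_seed else master.getrandbits(32))

    infected = {-1}                   # -1 is patient zero, outside the address space
    generators = [new_generator()]    # one generator per infected copy
    history = []
    for _ in range(ticks):
        newly_infected = []
        for gen in generators:
            for _ in range(SCANS_PER_TICK):
                target = gen.randrange(ADDRESS_SPACE)
                if target in vulnerable and target not in infected:
                    infected.add(target)
                    newly_infected.append(target)
        # each new victim starts scanning on the next tick with its own generator
        generators.extend(new_generator() for _ in newly_infected)
        history.append(len(infected) - 1)   # exclude patient zero
    return history


def new_per_tick(history: list) -> list:
    """Infections gained in each tick, i.e. the slope of the growth curve."""
    return [b - a for a, b in zip([0] + history[:-1], history)]


def peak_tick(history: list) -> int:
    """Tick with the most new infections; growth slows after it because the
    remaining unpatched hosts become rare (the saturation described above)."""
    rate = new_per_tick(history)
    return rate.index(max(rate))


if __name__ == "__main__":
    slow = simulate(200, shared_seed=True)
    fast = simulate(200, shared_seed=False)
    print("shared seed: %d infected after 200 ticks" % slow[-1])
    print("independent seeds: %d infected after 200 ticks, peak growth at tick %d"
          % (fast[-1], peak_tick(fast)))
```

Running it shows the shared-seed population stuck in the low tens while the independently seeded one reaches essentially all 500 vulnerable hosts, with new infections per tick rising to a peak and then falling toward zero, which is the S-shaped curve Moore's analysis and Paxson's saturation remark describe. For a defender the practical reading is the one the article draws: once a worm scans efficiently, the only hosts that are not eventually found are the ones already patched.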


While there are almost 6 million Web sites hosted on Microsoft's IIS software, according to Internet survey firm Netcraft, it's uncertain how many servers that equates to, because a single server can host several sites.

Although system administrators should take responsibility for the security of their systems, software makers need to start taking more responsibility for their software as a whole, according to the Computer Emergency Response Team (CERT) Coordination Center, the group responsible for passing information between corporate security managers.

System administrators should not have to deal with the unending task of patching the holes in such software, CERT Coordination Center manager Jeffrey Carpenter said in a statement.

"As we've seen with the 'Code Red' worm and other distributed attacks, even sites that do everything correctly can be severely impacted when new vulnerabilities are discovered," he said.

Microsoft and the IIS flaw were not mentioned by name, but the criticism was clearly aimed at the software giant and the 40 bugs the company has acknowledged in the first seven months of this year.

"The kinds of problems caused by Code Red will continue until vendors substantially reduce the number of vulnerabilities in their products in the first place," Carpenter said.

Microsoft agreed with CERT that software quality needs to improve, but stressed that perfection is an impossible goal.

"As long as software is built by human hands, there will always be software bugs, and some of those bugs will result in security vulnerabilities," said Microsoft's Culp.

Microsoft was not even immune to its own software's flaws. Several of the giant's own sites--including some servers related to the company's update and support Web site--fell prey to the worm.


Whether the White House Web site ran on Microsoft's IIS Web server didn't matter, however.

On Thursday at 5 p.m. PDT, servers infected with Code Red were scheduled to overwhelm the Whitehouse.gov site, and potentially parts of the Internet, with a flood of data, according to the analysis by eEye.

As reports came in that the worm's phenomenal growth had started affecting various companies' network performance, White House system administrators worked to defend against the attack.

In the end, a simple flaw in the makeup of the worm saved the White House from the deluge of data that could have taken it down for days.

By design, the worm would try to connect to the original address and unleash its deluge of data only if the server responded. Since the worm targeted the specific IP address for the White House's Web site--198.137.240.91--administrators for the site dodged the onslaught by apparently moving the site to a neighboring IP address, 198.137.240.92.

By playing a shell game with the site's IP address, and junking any data sent to the original address, the White House's system administrators dodged the attack. White House spokesman Jimmy Orr acknowledged that the site's technicians took precautions but would not discuss the address switch.

The attack goes on, however. Though it was unsuccessful, the worm's programming will keep attempting to access the Whitehouse.gov site until Friday at 5 p.m. PDT, when the worm will go into hibernation until the end of the month, according to eEye.


Although the White House sidestepped the deluge of data, an old debate resurfaced, and eEye found itself under attack by critics of its "tell-all" policy regarding security holes.

The company says it didn't reveal the recipe of how to turn the security hole into a worm, but details in its original June 18 advisory were indirectly responsible for causing the rewrite of the Code Red worm, said Russ Cooper, self-proclaimed "Surgeon General for the Internet" and the editor of NTBugtraq mailing list for security service provider TruSecure.

"Their original analysis contained everything required to place code in an executable position within IIS, as well as necessary information about how to make that code properly execute," Cooper said in a post to the NTBugtraq mailing list.

eEye may not have given a blueprint to worm writers, but they certainly provided pointers on how to exploit the code. In a section of the June 18 advisory titled "The Exploit, as taught by Ryan 'Overflow Ninja' Permeh," the company outlined several issues that hamper programs that may seek to exploit the hole.

But Maiffret says such details are necessary to outline the danger the vulnerability could cause.

"You're damned if you do and damned if you don't," eEye's chief hacking officer said. "If you have a program that tells people there is a hole and a tool that leaves a file on their hard drive, it's the file that will convince them to patch their server."

CAS security guru Eichman agreed that responsible disclosure of information is a hard balance to maintain. "It's a fine line," he said. "It's tough to stay on that line without pissing someone off in one direction or another."

Though Microsoft questioned the necessity of the details of eEye's advisory, the software giant did praise the company for alerting it first and giving its developers a month to create a fix before going public.


Yet, like the problems for Internet security, the worm won't go away.

On Monday, July 31, at 5 p.m. PDT, the worm will awake and again attempt to infect servers. Worse, malicious programmers will likely be modifying the worm's code with an even more devastating payload.

Have system administrators, software makers and security professionals taken to heart the lesson of the Code Red attack? LBNL's Paxson fears that the lesson may not have been driven home.

"If it had attacked Whitehouse.gov successfully, that might have been more effective in the long run," he said, pointing out that the failure of the worm to shut down the site may actually hurt security because the resurgence could be worse.

"There is some sort of tension between an ugly public-security event that teaches and one that hurts people," he said. "This one probably wasn't visible enough to really change our mind-set, so really, we haven't learned anything." 