http://www.linuxplanet.com/linuxplanet/opinions/3647/1

.comment: The Weakest Link

Watching the Asteroid Approach

July 25, 2001

It was amusing, terrifying, interesting, and irritating, all at once.

Last Thursday afternoon I sat here and watched the cable modem go wild, as if thousands of machines were trying to do port scans all at once. That's because thousands of machines were trying to do port scans all at once.

It seemed to come in waves -- first the blinking "incoming" light would flash, then it would flash frequently, then it would be solidly on, semi-flashing like a little orange neon bulb, with only an occasional, sub-second break. Twice, the load was such that the cable modem just shut itself down; once it was nearly an hour before it came back.

I think I keep my machines here buttoned up pretty tightly, safe behind their firewall and running, really, no services. But just as the diver in his cage must feel as the sharks approach, I had the tiniest bit of doubt. I knew the system was as tight as I could make it, but I didn't entirely believe it.

Last Thursday, in case you didn't follow the industry press closely (there having been unforgivably little coverage in the mainstream media), was when the chief effects of what is known as the Code Red worm were felt.

Code Red is a worm that exploits a known security flaw in Microsoft's web hosting software. The flaws in Microsoft's web hosting software have been so legendary that a couple months ago a well-known industry web site retracted a report of one, thinking it was repeating a story many months old. An easy mistake to make, but it was the retraction that was wrong: Microsoft had discovered that its earlier fix hadn't secured the product. Now, said Microsoft, here was the patch that would cover the hole. Everyone, said Microsoft, should apply it. Not everyone did; there are nearly a quarter-million known infected servers. (Among those who didn't apply the patch was Microsoft Corp., as many who rushed to windowsupdate.com for the patch last week discovered. A lot of those disappointed visitors made screenshots of what they found.)

What they found was a defaced web page with the URL of a site that had nothing to do with the attack and a claim that the Chinese were responsible, something that has not, best I can tell, been either confirmed or disproved.

If that had been all that Code Red did, it would certainly have been criminal but there would at least have been the knowledge that the only people affected were those who should have known better. (Here there might be disagreement as to what knowing better would have comprised. Certainly it would at least have involved applying the patch. But there's a good argument to be made that knowing better requires not running any Microsoft Internet-related software on any machine that is connected to any other machine or group thereof, and that is the argument that I shall champion as our story unfolds.)

This worm had more on its squirmy little mind, though, than screwing up a bunch of web pages. It also spun off a hundred threads, each looking for other machines to infect. These, in turn, sent their own hundred feelers. And so on.

The idea, based on dissection of the thing, was to propagate as widely as it could until Friday. At that point it would begin sending 4.1-meg globs of data to the IP address that had been occupied by www.whitehouse.gov, every four hours or so, for a week. Then it would start sending itself all over creation again.

(I oversimplify here a little -- for instance, it defaced the web pages only where it found English language versions of the web server; elsewhere, it would infect but leave the pages intact. There are some additional fine points -- duration and frequency of the attack on the IP address, for instance -- that I have approximated.)

What I was watching Thursday was the frenzied attempt of this monster to propagate, as a hundred discrete threads from each of at least a quarter of a million machines -- 25,000,000 would-be worm infections -- were going just as fast as they could, trying to find a machine to infect. We're talking, in effect, an impressive denial-of-service attack here. If the worm's construction is to be taken as a statement of intent -- something of which we cannot be sure -- then the DOS was merely a side-effect, an overture before the real show began. The White House runs Linux for portions of its web operations, but when you have 25,000,000 attempts by Windows machines to send you 4.1-meg packages, it doesn't much matter what you're running.

We cannot know what the worm's authors had in mind because of a couple of seemingly stupid things that were done. One was to hard-code the IP address of whitehouse.gov. This meant that all that was necessary for the White House to do was to change the IP address of its site, which the White House did. The other was to require a connection before any data were sent. The White House black-holed the hard-coded IP address, so beyond the initial feelers, the worm did nothing. (Imagine 4.1 megabytes times 25,000,000 threads, every four hours, if the coders had done DNS lookup instead of hard-coding the address. That's a pretty decent bandwidth suck, don't you think? And those are just the machines we know about.) But the worm was otherwise fairly sophisticated, I'm told by people who know a lot more than I do about such things. Hard to imagine its programmers would make such simple and obvious mistakes.
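The scanning waves described above, many unrelated hosts probing the web port at the same moment, are what a defender would look for in gateway logs rather than in the blinking of a cable modem. What follows is an added example, not code from the original column; the netfilter-style log format, the gateway hostname and the addresses are all constructed.

```python
"""Flag minutes in which many distinct hosts probe TCP/80 (a Code Red style wave)."""
import re
from collections import defaultdict

# Constructed sample resembling iptables/netfilter LOG output; addresses are
# documentation ranges, the gateway name "gw" is invented.
SAMPLE_LOG = """\
Jul 19 14:02:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1043 DPT=80 SYN
Jul 19 14:02:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=2201 DPT=80 SYN
Jul 19 14:02:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=TCP SPT=3310 DPT=80 SYN
Jul 19 14:02:14 gw kernel: IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=TCP SPT=1777 DPT=80 SYN
Jul 19 14:03:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 PROTO=TCP SPT=4020 DPT=22 SYN
Jul 19 14:03:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.5 PROTO=TCP SPT=1500 DPT=80 SYN
Jul 19 14:05:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=1601 DPT=80 SYN
Jul 19 14:05:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=198.51.100.5 PROTO=TCP SPT=1602 DPT=80 SYN
Jul 19 14:05:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.21 DST=198.51.100.5 PROTO=TCP SPT=2890 DPT=80 SYN
Jul 19 14:05:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.22 DST=198.51.100.5 PROTO=TCP SPT=3001 DPT=80 SYN
"""

# Timestamp, source address, destination port and the SYN flag are all we need.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hh>\d\d):(?P<mm>\d\d):\d\d .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*?SYN"
)


def syn_sources_per_minute(log_text, port=80):
    """Map "HH:MM" to the set of distinct sources that sent a SYN to `port`."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue
        buckets[f"{m.group('hh')}:{m.group('mm')}"].add(m.group("src"))
    return dict(buckets)


def scanning_minutes(log_text, port=80, threshold=3):
    """Minutes in which at least `threshold` distinct hosts probed `port`.

    One curious host is noise; many unrelated hosts hitting the same port in
    the same minute is the propagation signature the column describes.
    """
    per_minute = syn_sources_per_minute(log_text, port)
    return sorted(minute for minute, srcs in per_minute.items() if len(srcs) >= threshold)


if __name__ == "__main__":
    print(scanning_minutes(SAMPLE_LOG))  # ['14:02', '14:05']
```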

It has since been learned that there was apparently a variation of Code Red that appeared on Thursday morning, after which the rate of propagation greatly increased. There is a body of evidence suggesting that the code in Code Red can be changed remotely -- the reason, perhaps, for the variant? Worse, a harbinger of things to come? For, you see, it appears that after it is done not attacking the White House's website, it will start spreading itself around again, perhaps with modifications made on the fly.

Do you suppose everyone who uses Microsoft's web hosting software will have applied the patch by then?

(The thing also was capable of shutting down certain unpatched Cisco routers and -- I don't know why I think this is funny, but I do -- Hewlett-Packard network printers that aren't hidden away behind a serious firewall.)

There is also the possibility that this was some kind of proof of concept. That the whitehouse.gov business was a red herring, coming as it did during the G-8 meeting, and the evil bastards who cooked up this thing have something entirely different in mind. Imagine, a friend mentioned to me this week, if the target had been root nameservers. Add the denial-of-service implications on the Internet in general, and this could be the general mess that people have been predicting for years.

And if that happens, it doesn't really much matter what operating system you are using, if the Internet plays a part in what you do. It would be an order of magnitude increase in what I watched here last Thursday, when my poor little cable modem struggled just to stay alive, let alone actually transfer any data.

We can smugly say that we're not running Microsoftware, but that scarcely means we're immune to the effects of its being used by others who are connected to the Internet.

Just as I was getting set to write this, I checked my mail. In it were two "messages," each of more than 900k, claiming to contain a file that ended in .zip.bat. They were from no one I'd ever heard of, and they had a little message up front suggesting that I would welcome the attached. A little poking around in the usual places produced the news that there was yet another Outlook Express macro virus on the loose. This one performs a variety of tasks, from filling your hard drive to sending your documents to people in your address book. I'd apparently acquired one of the latter, because the macro itself was a little over 300k. It got spread far and wide -- if sysadmins at Microsoft shops can't rub their two brain cells together and download patches for known exploits, how can mere users be expected to know about, let alone do anything about, the obscenely corrupt behavior of the userspace mail program? (Hell, you get an argument on Linux lists when you point out that HTML mail is not secure.)

Point is, nothing here is unfamiliar or unexpected. How long does it take before there's general recognition that Microsoft software has no business on the Internet?