Madinat al-Muslimeen Islamic Message Board
|Worst ever virus !! Internet put on Code Red alert !!|
|07/31/01 at 04:44:02|
Internet put on Code Red alert !!
The US Government has warned computer users worldwide to protect themselves against a malicious program known as the Code Red worm.
Ronald Dick, head of the FBI's National Infrastructure Protection Centre (NIPC), said worms such as Code Red posed a distinct threat to the internet.
The worm, which first surfaced in mid-July, has been mainly dormant since then, although it has already infected hundreds of thousands of systems.
Experts believe it is set to spread again on Tuesday night, just as the calendar enters August at 0000 GMT.
Investigators do not yet know who wrote Code Red or where it started, though the words "Hacked by Chinese" which appear for a few hours on infected machines raise a suspicion that this is another development in an ongoing Chinese-American war of hackers.
The FBI says it is working with experts in the United Kingdom, Australia and Canada to try and contain the worm's spread.
The Code Red program is technically not a virus, because it can spread across networks and infect new machines without computer users having to do anything at all.
Search for source
At a press conference in Washington on Monday evening, officials said the FBI was working with Canada, the United Kingdom and Australia to fight the worm's spread.
Law enforcement officials have asked for the public's help in finding those responsible for the worm.
"If individuals have information about the people that have committed this crime, we ask them to come forward," said Mr Dick.
Mr Dick also expressed concern that too many computer users thought of their systems as mere appliances, not recognizing that a computer needs "to be constantly monitored and maintained. It functions like a living organism."
He stressed the need for firms running Microsoft Windows NT and 2000 operating systems, along with the Internet Information Services software (IIS), to download Microsoft's security update.
"We should consider it a civic duty to ensure that if you are running IIS software, you have patched it," Mr Dick said.
Home users running Windows 95, 98 or Me are not vulnerable and machines running non-Microsoft operating systems will also be unaffected.
However, even if your own computer is unaffected, Code Red could seriously disrupt your access to the internet.
It is "enough to cause the meltdown of the Internet," said Russ Cooper of security services company TruSecure Corp.
White House web attack
Earlier this month, the White House changed the net address of its public facing websites following warnings that Code Red had infected many thousands of machines and was about to flood it with bogus data requests.
In Code Red's first search and infect wave that ended on 19 July, the Code Red program is thought to have installed itself on more than 250,000 machines.
Now, the Code Red program is about to launch a search for more machines to infect.
Experts fear the wave of scanning this will unleash could cause problems for net users.
Last week, the threat of infection by Code Red forced the US Defence Department to pull the plug on its public facing sites for four days while it disinfected servers and closed loopholes that could let the programme through.
Many anti-virus companies have now issued software that helps system administrators work out if they are vulnerable, and search for and purge the Code Red worm from their machines.
Already two variants of the Code Red worm have been found.
|Re: Worst ever virus !! Internet put on Code Red alert !!|
|07/31/01 at 11:50:31|
Peace and SAFE e-Greetings be upon you all...
Calm Before the Storm
Tuesday Night the Code Red Worm Comes Back to Life and There is Not Much We Can Do to Stop It
By Robert X. Cringely
Normally my columns appear on Thursday, but this is a special week and deserves a special column because of the very interesting events that could soon take place on the Internet as the Code Red worm comes back to life.
Two weeks ago I wrote about the likelihood of a worm or virus being spawned that would essentially live forever on the Net. I didn't think then that such vermin was already in action, but it apparently was in Code Red. This worm infects computers running Microsoft's Internet Information Server web server software. It starts with a 19-day infection cycle during which it seeks out new machines to infect, then goes through an eight-day attack cycle during which all infected servers attack the same IP address or host name. Each server devotes 99 threads to attacking the target with a massive Distributed Denial of Service attack, delivering something on the order of 20 gigabits-per-second straight at a single target.
In July the target was an IP address assigned back then to www.whitehouse.gov. Then, on the 28th day, Code Red shut down forever. Or did it? There is good reason to believe, based on disassembly of the worm and analysis by Steve Gibson of Gibson Research that the worm is only resting until the start of the following month. That's midnight, Greenwich Mean Time, on August 1st when it all starts over again. For those readers in the United States, that is 7:00 PM Eastern and 4:00 PM Pacific time on Tuesday, July 31.
If the virus speads as expected, we won't notice much at first on Tuesday night, just an increase in overall traffic on the Internet backbones as uninfected servers are contacted and infected. There is a way to avoid infection by installing a software patch available from Microsoft, but hundreds of thousands — perhaps millions — of IIS servers remain unpatched. There are just under five million IIS servers presently in operation.
Last month the infection rate was much greater and faster than anyone expected or was reported in the news. According to a study conducted by the Cooperative Association for Internet Data Analysis (CAIDA) at the UC San Diego Supercomputer Center, more than 359,000 servers were infected during a 14-hour period on July 19th alone as the worm grew geometrically. Had it grown for even another day, all of the IIS servers on Earth would probably have been infected.
When the witching hour strikes on Tuesday, what happens could be very different than last month. Some experts believe nothing will happen at all but I believe that's just plain wrong. The information I will use to support this assertion was acquired either from those, like Steve Gibson, who have disassembled and examined the Code Red worm or from the officials charged with fighting it, including sources at the CERT data security coordination center at Carnegie-Mellon University, eEye Digital Security, in law enforcement, and at several very large corporations. The FBI knows what you and I know, they just have no idea what to do about it.
Point One. The White House thinks it is safe from attack because it has transferred the whitehouse.gov website to the widely distributed servers of Akamai, where it can be shuffled around the Web at will. This is just in case the worm has gotten smarter and shifted from attacking a static IP address to going after the whitehouse.gov host name, itself, using DNS lookups to follow the IP address as it changes.
Point Two. Whether Code Red turned itself off forever or not on July 28th, there are approximately 2,000 infected IIS servers that don't know they are supposed to be turned off and are running right now, trying to infect other servers. These 2,000 IIS servers are ones with broken clocks. They have no idea what the date is, so they are still in infection mode. The only good news here is that these machines never know to turn from infection to attack, either.
As long as even one of these clockless machines remains up and running, Code Red will start over on the first of every month. Forever.
Point Three. There are around 200,000 IIS servers that are still both unpatched and infected. If the worm didn't turn itself off for good on the 28th, every one of these machines is going to move into infection mode on Tuesday. So there will definitely be a reinfection, but the only question is whether the seed starts with 2,000 clockless machines or 200,000 infected machines. Either way, 19 days will be plenty to reach any unpatched servers.
An interesting sidelight here should show how little the authorities can do about an attack of this nature. It's not that they don't have the technology, they don't have a consensus about how to use that technology. For example, one proposal that was floated was essentially an anti-worm — sending a second infection that would turn off the first. This was rejected as acting too much like the bad guys. A second proposal was to simply send an e-mail to the registered administrator of every infected IP address saying "Hey, your server is infected, patch it!" This, too, was rejected, because the authorities didn't want to scare poor sysadmins by asking them to do their jobs. That they didn't at least try the e-mail route astounds me. They have a list of all the IP addresses. It would have taken an hour, but it didn't happen, according to sources who were present at the meeting.
Even if they had tried the e-mail route, though, the chances are very slim of getting 100 percent of the servers shut down and patched. Many of the infected servers aren't really being used at all. They are still showing their default Microsoft homepages and are simply running as a service under Windows NT. In those cases, the people on whose computers IIS is running probably don't even know they have a web server.
So the authorities, including Microsoft, have decided to hold a big press conference Monday to announce at least some of what you are reading in this column. It probably won't work, of course, since it is hard to warn people who don't even know they are running a web server at all.
Point four. The Code Red worm can be changed from turning itself off on the 28th to never turning itself off at all by twiddling a single program bit. It can be retargetted from whitehouse.gov to amazon.com, to cringely.com in an instant. Someone wrote this thing and that someone can change it. Even worse, there are plenty of people who wouldn't be capable of writing such a program who still know enough to make the simple sort of changes I just mentioned.
This thing, or something very much like it, is going to be with us for a very, very long time.
And what happens on the 20th, when the attack cycle begins? It depends on the number of infected machines and the nature of the chosen target, but the worst case says the Internet simply comes to a standstill and we go back to watching TV and talking on the phone until the 28th day of the month and potentially until every 28th day of the month thereafter.
This is very, very bad news, but there is a solution that will shortly be presented that will be claimed to save the day. This miracle solution will be the subject of my regular column this week, which will appear, as usual, on Thursday. Please come back then. Because while there is a solution, I believe that many people will see the cure as being nearly as bad as the disease.
Individual posts do not necessarily reflect the views of Jannah.org, Islam, or all Muslims. All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the poster and may not be used without consent of the author.The rest © Jannah.Org