* subscribe at http://techPolice.com

'Code Red' worm rearing to attack Net

By Robert Lemos, ZDNN
July 19, 2001 2:26 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,5094428,00.html

An analysis of the fast-spreading Code Red computer worm has discovered that infected 
computers are programmed to attack the White House Web site with a denial-of-service 
attack Thursday evening, potentially slowing parts of the Internet to a crawl.

The worm, which is thought to have compromised more than 15,000 English-language 
servers running Microsoft's Web server software, will cause every infected computer to 
flood the Whitehouse.gov address with data starting at 5 p.m. PDT, according to an 
analysis by network-protection company eEye Digital Security.

While the direct target of the worm's denial-of-service attack is Whitehouse.gov, the 
indirect effect is that an avalanche of data will hit the Net. Each infection--a 
server can be infected at least three times--will send 400MB of data every four hours 
or so, possibly leading to a massive packet storm.

"That's what I mean when I say, 'Boom!'" said Marc Maiffret, chief hacking officer of 
eEye. "If this goes along what it's looking like, parts of the Net will go down." He 
noted, though, that the code could have an error that causes the worm "to screw up and 
not work right."

Already, there are reports that the worm's propagation is causing performance 
problems for some companies connected to the Internet. According to data from Internet 
performance company Matrix.net, the root domain servers--the central databases 
connecting numerical Net addresses to Web names--are showing 20 percent packet loss. 
That indicates a substantial increase in data flowing across the Net.

Even if the flood of data continues to increase as expected, it may go unnoticed by 
most Web users, said Fred Cohen, a security expert in residence at the University of 
New Haven and the author of the first paper on computer worms in 1984.

"If it is handled properly, it sounds like it's easily defeated," he said. "All those 
people (whose servers have been infected) can be notified. The Internet won't 
collapse; society won't end.

"Back 15 years ago, that (was) more bandwidth than the whole Internet had, but today 
the Internet can handle it."

Government officials on Thursday afternoon were reviewing the eEye analysis, according 
to sources. Calls to the White House were not immediately returned.

In June, eEye found the security vulnerability in Microsoft's Internet Information 
Server that is being used by the worm. Known as the index-server flaw, the security 
hole was detailed and patched by Microsoft more than a month ago.

Although system administrators have had more than a month to plug the hole, a large 
number have not.

The security hole, combined with the low priority normally given to patching systems, 
may cause history to repeat itself.

In November 1988, the Cornell Internet Worm overloaded an estimated 3,000 to 4,000 
servers, or about 5 percent of those connected to the early Internet. The worm, which 
exploited flaws in Unix systems, was written and released by Robert T. Morris, a 
Cornell University graduate student. The effects on the early Internet are still 
debated, but some estimate that traffic slowed by 15 percent to 20 percent on average.

That may happen again.

The Code Red worm spreads by selecting 100 IP addresses, scanning the computers 
associated with them for the hole and spreading to the vulnerable machines. The worm 
then defaces any Web site hosted by the server with the text: "Welcome to 
http://www.worm.com! Hacked by Chinese!"
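The two traces an administrator could actually look for in the propagation described above are the scanning request that hits the index-server hole and the defacement string the worm writes into hosted pages. The script below is an added example, not code from the article or from eEye's analysis. It assumes (the article does not say this) that the scanning probe arrives as an HTTP GET for the IIS Indexing Service ISAPI extension, i.e. a `.ida` URL with an oversized query string, and it works over constructed W3C-extended log lines rather than real captures; the long `X` filler is a stand-in, the detector keys on length, not content.

```python
"""
Added example (not from the ZDNet article or eEye's analysis): defender-side
triage for two observable traces of the worm described in the article.

Assumptions, labelled:
- The scanning probe is an HTTP GET for the IIS Indexing Service ISAPI
  extension (a `.ida` URL) with an oversized query string. The article only
  says "index-server flaw"; the `.ida` detail is an assumption here.
- Log lines are constructed in W3C extended format, not real captures.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Defacement text quoted in the article.
DEFACEMENT_TEXT = "Welcome to http://www.worm.com! Hacked by Chinese!"

# W3C extended fields assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# A query string longer than this is far outside anything a legitimate
# index query would send; the threshold is a heuristic, not a published value.
MAX_SANE_QUERY = 200


@dataclass
class ProbeReport:
    probes_by_source: dict   # source IP -> number of oversized .ida probes seen
    probes_answered_200: int  # probes the .ida handler actually answered (see note)


def is_index_server_probe(stem: str, query: str) -> bool:
    """Oversized request to the indexing-service extension (assumed signature)."""
    return stem.lower().endswith(".ida") and len(query) > MAX_SANE_QUERY


def triage_iis_log(lines) -> ProbeReport:
    """Count probes per source and how many the server answered with 200.

    Heuristic: a 200 means the .ida mapping was present and handled the
    request, the state an unpatched server is in; a 404 suggests the mapping
    was removed, which is one of the mitigations for this hole.
    """
    probes = Counter()
    answered = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        if is_index_server_probe(m["stem"], m["query"]):
            probes[m["ip"]] += 1
            if m["status"] == "200":
                answered += 1
    return ProbeReport(dict(probes), answered)


def is_defaced(page_body: str) -> bool:
    """True if a served page carries the defacement text from the article."""
    return DEFACEMENT_TEXT in page_body


# Constructed sample log: two probes from one source (the article notes a
# server can be hit more than once), one probe against a server without the
# mapping, and two benign requests including a short legitimate .ida query.
SAMPLE_LOG = [
    "2001-07-19 17:02:11 10.0.0.5 GET /default.ida " + "X" * 300 + " 200",
    "2001-07-19 17:02:13 10.0.0.5 GET /default.ida " + "X" * 300 + " 200",
    "2001-07-19 17:05:40 10.0.0.9 GET /default.ida " + "X" * 300 + " 404",
    "2001-07-19 17:06:02 192.0.2.7 GET /index.html - 200",
    "2001-07-19 17:06:30 192.0.2.8 GET /search.ida q=report 200",
]

if __name__ == "__main__":
    report = triage_iis_log(SAMPLE_LOG)
    print("probes by source:", report.probes_by_source)
    print("probes answered with 200:", report.probes_answered_200)
    print("defaced:", is_defaced("<html><body>" + DEFACEMENT_TEXT + "</body></html>"))
```

The per-source counter is what turns a log into an incident signal: the same source probing repeatedly is the scanning behaviour the article describes, and a 200 response to such a probe is the cue to check that host for the defacement text and apply the patch.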

Code Red seems to deface only English-language servers, going into hibernation on 
non-English versions of Microsoft's IIS software. However, many companies in other 
countries use the English version of Microsoft's software, said eEye's Maiffret.

"The majority of foreign companies run the English system, because updates come out 
first in the English," he said.

According to the eEye analysis, when Coordinated Universal Time hits midnight on 
Friday morning--5 p.m. PDT Thursday--every worm infection will start sending nearly 
400MB of data every four hours.

An apparent side effect of the worm seems to crash several varieties of DSL routers 
and higher-end network routers that direct data around the Internet, according to 
posts on the Bugtraq mailing list maintained by SecurityFocus. While apparently not an 
intended consequence of the worm, the problems could exacerbate the bandwidth problems 
once the data flood starts.


--via http://techPolice.com
archive: http://theMezz.com/cybercrime/archive
--via http://theMezz.com
