Code Red raises fears for the future

At The Internet Security Conference held at the beginning of June in Los Angeles, Stefan Savage, chief scientist at Asta Networks Inc. and a researcher at the University of California at San Diego, gave a presentation on Distributed Denial of Service (DDoS) attacks in which he said he had spoken to a person who controlled a network of 10,000 computers that could be used in a DDoS attack.

At the time, the audience was skeptical, he said. Perhaps, in the wake of the Code Red worm which has essentially created a DDoS network of nearly 350,000 computers, that audience is now more credulous.

The Code Red worm, which attacks Microsoft Corp. Internet Information Server (IIS) systems with a particular security vulnerability, has infected 343,345 computers since Aug. 1, according to data posted on the Internet security Web site Incidents.org. Though the bulk of the attention directed at Code Red has been a result of its bandwidth-clogging activities and its potential to damage the Internet, part of its purpose was also to launch a DDoS attack against the White House Web site. Though the DDoS portion of the worm was not written well and was easily defeated by the White House, the fact remains that nearly 350,000 servers have been unwillingly implicated in an attempt to launch Web attacks.

The attention leading up to Code Red's reactivation on Aug. 1, which included a first-ever joint security warning from the U.S. Federal Bureau of Investigation's National Infrastructure Protection Center, the Computer Emergency Response Team/Coordination Center (CERT/CC), Microsoft, the SANS Institute and others, has caused a backlash among some users and companies. One such company, antivirus vendor Kaspersky Labs Ltd., issued a press release Friday charging that media attention paid to Code Red had resulted in users vulnerable to other worms, such as Sircam, being neglected.

Code Red, despite not being the catastrophe some had predicted, scared many people in the Internet security community, and rightly so, Stefan Savage said Thursday.

"The potential for damage -- even though it didn't really do it -- is enormous," he said, noting that the worm could easily have been written to do something more destructive.

"It seems like a relatively minor bit of work for someone to go and attach the worm to something really nasty" like a good DDoS tool or a program which would delete files on infected systems, he said.

"(Had the worm been written differently) it would have had no trouble taking over 1,000 systems and deleting all the files," said Alan Paller, director of security research at the SANS Institute.

Though the rate of Code Red infection is slowing and machines are being patched, eliminating the vulnerability, and thus the potential for a future attack, will not be an easy or quick process, Savage said.

"It's very unlikely that we'll get 200,000 machines patched any time soon," he said. "With anything of this magnitude, it's going to be really hard to eradicate all of it."

Paller agreed, saying that even if the efforts currently underway by SANS and others are successful in notifying the majority of infected users about their status, there will still likely be 20,000 to 50,000 infected machines that the groups will not be able to track down.

Such a state of affairs could lead to further, more destructive attacks being built on the back of this one, Savage said.

"I would not be surprised if it happens," he said, though he expects that such an attack will be held back by people's fears of not being able to control the worm or deny that the worm is just research or fun.

To avert such a threat, vendors, especially Microsoft, will have to focus more squarely on security and perhaps change their vulnerability-patching practices, SANS' Paller said.

"It's got to be the people who supply the tools who take responsibility," he said. "The security community did a phenomenal job (with Code Red) but we can't do it without the vendors."

Changing security practices and philosophies will be key to protecting systems in the future, Savage said.

"We need to move to a model where we assume our machines have been subverted," he said. "This was kind of a lesson."
