TUE AND WED CODE RED VIRUS PLEASE READ

[Guest guest]

Calm Before the Storm

Tuesday Night the Code Red Worm Comes Back to Life and There is Not Much We Can Do to Stop It

By X. Cringely

Normally my columns appear on Thursday, but this is a special week and deserves a special column because of the very interesting events that could soon take place on the Internet as the Code Red worm comes back to life.

Two weeks ago I wrote about the likelihood of a worm or virus being spawned that would essentially live forever on the Net. I didn't think then that such vermin was already in action, but it apparently was in Code Red. This worm infects computers running Microsoft's Internet Information Server web server software. It starts with a 19-day infection cycle during which it seeks out new machines to infect, then goes through an eight-day attack cycle during which all infected servers attack the same IP address or host name. Each server devotes 99 threads to attacking the target with a massive Distributed Denial of Service attack, delivering something on the order of 20 gigabits-per-second straight at a single target.

In July the target was an IP address assigned back then to www.whitehouse.gov. Then, on the 28th day, Code Red shut down forever. Or did it? There is good reason to believe, based on disassembly of the worm and analysis by Steve Gibson of Gibson Research that the worm is only resting until the start of the following month. That's midnight, Greenwich Mean Time, on August 1st when it all starts over again. For those readers in the United States, that is 7:00 PM Eastern and 4:00 PM Pacific time on Tuesday, July 31.

If the virus speads as expected, we won't notice much at first on Tuesday night, just an increase in overall traffic on the Internet backbones as uninfected servers are contacted and infected. There is a way to avoid infection by installing a software patch available from Microsoft, but hundreds of thousands — perhaps millions — of IIS servers remain unpatched. There are just under five million IIS servers presently in operation.

Last month the infection rate was much greater and faster than anyone expected or was reported in the news. According to a study conducted by the ative Association for Internet Data Analysis (CAIDA) at the UC San Diego Supercomputer Center, more than 359,000 servers were infected during a 14-hour period on July 19th alone as the worm grew geometrically. Had it grown for even another day, all of the IIS servers on Earth would probably have been infected.

When the witching hour strikes on Tuesday, what happens could be very different than last month. Some experts believe nothing will happen at all but I believe that's just plain wrong. The information I will use to support this assertion was acquired either from those, like Steve Gibson, who have disassembled and examined the Code Red worm or from the officials charged with fighting it, including sources at the CERT data security coordination center at Carnegie-Mellon University, eEye Digital Security, in law enforcement, and at several very large corporations. The FBI knows what you and I know, they just have no idea what to do about it.

Point One. The White House thinks it is safe from attack because it has transferred the whitehouse.gov website to the widely distributed servers of Akamai, where it can be shuffled around the Web at will. This is just in case the worm has gotten smarter and shifted from attacking a static IP address to going after the whitehouse.gov host name, itself, using DNS lookups to follow the IP address as it changes.

Point Two. Whether Code Red turned itself off forever or not on July 28th, there are approximately 2,000 infected IIS servers that don't know they are supposed to be turned off and are running right now, trying to infect other servers. These 2,000 IIS servers are ones with broken clocks. They have no idea what the date is, so they are still in infection mode. The only good news here is that these machines never know to turn from infection to attack, either.

As long as even one of these clockless machines remains up and running, Code Red will start over on the first of every month. Forever.

Point Three. There are around 200,000 IIS servers that are still both unpatched and infected. If the worm didn't turn itself off for good on the 28th, every one of these machines is going to move into infection mode on Tuesday. So there will definitely be a reinfection, but the only question is whether the seed starts with 2,000 clockless machines or 200,000 infected machines. Either way, 19 days will be plenty to reach any unpatched servers.

An interesting sidelight here should show how little the authorities can do about an attack of this nature. It's not that they don't have the technology, they don't have a consensus about how to use that technology. For example, one proposal that was floated was essentially an anti-worm — sending a second infection that would turn off the first. This was rejected as acting too much like the bad guys. A second proposal was to simply send an e-mail to the registered administrator of every infected IP address saying "Hey, your server is infected, patch it!" This, too, was rejected, because the authorities didn't want to scare poor sysadmins by asking them to do their jobs. That they didn't at least try the e-mail route astounds me. They have a list of all the IP addresses. It would have taken an hour, but it didn't happen, according to sources who were present at the meeting.

Even if they had tried the e-mail route, though, the chances are very slim of getting 100 percent of the servers shut down and patched. Many of the infected servers aren't really being used at all. They are still showing their default Microsoft homepages and are simply running as a service under Windows NT. In those cases, the people on whose computers IIS is running probably don't even know they have a web server.

So the authorities, including Microsoft, have decided to hold a big press conference Monday to announce at least some of what you are reading in this column. It probably won't work, of course, since it is hard to warn people who don't even know they are running a web server at all.

Point four. The Code Red worm can be changed from turning itself off on the 28th to never turning itself off at all by twiddling a single program bit. It can be retargetted from whitehouse.gov to amazon.com, to cringely.com in an instant. Someone wrote this thing and that someone can change it. Even worse, there are plenty of people who wouldn't be capable of writing such a program who still know enough to make the simple sort of changes I just mentioned.

This thing, or something very much like it, is going to be with us for a very, very long time.

And what happens on the 20th, when the attack cycle begins? It depends on the number of infected machines and the nature of the chosen target, but the worst case says the Internet simply comes to a standstill and we go back to watching TV and talking on the phone until the 28th day of the month and potentially until every 28th day of the month thereafter.

This is very, very bad news, but there is a solution that will shortly be presented that will be claimed to save the day. This miracle solution will be the subject of my regular column this week, which will appear, as usual, on Thursday. Please come back then. Because while there is a solution, I believe that many people will see the cure as being nearly as bad as the disease.