Information Warfare: July 29, 2001

Archives

Bringing the Info War Back Home- Information Warfare struck home on July 18th when StrategyPage got hit with the Code Red virus. You didn't notice it because our server was equipped to deal with it. The damage (minor) was cleaned up by the end of the day. Except for the sever being rebooted (putting us offline for a few minutes), there was no effect on our users. No one knows where Code Red came from, although when it hits a vulnerable web server (a PC running a web site), it changes the web site page to a page that says "Hacked by Chinese." No matter where it came from, Code Red provided an example of how information war would be fought. 

First, Code Red only worked because of a flaw in Microsoft's web server software. On June 18th, Microsoft issued a security bulletin about a vulnerability in that software, and provided a patch. But by announcing this problem, Microsoft also let the bad guys know there was a way to sneak into servers and do damage. On July 13, the first reports of Code Red were received. The virus was quickly taken apart and it was discovered that it had a number of interesting features. First, it operated completely in memory, not putting anything on the hard drive. This made it harder to find, even though it defaced the servers web page. Second, it immediately began randomly calling other servers, looking for vulnerable ones to infect. There are about 3.5 million servers out there that were potentially vulnerable (the 21 percent of the world's 17 million active servers running Microsoft software.) It was estimated that Code Red could infect half a million servers in 24 hours. As it was, only about 300,000 were infected. This was because the random search was not completely random, a feature could have provided the authors of Code Red with a list of vulnerable servers. But a week after the first Code Red appeared, a modified version appeared that went after every server it could reach. It's not known if every vulnerable server was hit, or what percentage of the Microsoft servers were patched to keep Code Red out. If a server administrator just fixed the defaced web pages and did not reboot their server PC, Code Red went dormant and then became active again on certain days of the month to either try and spread or execute a denial of service attack on the U.S. White House server. This was avoided by changing the IP address of the White House server and simply dumped the junk data that went to the old address.

If our sysadmin had installed the Microsoft June 18th patch on time (it was on the "todo list"), we would have never seen Code Red. Apparently the U.S. military felt vulnerable, as they closed many of their web sites for several days to make sure the servers were patched to keep Code Red out.

What's special about Code Red is that it wasn't anything special. Worm type programs like Code Red are known to be fast. Code Red was dangerous because of the easy access Microsoft server software provided. The "Index Server ISAPI vulnerability" that Code Red exploited was one of many in this particular software. Microsoft server software is notoriously buggy, with about one new vulnerability being found each month (and 40 bugs of all sorts in the last seven months). Attempts to get Microsoft to be more serious about system security have had limited success. Meanwhile, the original Code Red is hibernating on servers where it was not detected. These Code Red sites will reactivate at 8 PM EDT, July 31st, 2001. Meanwhile, mutant versions of Code Red are being released. There may be a million servers out there that are still vulnerable, and capable of being turned into net choking spamming machines.

The U.S. government has been a major customer of Microsoft products, mainly because the stuff is easy to use. This is important, because the government cannot compete with the commercial sector when it comes to hiring the best computer talent. Any future wartime use of information war will use programs like Code Red, because all servers using the Microsoft software will not be patched. Well, at least not until a new version of the software is released and all servers upgrade. Put another way, hostile nations will have access to some U.S. servers for years to come. Wartime versions of Code Red will not deface web pages or let it's presence be known. No, the combat version of Code Red will hide out until instructed to launch a denial of service attack, or some other mischief, on American servers. 

One wonders if Microsoft will ever be tried for treason?

 

X

ad

Help Keep Us From Drying Up

We need your help! Our subscription base has slowly been dwindling.

Each month we count on your contributions. You can support us in the following ways:

  1. Make sure you spread the word about us. Two ways to do that are to like us on Facebook and follow us on Twitter.
  2. Subscribe to our daily newsletter. We’ll send the news to your email box, and you don’t have to come to the site unless you want to read columns or see photos.
  3. You can contribute to the health of StrategyPage.
Subscribe   Contribute   Close