

CBR is proudly produced & published
by Technews
Issue Date: September 2001 (es)

Code Red

September 2001
Bruce Schneier, Counterpane Internet Security

There has been a lot written about Code Red and its variants in the past month. There are lessons in both the specifics of the original infection, and the general threats these worms exemplify. So, first the trees and then the forest.
The trees
On 19 July 2001, the White House narrowly averted a terrorist attack when security personnel were able to exploit a flaw in a bomb's trigger mechanism and evacuate key personnel to a remote location, causing the bomb to fizzle. The attack was a denial-of-service attack, the target was the White House website, and the flaw was in malicious code, but other than that the sensationalist story is basically correct. And this tale of attack and defence in cyberspace contains security lessons for us all.
In June, eEye Digital Security discovered a serious vulnerability in Microsoft's Internet Information Server (IIS) that would allow a hacker to take control of the victim's computer. Microsoft hastily patched the software to eliminate the vulnerability, as they are generally good about doing these days.
By now, everyone realises that it is impossible for system administrators to keep their patches up to date, so it came as no surprise that hacker tools developed to exploit the vulnerability were able to break into unpatched systems. The Code Red worm exploited this vulnerability. This worm, estimated to have affected over 300 000 computers in the first week, spread automatically without any user intervention (no attachments to open).
Even during the first week there were several variants of the original worm, and most early articles underestimated its virulence - both in terms of what it does and how well it succeeded. When the original Code Red infected a computer, it defaced any website on the server with the words: "Welcome to! Hacked by Chinese!" (One variant only defaced the site for 10 hours.) Simultaneously, the worm attacked 99 hosts at a time, as quickly as possible. The original variant spread slowly, both because the website defacement called attention to itself, and because it had a buggy random number generator. (It is important to use a different seed each time.) A corrected variant, with a correct random number generator and no defacement, spread at a much faster rate. Peak infection rates were estimated at 6000 hosts a minute.
So far, this is a normal, if virulent, worm. But there was an additional feature. The Code Red worm was programmed to flood the White House website in a massively coordinated distributed denial-of-service attack at 8 pm on 19 July. The attack failed because of some programming errors in the worm. One, the attack was against a specific IP address, and not a URL. So the site moved from one IP address to another to avoid the attack. And two, the worm was programmed to check for a valid connection before flooding its target. With the site at a different IP address, there was no valid connection. No connection, no flooding.
The worm was programmed to continue to spread until 20 July, and try to attack the site's former IP address until 28 July. Then, on 1 August, it was to go back to spreading. At least some variants are still spreading today, albeit at a much slower rate than many of the Internet doomsayers predicted.
At first glance, this looked to be a politically motivated attack: hacktivism, as it has come to be called. The worm's defacement message implied that it was Chinese, and it was programmed to attack only English-language versions of Windows NT or 2000. If it encountered a foreign version, it went into hibernation, neither spreading nor attacking the White House. But it is hard to know for sure; many random hackers take on mantles of political activism because it gives them a cool cover story. Honestly, I do not believe the political connection.
The White House got lucky
The next worm writer will not make the same programming mistakes. The White House could have alerted their ISP and the upstream network nodes to block the offending packets, but only because they knew what the attack looked like and had enough warning. We cannot count on that next time, either.
Since the original Code Red attack, there have been several new (and nastier) variants of the worm discovered, predictions of the entire Internet clogging, admonitions for system administrators to patch their IIS systems to prevent the worm's spreading, and reams of columnists trying to make sense of it all. The result, predictably, is apathy. A CNN on-line poll showed that 84% of Americans were no longer worried about Code Red. Cry wolf too often, and the public just stops listening.
Now, the forest
The truth is that we all got lucky. Code Red could have been much worse. It had full control of every machine it took over; it could have been programmed to do anything the author imagined, including dropping the entire Internet. It could have spread faster and smarter. It could have exploited several vulnerabilities, and not just one. It could have been stealthier. It could have been polymorphic. Code Red II installs a back door in infected computers. Code Red III is further improved. What will Code Red IV do? What will Code Red XXVII do?
I have said for a long time that the Internet is too complex to secure. One of the reasons is that it is too complex to understand. The swath of erroneous predictions about Code Red's effects illustrates this: we do not know how the Internet really works. We know how it should work, but we are constantly surprised. It is no wonder we cannot adequately secure the Internet.
The hundreds of thousands of infected networks could have had better security, but I have long argued that expecting users to keep their patches current is blaming the victim. Even so, I would have expected most people to install *this* patch. But as late as 1 August, after Code Red had been in the headlines for weeks, the best estimates show that only 50% of IIS systems had been patched. Even Microsoft, the company that continually admonishes us all to install patches quickly, was infected by Code Red in unpatched systems.
The Internet moves too fast for static defences
You cannot install every possible patch, and you do not know beforehand which ones are going to be important. New viruses and worms appear all the time, and you do not know beforehand which ones are the ones to worry about. If we are going to make security work on the Internet, we need to think differently. I have put my effort into detection and response, instead of protection, because detection and response can be resilient. I have put my effort into people instead of software because people can be resilient.
But even if you can secure your particular network, what about the millions of other networks out there that are not secure? One of the great security lessons of the past few years is that we are all connected. The security of your network depends on the security of others, and you have no control over their security.
We should not lose sight of who is really to blame for this problem. It is not the system administrators who did not install the patch in time, or the firewall and IDS vendors whose products did not catch the problem. It is the authors of the worm and its variants, eEye for publicising the vulnerability, and especially Microsoft for selling a product with this security problem. You can argue that eEye did the right thing by publicising this vulnerability, but personally I am getting a little tired of them adding weapons to hackers' arsenals. I support full disclosure and believe that it has done a lot to improve security, but eEye is going too far. As for Microsoft, you can argue that the marketplace will not pay for secure and reliable software, but the fact remains that this is a software problem. If software companies were held liable for systematic problems in their products, just like other industries (remember Firestone tyres), we would see a whole lot less of this kind of thing.
Lessons of Code Red
There are two other lessons of Code Red that I have not seen talked about.
* One: Code Red's infection mechanism causes insecure computers to identify themselves to the Internet, and this feature can be profitably exploited. My network is regularly probed by Code Red-infected computers, trying to infect me. I can easily generate a list of those computers and their IP addresses. This is a list of computers vulnerable to the particular IIS exploit that Code Red uses. If I wanted to, I could attack every computer on that list and install whatever Trojan or back door I wanted. I do not have to scan the network; vulnerable computers are continuously coming to me and identifying themselves. How many hackers are piggybacking on Code Red in this manner?
* Two: Code Red's collateral damage illustrates the dangers of relying on HTTP as the Internet's communications medium. Cisco has admitted that DSL routers with older firmware were susceptible to a denial-of-service attack when attacked by Code Red. HP print servers and 3Com LANmodems also seem to have been similarly affected, and it is likely that other network infrastructure hardware fell over as well. These devices were not specifically targeted by Code Red. Instead, their Web interface couldn't handle the Code Red attack. There has been an enormous proliferation of random devices with a web interface: listening on Port 80. This is a large single-point-of-failure that Code Red has illustrated, and no one seems to be talking about.
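The first lesson, seen from the defender's side: the probes that reach your own web server are enough to tell which hosts are infected, so they can be blocked or reported to their owners. The sketch below is an added example, not code from the article. It assumes Common Log Format access logs, the well-known Code Red request for /default.ida padded with a long run of N (original worm) or X (Code Red II), and a minimum run length of 100 chosen for illustration. The log lines are constructed and use documentation-range addresses.

```python
import re
from datetime import datetime

# Common Log Format: host ident user [time] "method target proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# /default.ida whose query starts with a long run of one padding letter.
# The 100-character minimum is an assumed threshold, not a value from the article.
PROBE = re.compile(r'^/default\.ida\?([NX])\1{99,}', re.IGNORECASE)
VARIANT = {"N": "Code Red (N padding)", "X": "Code Red II (X padding)"}

def make_line(ip, ts, path, status=404):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.0" {status} -'

# Constructed sample data; only the padding is reproduced, not the worm's payload.
SAMPLE_LOG = [
    make_line("192.0.2.10", "19/Jul/2001:14:02:11", "/default.ida?" + "N" * 224),
    make_line("198.51.100.7", "19/Jul/2001:14:02:15", "/index.html", 200),
    make_line("192.0.2.10", "19/Jul/2001:14:09:40", "/default.ida?" + "N" * 224),
    make_line("203.0.113.55", "05/Aug/2001:03:17:02", "/default.ida?" + "X" * 224),
    make_line("198.51.100.7", "05/Aug/2001:03:20:00", "/default.ida?NNNN"),  # short run: ignored
    "truncated or corrupt line",                                              # not CLF: skipped
]

def probing_hosts(lines):
    """Return {source_ip: {hits, variants, first, last}} for Code Red style probes."""
    hosts = {}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status = m.groups()
        p = PROBE.match(target)
        if not p:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        h = hosts.setdefault(ip, {"hits": 0, "variants": set(), "first": when, "last": when})
        h["hits"] += 1
        h["variants"].add(VARIANT[p.group(1).upper()])
        h["first"], h["last"] = min(h["first"], when), max(h["last"], when)
    return hosts

if __name__ == "__main__":
    for ip, h in sorted(probing_hosts(SAMPLE_LOG).items()):
        print(ip, h["hits"], sorted(h["variants"]), h["first"].isoformat(), h["last"].isoformat())
```

The per-host first and last timestamps show how long a source has stayed infected, which is useful when notifying the responsible network.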
Hacking is a way of life on the Internet
Remember a few years ago, when defacing a website made the newspaper? Remember two years ago, when distributed denial-of-service attacks and credit card thefts made the newspaper? Or last year, when fast-spreading worms and viruses made the newspaper? Now these all go unreported because they are so common. Code Red ushers in a new form of attack: a preprogrammed worm that unleashes a distributed attack against a predetermined target. After a couple of dozen Code Red variants and other worms designed along similar lines, we'll think of them too as business as usual on the Internet.
And oddly enough, the Internet will survive.
