From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Reply-To: iwar@yahoogroups.com
Date: Sun, 29 Jul 2001 18:05:31 -0700 (PDT)
Subject: [iwar] news
Message-Id: <200107300105.SAA27557@big.all.net>
Organization: I'm not allowed to say

JUL 29, 2001

Officials Fight 'Code Red' Attack
By THE ASSOCIATED PRESS

WASHINGTON (AP) -- In an unprecedented show of force against an extremely virulent Internet attack, government and private officials on Monday will implore worldwide organizations to protect themselves from the ``Code Red'' worm.
Representatives from the White House, FBI, Microsoft and others have decided to take the step in the face of one of the largest ever dangers to the Internet. The worm, similar to a virus, could cause widespread slowdowns and sporadic outages.

``The Internet has become indispensable to our national security and economic well-being,'' said Ron Dick, head of the National Infrastructure Protection Center, an arm of the FBI. ``Worms like Code Red pose a distinct threat to the Internet.''

Along with posting various warnings on their Web sites, government officials and representatives from Microsoft were holding a news conference Monday afternoon to publicize their efforts. The government routinely works with private companies to issue warnings about new hack attacks and viruses, but never before have they made such a high-profile stand.

While the actual infection rate is unknown, it is believed to be in the hundreds of thousands of Internet-connected computers. In just the first nine hours of its July 19 outbreak, it infected more than 250,000 systems.

The officials are frustrated that even though a software inoculation was made available over a month before the worm's first attack, many computers are still defenseless. The patch, which will protect computers, can be found on Microsoft's Web site.

The worm defaces Web sites with the words ``Hacked by Chinese.'' While it doesn't destroy data, it could be modified to do so. At least two mutations have already been found.

Code Red exploits a flaw discovered in June in Microsoft's Internet Information Services software used on Internet servers. It is found in Windows NT and 2000 operating systems. Only computers set to use the English language will have their Web pages defaced.

From the first through the 19th of every month, the worm spreads. From the 20th on, it attacks the White House Web site, trying to knock it offline.
The White House took precautions against it, changing its numerical Internet address to dodge the attack. Even though the target has moved, the infected computers will still launch their attack. This, officials said, could slow down the Internet causing sporadic but widespread outages.

Last week, the Pentagon was forced to shut down public access to all of its Web sites temporarily to purge and protect them from the Code Red worm.

Because Code Red spread so quickly, security companies have not been able to figure out who wrote and released it.

Code Red also can damage smaller networks by affecting a certain type of Internet routers, made by Cisco Systems, used for data traffic control.

Steve Lipner, head of Microsoft's security response center, said the company is looking for new ways to distribute patches more efficiently. The government relies on Microsoft and other technology companies to secure everything from defense networks to financial systems.

``The protection of the Internet requires a partnership with the government, private companies and the public as a whole,'' NIPC's Dick said.

On the Net:

National Infrastructure Protection Center: http://www.nipc.gov
Microsoft Security Patch: http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Code Red technical data: http://www.digitalisland.net/coderedalert

==================================================================================

And some chronology from CNET:

July 12: The first Net address from which attacks emanate is later determined to apparently be from Foshan University in China.

July 13: Senior security engineer Ken Eichman notices strange traffic coming in on a port normally used by Web servers.

July 14: Eichman reports the traffic to incident-handling community DShield.org and immediately gets sarcastic responses. "You never heard about Web browsers?" said one.
July 15: DShield.org's Johannes Ullrich gets confirmation that some computers are indeed infected by a worm.

July 16: eEye Digital Security obtains a copy of the worm and begins decoding.

July 17: After spending all night reverse-engineering the binary code and staying awake with "Code Red"-labeled Mountain Dew, eEye releases a partial analysis of the worm it dubbed Code Red. Growth of the worm slows.

July 18: eEye discovers that at 5 p.m. PDT July 19, the worm will direct infected servers to flood the White House Web site with data.

July 18: The virus spread reaches about 12,000.

July 19: Between 1 a.m. and 7 a.m. PDT, someone modifies the worm, fixing a problem with its random-number generator. The new worm spreads faster, leaping from 15,000 infections that morning to almost 350,000 infections by 5 p.m. PDT.

July 19: System administrators for the White House place their Web site on a different IP address: from 198.137.240.91 to 198.137.240.92.

July 19: At 5 p.m. PDT, servers infected by the worm direct their attacks at the original IP address used by Whitehouse.gov. However, the White House's preparations enable its site to dodge the worm. A design flaw causes the worm to send a much-reduced amount of data.

July 19: The worm continues its unsuccessful attack, but it stops infecting other machines, as designed. However, a few infected servers continue to scan the Net, apparently because the administrators had set the time wrong.

July 22: Eichman still detects some active Code Red worms, but their numbers continue to decline.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:38 PDT