[iwar] news

From: Fred Cohen (fc@all.net)
Date: 2001-07-29 18:05:31


To: iwar@onelist.com (Information Warfare Mailing List)

JUL 29, 2001
Officials Fight 'Code Red' Attack
By THE ASSOCIATED PRESS


WASHINGTON (AP) -- In an unprecedented show of force against an extremely 
virulent Internet attack, government and private officials on Monday will 
implore worldwide organizations to protect themselves from the ``Code Red'' 
worm.

Representatives from the White House, FBI, Microsoft and others 
have decided to take the step in the face of one of the largest ever dangers 
to the Internet. The worm, similar to a virus, could cause widespread 
slowdowns and sporadic outages.

``The Internet has become indispensable to our national security and economic 
well-being,'' said Ron Dick, head of the National Infrastructure Protection 
Center, an arm of the FBI. ``Worms like Code Red pose a distinct threat to 
the Internet.''

Along with posting various warnings on their Web sites, government officials 
and representatives from Microsoft were holding a news conference Monday 
afternoon to publicize their efforts.

The government routinely works with private companies to issue warnings about 
new hack attacks and viruses, but never before have they made such a 
high-profile stand.

While the actual infection rate is unknown, it is believed to be in the 
hundreds of thousands of Internet-connected computers. In just the first nine 
hours of its July 19 outbreak, it infected more than 250,000 systems.

The officials are frustrated that even though a software inoculation was made 
available over a month before the worm's first attack, many computers are 
still defenseless. The patch, which will protect computers, can be found on 
Microsoft's Web site.

The worm defaces Web sites with the words ``Hacked by Chinese.'' While it 
doesn't destroy data, it could be modified to do so. At least two mutations 
have already been found.

Code Red exploits a flaw discovered in June in Microsoft's Internet 
Information Services software used on Internet servers. It is found in 
Windows NT and 2000 operating systems.

Only computers set to use the English language will have their Web pages 
defaced. From the first through the 19th of every month, the worm spreads. 
From the 20th on, it attacks the White House Web site, trying to knock it 
offline.

The White House took precautions against it, changing its numerical Internet 
address to dodge the attack.

Even though the target has moved, the infected computers will still launch 
their attack. This, officials said, could slow down the Internet causing 
sporadic but widespread outages.

Last week, the Pentagon was forced to shut down public access to all of its 
Web sites temporarily to purge and protect them from the Code Red worm.

Because Code Red spread so quickly, security companies have not been able to 
figure out who wrote and released it.

Code Red also can damage smaller networks by affecting a certain type of 
Internet routers, made by Cisco Systems, used for data traffic 
control.

Steve Lipner, head of Microsoft's security response center, said the company 
is looking for new ways to distribute patches more efficiently.

The government relies on Microsoft and other technology companies to secure 
everything from defense networks to financial systems.

``The protection of the Internet requires a partnership with the government, 
private companies and the public as a whole,'' NIPC's Dick said.

On the Net:
National Infrastructure Protection Center: http://www.nipc.gov
Microsoft Security Patch: 
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
Code Red technical data: http://www.digitalisland.net/coderedalert

==================================================================================

And some chronology from CNET:

July 12: The first Net address from which attacks emanate is later
determined to apparently be from Foshan University in China. 

July 13: Senior security engineer Ken Eichman notices strange traffic
coming in on a port normally used by Web servers. 

July 14: Eichman reports the traffic to incident-handling community
DShield.org and immediately gets sarcastic responses.  "You never heard
about Web browsers?" said one. 

July 15: DShield.org's Johannes Ullrich gets confirmation that some
computers are indeed infected by a worm. 

July 16: eEye Digital Security obtains a copy of the worm and begins
decoding. 

July 17: After spending all night reverse-engineering the binary code
and staying awake with "Code Red"-labeled Mountain Dew, eEye releases a
partial analysis of the worm it dubbed Code Red.  Growth of the worm
slows. 

July 18: eEye discovers that at 5 p.m.  PDT July 19, the worm will
direct infected servers to flood the White House Web site with data. 

July 18: The virus spread reaches about 12,000. 

July 19: Between 1 a.m.  and 7 a.m.  PDT, someone modifies the worm,
fixing a problem with its random-number generator.  The new worm spreads
faster, leaping from 15,000 infections that morning to almost 350,000
infections by 5 p.m.  PDT. 

July 19: System administrators for the White House place their Web site
on a different IP address: from 198.137.240.91 to 198.137.240.92. 

July 19: At 5 p.m.  PDT, servers infected by the worm direct their
attacks at the original IP address used by Whitehouse.gov.  However, the
White House's preparations enable its site to dodge the worm.  A design
flaw causes the worm to send a much-reduced amount of data. 

July 19: The worm continues its unsuccessful attack, but it stops
infecting other machines, as designed.  However, a few infected servers
continue to scan the Net, apparently because the administrators had set
the time wrong. 

July 22: Eichman still detects some active Code Red worms, but their
numbers continue to decline.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:38 PDT