From: Fred Cohen <fc@all.net>
To: iwar@yahoogroups.com
Date: Sun, 5 Aug 2001 08:21:47 -0700 (PDT)
Subject: [iwar] Attribution of code red
Message-Id: <200108051521.IAA06186@big.all.net>
In-Reply-To: <20010805071242.16067.qmail@web14504.mail.yahoo.com> from "e.r." at Aug 05, 2001 12:12:42 AM
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com

Per the message sent by e.r.:

> It sure is nowhere near dead. Is this a notice from the Party
> Congress that, "America, we have your number (IP)"? I feel like a math
> teacher.
> You have concluded China, but no one has shown me their
> "work". Is this a break-away faction in Taiwan throwing out
> disinformation? If I can use a computer with a .cn in its name, so can
> lots of folks.
>
> Russia has a serious interest in disrupting China's good
> relationship with N. Korea. All I have heard is it must be China. WHY?
> And why would they demonstrate no sense of OPSEC and not hit themselves
> on part of their infrastructure they can afford to lose for a bit?

You are, of course, correct. We cannot definitively pin down its origin, largely because access to the necessary information is not available. We cannot, for example, assure that it's not a US plant intended to cause the friction between China and the US to get worse. It could just be a PR person from a computer security firm who did it to garner publicity. It could be a PR thing against Microsoft. It could be a lot of things.

You have three questions that I think are worth answering:

1) Why does it look like China?

a) The recent variations are not attributed in this way - only the original.

b) The first published detected Code Red packet came from an IP address in China. This is not a real strong indicator on its own; however, this cannot be as easily forged as simply calling yourself from China. You need to be in the data stream between the target and China and sniff all of the back packets and respond to them properly. While the technology to do this now exists, it would mean access to an ISP en route.

c) It differentiates Chinese from not Chinese via character usage and it uses Chinese properly - something that significantly reduces the population of folks who could do it - but of course this does not eliminate any high grade threat or lucky low grade threat.

d) The code is similar in 'hand' to code written and executed during the week of Chinese attacks against US sites several months ago. This is far harder to fake, but then the judgement of 'hand' in this case is not all that precise.
e) The techniques being used are the same ones used in the previous attacks - including one of the same overrun mechanisms. This is not a real strong indicator, but having seen the attacks from a defender's standpoint and then seeing the code that generates the same behavior, this would seem to be a pretty good indicator.

f) China has not vehemently denied it. They don't really have to. After all, if they did not do it, they could use it to 'send a message' even if they hadn't created it - but this does not seem like the historical bent of the Chinese.

g) It says it came from China - obviously not definitive - but who else would want to do this, and if China was being slandered, wouldn't you hear them saying so? Historically, they have been quite vocal about such things. They are a proud people in this way and I find it hard to swallow that they would not deny its creation strongly if they had not created it. (At this point it would be too late to start seeing the denials.)

2) Is it just a rebel faction?

a) Not likely - China keeps a fairly tight rein over their part of the Internet. They recently raided a significant portion of their ISPs and shut down lots of Internet cafes - but not the sites with the folks who launched the attacks against the US in the week of Internet attacks - as far as I can tell.

b) China would likely seek retribution against such a faction. It is their way. And we have not seen this sort of action on the ground so far.

c) The Chinese unauthorized attack community (if there is one) did not claim any ownership and neither did any others - which is very common for folks who are doing this for fun or pleasure.

3) Do they have the technical capability?

No question this is within the capability they have displayed in the past. It uses some of the same code and same tricks they have previously used, they have a history of writing viruses of this sort, and so forth. No doubt at all that they could do it.

4) Why does China not try to hide it?
a) You cannot hide the fact of its infecting Chinese systems differently than US systems because the differentiator must be sent with the worm or it cannot do the differentiation. It is a fact that it does this differentiation.

c) They are trying to send a message.

5) What are the realistic possibilities?

a) It's China. Sending a message -or- practicing in the open -or- doing what they declared they would do several years ago, bringing down the west by using our technology against us ... Sugar in a million gas tanks instead of Pearl Harbor.

b) It's someone trying to lay it off on China. If so, you would think that China would come forth with strong denials - unless: (i) they want us to believe it even if they didn't really do it or (ii) some other policy issue prevents them from denying it.

6) If it's a message, what is the message?

It's always hard to read such messages clearly except in hindsight. I'll try a few:

a) Don't push us too far. You want to be our friend, don't you?

b) Remember this when we move into Taiwan.

c) You imperialist fools don't know what you have done to yourselves.

d) Use Linux - not Microsoft? (I felt compelled to say it somewhere.)

FC

--This communication is confidential to the parties it is intended to serve--
Fred Cohen              Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net              The University of New Haven.....http://www.unhca.com/
http://all.net/         Sandia National Laboratories....tel:925-294-2087
This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT