[iwar] Attribution of code red

From: Fred Cohen (fc@all.net)
Date: 2001-08-05 08:21:47


Message-Id: <200108051521.IAA06186@big.all.net>
To: iwar@yahoogroups.com
In-Reply-To: <20010805071242.16067.qmail@web14504.mail.yahoo.com> from "e.r." at Aug 05, 2001 12:12:42 AM

Per the message sent by e.r.:

> It sure is nowhere near dead.  Is this a notice from the Party
> Congress that, "America, we have your number (IP)."?  I feel like a math
> teacher.  You have concluded China, but no one has shown me their
> "work".  Is this a breakaway faction in Taiwan throwing out
> disinformation?  If I can use a computer with a .cn in its name, so can
> lots of folks.
>
> Russia has a serious interest in disrupting China's good
> relationship with N. Korea.  All I have heard is it must be China.  WHY?
> And why would they demonstrate no sense of OPSEC and not hit themselves
> on part of their infrastructure they can afford to lose for a bit?

You are, of course, correct.  We cannot definitively pin down its
origin, largely because access to the necessary information is not
available.  We cannot, for example, assure that it's not a US plant
intended to cause the friction between China and the US to get worse.
It could just be a PR person from a computer security firm who did it
to garner publicity.  It could be a PR thing against Microsoft.  It
could be a lot of things.

You have three questions that I think are worth answering:

1) Why does it look like China?

	a) The recent variations are not attributed in this way - only the original.

	b) The first published detected Code Red packet came from an IP address in China.
		This is not a real strong indicator on its own; however, it cannot be
		as easily forged as simply calling yourself from China.  You need to be
		in the data stream between the target and China and sniff all of the
		back packets and respond to them properly.  While the technology to do
		this now exists, it would mean access to an ISP en route.

	c) It differentiates Chinese from non-Chinese via character usage and it uses Chinese
		properly - something that significantly reduces the population of folks
		who could do it - but of course this does not eliminate any high grade
		threat or lucky low grade threat.

	d) The code is similar in 'hand' to code written and executed during the week of
		Chinese attacks against US sites several months ago.  This is far harder to
		fake, but then the judgement of 'hand' in this case is not all that precise.

	e) The techniques being used are the same ones used in the previous attacks - including
		one of the same overrun mechanisms.  This is not a real strong indicator, but
		having seen the attacks from a defender's standpoint and then seeing the code that
		generates the same behavior, this would seem to be a pretty good indicator.

	f) China has not vehemently denied it.  They don't really have to.  After all, if they
		did not do it, they could use it to 'send a message' even if they hadn't
		created it - but this does not seem like the historical bent of the Chinese.

	g) It says it came from China - obviously not definitive - but who else would want to
		do this, and if China was being slandered, wouldn't you hear them saying so?
		Historically, they have been quite vocal about such things.  They are a proud
		people in this way and I find it hard to swallow that they would not deny its
		creation strongly if they had not created it. (At this point it would be too late
		to start seeing the denials).

2) Is it just a rebel faction?

	a) Not likely - China keeps a fairly tight rein over their part of the Internet.  They
		recently raided a significant portion of their ISPs and shut down lots of Internet
		cafes - but not the sites with the folks who launched the attacks against the US
		in the week of Internet attacks - as far as I can tell.

	b) China would likely seek retribution against such a faction.  It is their way.  And we have
		not seen this sort of action on the ground so far.

	c) The Chinese unauthorized attack community (if there is one) did not claim any ownership
		and neither did any others - which is very common for folks who are doing this for
		fun or pleasure.


3) Do they have the technical capability?

	No question this is within the capability they have displayed in the past.  It uses
		some of the same code and same tricks they have previously used, they have a
		history of writing viruses of this sort, and so forth.  No doubt at all that
		they could do it.

4) Why does China not try to hide it?

	a) You cannot hide the fact of its infecting Chinese systems differently than US systems
		because the differentiator must be sent with the worm or it cannot do the
		differentiation.  It is a fact that it does this differentiation.

	b) They are trying to send a message.

5) What are the realistic possibilities?

	a) It's China. Sending a message -or- practicing in the open -or- doing what they
		declared they would do several years ago, bringing down the west by using
		our technology against us ... Sugar in a million gas tanks instead of Pearl
		Harbor.

	b) It's someone trying to lay it off on China.  If so, you would think that China would
		come forth with strong denials - unless: (i) they want us to believe it even
		if they didn't really do it or (ii) some other policy issue prevents them from
		denying it.

6) If it's a message, what is the message?

	It's always hard to read such messages clearly except in hindsight.  I'll try a few:

	a) Don't push us too far.  You want to be our friend, don't you?

	b) Remember this when we move into Taiwan.

	c) You imperialist fools don't know what you have done to yourselves.

	d) Use Linux - not Microsoft? (I felt compelled to say it somewhere).

FC
--This communication is confidential to the parties it is intended to serve--
Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net		The University of New Haven.....http://www.unhca.com/
http://all.net/		Sandia National Laboratories....tel:925-294-2087
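Point 1b above rests on a distinction an analyst weighing attribution evidence should keep in mind: a string in a payload or a self-declared origin costs nothing to forge, whereas a source address recorded from a completed TCP connection can only be forged by someone who sees the return packets. The Python model below is an added illustration, not code from the original message or its author; the `Server` and `Packet` classes, the actor functions, the addresses and the sequence numbers are all constructed for the example. It models the three-way handshake with an unpredictable initial sequence number (ISN) and shows which senders end up logged as "established" under the claimed address.

```python
# Added illustration (not code from the original message or its author):
# a toy model of why a source address observed in a completed TCP handshake
# is harder to forge than a self-declared origin. All addresses, sequence
# numbers and class/function names below are constructed for the example.
import secrets
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Server:
    """Records a source address only after a correct three-way handshake."""

    def __init__(self, addr: str):
        self.addr = addr
        self.pending = {}        # client address -> ISN we sent in the SYN-ACK
        self.established = []    # addresses that completed the handshake

    def receive(self, pkt: Packet):
        if pkt.flags == "SYN":
            isn = secrets.randbelow(2**32)          # unpredictable ISN
            self.pending[pkt.src] = isn
            # The SYN-ACK is routed to pkt.src, whoever really sent the SYN.
            return Packet(self.addr, pkt.src, "SYN-ACK", isn, pkt.seq + 1)
        if pkt.flags == "ACK" and pkt.src in self.pending:
            if pkt.ack == self.pending.pop(pkt.src) + 1:
                self.established.append(pkt.src)
        return None


def honest_client(server: Server, my_addr: str) -> bool:
    """A real client receives the SYN-ACK and can acknowledge the server's ISN."""
    synack = server.receive(Packet(my_addr, server.addr, "SYN", seq=1000))
    server.receive(Packet(my_addr, server.addr, "ACK", seq=1001, ack=synack.seq + 1))
    return my_addr in server.established


def off_path_forgery(server: Server, claimed_src: str) -> bool:
    """Sender is NOT on the path between server and claimed_src: the SYN-ACK
    is delivered to claimed_src, so the server's ISN is never seen and must be
    guessed (1 chance in 2**32 per attempt)."""
    server.receive(Packet(claimed_src, server.addr, "SYN", seq=5000))
    guessed_isn = secrets.randbelow(2**32)
    server.receive(Packet(claimed_src, server.addr, "ACK", seq=5001, ack=guessed_isn + 1))
    return claimed_src in server.established


def on_path_forgery(server: Server, claimed_src: str) -> bool:
    """Sender sits on the route ("access to an ISP en route" in the message)
    and reads the SYN-ACK as it passes, so the correct ACK is trivial."""
    synack = server.receive(Packet(claimed_src, server.addr, "SYN", seq=5000))
    server.receive(Packet(claimed_src, server.addr, "ACK", seq=5001, ack=synack.seq + 1))
    return claimed_src in server.established


def run_model() -> dict:
    """Run each actor against a fresh server and report who got logged."""
    return {
        "honest": honest_client(Server("203.0.113.10"), "198.51.100.7"),
        "off_path": off_path_forgery(Server("203.0.113.10"), "192.0.2.99"),
        "on_path": on_path_forgery(Server("203.0.113.10"), "192.0.2.99"),
    }


if __name__ == "__main__":
    for actor, logged in run_model().items():
        print(f"{actor:9s} claimed address logged as established: {logged}")
```

The model is deliberately minimal: it ignores retransmission, timeouts and the many real-world ways an ISN can be weak or leaked. Its point for the attribution argument is the one the message makes: an address logged from a completed connection is evidence that the sender either was at that address or could observe traffic to it, which is a much smaller population than "anyone who can type a string into a payload". It also shows the limit of that evidence, since an observer on the route defeats it entirely.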





This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT