Code Red: As Bad As It Gets?

If you haven’t heard about Code Red by now you must have been in hibernation! This most recent worm has fueled the old debate on “Full Disclosure”. Many security experts and corporate users believe that publicizing software flaws will improve security by forcing software vendors to improve the quality of their products and to quickly fix potentially damaging bugs. But reality seems to paint a different picture.

Reality has shown for every new exploit or vulnerability that is found there is an army of “script kiddies” and malcontents ready to take advantage of it. The reality is, if Full Disclosure worked, then Code Red would never have succeeded!

How can I make this claim?

It’s very simple. The .ida vulnerability (on which the Code Red worm is based) was first discovered by eEye and later announced by Microsoft on June 18, 2001. CERT announced the Code Red worm July 19, 2001. That means 30 days after the full disclosure of the .ida vulnerability Code Red was overwhelming network administrators and security personnel around the world!

Is this the Calm after the storm, or calm before the storm?

So, what can we expect now? Is this as bad as it’s going to get? I’m afraid not. Let’s look at a little bit of history. Does anyone remember hearing about the “Morris Worm”, or the “Cornell Internet Worm”? Perhaps that’s a little to ancient for some of you. I’m referring to one of the most infamous examples; a password-collection program which spread to between 3,000 and 4,000 servers, or about 5 percent of the Internet, in November 1988. It was created by then-graduate student Robert T. Morris. The worm exploited flaws in two well-known Internet services and attempted to masquerade as a legitimate user by trying passwords stolen from other systems. This was probably the first worm in the history of the Internet.

How about something a little more recent?

Four hours! That’s how long it took for a beautiful tennis star to become the talk of the Internet, and for the AnnaKournikova virus to force countless companies to shut down their e-mail gateways. Now, the latest worm has made the scene, and it’s been the most costly to date. So what’s next? Unfortunately, there are those among us who feel the need to point the way. I’m referring to two recent articles from industry professionals who think it’s necessary to outline exactly where the perpetrators of Code Red went wrong. Furthermore, they have provided scenarios that could speed the rate of infection from a few hours, to minutes or even seconds! So, armed with this new information, and taking into account the volume of hacking and defacement already being seen everywhere, how long will it be before we see the next massive attack? New viruses similar to “Anna” are being discovered daily. New exploits and vulnerabilities are also discovered daily. It only took 30 days for someone to build Code Red around the .ida exploit. My personal opinion is that we could be seeing the next round of heavy duty activity like Code Red in as little as 60 days, and I’m afraid this time they’ll follow the good advice of the industry professionals that are supposed to be fighting them.

How do we prepare ourselves?

With the increasing speed, agility and intelligence of the viruses and propagating around the Internet, what can we do to be prepared for the next strike? Several organizations have shown their worth during the Code Red debacle. First and foremost in my estimation is incidents.org who led the charge on monitoring the effects and spread of Code Red and it’s variants. They also acted as a central point of information dissemination. Unfortunately, NIPC was behind the power curve (again). It seems that the security community as a whole will have to work together, independently from any Government agencies. Government simply works too slowly to be effective in this sort of event. “incidents” (courtesy of SANS) has the attention of the security community as a whole, and will likely continue to be an effective force in the future. This sort of cooperative effort is what we need to go forward.

I think the future is going to be pretty ugly. We can all sit back quietly and hope I’m wrong. We can hope the “bad guys” don’t learn to build a better worm. Or we can act together in a coordinated effort to monitor our networks for the “on-coming wave” and coordinate our response efforts. Incidents.org has proven themselves to be a valuable ally in this battle, so let’s all synchronize watches! 60 days and counting…