In the wake of the recent attacks of the "Code Red" Internet worm, several journalists wrote articles claiming that the worm had not destroyed the Internet, and that consequently the many warnings about the worm were all a matter of hype.
See below for links to some examples:
http://www.time.com/time/columnist/taylor/article/0,9565,169678,00.html
http://news.cnet.com/news/0-1276-210-6764934-1.html
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1470000/1470246.stm
I strongly disagree, and the rise of a new worm, "Code Red II", which is completely different from "Code Red" but takes advantage of the same hole in Microsoft's server software, helps bring the issue into perspective. Technical reports on the new worm are also available below.
http://www.dslreports.com/forum/remark,1226089;root=security,1;mode=flat
http://aris.securityfocus.com/alerts/codered2/
http://www.securityfocus.com/archive/75/201877
http://www.securityfocus.com/archive/75/201878
The most accessible explanation of the problem behind both worms is: http://braddock.com/cr2.html
Here, though, I want to vent about the journalists who have been clucking about the Code Red hype. Yes, there was some hype, in the form of reports that made it sound like regular users who aren't running servers needed to download the IIS patch. But that hype was perfectly understandable given the very real need to distribute an alert combined with the extremely technical nature of the problem. And yes, the worm was "never dangerous" in the sense that, by pure luck, it had a bug that prevented it from carrying out its planned destruction. But these "it's all hype" types of reports are grossly irresponsible nonetheless, for several reasons.
First of all, anything that invades a quarter-million servers is a serious matter. Do we need any more reason to be raising alarms about the state of our information infrastructure? One particularly thoughtless columnist even said, who cares if some eBay bids don't go through? I don't have words strong enough to denounce this.
What is more, the fact that the worm had a bug was not remotely obvious at first. It didn't become clear until some very smart people worked a lot of hard hours to capture a copy of it, disassemble it, study it, and run experiments on it. And even then the security people couldn't really be sure how the worm would interact with the full range of real systems out there in the world, with a quarter-million copies of the thing all probing machines at random to see what they could find.
Furthermore, the worm could have been extremely destructive through simple changes to its code. A distributed denial-of-service attack from a quarter-million servers -- that is, an attack in which a quarter-million of the most powerful, highest-bandwidth computers on the whole Internet send complete junk onto the network at their maximum capacity at the same time -- would bring large parts of the Internet to a halt. These attacks are nearly impossible to defend against, and the sites to which the junk is directed would be off-line for the duration. Nobody knows for certain how the network itself would react to that kind of load, but we do know that traffic was badly disrupted by the train fire in Baltimore last month that cut a single link.
The most destructive features of the worm were actually backward by the standards of current worm engineering. The worm was programmed to attack a single site, but other worms are programmed to lie dormant until they receive orders from headquarters. Much more sophisticated schemes are easy to imagine.
Nor has the danger passed. The vulnerability that the first Code Red worm exploited is still out there. A new worm could come along and infect the exact same quarter-million servers within about twelve hours at any time. That is what appears to be happening now. The worm-writers read the trade press and the online security sites, and they know very well what went wrong with the first worm and how to fix it.
Both the first and second waves of that worm infected something in the general order of a quarter-million servers, even though between the two waves the vendors, government agencies, and media flooded the airwaves with publicity urging IIS server administrators to download the patch. Yes, I realize that some machines did get patched, and that the second wave of the worm may have been able to attack machines that the first version could not. Nonetheless, we are talking about the general order of a quarter of a million servers. Short of tracking all quarter-million of them down individually and yelling at them, nobody has any other way of compelling these server administrators to download the necessary patches.
These difficulties have deep roots in the law and economics of software as they exist now. Server administrators do not have enough incentives to load the necessary patches. These so-called zombie worms do not inflict their main damage on the servers they invade, but on the third-party sites that they attack. This is what economists call an externality. If server administrators had effective liability for the damage that their machines are used to create, then they'd have the necessary incentives, or something closer to them.
On a technical level, the Code Red worm was not (i.e., is not, because it's still alive) a fluke. It exploits a type of security vulnerability -- a buffer overflow -- that results from grossly shoddy engineering, but that has nonetheless been seen many times, in many products from many vendors. The worm is, in other words, evidence of a systemic problem, and one that is getting steadily worse as black hats get more and more bored with not destroying the information infrastructure of the whole world.
The most basic problem is that markets for many of the most security-sensitive categories of software are highly concentrated. In the present case the vendor, Microsoft, has been found to be a monopolist by a federal appeals court. Because of its market power, it experiences little market pressure to reform its shoddy engineering practices. Instead, it invests in dime-a-dozen propagandists who fashion misleading sound bites that dissociate responsibility from their own firm, either denying that the security vulnerabilities in their products are actually vulnerabilities, or claiming that the users are at fault, or that it's about computers in general and not their own products in particular, or that the threat from worms is all hype.
Am I predicting that the Internet will collapse? No, what I am doing is denouncing the simplistic dichotomy of "it's the end of the world" versus "it's all hype". The new "Code Red II" worm has already mobilized the security community, who are hard at work preparing alerts, remedies, patches, counterattacks, and everything else they can think of. They will probably succeed in preventing the Internet from shutting down, and more power to them. When they do, let's not talk about what hype it all was. Instead, let's talk about what heroes the white-hat security people are, what long hours they put in, and what a criminal shame it is that such heroic efforts were necessary to prevent critical infrastructure from collapsing.