
The Weakest Link

Week of July 24, 2001

Watching the Asteroid Approach

It was amusing, terrifying, interesting, and irritating, all at once.

Last Thursday afternoon I sat here and watched the cable modem go wild, as if thousands of machines were trying to do port scans all at once. That's because thousands of machines were trying to do port scans all at once.

It seemed to come in waves - first the blinking 'incoming' light would flash, then it would flash frequently, then it would be solidly on, semi-flashing like a little orange neon bulb, with only an occasional, sub-second break. Twice, the load was such that the cable modem just shut itself down; once it was nearly an hour before it came back.

I think I keep my machines here buttoned up pretty tightly, safe behind their firewall and running, really, no services. But just as the diver in his cage must as the sharks approach, I had the tiniest bit of doubt. I knew the system was as tight as I could make it, but I didn't entirely believe it.

Last Thursday, in case you didn't follow the industry press closely (there having been unforgivably little coverage in the mainstream media), was when the chief effects of what is known as the Code Red worm were felt.

Code Red is a worm that exploits a known security flaw in Microsoft's web hosting software. The flaws in Microsoft's web hosting software have been so legendary that a couple months ago a well-known industry web site retracted a report of one, thinking it was repeating a story many months old. An easy mistake to make, but it was the retraction that was wrong: Microsoft had discovered that its earlier fix hadn't secured the product. Now, said Microsoft, here was the patch that would cover the hole. Everyone, said Microsoft, should apply it. Not everyone did; there are nearly a quarter-million known infected servers. (Among those who didn't apply the patch was Microsoft Corp., as many who rushed to windowsupdate.com for the patch last week discovered. A lot of those disappointed visitors made screenshots of what they found.)

What they found was a defaced web page with the URL of a site that had nothing to do with the attack and a claim that the Chinese were responsible, something that has not, best I can tell, been either confirmed or disproved.

If that had been all that Code Red did, it would certainly have been criminal but there would at least have been the knowledge that the only people affected were those who should have known better. (Here there might be disagreement as to what knowing better would have comprised. Certainly it would at least have involved applying the patch. But there's a good argument to be made that knowing better requires not running any Microsoft Internet-related software on any machine that is connected to any other machine or group thereof, and that is the argument that I shall champion as our story unfolds.)

This worm had more on its squirmy little mind, though, than screwing up a bunch of web pages. It also spun off a hundred threads, each looking for other machines to infect. These, in turn, sent their own hundred feelers. And so on.

The idea, based on dissection of the thing, was to propagate as widely as it could until Friday. At that point it would begin sending 4.1-meg globs of data to the IP address that had been occupied by www.whitehouse.gov, every four hours or so, for a week. Then it would start sending itself all over creation again.

(I oversimplify here a little - for instance, it defaced the web pages only where it found English language versions of the web server; elsewhere, it would infect but leave the pages intact. There are some additional fine points - duration and frequency of the attack on the IP address, for instance - that I have approximated.)

What I was watching Thursday was the frenzied attempt of this monster to propagate, as a hundred discrete threads from each of at least a quarter of a million machines - 25,000,000 would-be worm infections - were going just as fast as they could, trying to find a machine to infect. We're talking, in effect, an impressive denial-of-service attack here. If the worm's construction is to be taken as a statement of intent - something of which we cannot be sure - then the DOS was merely a side-effect, an overture before the real show began. The White House runs Linux for portions of its web operations, but when you have 25,000,000 attempts by Windows machines to send you 4.1-meg packages, it doesn't much matter what you're running.
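The column describes the propagation wave as a blinking light on a cable modem. A defender would rather measure it from the firewall's drop log: how many attempts per minute, from how many distinct sources, against which port. The script below is an added example, not part of the original column; the log format (`<ISO timestamp> DROP <src> -> <dst>:<port>`) and the addresses in `SAMPLE_LOG` are constructed for illustration, and the threshold of five attempts per minute is an arbitrary assumption.

```python
"""Characterise a scanning wave from constructed firewall drop-log lines.

Added example, not code from the original column. Log format and sample
addresses are constructed; the burst threshold is an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: a quiet minute, a burst from many sources, a junk
# line the parser must skip, and a lone straggler.
SAMPLE_LOG = """
2001-07-19T14:00:05 DROP 203.0.113.7 -> 198.51.100.2:80
2001-07-19T14:00:40 DROP 203.0.113.9 -> 198.51.100.2:80
2001-07-19T14:03:01 DROP 203.0.113.7 -> 198.51.100.2:80
2001-07-19T14:03:02 DROP 203.0.113.11 -> 198.51.100.2:80
2001-07-19T14:03:02 DROP 203.0.113.12 -> 198.51.100.2:80
2001-07-19T14:03:03 DROP 203.0.113.13 -> 198.51.100.2:80
2001-07-19T14:03:03 DROP 203.0.113.14 -> 198.51.100.2:80
2001-07-19T14:03:04 DROP 203.0.113.15 -> 198.51.100.2:80
2001-07-19T14:03:05 DROP 203.0.113.16 -> 198.51.100.2:443
2001-07-19T14:03:06 DROP 203.0.113.13 -> 198.51.100.2:80
this line is garbage and must be skipped
2001-07-19T14:05:10 DROP 203.0.113.7 -> 198.51.100.2:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
    }


def bucket_by_minute(records):
    """Group records per minute, tracking attempt count and distinct sources."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for r in records:
        key = r["ts"].replace(second=0, microsecond=0)
        buckets[key]["count"] += 1
        buckets[key]["sources"].add(r["src"])
    return buckets


def find_waves(buckets, threshold):
    """Minutes whose attempt count reaches the threshold, in time order."""
    return sorted(k for k, v in buckets.items() if v["count"] >= threshold)


def analyze(log_text, threshold=5):
    """Summarise a log: parsed lines, burst minutes, peak source diversity, top port."""
    records = [r for r in map(parse_line, log_text.strip().splitlines()) if r]
    buckets = bucket_by_minute(records)
    waves = find_waves(buckets, threshold)
    ports = Counter(r["port"] for r in records)
    return {
        "parsed": len(records),
        "waves": [w.strftime("%H:%M") for w in waves],
        "peak_sources": max((len(v["sources"]) for v in buckets.values()), default=0),
        "top_port": ports.most_common(1)[0][0] if ports else None,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A burst minute with many distinct sources all hitting one port is the signature of worm propagation rather than a single scanner; the same script run over a real day of drop logs shows the waves the column describes as numbers rather than as a blinking light.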

We cannot know what the worm's authors had in mind because of a couple of seemingly stupid things that were done. One was to hard-code the IP address of whitehouse.gov. This meant that all that was necessary for the White House to do was to change the IP address of its site, which the White House did. The other was to require a connection before any data were sent. The White House black-holed the hard-coded IP address, so beyond the initial feelers, the worm did nothing. (Imagine 4.1 megabytes times 25,000,000 threads, every four hours, if the coders had done a DNS lookup instead of hard-coding the address. That's a pretty decent bandwidth suck, don't you think? And those are just the machines we know about.) But the worm was otherwise fairly sophisticated, I'm told by people who know a lot more than I do about such things. Hard to imagine its programmers would make such simple and obvious mistakes.

It has since been learned that there was apparently a variation of Code Red that appeared on Thursday morning, after which the rate of propagation greatly increased. There is a body of evidence suggesting that the code in Code Red can be changed remotely - the reason, perhaps, for the variant? Worse, a harbinger of things to come? For, you see, it appears that after it is done not attacking the White House's website, it will start spreading itself around again, perhaps with modifications made on the fly.

Do you suppose everyone who uses Microsoft's web hosting software will have applied the patch by then?

(The thing also was capable of shutting down certain unpatched Cisco routers and - I don't know why I think this is funny, but I do - Hewlett-Packard network printers that aren't hidden away behind a serious firewall.)

There is also the possibility that this was some kind of proof of concept. That the whitehouse.gov business was a red herring, coming as it did during the G-8 meeting, and the evil bastards who cooked up this thing have something entirely different in mind. Imagine, a friend mentioned to me this week, if the target had been root nameservers. Add the denial-of-service implications on the Internet in general, and this could be the general mess that people have been predicting for years.

And if that happens, it doesn't really much matter what operating system you are using, if the Internet plays a part in what you do. It would be an order of magnitude increase in what I watched here last Thursday, when my poor little cable modem struggled just to stay alive, let alone actually transfer any data.

We can smugly say that we're not running Microsoftware, but that scarcely means we're immune to the effects of its being used by others who are connected to the Internet.

Just as I was getting set to write this, I checked my mail. In it were two 'messages,' each of more than 900k, claiming to contain a file that ended in .zip.bat. They were from no one I'd ever heard of, and they had a little message up front suggesting that I would welcome the attached. A little poking around in the usual places produced the news that there was yet another Outlook Express macro virus on the loose. This one performs a variety of tasks, from filling your hard drive to sending your documents to people in your address book. I'd apparently acquired one of the latter, because the macro itself was a little over 300k. It got spread far and wide - if sysadmins at Microsoft shops can't rub their two brain cells together and download patches for known exploits, how can mere users be expected to know about, let alone do anything about, the obscenely corrupt behavior of the userspace mail program? (Hell, you get an argument on Linux lists when you point out that HTML mail is not secure.)
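The two messages above are recognisable by shape alone: an oversized attachment from a stranger whose filename ends in a benign-looking extension followed by an executable one (`.zip.bat`). The script below is an added example, not from the original column, showing how a mail filter can flag exactly that shape with nothing but the standard library `email` package. The sample message, the sender and recipient addresses, the list of executable extensions and the 900,000-byte size limit are all constructed or assumed for illustration; the attachment body is a harmless placeholder.

```python
"""Flag mail attachments with executable or double extensions.

Added example, not code from the original column. The message, addresses,
extension list and size limit below are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed list of extensions a mail gateway should treat as executable.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".js"}


def build_sample_message() -> bytes:
    """Construct a message of the shape described in the column (harmless payload)."""
    msg = EmailMessage()
    msg["From"] = "stranger@example.invalid"
    msg["To"] = "dep@example.invalid"
    msg["Subject"] = "stikbikeboy"
    msg.set_content("you will welcome the attached")
    # Placeholder bytes standing in for the attachment; not a real script.
    msg.add_attachment(
        b"REM constructed placeholder payload\r\n" * 10,
        maintype="application",
        subtype="octet-stream",
        filename="photos.zip.bat",
    )
    # A benign attachment that must not be flagged.
    msg.add_attachment("plain notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


SAMPLE_RAW = build_sample_message()


def classify_filename(name: str):
    """Return the reasons a filename looks dangerous (empty list if it does not)."""
    segments = name.lower().split(".")
    if len(segments) < 2:
        return []
    final = "." + segments[-1]
    reasons = []
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append("executable_extension")
        # e.g. "photos.zip.bat": a benign-looking extension hiding an executable one.
        if len(segments) >= 3:
            reasons.append("double_extension")
    return reasons


def attachment_findings(raw_message: bytes, max_bytes: int = 900_000):
    """List every attachment that is executable, double-extended, or oversized."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_filename(name)
        payload = part.get_payload(decode=True) or b""
        if len(payload) > max_bytes:
            reasons.append("oversized")
        if reasons:
            findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings


def verdict(raw_message: bytes) -> str:
    """Quarantine any message with at least one flagged attachment."""
    return "quarantine" if attachment_findings(raw_message) else "deliver"


if __name__ == "__main__":
    for f in attachment_findings(SAMPLE_RAW):
        print(f)
    print(verdict(SAMPLE_RAW))
```

The check is deliberately about shape, not content: a gateway does not need to dissect the attachment, as the column's author declined to, to refuse it. Pairing it with a size limit catches the "more than 900k" variant even when the filename has been sanitised.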

Point is, nothing here is unfamiliar or unexpected. How long does it take before there's general recognition that Microsoft software has no business on the Internet?

Attitude

There has been a lot written recently, much of it very perceptive and entirely correct, about the bad attitude exhibited by Linux users, usually young and enthusiastic ones but occasionally old and embittered ones. If you are among those, go do something else - what follows is for the grownups. Write a talkback about how I'm an astroturfer in the employ of Microsoft or something.

Okay.

As Linux users, we've grown accustomed to enduring things that Windows users do not have to endure. We must shop more carefully for hardware, we can pretty much forget off-the-shelf software, and issues like hardware technical support are extra-special ordeals, as my colleague Michael Hall detailed in his memorable column last week.

We put up with it, mostly and with varying degrees of grumbling.

Time has come to draw a line - a subtle line, but a line nonetheless. It is this: Anyone using Microsoft software in connection with the Internet simply cannot be taken seriously. This doesn't mean we should be impolite in dealing with these persons, any more than we should be impolite to someone who is eager to show you his new computer and it turns out to be a PlayStation. But the fact is that Microsoft has proved to be utterly unconcerned about security. Its own sites have been cracked, over and over. The National Security Agency has joined Linux development after having concluded that Microsoft's code is so corrupt that it cannot even be audited. Outlook macro viruses are commonplace. The web server has been so full of holes that Microsoft has had to keep trying to plug them, to no real effect. And based on this tarnished and pitted record they propose .Net and XP. Do you suppose there will be sudden fastidiousness where security is concerned? This is a real hoot, except that it is the Internet that we all use that their clumsy code will be screwing up. But the appropriate attitude toward Microsoft's willing victims has to be pity. That isn't to say that when someone you know fills your mailbox with Outlook macro virus crap, you don't have a right to be irritated and say so - but at the same time point out that the person wouldn't look anywhere near as foolish if they were using software not vulnerable to such foolishness. As an example, this, which I just sent:

Subject: the outlook express macro virus you just sent me
Date: Tue, 24 Jul 2001 01:15:37 -0400
From: dep <dep@drippingwithirony.com>
To: [name i'm withholding]

i just received a windows macro virus from you, with the subject 'stikbikeboy.'
it probably has one of your private files attached to it; i do not know and do not plan to
dissect it to find out. but you have probably also sent it to others in your windows
addressbook as well, or others whose email addresses somehow appear somewhere on your
computer.

please either change operating systems to something secure, undertake to secure your
windows machine, or disconnect your machine from the internet.

thank you.
-- 
dep

This isn't to say that bringing Windows users to Linux solves the problem. Microsoft has led them to believe - incorrectly, as things like Code Red and Outlook macros have demonstrated - that you need to know and do nothing to use a computer. These are complicated machines, and it takes knowledge to use them properly. That knowledge becomes a responsibility if the computer is attached to any other computer. There are Linux security patches that appear and must be applied, and now we hear of a kernel exploit that can ride in on any corrupted RPM, so we need to be a little more careful in picking the sources of our RPMs. Explaining this to a fed-up Windows user is not easy. A powerful tool is the fact that even if one got rooted by a bad RPM, it's not something that is going to propagate.

Microsoft software spews forth corruption at the slightest invitation. As long as they kept it among themselves, it was their business. But now we're seeing it begin to hinder us all. That is not acceptable. We need to say so, politely but uncompromisingly.

And in the meantime, we can await the next visit from Code Red or a variation thereof. Wonder if Microsoft will have patched its own servers by then.

By Dennis E. Powell. Originally published at Linux Planet. Used by permission.

Copyright © Radsoft. All rights reserved.