Information Security News
mailing list archives
Virulent worm calls into doubt our ability to protect the Net
From: InfoSec News <isn () c4i org>
Date: Sun, 29 Jul 2001 04:50:24 -0500 (CDT)
By Rob Lemos
Special to CNET News.com
July 27, 2001, 4:00 a.m. PT

For one moment last week, the Internet stood still.

At midnight Thursday, July 19 GMT, more than 350,000 servers infected
with the so-called Code Red worm stopped hammering the Internet with
scans searching for vulnerable computers. Instead, the servers
targeted an Internet address used as the hub for the White House's
public Web site with a denial-of-service attack of such proportions
that some feared parts of the Internet would shut down, unable to cope
with the unprecedented flood of data.

"If this goes along what it's looking like, parts of the Net will go
down," predicted Marc Maiffret, chief hacking officer at
network-protection company eEye Digital Security. A month earlier, the
Aliso Viejo, Calif., company discovered the flaw exploited by the worm
in Microsoft's Web servers and was the first to decode the malicious

In the end, a design flaw in the worm's programming stymied the
attack, but the potential threat of hundreds of thousands of servers
flooding the wires with garbage data has resurrected concerns about
security among those who consider themselves the guardians of the

The Internet was lucky this time, as this particular Code Red program
squandered its advantage and left itself vulnerable to security
measures. That will not always be the case, said Vern Paxson, staff
computer scientist at the Lawrence Berkeley National Laboratory, who
analyzed Code Red's quick spread.

"This could have been so much worse," he said.

Worms have become the tool of choice among malicious vandals on the
Internet, but the Code Red strain has proven particularly fast and
effective in commandeering a significant portion of the Internet.
Unlike other worms that hide in e-mail attachments, such as LoveLetter
and SirCam, Code Red does not require fooling an unwitting recipient
into opening a document.

Paxson said a better author could have clogged the entire Net with
garbage data or hit critical parts of the global network with a more
effective denial-of-service attack--things that the inevitable
variants of this version could still do.

"We are in for bumpy times," he said. "I don't see any way out of