Home page logo

isn logo Information Security News mailing list archives

Code Red Tribulation is nigh, Steve Gibson warns
From: InfoSec News <isn () c4i org>
Date: Tue, 31 Jul 2001 02:33:43 -0500 (CDT)


By Thomas C Greene in Washington
Posted: 30/07/2001 at 08:17 GMT

The first Angel blew his trumpet, 
And there followed hail and fire mixed with blood, 
Which fell upon the Earth.... 
   --Revelation 8:7 

Techno-hypemeister and headline glutton Steve Gibson has joined the
Electronic Pearl Harbor dog and pony show alongside Ron Dick's NIPC,
bellowing and trumpeting about lakes of fire to be ignited by the Code
Red IIS worm which is due to return from dormancy this week.

The worm went silent on the 28th, though a few machines with
incorrectly set clocks will undoubtedly continue to scan, perpetuating
the infection somewhat.

However, according to Gibson's hysterical reasoning, this represents
nothing short of a catastrophe. Referring to a report by CAIDA (the
Cooperative Association for Internet Data Analysis), he borrows a few
charts and graphs and technical-sounding phrases and runs us through
the grease:

"Be sure to notice that the vertical axis of Figure 3 is LOGARITHMIC,
so that nice straight and linear 'growth line' is actually
exponential!" he warns us frantically.

He's saying that a handful of machines will manage to re-infect the
entire Internet in short order.

So to break it down: during this current period of dormancy, remnants
of the first worm, along with a second strain possessed of a more
random IP generator, have been scanning for and infecting vulnerable
machines, and will continue doing so until all the infected machines
begin packeting the former IP of whitehouse.gov on 20 August.

This they will do mercilessly through the 27th; and during this
electronic Tribulation the worm will devour enough bandwidth to bring
all of Christendom to its knees.

Now get this: the real burn here, Gibson reckons, comes from the
presumption of a single IIS machine, or a small handful of them, with
incorrectly set clocks, which will re-ignite the whole thing after 31
August, keeping us at the mercy of badly-set clocks for all eternity.

"Note that at the start of NEXT MONTH it will only take ONE SINGLE
MACHINE -- with an out-of-sync date whose infection threads have
remained active in a mistaken belief that the date is < 20 -- to
re-initiate an exponential growth starting at midnight of August
31st," Gibson writes. [hyperventilation original]

The rational observation that this dependence on out-of-date clocks
will greatly reduce the seed population has somehow passed through
that scientifically-tuned and reputedly immense brain of his without
effect. The rational observation that the media have been banging out
Code Red headlines for all they're worth, and will continue (and so
inspire a considerable patching of systems) has, similarly, failed to
make an impression on the Digital Messiah's rarified gray matter.

No, he's been far too busy to use his head: "This weekend I have been
in dialog with eEye's Marc Maiffret, law enforcement agencies of the
US government, NAI, cert.org, and others," Gibson informs us,
bolstering that phony authority on which he trades so slickly.

"After finally making time to examine the Code Red worm code, I have
been trying to assemble a picture of the next 23 days," he claims.

One wonders if he's even seen the Code Red worm code, much less
'examined' it. We wonder because he keeps telling us what others
imagine it will and won't do next month.

Damned sockets

Naturally Gibson can't resist trying to persuade us that Code Red
beefs up his absurd paranoia regarding Win-XP raw sockets. "Imagine if
this powerful autonomous replication capability -- enhanced with
Windows XP full raw sockets -- had gone out to the Windows XP audience
-- as it almost did," he frets.

"Oh well, everyone knows I tried hard to prevent it," the Prophet
finally sighs.

In fact, raw sockets have no relevance to this particular worm. I
actually have examined it, and while I'm impressed by its compactness
and power, and the speed with which it was hacked out, it's clear that
the author wanted to know which machines it had infected. Packet
spoofing would have frustrated that ambition perfectly. (Oh, and
because the .IDA hole which the worm exploits yields system-level
access, knowing which among thousands of boxes are infected is a whole
lot nastier than any spoofed-packet flood could hope to be.)

I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself,
has debunked Gibson at length before an ungrateful army of GRC
patsies, agrees.

"[Gibson] contends Code Red would've been more effective if it used
raw sockets. I contend it would've been less effective. The
router/spoofing RFCs would've negated some of the zombies by refusing
to let them push," Rosenberger says.

"Gibson is so overly paranoid about raw sockets that he can no longer
see the obvious," he added.

It's interesting to note that Rosenberger's latest column exposes
Gibson's utter fraudulence in the area of virus research -- in
particular his prediction nine years ago that the "Dark Avenger
Mutation Engine" was going to make all anti-virus software permanently

It was, Stevarino assured us, going to spawn the Mother of all
polymorphic viruses, because it involved "a sophisticated reversible
encryption algorithm generator."

And that's why we all depend on Steve Gibson's genius. He, unique
among mortal creatures, can understand such techno-superstitious

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
  • Code Red Tribulation is nigh, Steve Gibson warns InfoSec News (Jul 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]