On Tue, 31 Jul 2001, by way of Roger Lawson wrote:

> At 8:00 PM on Tuesday, July 31 (EDT), the Code Red worm will begin a new
> infestation and this one appears set to damage far more ISPs and slow the
> Internet far more than the June 19th infestation.

Amazingly, the media appears to have it wrong again. This seems to be
false information being spread by an incorrect analysis of the worm.
More information below ...

I also want to point out that none of UVM's central web servers are
vulnerable to this worm since we don't use Microsoft web servers, so
www.uvm.edu is unaffected by this worm.

Below is a good message about the worm's current status with more details:

>From [log in to unmask] Tue Jul 31 22:00:34 2001
Date: Mon, 30 Jul 2001 23:39:38 -0400
From: Chris Brenton <[log in to unmask]>
Subject: Re: Fwd: NIPC Alert  01-016 (Read this one!)

Be warned, I'm climbing up on my soap box... ;)

> > National Infrastructure Protection Center
> > Code Red Worm
> > Alert 01-016
> > 29 July 2001

> > Code Red is likely to start spreading again
> > on July 31st, 2001 8:00 PM EDT

This is *completely* wrong. All these posts are based on the original
ISS work which has been found to be _incorrect_. In their original lab
testing ISS _thought_ that 2 of the 10 processes woke back up on the
1st. No one could reproduce this and when ISS re-ran the tests they
could not reproduce it either. I think most people just did a code
review and _assumed_ this beast would wake back up on the 1st. This is
based on the three known variants that have been found in the wild
(CRv1, CRv2a and CRv2b). So the current strain is simply dormant and
will not wake back up. ISS has since retracted their findings. Russ C.
of NTBugtraq is backpedaling on his original comments as well.

> > and has mutated so that it may be even more dangerous.

This is also FUD. There is nothing in the code that I've seen which
allows this thing to "mutate". Remember the parrot scene in the pet shop
from Monty Python?

"'E's not pinin'!  'E's passed on!  This parrot is no more!  He has
ceased to be! 'E's expired and gone to meet 'is maker! 'E's a stiff!
Bereft of life, 'e rests in peace! If you hadn't nailed 'im to the perch
'e'd be pushing up the daisies! 'Is metabolic processes are now 'istory!
'E's off the twig! 'E's kicked the bucket, 'e's shuffled off 'is mortal
coil, run down the curtain and joined the bleedin' choir invisible!!
THIS IS AN EX-PARROT!!"

Like the Parrot, Code Red is dead. We need to stop nailing it to the
"perch"...

Now, with that said there is always the possibility that someone could
write up a new variation that does not go into a permanent sleep and
could come back to haunt us on the first of each month. This would be a
new virus/trojan however, not a mutation. So long as people don't keep
up with security patches we will continue to see this type of problem.

Sorry for the rant, but everyone running on second-hand info just
so they can claim the sky is falling really has to stop. Yes there are
some serious security concerns out there that need to be addressed but
facts should really be checked before releasing this type of advisory.
If the world does not fall apart on the 1st, it's quite possible the
public at large will ignore us the next time a valid security concern
comes up.

The problems I mention above really need to be addressed before these
advisories are released.

I just don't want to see anyone chasing their tail.

</soapbox>
C