FYI: Red Code

Richard Clayton richard at highwayman.com
Tue, 31 Jul 2001 12:16:53 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <k0bYlnJIyZZ7EwLR@crecon.demon.co.uk>, Bruce Tober
<tbt@star-dot-star.co.uk> writes

>Code Red Worm: Frequently Asked Questions:

[assorted bits of FUD]

> Unfortunately, the infestation continues, mutations of the
>worm have already begun to appear, and the worm is timed to begin
>hyper-growth late on July 31. The initial worm had a seven-day incubation
>period; the new version may incubate in an even shorter period. This
>malicious code, a clear and present threat, needs to be stopped before it
>does real harm to electronic commerce and other uses of the Internet.

For some rather more factually based information (the worms in machines
that were infected in July are now in a permanent sleep mode; it was
probably variants that caused the major growth on the 19th; and the worm
doesn't have an incubation period as such)
see:
        http://xforce.iss.net/alerts/advise89.php

>Question: Can "Code Red" be turned off?
>Answer: Yes, but it will require the concerted action of everyone who
>operates a Microsoft IIS Web server to follow the procedures we have
>outlined and to do it expeditiously. 

Some other products are affected as well; it's not just IIS per se:

http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

>There is no MASTER SWITCH to turn off
>the Code Red worm. History shows that such exploits are not single events
>but harbingers of trends. The only real solution is for users to fix the
>vulnerability.

I think these last two sentences are the only useful contribution of
this particular FAQ...

I am also of the opinion that we're going to see many more such worms
(and this is far from being the first anyway); and we're going to get
far more interested in scalable ways of safely distributing security
patches to the masses.


ObUKCrypto: Rather perversely, I hope that there is some real damage
done in the next few days. There's been so much hype on this topic
(making it onto the main news bulletins) that if very little actually
happens then it will be much harder to convince the journalists to run
Internet stories in the future....

After all, the time to get people excited wasn't today but all last week
when patching the systems could be properly scheduled and not done in a
panic! But of course it wasn't a story last week if people took action
to stop the "disaster" happening.

- -- 
richard @ highwayman . com                       "Nothing seems the same
                          Still you never see the change from day to day
                                And no-one notices the customs slip away"

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBO2aTpRfnRQV/feRLEQL2PQCfdNvUZMdv1wByJIYA6Ty+Gj1FNWIAnRiF
Maxabr1aqZwOmwsS1jCH0Cb4
=5Sgy
-----END PGP SIGNATURE-----