code red
4 august, 2001
by johnmichael patrick monty monteith
I have been monitoring the traffic being generated by Code Red and some of the problems it has been generating, and it is quite likely that this little worm has touched the majority of Internet users, whether they realize it or not.

If you have been locked away in Davy Jones' Locker for the past few weeks, Code Red is a new worm that takes advantage of a security hole in Windows 2000 and Windows NT running Microsoft's HTTP (web) services. Essentially it sends a port 80 packet to every IP address it can, and those servers that are Windows 2000 / NT running the HTTP services without the Microsoft patch will then become infected and start broadcasting the worm.
Sounds pretty harmless, right? On the surface it is, but also a major annoyance. Let me give you some examples:
1. Lost email: Due to the amount of IP traffic this sucker is causing and the servers that are being interrupted by the traffic, many emails are being bounced. When I say "many" I mean probably about five times what would normally be lost. While not devastating, it can be frustrating if you are one of the few who has a bounced email.
2. Less Reliable Web Traffic: Due to the same issues hurting email traffic, DNS and HTTP services are also affected. The result is more 404 errors and other failures.
3. VPN Service Problems: For whatever reason VPN traffic seems more affected by Code Red traffic problems than anything else. Remote users are often complaining of lost VPN connections and slow service.
4. Less Responsive Servers: It is scary to think how many I.T. people out there are completely unaware that so many of their servers are spreading this worm. They may think their servers are simply having a bad day, but instead they are infected.

All of these effects have a funny thing in common: they are common problems on the Web that are amplified. So, while the press was predicting the end of the world due to Code Red, reality was nothing more than an annoyance. In some cases, a major annoyance.
Unfortunately when an annoyance like this hits the street blame has to be laid somewhere, and that firmly falls on the folks in Redmond. But, for fun, let's compare car ownership to home ownership:
Let's say that in your neighborhood there are hackers looking to break into homes everywhere. They are hitting places left and right. Finally, one of them robbed a string of houses on your block because you are living in a ritzy neighborhood. They even got yours. All they did was walk up and use a credit card to open your door, and your neighbors'. They then drew some ugly stuff on your walls with crayons that took a few hours to clean up.
A reasonable comparison to Code Red. An annoyance that has affected quite a few servers on the net.
Who is at fault for breaking in and writing on your walls? The manufacturer of your door, of course. They should have made a door that was credit card resistant. Right? Is it still the door manufacturer's fault for not originally making a door that was credit card resistant? What if someone uses a sledgehammer to break in? Is that the door manufacturer's fault? At what point do we stop blaming the manufacturer and start going after the criminals breaking into servers?
Of course, for a better comparison to Microsoft, let's say the manufacturer offered you a free upgrade to your door to make it credit card resistant. For nothing more than a few minutes of your time you could be protected. Is the manufacturer still to blame?
Half of the blame for Code Red falls on the shoulders of the author. It seems to me that the other half falls on those that do not protect themselves from the worm. I am not talking about the first outbreak when no one knew about it, but I am talking about the further outbreaks that have happened weeks later. Who are these people that are not protecting themselves? It is not the average Joe down the street. It is major corporations like Verizon, AT&T and Qwest.
I did some tracking of the Code Red packets hitting the firewall at my place of employment, and nearly 90% of them could be traced back to major corporations with Windows 2000 systems or NT systems that they just have not gotten around to protecting. This is absolutely unforgivable. These companies had weeks to protect themselves and tons of press to warn them, yet still their systems remain infected.
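The tally described above, tracing port 80 hits back to their sources and seeing what share of them come from a handful of sweeping hosts, is easy to reproduce from firewall logs. The script below is an added example, not code from the original post. The log format it parses (key=value fields after a timestamp and an action) is a constructed, hypothetical one, as are the sample lines and the `min_targets` threshold; adjust the regex for a real firewall's format. It flags sources that touch port 80 on many distinct destinations, which is the scanning behaviour an infected server shows, and reports what fraction of all port-80 hits those sources account for.

```python
"""Flag sources that sweep port 80 across many hosts, from firewall log lines.

Added example for this page; not code from the original post. The log
format below is a constructed, hypothetical one (key=value fields); adjust
LINE_RE for a real firewall's format.
"""
import re
from collections import defaultdict

# Constructed sample: 203.0.113.5 touches five hosts on tcp/80 (scanner-like),
# 192.0.2.44 talks to one web server repeatedly (ordinary client), and
# 203.0.113.9 touches two hosts on tcp/80 plus one on tcp/25.
SAMPLE_LOG = """\
2001-08-04T10:00:01 DROP src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=80
2001-08-04T10:00:01 DROP src=203.0.113.5 dst=198.51.100.11 proto=tcp dport=80
2001-08-04T10:00:02 DROP src=203.0.113.5 dst=198.51.100.12 proto=tcp dport=80
2001-08-04T10:00:02 DROP src=203.0.113.5 dst=198.51.100.13 proto=tcp dport=80
2001-08-04T10:00:03 DROP src=203.0.113.5 dst=198.51.100.14 proto=tcp dport=80
2001-08-04T10:00:03 ACCEPT src=192.0.2.44 dst=198.51.100.10 proto=tcp dport=80
2001-08-04T10:00:04 ACCEPT src=192.0.2.44 dst=198.51.100.10 proto=tcp dport=80
2001-08-04T10:00:05 DROP src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=80
2001-08-04T10:00:05 DROP src=203.0.113.9 dst=198.51.100.21 proto=tcp dport=80
2001-08-04T10:00:06 DROP src=203.0.113.9 dst=198.51.100.22 proto=tcp dport=25
2001-08-04T10:00:06 garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def port80_sweeps(text, min_targets=3):
    """Map each sweeping source to the set of hosts it hit on tcp/80.

    A source counts as sweeping when it touched at least min_targets
    distinct destinations on port 80 within the log sample.
    """
    targets = defaultdict(set)
    for rec in parse_lines(text):
        if rec["proto"] == "tcp" and rec["dport"] == 80:
            targets[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


def share_of_port80_hits(text, min_targets=3):
    """Fraction of all tcp/80 hits that came from sweeping sources (0.0 if none)."""
    sweepers = port80_sweeps(text, min_targets)
    total = from_sweepers = 0
    for rec in parse_lines(text):
        if rec["proto"] == "tcp" and rec["dport"] == 80:
            total += 1
            if rec["src"] in sweepers:
                from_sweepers += 1
    return from_sweepers / total if total else 0.0


if __name__ == "__main__":
    for src, dsts in sorted(port80_sweeps(SAMPLE_LOG).items()):
        print(f"{src} swept {len(dsts)} hosts on tcp/80")
    print(f"{share_of_port80_hits(SAMPLE_LOG):.0%} of tcp/80 hits came from sweeping sources")
```

On the constructed sample only 203.0.113.5 crosses the threshold, and it accounts for five of the nine port-80 hits. The threshold is deliberately a parameter: a busy web client legitimately reaches one or two hosts, while an infected server reaches hundreds, so on a real log the gap between the two is wide and a per-source count of distinct destinations separates them cleanly; once a source is flagged, its address is what you hand to the owning network's abuse contact.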
Yes, I hear some folks now saying, "it is still Microsoft's fault since this is just one of many security flaws they have given us." Fair enough. Except, I cannot help but think this is an unreasonable perspective. Software is extremely complicated, and there is not a single modern operating system that does not have security issues. The reason Microsoft has the lion's share is because no one likes the company, so that is the bad guy we all go after.
That being said, I have run Linux web servers alongside Windows 2000 web servers and have found the Windows 2000 ones to be LESS vulnerable to hacker attack. In fact, I have found Red Hat Linux to be far easier to break into and cause trouble with than a Windows 2000 server.
So, while I fully believe there is plenty of material out there to bash Microsoft about, the Code Red worm seems like the wrong one. If we need to find someone to blame, let's put our energy into getting the person or people who wrote the worm. If we need more than that, then let's blame those major corporations that still to this day are spreading the worm because they do not have the time to update their servers. But, let's save our Microsoft bashing moments for more important issues.