Code Red: Guard Your Apps

Attackers are worming their way around the network

As the Internet community scrambled to prepare for the re-emergence of the Code Red worm last week, security experts said the worm presages more widespread and damaging attacks of this kind. More importantly, it illustrates how the point of attack is moving from the network to the application.

While most administrators and security specialists have spent the last few years building strong network defenses with firewalls, intrusion-detection systems and anti-virus software, crackers have been discovering vulnerabilities in software applications.

As a result, they've been crafting increasingly sophisticated attack tools, with growing frequency, to help automate the process of exploiting those holes.

"This was an application-level attack aimed at a Web server, and that's the path of least resistance," said Yaron Galant, senior director of services at Sanctum Inc., a Santa Clara, Calif., vendor of application-security products.

Sanctum and others such as Ubizen Inc., of Leuven, Belgium, are part of a growing number of developers that are providing software to address application-level attacks and vulnerabilities. Sanctum and Ubizen are working on new releases of their products, both of which are due this fall.

Sanctum is overhauling its AppScan software, an update of its Expert Application Security System that includes the latest data on application vulnerabilities and attacks.

Ubizen is reworking its MultiSecure platform to further integrate its updated vulnerability information.

"A lot of networks have firewalls, but they're totally ineffective against things like this," Galant said. "These vulnerabilities are painfully easy to exploit, and the only reasonable assumption is that we're going to have our hands full for a while with them."

"This is just the tip of the iceberg for application-level hacking," said Jason Painter, corporate Webmaster at Coherent Inc., a laser manufacturer and Sanctum customer, also in Santa Clara. Coherent's server logged more than 260 attempted attacks by the Code Red worm in one 24-hour period last week. "We're primarily concerned about people being able to gather our confidential corporate data, and that could have been the case with a better-written worm," Painter said.
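Counting worm probe attempts in a Web server's logs, as Coherent did, is the kind of application-level visibility a firewall never gives. The following is an added example (not code from the article or from any vendor named in it) that parses IIS W3C extended log lines and tallies Code Red probe attempts per day and per source. The request shape it matches, a GET for /default.ida whose query string begins with a long run of N or X characters, is the one documented for Code Red in CERT advisory CA-2001-19; the log lines, IP addresses and the status-code heuristic are constructed assumptions for the demonstration.

```python
"""Count Code Red probe attempts in IIS W3C extended log lines.

Added example, not from the article. The request shape it looks for,
GET /default.ida?NNNN...%u9090..., is the one documented in CERT
advisory CA-2001-19 for Code Red; the log lines below are constructed.
"""
import re
from collections import Counter

# The worm sends a GET for /default.ida whose query string starts with a
# long run of 'N' (original variant) or 'X' (later variant) characters.
PROBE_QUERY = re.compile(r"^[NX]{200,}")


def _constructed_log() -> str:
    """Build a small constructed IIS log: three probes and two normal hits."""
    filler = "N" * 224 + "%u9090%u6858%ucbd3=a"
    header = "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status"
    lines = [
        header,
        f"2001-08-01 00:03:12 198.51.100.7 GET /default.ida {filler} 404",
        "2001-08-01 00:03:15 192.0.2.44 GET /index.html - 200",
        f"2001-08-01 07:41:09 198.51.100.7 GET /default.ida {filler} 404",
        "2001-08-01 08:00:01 192.0.2.44 GET /products.asp id=7 200",
        f"2001-08-02 01:15:33 203.0.113.99 GET /default.ida {'X' * 224}%u9090%u6858=a 200",
    ]
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields line
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def is_code_red_probe(rec):
    """True if the record matches the worm's characteristic request."""
    return (rec.get("cs-method") == "GET"
            and rec.get("cs-uri-stem", "").lower() == "/default.ida"
            and PROBE_QUERY.match(rec.get("cs-uri-query", "")) is not None)


def summarize_probes(records):
    """Aggregate probe attempts per calendar day, per source, and by status."""
    probes = [r for r in records if is_code_red_probe(r)]
    by_day = Counter(r["date"] for r in probes)
    by_source = Counter(r["c-ip"] for r in probes)
    # Heuristic (an assumption, not from the article): a 404 suggests IIS had
    # no handler for .ida requests, e.g. the script mapping was removed; a 200
    # means the request was handed to the ISAPI extension, so check that host's
    # patch level.
    reached_handler = sum(1 for r in probes if r.get("sc-status") == "200")
    return {"total": len(probes), "by_day": dict(by_day),
            "by_source": dict(by_source), "reached_handler": reached_handler}


if __name__ == "__main__":
    summary = summarize_probes(parse_w3c(_constructed_log()))
    for day, n in sorted(summary["by_day"].items()):
        print(f"{day}: {n} Code Red probe(s)")
    print("sources:", summary["by_source"])
    print("probes that reached the .ida handler:", summary["reached_handler"])
```

Run against a real IIS log, the per-day total is the figure an administrator would compare against the 260 attempts Coherent saw, and the `reached_handler` count singles out the hosts worth checking first: a probe that was answered with a 200 was processed by the Index Server ISAPI extension rather than rejected, which is the condition the patch and the removal of the .ida script mapping are meant to prevent.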

IT managers say these application-level attacks are changing the way they do their jobs and forcing them to refocus energy and resources that were previously devoted almost exclusively to network security.

"This is just the beginning. Every day, there are new hacker initiatives like this, and it's too ambitious to think you can do it yourself," said Peter Marchand, IT manager at KBC Securities NV in Brussels, Belgium, which uses Ubizen's MultiSecure product.

"This kind of tool takes things to a different playing field than today's scripts that usually run discrete processes," said Ted Julian, chief strategist and co-founder of Arbor Networks Inc., a Waltham, Mass., provider of software to combat DDoS (distributed-denial-of-service) attacks.

Julian said Code Red represents the first widespread use of an automated tool to deposit DDoS clients on remote machines. "Now, you can wrap it all up in a nice, neat little package. Things are going to get scarier as people morph these tools and refine their attacks. Administrators should worry."

Many of them spent the beginning of last week doing just that, concerned that Code Red, which had infected nearly 300,000 servers in mid-July, would come back even stronger on its second pass.

The worm, which attacks a vulnerability in Microsoft Corp.'s IIS (Internet Information Services) Web server (see "Code Red worm exposes security flaw," July 30, Page 1) and plants a piece of code for use in a DDoS attack, had infected 293,000-plus more machines by Friday morning.

However, Code Red is not a malicious worm, and security experts say that tools such as the password-stealing Lion worm or the SubSeven backdoor could cause much more damage if used broadly.

"There are dozens of these tools and tool kits available out there for download, and they are making it easier for punk kids," said David Perry, director of education at Trend Micro Inc., an anti-virus vendor in Cupertino, Calif. "But this stuff has all been prankish. What happens if someone comes at this with truly malicious intent?"

If the recent uptick in sophisticated attacks is any yardstick, the answer to that question will likely come sooner rather than later.