Code Red Worm Exposes Security Flaws

In the wake of the massive infection of Web servers by the Code Red worm, systems administrators and security experts are doing a lot of finger-pointing over who is to blame for one of the Internet's most far-reaching security events.

In the wake of the massive infection of Web servers by the Code Red worm, systems administrators and security experts are doing a lot of finger-pointing over who is to blame for one of the Internets most far-reaching security events.

Many feel that the responsibility belongs to the administrators who failed to heed repeated warnings to patch their systems. Others believe the real culprits are software vendors that release unsecure products and government agencies that are slow to react to major security threats.

"Any admin who says they dont have the time to properly patch their servers either doesnt understand the problem or doesnt care about their job," said Paul Schmehl, supervisor of support services at the University of Texas at Dallas.

In fact, everyone is to blame. More than 300,000 servers were infected by Code Red this month. But the one thing that nearly everyone concerned agrees on is that the industrys early-warning system is woefully inadequate.

To that end, a group of security experts known as the Honeynet Project is considering using some of the data it gathers in its research on threats and attacks to provide administrators with early information.

The project maintains a network of systems, known as a honeynet, that monitors and captures attack data to learn more about the tactics of hackers.

In a white paper released last week, the Honeynet Project analyzed 11 months worth of data from an eight-IP address honeynet set up with default installations of several popular operating systems, including Microsoft Corp.s Windows NT and Red Hat Inc.s Linux. Using the Snort intrusion detection system, the members of the project identified several behaviors that indicate an attack.

The groups data showed that, of eight successful attacks between April 9 and Dec. 31 last year, seven had prior warning indicators that could have been used to predict the attack as many as three days in advance. The Honeynet Project has sent its findings to the CERT Coordination Center and the FBIs National Infrastructure Protection Center and is hopeful that someone will find a method for using the data.

"This just demonstrates how bad the black hats are, how fast they are and the fact that we can predict their behavior," said Lance Spitzner, a senior security architect at Sun Microsystems Inc., in Palo Alto, Calif., and a member of the Honeynet Project. "We want to help the security community predict this stuff, but we dont have the resources to do it."

Both CERT and NIPC have the resources but have yet to take advantage of them, experts said.

"This event is clearly showing the need for an early-warning system," said Chris Wysopal, director of research and development at security consultant @stake Inc., in Cambridge, Mass. The warnings issued by CERT and NIPC "came out after the bulk of the problem had occurred," Wysopal added. "It was clear on July 17 that something was going to happen."

Code Red took advantage of the so-called .ida flaw in Microsoft IIS (Internet Information Services) software. The vulnerability has been known since mid-June, when Microsoft issued a bulletin on the subject and issued a patch. The company warned customers that the flaw was serious and could lead to an attacker gaining server control.

But the warning clearly didnt take, as hundreds of thousands of IIS servers were infected by Code Red, most between July 17 and 18. Neither CERT, which is run by Carnegie Mellon University in Pittsburgh, nor NIPC issued a warning until late July 19, by which time much of the damage had been done. The worm then launched a failed distributed denial-of-service attack on the White Houses Web site July 20.