Did FBI Ignore Code Red Warning?

Fast-spreading malicious worm may have had a less successful predecessor.

Kim Zetter, PCWorld.com

Redundant Warnings?

Did the FBI and CIAC drag their feet, ignoring a warning that could have stopped the Code Red worm sooner?

Marc Maiffret, "chief hacking officer" at eEye Digital, says the National Infrastructure Protection Center's slow response allowed the worm to affect more systems.

The NIPC, an arm of the FBI, received reports of the .htr worm in April 2001. But its staff decided not to release an advisory about it because the Computer Emergency Response Team at Carnegie Mellon University had posted an advisory for the .htr vulnerability when it was first discovered back in June 1999, says Bob Gerber, chief of analysis and warning at NIPC.

"If it's important enough and credible enough to consider an investigation, then we take the appropriate investigative avenues," Gerber says. "We look at whether some sort of advisory is necessary. Given that the .htr vulnerability had already been 'advised' by CERT on three separate occasions before April, [we] decided that the NIPC would not do another warning."

Additional CERT advisories described the exploit for the .htr vulnerability in July 2000, October 2000, and January 2001, says Gerber. "We wondered what additional value to the public there was in adding our voice to [that]," he says.

Setting Priorities

Gerber notes that the NIPC receives hundreds of reports each week and can't respond to each one or predict which reports will escalate into larger problems. Some six to twelve new viruses and worms appear daily, many of them variants of earlier viruses, and many of them unsuccessful at propagating.

"Hindsight is always an easier prospect than warning. I would not do anything different than was done in April," Gerber says. The NIPC issued its first Code Red warning on July 19, after version 2 came out. A second NIPC advisory appeared on July 29.

"The .htr worm never reached the level of infection that we saw with the .ida Code Red," says Gerber. He says that the NIPC had no way of knowing that so many IIS 5 systems were vulnerable. It assumed that most systems would be secure against the attack because Microsoft had issued a patch for the vulnerability on June 18. When the NIPC saw the worm's infection rate rise, it released a warning on July 19 urging network administrators to fix their systems.

"It's a daily judgment on our part as to when we increase the shrillness of our warnings to serve the public interest," says Gerber.

Code Red and the .htr worm that Sandia found clearly have some similarities, he says.

"They are certainly related in terms of the vulnerability that they exploit and the way they exploit them," Gerber says. But, pending an FBI investigation, he's reluctant to speculate that they were written by the same person.

eEye Digital Security's Maiffret has no such doubts. Had the FBI been more vigilant, Code Red warnings would have spread sooner and faster, Maiffret says.

"If we'd known about the first instance of Code Red back in April, then people would have recognized that Code Red was a worm and would have had a better understanding of it sooner," he says.

Watch for the Next Worm

"The technique in [the .htr worm that Sandia identified] was actually the technique that was used for Code Red," he says. "There was a span of about five or six days from when people first noticed the [activity of] Code Red and were trying to figure out what it was doing."

Had the NIPC identified the .htr worm as a test worm, or an epidemic waiting to spread, the organization could have responded sooner with its Code Red warnings, Maiffret says.

"I'm sure it's the case that if there had been some national announcement that came out as soon as we observed [the worm] again, the number of machines getting hit might have been reduced," says Sandia's Toole. But prior to Code Red, he notes, the .htr worm "wasn't hitting a whole lot of machines. Looking back, it's an easy call to say that if that information was out, [NIPC] might have moved faster."

Now, Toole is more worried about the next worm.

Code Red was probably designed to attack the White House site because its originator wanted to get attention. But that wasn't its greatest significance, Toole says. He believes it's more important that Code Red could give a cracker total access to an infected network.

He also notes that a month passed between discovery of the .ida vulnerability and the appearance of the Code Red worm that exploits it. Code Red got significant media attention, and writers of malicious code often crave such anonymous notoriety. When the next vulnerability is discovered, it may take only days for a virus exploiting it to appear, Toole says. System administrators will have to patch their systems more quickly, he adds. And the NIPC may need to sound a warning sooner.

"Code Red means there's a framework for a worm out there right now that has proven its effectiveness to spread," Toole says. "All [virus writers] need is a new vulnerability."