Code Red Tribulation is nigh, Steve Gibson warns

Run for your lives -- the Internet's crashing

The first Angel blew his trumpet,
And there followed hail and fire mixed with blood,
Which fell upon the Earth....
   --Revelation 8:7

Techno-hypemeister and headline glutton Steve Gibson has joined the Electronic Pearl Harbor dog and pony show alongside numerous clueless mainstream press columnists, bellowing and trumpeting about lakes of fire to be ignited by the Code Red IIS worm which is due to return from dormancy this week.

The worm went silent on the 28th, though a few machines with incorrectly set clocks will undoubtedly continue to scan, perpetuating the infection somewhat.

However, according to Gibson's hysterical reasoning, this represents nothing short of a catastrophe. Referring to a report by CAIDA (the Cooperative Association for Internet Data Analysis), he borrows a few charts and graphs and technical-sounding phrases and runs us through the grease:

"Be sure to notice that the vertical axis of Figure 3 is LOGARITHMIC, so that nice straight and linear 'growth line' is actually exponential!" he warns us frantically.

He's saying that a handful of machines will manage to re-infect the entire Internet in short order.

So to break it down, in Gibson's telling: once the calendar rolls over, remnants of the first worm, along with a second strain possessed of a more random IP generator, will resume scanning for and infecting vulnerable machines, and will continue doing so until all the infected machines begin packeting the former IP of whitehouse.gov on 20 August.

This they will do mercilessly through the 27th; and during this electronic Tribulation the worm will devour enough bandwidth to bring all of Christendom to its knees.

Now get this: the real burn here, Gibson reckons, comes from the presumption of a single IIS machine, or a small handful of them, with incorrectly set clocks, which will re-ignite the whole thing after 31 August, keeping us at the mercy of badly-set clocks for all eternity.

"Note that at the start of NEXT MONTH it will only take ONE SINGLE MACHINE -- with an out-of-sync date whose infection threads have remained active in a mistaken belief that the date is < 20 -- to re-initiate an exponential growth starting at midnight of August 31st," Gibson writes. [hyperventilation original]

The rational observation that this dependence on out-of-date clocks will greatly reduce the seed population has somehow passed through that scientifically-tuned and reputedly immense brain of his without effect. The rational observation that the media have been banging out Code Red headlines for all they're worth, and will continue (and so inspire a considerable patching of systems) has, similarly, failed to make an impression on the Digital Messiah's rarified gray matter.
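To put numbers on the two points above, the logarithmic-axis business and the "one bad clock re-ignites it" claim, here is a toy model of the worm's calendar-gated behaviour. It is an added illustration for this page, not code from the article, from Gibson, or from the worm itself. The phase boundaries (spread while the host's own clock says the day-of-month is below 20, flood from the 20th to the 27th, sleep from the 28th) are the ones the article and Gibson's quoted text describe; everything numeric is a constructed assumption: uniform target selection over the whole IPv4 space, the probe rate per host per day, the size of the vulnerable population, and a 31-day month.

```python
"""Toy model of Code Red's calendar-gated behaviour and of the "one machine with
a bad clock re-ignites it" scenario.

Added illustration for this page, not code from the original article and not
the worm's own code.  The phase boundaries (spread while the host's own
day-of-month is below 20, flood 20..27, sleep from the 28th) are those the
article and Gibson's quoted text describe.  Everything numeric below is a
constructed assumption: uniform random target selection over the IPv4 space,
the probe rate per host per day, the vulnerable population, a 31-day month.
"""
from typing import List, Sequence

IPV4_SPACE = 2 ** 32          # assumption: targets drawn uniformly from all of IPv4


def phase(day_of_month: int) -> str:
    """What an infected host does, judged by *its own* clock."""
    if day_of_month < 20:
        return "spread"       # scan and infect
    if day_of_month <= 27:
        return "flood"        # packet the hard-coded target address
    return "sleep"            # dormant until the calendar rolls over


def local_day(true_day: int, skew_days: int, month_length: int = 31) -> int:
    """Day-of-month a host believes it is, given a clock that is skew_days off."""
    return (true_day - 1 + skew_days) % month_length + 1


def spreading_hosts(true_day: int, skews: Sequence[int]) -> int:
    """Count infected hosts still in the spread phase on a given true day.

    skews: one clock offset (in days) per infected host; 0 = correct clock.
    On a true day of 28 or later only the mis-set clocks contribute seeds.
    """
    return sum(1 for s in skews if phase(local_day(true_day, s)) == "spread")


def simulate(seeds: float, vulnerable: float, probes_per_host_day: float,
             days: int, address_space: int = IPV4_SPACE) -> List[float]:
    """Mean-field random-scanning epidemic (constructed model).

    Each spreading host's probe hits a still-vulnerable address with probability
    susceptible / address_space, so new infections per day are
    infected * probes * susceptible / address_space, capped at what is left.
    Returns the infected count at the end of each day, starting with the seeds.
    """
    infected, susceptible = float(seeds), float(vulnerable)
    history = [infected]
    for _ in range(days):
        new = min(susceptible,
                  infected * probes_per_host_day * susceptible / address_space)
        infected += new
        susceptible -= new
        history.append(infected)
    return history


def daily_growth_ratios(history: Sequence[float]) -> List[float]:
    """Ratio of consecutive daily counts.  Near-constant ratios are what a
    straight line on a logarithmic axis means (exponential growth); the ratio
    collapses once the vulnerable pool is used up."""
    return [b / a for a, b in zip(history, history[1:]) if a > 0]


if __name__ == "__main__":
    # Constructed population: 300k vulnerable hosts, 500k probes per host per day.
    VULN, RATE = 300_000, 500_000
    # The 31st: correct clocks sleep; a clock running five days fast already
    # believes it is the 5th and keeps scanning, so it is the only seed.
    skews = [0] * 999 + [5]
    print("spreaders on the 31st:", spreading_hosts(31, skews))
    # Growth from that single seed, with and without a patching campaign.
    for label, vuln in (("unpatched", VULN), ("half patched", VULN // 2)):
        hist = simulate(seeds=1, vulnerable=vuln, probes_per_host_day=RATE, days=6)
        print(label, [round(x) for x in hist],
              "daily ratios", [round(r, 1) for r in daily_growth_ratios(hist)])
```

Two things fall out of running it. The seed population on the 31st is exactly the number of hosts with skewed clocks, not the whole infected base, which is the point about mis-set clocks reducing the seed. And the day-over-day growth ratio is proportional to the number of hosts still vulnerable, so every box patched during the media frenzy slows the re-ignition rather than merely shrinking its ceiling.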

No, he's been far too busy to use his head: "This weekend I have been in dialog with eEye's Marc Maiffret, law enforcement agencies of the US government, NAI, cert.org, and others," Gibson informs us, bolstering that phony authority on which he trades so slickly.

"After finally making time to examine the Code Red worm code, I have been trying to assemble a picture of the next 23 days," he claims.

One wonders if he's even seen the Code Red worm code, much less 'examined' it. We wonder because he keeps telling us what others imagine it will and won't do next month.

Damned sockets

Naturally Gibson can't resist trying to persuade us that Code Red beefs up his absurd paranoia regarding Win-XP raw sockets. "Imagine if this powerful autonomous replication capability -- enhanced with Windows XP full raw sockets -- had gone out to the Windows XP audience -- as it almost did," he frets.

"Oh well, everyone knows I tried hard to prevent it," the Prophet finally sighs.

In fact, raw sockets have no relevance to this particular worm. I actually have examined it, and while I'm impressed by its compactness and power, and the speed with which it was hacked out, it's clear that the author wanted to know which machines it had infected. Packet spoofing would have frustrated that ambition perfectly: the worm spreads over ordinary TCP connections to port 80, and a connection opened from a forged source address never completes, because the victim's reply goes to the forged address rather than back to the scanner. (Oh, and because the .IDA hole which the worm exploits yields system-level access, knowing which among thousands of boxes are infected is a whole lot nastier than any spoofed-packet flood could hope to be.)

I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself, has debunked Gibson at length before an ungrateful army of GRC patsies, agrees.

"[Gibson] contends Code Red would've been more effective if it used raw sockets. I contend it would've been less effective. The router/spoofing RFCs would've negated some of the zombies by refusing to let them push," Rosenberger says.

"Gibson is so overly paranoid about raw sockets that he can no longer see the obvious," he added.

It's interesting to note that Rosenberger's latest column exposes Gibson's utter fraudulence in the area of virus research -- in particular his prediction nine years ago that the "Dark Avenger Mutation Engine" was going to make all anti-virus software permanently ineffective.

It was, Stevarino assured us, going to spawn the Mother of all polymorphic viruses, because it involved "a sophisticated reversible encryption algorithm generator."

And that's why we all depend on Steve Gibson's genius. He, unique among mortal creatures, can understand such techno-superstitious gobbledygook. ®

Related Stories

Internet survives Code Red
IIS worm made to packet Whitehouse.gov
Steve Gibson really is off his rocker
Security geek developing WinXP raw socket exploit
MS security chief talks raw sockets with the Reg

Related Links

The relevant MS security bulletin
The Win-NT 4.0 patch
The Win-2K Pro and Advanced Server patch
