
Code Red Tribulation is nigh, Steve Gibson warns

Run for your lives -- the Internet's crashing


The first Angel blew his trumpet,
And there followed hail and fire mixed with blood,
Which fell upon the Earth....
   --Revelation 8:7

Techno-hypemeister and headline glutton Steve Gibson has joined the Electronic Pearl Harbor dog and pony show alongside numerous clueless mainstream press columnists, bellowing and trumpeting about lakes of fire to be ignited by the Code Red IIS worm which is due to return from dormancy this week.

The worm went silent on the 28th, though a few machines with incorrectly set clocks will undoubtedly continue to scan, perpetuating the infection somewhat.

However, according to Gibson's hysterical reasoning, this represents nothing short of a catastrophe. Referring to a report by CAIDA (the Cooperative Association for Internet Data Analysis), he borrows a few charts and graphs and technical-sounding phrases and runs us through the grease:

"Be sure to notice that the vertical axis of Figure 3 is LOGARITHMIC, so that nice straight and linear 'growth line' is actually exponential!" he warns us frantically.

He's saying that a handful of machines will manage to re-infect the entire Internet in short order.

So to break it down: during this current period of dormancy, remnants of the first worm, along with a second strain possessed of a more random IP generator, have been scanning for and infecting vulnerable machines, and will continue doing so until all the infected machines begin packeting the former IP of whitehouse.gov on 20 August.

This they will do mercilessly through the 27th; and during this electronic Tribulation the worm will devour enough bandwidth to bring all of Christendom to its knees.

Now get this: the real burn here, Gibson reckons, comes from the presumption of a single IIS machine, or a small handful of them, with incorrectly set clocks, which will re-ignite the whole thing after 31 August, keeping us at the mercy of badly-set clocks for all eternity.

"Note that at the start of NEXT MONTH it will only take ONE SINGLE MACHINE -- with an out-of-sync date whose infection threads have remained active in a mistaken belief that the date is < 20 -- to re-initiate an exponential growth starting at midnight of August 31st," Gibson writes. [hyperventilation original]

The rational observation that this dependence on out-of-date clocks will greatly reduce the seed population has somehow passed through that scientifically-tuned and reputedly immense brain of his without effect. The rational observation that the media have been banging out Code Red headlines for all they're worth, and will continue (and so inspire a considerable patching of systems) has, similarly, failed to make an impression on the Digital Messiah's rarified gray matter.
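Gibson's "straight line on a logarithmic axis" is just a constant per-step growth factor, and the column's reply turns on two other quantities: how many machines seed the outbreak and how fast vulnerable boxes get patched. The toy model below is an added example, not part of the article and not CAIDA's or GRC's analysis; it is a discrete-time susceptible/infected model of a random-scanning worm in which every parameter (a population of 1,000,000 hosts, one successful infection per infected host per step while everything is vulnerable, a patch rate of half the remaining vulnerable hosts per step) is an assumed, illustrative value rather than a measurement of Code Red.

```python
"""Constructed toy model of random-scanning worm propagation.

Added example, not from the article or from CAIDA/GRC. Discrete-time
susceptible/infected model with homogeneous mixing and no disinfection
of already-infected hosts. All parameter values are assumptions chosen
for illustration, not measurements of Code Red.
"""
import math


def simulate(seed, population, beta, patch_rate, steps):
    """Return the infected-host count at each step.

    seed        -- hosts infected at step 0 (one mis-clocked machine: 1)
    population  -- total hosts in the scanned space; all but the seed
                   start vulnerable (assumption)
    beta        -- successful infections per infected host per step when
                   the whole population is still vulnerable
    patch_rate  -- fraction of still-vulnerable hosts patched each step
    """
    infected = float(seed)
    susceptible = float(population - seed)
    history = [infected]
    for _ in range(steps):
        # Random scanning: a scan lands on a vulnerable host with
        # probability susceptible/population, so new infections scale
        # with both the infected and the vulnerable counts.
        new_infections = min(susceptible, beta * infected * susceptible / population)
        susceptible -= new_infections
        # Defenders patch a fraction of what is left, taking those hosts
        # out of the pool for good.
        susceptible -= patch_rate * susceptible
        infected += new_infections
        history.append(infected)
    return history


def steps_to_reach(history, threshold):
    """First step at which infected >= threshold, or None if never reached."""
    for step, count in enumerate(history):
        if count >= threshold:
            return step
    return None


def predicted_seed_delay(small_seed, large_seed, beta):
    """Head start, in steps, that a larger seed buys while growth is still
    exponential: early on each step multiplies the count by (1 + beta),
    so the gap is log(large/small) / log(1 + beta)."""
    return math.log(large_seed / small_seed) / math.log(1 + beta)


def compare(population=1_000_000, beta=1.0, steps=40):
    """Run the three scenarios the argument turns on and summarise them."""
    one_seed = simulate(1, population, beta, 0.0, steps)
    big_seed = simulate(1000, population, beta, 0.0, steps)
    patched = simulate(1, population, beta, 0.5, steps)
    half = population / 2
    return {
        "steps_to_half_from_one": steps_to_reach(one_seed, half),
        "steps_to_half_from_1000": steps_to_reach(big_seed, half),
        "predicted_delay": predicted_seed_delay(1, 1000, beta),
        "final_unpatched": one_seed[-1],
        "final_patched": patched[-1],
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
```

With these assumed parameters a single seed reaches half the population in 20 steps and a thousand seeds in 10, a gap matching the analytic log2(1000) of about ten steps: cutting the seed population buys time but does not by itself stop exponential growth. Patching half the remaining vulnerable hosts per step, by contrast, starves the outbreak at a handful of infections, because the worm's growth factor (1 + beta * susceptible/population) falls below any useful value as the vulnerable pool drains. Both halves of the dispute on the page are visible in the same model: the curve is exponential on a log axis for as long as there is something left to infect, and how long that lasts is governed by patching.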

No, he's been far too busy to use his head: "This weekend I have been in dialog with eEye's Marc Maiffret, law enforcement agencies of the US government, NAI, cert.org, and others," Gibson informs us, bolstering that phony authority on which he trades so slickly.

"After finally making time to examine the Code Red worm code, I have been trying to assemble a picture of the next 23 days," he claims.

One wonders if he's even seen the Code Red worm code, much less 'examined' it. We wonder because he keeps telling us what others imagine it will and won't do next month.

Damned sockets

Naturally Gibson can't resist trying to persuade us that Code Red beefs up his absurd paranoia regarding Win-XP raw sockets. "Imagine if this powerful autonomous replication capability -- enhanced with Windows XP full raw sockets -- had gone out to the Windows XP audience -- as it almost did," he frets.

"Oh well, everyone knows I tried hard to prevent it," the Prophet finally sighs.

In fact, raw sockets have no relevance to this particular worm. I actually have examined it, and while I'm impressed by its compactness and power, and the speed with which it was hacked out, it's clear that the author wanted to know which machines it had infected. Packet spoofing would have frustrated that ambition perfectly. (Oh, and because the .IDA hole which the worm exploits yields system-level access, knowing which among thousands of boxes are infected is a whole lot nastier than any spoofed-packet flood could hope to be.)

I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself, has debunked Gibson at length before an ungrateful army of GRC patsies, agrees.

"[Gibson] contends Code Red would've been more effective if it used raw sockets. I contend it would've been less effective. The router/spoofing RFCs would've negated some of the zombies by refusing to let them push," Rosenberger says.

"Gibson is so overly paranoid about raw sockets that he can no longer see the obvious," he added.

It's interesting to note that Rosenberger's latest column exposes Gibson's utter fraudulence in the area of virus research -- in particular his prediction nine years ago that the "Dark Avenger Mutation Engine" was going to make all anti-virus software permanently ineffective.

It was, Stevarino assured us, going to spawn the Mother of all polymorphic viruses, because it involved "a sophisticated reversible encryption algorithm generator."

And that's why we all depend on Steve Gibson's genius. He, unique among mortal creatures, can understand such techno-superstitious gobbledygook. ®

Related Stories

Internet survives Code Red
IIS worm made to packet Whitehouse.gov
Steve Gibson really is off his rocker
Security geek developing WinXP raw socket exploit
MS security chief talks raw sockets with the Reg

Related Links

The relevant MS security bulletin
The Win-NT 4.0 patch
The Win-2K Pro and Advanced Server patch
