Subject: IP: Did download failures increase Code Red's success?: [risks] Risks Digest 21.54
>Date: Sun, 22 Jul 2001 18:43:09 -0700
>From: Scott Renfro <scott@renfro.org>
>Subject: Did download failures increase Code Red's success?
>
>  [For those of you who slept through it, the Code Red worm was intended to
>  attack the whitehouse.gov Web site at 5pm EDT on 19 Jul 2001. With
>  just-in-time reverse engineering, the code was discovered to contain the
>  target IP address, thus enabling the White House staff to reconfigure to
>  avoid the attack. (The attack clearly could have been more subtle.) It
>  is of course ironic that current efforts to outlaw reverse engineering
>  (DMCA, UCITA, etc.) could ban efforts to stave off this and other attacks!
>  The relevant CERT advisory is at
>  http://www.cert.org/advisories/CA-2001-19.html pointing out that Code Red
>  exploited a vulnerability noted earlier in CA-2001-13. YABO: Yet Another
>  Buffer Overflow, aimed at Microsoft IIS servers. PGN]
>
>On the morning of 19 Jul 2001, I notified a small company (whom I sometimes
>advise since they have no dedicated IT staff) of the then-latest Microsoft
>advisory. An hour later, they proudly replied, reporting success and noting
>that this hot fix was much easier to apply than most -- especially since
>this one didn't force a reboot.
>
>Suspicious that they hadn't really applied the hot fix, I downloaded a
>separate copy of the hot fix using Internet Explorer and sent it to them
>via e-mail. This time they replied that the attachment I sent resulted
>in an error message: ''not a valid Windows NT application.''
>
>I soon realized that the connections were terminating prior to
>completion and Internet Explorer was not reporting the failures. In the
>user's mind, silence was equivalent to success.
>
>We were able to successfully download the hot fix using wget on FreeBSD,
>which restarted the transfer four times due to reset connections -- each
>time picking up where it had previously left off. The company's server
>was soon patched, and they have had no problems with the Code Red worm.
>
>I've confirmed that Internet Explorer 5.0 on Win2k reports no failures
>in (at least) the following situations:
>
>  - When the user has selected 'Run this program from its current
>    location' and the connection is prematurely reset, the download
>    dialog silently disappears. This is the same visual behavior as a
>    program that was successfully transferred and completed execution
>    without pausing for user input.
>
>  - When the user has selected 'Save this program to disk' and the
>    connection is closed normally but prematurely (i.e., before the
>    number of bytes specified in the Content-Length header were
>    received), the total file size is silently changed. For example,
>    during the download, the dialog displays:
>      Estimated time left: 2 sec (87.2 KB of 236 KB copied)
>    but once the connection has closed, the dialog changes to:
>      Downloaded: 180 KB in 1 sec
>
>An error does result in the inverse of these situations (i.e., when running
>a program where the connection is closed normally but prematurely or when
>saving a program where the connection is reset).
>
>One wonders how many naive admins thought they *had* installed the hot fix,
>but ended up with a truncated download and a Code Red worm infestation
>instead.
>
>P.S. As of 22 Jul 2001, transfers from mssjus.www.conxion.com (to which
>download.microsoft.com at least sometimes redirects) still result in
>frequent resets from some networks.

For archives see: http://www.interesting-people.org/
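The two failure modes Scott describes (a normal close before the number of bytes promised in Content-Length arrived, and a connection reset) are what a download client has to detect rather than swallow. The following Python example is added here and is not part of the original post: it parses a constructed HTTP response, compares the body actually received with Content-Length, and builds the Range request that a resuming client such as wget sends to pick up where it left off. The host, path and sample response are made up.

```python
"""Detect truncated HTTP downloads by checking received bytes against Content-Length."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DownloadResult:
    status: str             # "complete", "truncated", "reset" or "unverifiable"
    received: int           # body bytes actually received
    expected: Optional[int] # Content-Length, if the server sent one


def parse_response(raw: bytes, connection_reset: bool = False) -> DownloadResult:
    """Decide whether the body of a raw HTTP/1.x response is complete.

    raw: everything received from the server before the connection ended.
    connection_reset: True if the socket ended with a TCP reset (the caller
    learns this from a ConnectionResetError) rather than a normal close.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # connection ended before the headers were even complete
        return DownloadResult("truncated", 0, None)
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    expected = int(headers[b"content-length"]) if b"content-length" in headers else None
    received = len(body)
    if connection_reset:
        return DownloadResult("reset", received, expected)
    if expected is None:  # no length to check against: silence is not success
        return DownloadResult("unverifiable", received, None)
    if received < expected:
        return DownloadResult("truncated", received, expected)
    return DownloadResult("complete", received, expected)


def resume_request(path: str, host: str, already: int) -> bytes:
    """Build the request for the remainder of the file, as a resuming client does."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Range: bytes={already}-\r\nConnection: close\r\n\r\n").encode()


# Constructed sample: the server advertises 236 bytes but closes after 180,
# mirroring the "236 KB expected, 180 KB downloaded" dialog in the post.
FULL_BODY = bytes(range(236))
SAMPLE_TRUNCATED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                    b"Content-Length: 236\r\n\r\n" + FULL_BODY[:180])
SAMPLE_COMPLETE = b"HTTP/1.1 200 OK\r\nContent-Length: 236\r\n\r\n" + FULL_BODY

if __name__ == "__main__":
    result = parse_response(SAMPLE_TRUNCATED)
    print(result)
    if result.status in ("truncated", "reset"):
        print(resume_request("/hotfix.exe", "example.invalid", result.received).decode())
```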