Code Red 'was never a threat'

[InfoSec News <isn () c4i org>]

http://news.bbc.co.uk/hi/english/sci/tech/newsid_1470000/1470246.stm

2 August, 2001

By BBC News Online technology correspondent Mark Ward 

The Code Red virus was never a danger to the internet, despite
predictions to the contrary by the FBI and security experts.

The disruption of the net initially blamed on the worm was actually
caused by a Baltimore tunnel fire, which melted key net cables and
left many web companies struggling to swap data.

Net monitoring firm Keynote said analysis showed that even when Code
Red was at its most rampant last month it had almost no effect on net
traffic.

Now, anti-virus companies are worrying that the hype could mean people
become complacent and do nothing about the continuing security
problems plaguing the net.

By 1500 GMT on Thursday, the worm had infected 244,727 computers,
though it had caused no noticeable disruption to the internet. Any
potential threat appears to be tailing off as the rate of infection
has slowed down.

Train crash not net crash

A coincidence is to blame for all the hype and horror associated with
the Code Red worm.

On 18 July, just as Code Red was starting to scan for vulnerable web
servers, a CSX train carrying hazardous materials was derailed in the
Howard Street tunnel in Baltimore, US.

The derailment and subsequent fire severed cables running through the
tunnel used by seven of the biggest net service providers to swap
data.

These companies started reporting disruption to the usual running of
the net just as Code Red was hitting its stride, leading many people
to assume that the worm was doing the damage.

Analysis by Keynote has shown that even at its height, Code Red posed
no threat to the running of the net.

Train spike

"The 19 July Internet Slowdown was not due to the worm," it said
bluntly in a statement.

"There was no exponential ramp-up of performance degradation during
the day or preceding days that would have coincided with the
proliferation of the worm," it added, "but a sudden spike in
performance that coincided with the time of the train wreck."

Similarly, when the worm started scanning again on Wednesday, it did
not disrupt the working of the internet.

"We see no significant performance changes on either high or low
bandwidth connections, or internationally," said Keynote.

Now that the dust is settling some anti-virus and security companies
are worrying that the unfulfilled predictions of doom will harm
efforts to make the net harder to compromise.

Hype not havoc

"There's been more hype than havoc," said Graham Cluley, of anti-virus
company Sophos.

"There will be some people that did not patch themselves earlier and
say now they do not have to bother."

The blame for the hype has been laid squarely at the door of the US
National Infrastructure Protection Centre which, said Mr Cluley, had a
history of making predictions that had not come true.

In the past, the NIPC has wrongly predicted that the Y2K bug would be
followed by a wave of destructive viruses.

In May, it said that Chinese hackers were about to wreak havoc on US
websites - again, a prediction that did not come true.

'Ineffective' agency

In May, the US General Accounting Office issued a report that
concluded the NIPC was "ineffective" when it came to protecting the US
against virus and hacking outbreaks and did a poor job of prosecuting
hackers.

David L Smith, the self-confessed author of the Melissa virus, was
caught with the help of the NIPC in December 1999. He has pleaded
guilty but has yet to be sentenced.

Last month, a US Senate panel criticised the NIPC and said it had not
got any better at its job since the GAO report was issued.

But, said Mr Cluley, just because the Code Red worm had not wrought
havoc people should not assume that there was no danger and they
should not do more to protect web servers and their home computers.

"There is still a big problem to be solved," he said.

Figures collected by the Computer Emergency Response Team (Cert),
which monitors threats to the internet, show how attacks on the web
are escalating.

In the whole of 2000, Cert issued warnings about 1,090
vulnerabilities, yet in the first six months of 2001 it has already
seen evidence for 1, 151 vulnerabilities.


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.