Information Security News mailing list archives

FBI under fire for Code Red response


From: InfoSec News <isn () c4i org>
Date: Fri, 7 Sep 2001 02:02:18 -0500 (CDT)

http://www.zdnet.com/zdnn/stories/news/0,4586,5096693,00.html?chkpt=zdnn_nbs_hl

By Wendy McAuliffe
ZDNet (UK) 
September 6, 2001 12:05 PM PT
 
LONDON--The security company that discovered the software hole
exploited by the Code Red worm has launched an attack on the FBI for
its reluctance to publicize the flaw.

The self-propagating worm infected an estimated 975,000 servers in
July and August 2001. But representatives of eEye Digital Security,
which discovered the flaw in Microsoft's Internet Information Server
(IIS) exploited by the worm, say the FBI should have been more
proactive in warning people about a "test" version of the worm to
which it was alerted in April.

"Had the FBI been more vigilant in its warnings, Code Red would have
had less of an impact than it did," said Mark Jones, U.K. manager of
eEye Digital.

FBI representatives could not immediately be reached for comment.

The FBI's National Infrastructure Protection Center (NIPC) had
received earlier reports of a Code Red-like worm that exploited a
buffer overflow vulnerability in Microsoft IIS 4. It is now thought
that this was a test version, since the more virulent Code Red was
adapted to target a similar hole in the more widely used IIS 5
servers.

In a buffer overflow, an attacker floods a field, typically an address
bar, with more characters than it can accommodate. In some cases the
excess characters are run as executable code, effectively giving the
attacker control of the computer without being constrained by its
security measures.

The earlier worm also propagated in a manner similar to Code Red, by
infecting a random list of Internet addresses and then resetting
itself to attack the same machines again.

"The mechanism that the initial worm used to spread was exactly the
same mechanism that was used by Code Red," Jones said. "If we had had
access to the methodology used in the previous worm, we would have
been able to decode Code Red sooner."

According to eEye, six days were lost investigating Code Red as a
result of the delay.

Sandia National Laboratories spotted the initial worm on its systems
in February, March and May 2001. It handed over complete logs of the
worm's activity, as well as a copy of the malicious code, to the NIPC in
April, but the FBI ignored the warnings. The FBI said it decided against
publicizing the worm on the basis that the Computer Emergency Response
Team at Carnegie Mellon University had already posted a report of the
vulnerability when it was first detected in June 1999.

"It is key that the NIPC didn't publicize how the worm's methods were
proliferating across machines," Jones said.

It is suspected that the two worms were written by the same person,
but eEye would not confirm this without a full investigation into the
matter.
