
Re: [cobalt-users] Code Red variations



From: "Carrie Bartkowiak" <ravencarrie@xxxxxxxx>

> This really is the best one I've ever seen, I think. Not in the fact
> that it's hard to patch (which it isn't), but in how crafty it is in
> creating a replicating army to effectively send a DoS all over the
> world - and the responses from it just adding to that DoS.

I don't think this worm is particularly more crafty than any others that
I've seen. I do know that the guy who wrote it made a serious blunder - s/he
used one IP for www.whitehouse.gov instead of targeting the domain name
itself. In so doing, s/he neglected the other IP that the White House web
site uses. The web site admins simply deactivated the targeted IP and
www.whitehouse.gov continued to function normally through the length of the
DoS storm.

The reason that this particular worm is so effective is that Bill Gates has
made it so stinking easy to install a web server that every Tom, Dick and
Harry on cable thinks that they can do it all themselves. Because most of
these newbies haven't the foggiest idea about security, they are easy
targets. Case in point - the patch for this vulnerability has been out since
May, and yet there were over 300,000 systems infected with this worm.
Frankly, it might not be a bad idea to start blacklisting these hosts, as
they are obviously insecure, are run by poor administrators, and are
therefore a potential security threat (hmm... ORBS mentality?).

Because Unix systems are harder to learn, the people running them are
usually more technically savvy than the people running Windows servers.
Thus, while Unix systems suffer from just as many, if not more, of these
types of vulnerabilities, you don't often see widespread outbreaks like Code
Red infecting Unix systems.

All that to say... It's not the designer's cleverness that has made this
worm so effective. Rather, it's the ineptitude of web site administrators
who have created this mess.

Kevin