Microsoft update en Code Red worm

Op zaterdag 21 juli 2001 18:44 schreef MORA het volgende:

[..]

Nogmaals: ik had die topic over de gehackte MSN site niet gelezen. Maar hier gaat het niet om zomaar een geïnvecteerde site, maar om de Microsoft Update site; de bron voor de systeempatches die nodig waren om dit gat te dichten. Dat lijkt me toch wel een klein nuanceverschil!

compleet juist ! mijn excuses.

(Het is ook relevant in bredere zin, want Microsoft schreeuwt al maanden van de daken dat Windows XP het meest veilige OS ooit gaat worden. Toch was ook Windows XP (in beta-versie) niet immuun voor deze worm! Dat Microsoft's eigen servers nu het slachtoffer van deze aanval zijn geworden is wat dat betreft niet echt hoopgevend. Zeer ironisch, als je het mij vraagt.)

ja , maar daarom heb ik dus ook niets tegen h*****n ( zie sig ) zo zie je dat er dus weer grote fouten kunnen ontstaan zelfs onder de meest toonaangevenden onder ons .
wees blij dat het op deze manier gebeurt en niet verder wordt uitgebuit .


_[edit]
Het is trouwens niet alleen ironisch, maar ook zorgwekkend. Hoeveel gegevens durf jij straks op te slaan op een Microsoft server, in het kader van .NET?
^[/edit]

ik sla sowiezo nix op een micr#$&@ server op daar gebruik ik een andere os voor .

Explanation

As stated earlier the .ida "Code Red" worm is spreading throughout IIS Web servers on the Internet via the .ida buffer-overflow attack that was published last month.

The following are the steps that the worm takes once it has infected a vulnerable Web server:

1.Setup initial worm environment on infected system.
2.Setup 100 threads of the worm.
3.Use the first 99 threads to spread the worm (infect other Web servers).
The worm spreads itself by creating a sequence of random IP addresses. However, the worm's list of IP addresses to attack is not all together random. In
fact, there seems to be a static seed (a beginning IP address that is always the same) that the worm uses when generating new IP addresses. Therefore
every computer infected by this worm is going to go through the same list of "random" IP addresses.
Because of this feature, the worm will end up re-infecting the same systems multiple times, and traffic will cross traffic back and forth between hosts
ultimately creating a denial-of-service type effect. The denial-of-service will be due to the amount of data being transferred between all of the IP addresses
in the sequence of random IP addresses.
The worm could have done truly random IP generation and that would have allowed it to infect many more systems much faster. We are not sure why this
was not done, but a friend of ours did pose an interesting idea: If the person who wrote this worm owned an IP address that was one of the first hundred or
thousand to be scanned, then they could setup a "sniffer" and anytime and IP address tried to connect to port 80 on their server they would get
confirmation that the IP address that connected to them was infected with the worm.
With this knowledge, they would be able to create a list of the majority of systems that were infected by this worm.
4.The 100th thread checks to see if it is running on an English (US) Windows NT/2000 system.
If the infected system is found to be a English (US) system, the worm will proceed to deface the infected system's website. The local Web server's Web
page will be changed to a message that says: "Welcome to http://www.worm.com!, Hacked By Chinese!". This hacked Web page message will stay
"live" on the Web server for 10 hours and then disappear. The message will not appear again unless the system is re-infected by another computer.
If the system is not an English (US) Windows NT/2000 system, the 100th worm thread is also used to infect other systems.
5.Each worm thread checks for c:\notworm.
If the file c:\notworm is found, the worm goes dormant.
If the file is not found, each thread will continue to attempt to infect more systems.
6.Each worm thread checks the infected computer's system time.
If the date is past the 20th of the month (GMT), the thread will stop searching for systems to infect and will instead attack www.whitehouse.gov. The
attack consists of the infected system sending 100k bytes of data (1 byte at a time + 40 bytes overheard for the actually TCP/IP packet) to port 80 of
www.whitehouse.gov.
This flood of data (410 megabytes of data every 4 and a half hours per instance of the worm) would potentially amount to a denial-of- service attack against
www.whitehouse.gov.
If the date is between the 1st and the 19th of the month, this worm thread will not attack www.whitehouse.gov and will continue to try to find and infect
new Web servers.