"It could even have been the U.S. government," cautions Larry Leibrock, a leading American researcher in computer forensics and a professor at the University of Texas at Austin. "Perhaps they wanted to show how precarious our situation is."
Distributed Hacker Attack
Worms are the nightmare of the Internet. The first one, the 1988 Morris worm, crashed the infant Net. Since then, however, no worm has managed to take down a major portion of the Internet, including (so far) Code Red. So why do many researchers say Code Red is an omen of troubles far worse than those caused by Melissa, or the worm du jour, SirCam? (These prior invaders took over Windows computers and sent out enough junk messages to crash e-mail servers around the world. SirCam also sends out attached files chosen at random from the victim computer.)
For one thing, Code Red, unlike many earlier worms, did not require user interaction. But that is hardly its most worrying feature. The greater danger was the bandwidth (data transmission capacity) Code Red consumed during its July peak. "In cyberwarfare, bandwidth is a weapon," says Greggory Peck, a senior security engineer for FC Business Systems in Springfield, Va., which works to defend U.S. government clients against computer crime.
In a bandwidth attack, a control computer will command many zombies to throw garbage traffic at a victim in an attempt to use up all available bandwidth. As noted, this approach is known as a distributed denial of service attack. This sort of assault first made the news last year when DDOS attacks laid Yahoo, eBay and other top dot-coms low. More recently, during the cyberwar between the U.S. and China, some 1,400 American sites were shut down when they were overwhelmed in this manner.
As previously mentioned, these DDOS incidents mustered only hundreds to, at most, thousands of zombies because attackers had to break into each prospective zombie by hand. Code Red, being a worm, spreads automatically, and exponentially. This fact provides it with hundreds of times more zombies and hence hundreds of times the ability to saturate all available Internet bandwidth rapidly.
The nasty thing about a bandwidth attack is that there is no easy solution. A fiber-optic cable can carry only so much signal. Saturate it and the only solution is to cut off the incoming signal flow. Until the zombies can be located and disarmed, normal Internet traffic must be discarded along with the junk.
The Code Red assault was just a taste of what a concerted cyberwar could become, writes Stuart Staniford, president of Silicon Defense of Eureka, Calif. If zombie computers "had a long target list, and a control mechanism to allow dynamic retargeting, [they] could have DDOSed ones used to map addresses to contact information, the ones used to distribute patches, the ones belonging to companies that analyze worms or distribute incident response information.... Code Red illustrates that it's not much harder for a worm to get *all* the vulnerable systems than it is to get some of them. It just has to spread fast enough."
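As an added illustration (not code from the article or from Silicon Defense), a minimal logistic model of the exponential spread Staniford describes, extended with a patching rate to show how fast defenders must locate and clean zombies before the worm outruns them. The address space, vulnerable-host count and per-host scan rate are assumed values chosen for the demonstration, not measurements of Code Red.

```python
# Added illustration, not from the article. Random-scanning worm model:
# each infected host probes SCAN_RATE random addresses per second in the
# 2^32 IPv4 space; a probe landing on a still-vulnerable host infects it.
ADDRESS_SPACE = 2 ** 32
VULNERABLE_HOSTS = 360_000   # assumed population of unpatched servers
SCAN_RATE = 10.0             # assumed probes per second per infected host
HOUR = 3600.0


def simulate(vulnerable=VULNERABLE_HOSTS, scan_rate=SCAN_RATE,
             patch_rate=0.0, initial=1, dt=1.0, horizon=24 * HOUR):
    """Step the model in dt-second increments; return (time, infected) pairs.

    patch_rate is the fraction of infected hosts located and cleaned per
    second; a cleaned host counts as patched and cannot be re-infected.
    """
    infected = float(initial)
    susceptible = float(vulnerable - initial)
    samples = [(0.0, infected)]
    t = 0.0
    while t < horizon:
        # Expected new infections this step: probes sent times the chance
        # that a probe hits a vulnerable, not-yet-infected address.
        new = infected * scan_rate * dt * susceptible / ADDRESS_SPACE
        new = min(new, susceptible)
        cleaned = infected * patch_rate * dt
        infected += new - cleaned
        susceptible -= new
        t += dt
        samples.append((t, infected))
    return samples


def time_to_fraction(samples, vulnerable, fraction):
    """Seconds until infections first reach fraction * vulnerable, else None."""
    for t, infected in samples:
        if infected >= fraction * vulnerable:
            return t
    return None


def growth_rate(vulnerable=VULNERABLE_HOSTS, scan_rate=SCAN_RATE):
    """Initial exponential growth rate per second; cleanup must beat it."""
    return scan_rate * vulnerable / ADDRESS_SPACE


if __name__ == "__main__":
    t90 = time_to_fraction(simulate(), VULNERABLE_HOSTS, 0.9)
    print("hours to infect 90%% of hosts: %.1f" % (t90 / HOUR))
    held = simulate(patch_rate=2 * growth_rate())
    print("peak zombies when cleanup outpaces spread: %.0f" % max(i for _, i in held))
```

Halving the scan rate roughly doubles the time to saturation, while a cleanup rate above the initial growth rate keeps the infection from ever taking off, which is the race the article describes.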
Code Red already offers deadly leverage for nefarious operators, according to Marc Maiffret, who bills himself as "chief hacking officer" of eEye. "The way the worm is written, it could allow online vandals to build a list of infected systems and later take control of them."
Get enough zombies attacking enough targets, and the entire Internet could become unusable. Even the normal mechanisms for repairing it (downloads of instructions and programs to fix zombies, and the power to shut off rogue network elements) could become infeasible. In addition, hackers constantly publicize new ways to break into computers that could be used by new worms. A determined attacker could throw one devastating worm after another into the Internet every time it struggles back, overpowering it.
What would be the consequences of such an onslaught? Well, we're looking at something far worse than not being able to shop on eBay.