Had the attack lasted for more than an hour and affected more machines, the hackers may well have crashed the DNS serversand the Internet with them. By several accounts, it was one of the most sophisticated cyber-attacks yet. What is certain is that this assaultnow under investigation by the FBI and the White Houseprobably wont be the last. Hackers aside, DNS servers make attractive targets for terrorists, warns President Bushs cyber-security advisor Richard Clarke.
Little more than a year ago, the Code Red worm tried to bring down the Net in a similar DDoS attack. Hacker Carolyn Meinel dissected the worms ways for Scientific American and explained how a more successful DDoS attack in the future might possibly bring manufacturing to a halt, wipe out bank records, interrupt telephone service and much worse. That story follows. the Editors
"Imagine a cold that kills. It spreads rapidly and indiscriminately through droplets in the air, and you think you're absolutely healthy until you begin to sneeze. Your only protection is complete, impossible isolation," says Jane Jorgensen, principal scientist at Information Extraction & Transport, Inc., of Arlington, Va. Jorgensen researches Internet epidemiology for the Defense Advanced Research Projects Agency (DARPA).
A Web version of this disease scenario has arisen over the past two weeks that has computer security researchers more frightened than ever before. Theyre worried about Code Red, a new Internet worm that infects the Microsoft Internet Information Server (IIS). Many of the most popular Web sites run on IIS. Code Red conducts a "distributed denial of service" (DDOS) attack, in which the invading agent overwhelms a Web site by directing computers to deluge it with spurious connections.
Chillingly, the recent Code Red attack may be a forewarning of similar but much more virulent Internet infections in days to come, researchers say. And future covert assaults on your own PC could force it to become an unknown hackers unwitting pawnin the lingo, a "zombie"in the next round of computerized carnage.
Although previous Internet plagues brought about by the Melissa and I Love You bugs infected millions of computers, they caused only rather minor damage to each host. And whereas previous DDOS attacks infected hundreds or perhaps a few thousand computers, the current Code Red version 2 (CRv2) worm successfully invaded hundreds of thousands of machines in just a few hours. Had the Code Red vector been a bit more sophisticated, it could have caused real trouble for businesses and nations in the developed world, say the experts. Further, if an attack like this occurs a few years hence, when public, commercial and governmental reliance on the Internet will have grown exponentially, the results could be truly disastrous.
Though popularly called viruses, Code Red and many of its notorious predecessors are technically considered worms. A virus must incorporate itself into another program to run and replicate. In contrast, a worm is a self-replicating, self-contained program.
Two Days in the Life of a Worm
"On July 19, 2001, more than 359,000 computers were infected with the Code Red worm in less than 14 hours," says David Moore of the Cooperative Association for Internet Analysis. "At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute." Forty-three percent of all infected hosts were in the U.S., he adds. The traffic jam generated by so many computers attempting to co-opt other machines began to overload the capacity of the Net in the U.S. By midafternoon that day, the Global Internet Storm Center at incidents.orgthe computer security industrys watchdog for Internet healthwas reporting orange alert status, one step below its most dire condition, red alert, which signals total meltdown.
Then, at midnight, all Code Red zombies quit searching for new victims. Instead the horde of enthralled computers all focused on flooding one of the servers that hosts the White House Web site with junk connectionsthreatening its shutdown. "The White House essentially turned off one of its two DNS servers, saying that any requests to whitehouse.gov should be rerouted to the other server," says Jimmy Kuo, a Network Associatess McAfee fellow who assisted the White House in finding a solution ("White House Dodges Massive Ddos," Shawna Mcalearney, Security Wire Digest, Vol. 3, No. 58, July 26, 2001). Luckily, Code Red couldnt cope with the newly altered address and waged war on the inactive site. "The public didnt notice anything because any requests went to the other server," Kuo says.
By the end of Friday, July 20, all Code Red had directed all of its remotely controlled thralls to go to sleep. But that might not be the end of the onslaught, for the zombies are expected to reawaken on Wednesday, August 1, and start causing havoc once more. "We believe the worm will begin propagating again on August 1, 2001, 0:00 GMT," warns the Computer Emergency Response Team (CERT) at Carnegie Mellon University, a federally funded Web watchdog organization. "Because the worm propagates very quickly, it is likely that nearly all vulnerable systems will be compromised by August 2." Fearing that occurrence, Web security volunteers are now sorting through logs to identify the infected parties, contacting their owners and providing instructions for how to release them from their secret spell.
If the hundreds of thousands of Code Red zombies can be fixed, is the problem solved? Maybe not. Code Red spread by taking advantage of a "hole," or weakness in the security system, of Microsofts IIS. Estimates by Netcraft, an Internet consultancy based in Bath, England (http://netcraft.com), indicate that some 20 percent of all Internet Web servers run on IIS. As that site tracks some 28 million Web sites, the implication is that there are at least four million vulnerable IIS servers out there. A computer infected by Code Red uses a "GET" command (what you normally type into the location window of your Web browser) to inject an infected file into every Web server it finds. If the target server was running the vulnerable IIS, Code Red successfully zombified the victim. (Because home computers typically use the Microsoft Personal Web Server, most users are safe from Code Red.)
The first version of Code Red (CRv1) spread slowly, taking over only some 10,000 servers before it was discovered on July 17. Each CRv1 zombie hosting an English language Web site defaced it with the message: "Hacked by Chinese." This announcement, however, should not necessarily be taken at face value. The message suggests that Code Red may have been yet another outbreak of the U.S. vs. China hacker war that broke out after the April 1 collision between an American spy plane and a Chinese fighter.
According to the official Chinese publication Peoples Daily, "Soon after the mid-air collision was an all-out offensive on Chinese websites by U.S. hackers.... By the end of April over 600 Chinese websites had come under fire or totally broke down.... Many hackers organizations known as China Honkers Union and Hackers Union of China promptly responded in an all-out cyberwar against their U.S. counterparts May 1 to 7." Clearly Peoples Daily was eager for China to take credit for attacks through May 7. But it has been silent on Code Red.
"It could even have been the U.S. government," cautions Larry Leibrock, a leading American researcher in computer forensics and a professor at the University of Texas at Austin. "Perhaps they wanted to show how precarious our situation is."
Distributed Hacker Attack
Worms are the nightmare of the Internet. The first one, the 1988 Morris worm, crashed the infant Net. Since then, however, no worm has managed to take down a major portion of the Internet, including (so far) Code Red. So why do many researchers say Code Red is an omen of troubles far worse than those caused by Melissa, or the worm du jour, SirCam? (These prior invaders took over Windows computers and sent out enough junk messages to crash e-mail servers around the world. SirCam also sends out attached files chosen at random from the victim computer.)
For one thing, Code Red, unlike many earlier worms, did not require user interaction. But that is hardly its most worrying feature. The greater danger was the bandwidth (data transmission capacity) Code Red consumed during its July peak. "In cyberwarfare, bandwidth is a weapon," says Greggory Peck, a senior security engineer for FC Business Systems in Springfield, Va., which works to defend U.S. government clients against computer crime.
In a bandwidth attack, a control computer will command many zombies to throw garbage traffic at a victim in an attempt to use up all available bandwidth. As noted, this approach is known as a distributed denial of service attack. This sort of assault first made the news last year when DDOS attacks laid Yahoo, Ebay and other top dot-coms low. More recently, during the recent cyberwar between the U.S. and China some 1,400 American sites were shut down when they were overwhelmed in this manner.
As previously mentioned, these DDOS incidents mustered only hundreds to, at most, thousands of zombies because attackers had to break into each prospective zombie by hand. Code Red, being a worm, spreads automaticallyand exponentially. This fact provides it with hundreds of times more zombies and hence hundreds of times the ability to saturate all available Internet bandwidth rapidly.
The nasty thing about a bandwidth attack is that there is no easy solution. A fiber-optic cable can carry only so much signal. Saturate it and the only solution is to cut off the incoming signal flow. Until the zombies can be located and disarmed, normal Internet traffic must be discarded along with the junk.
The Code Red assault was just a taste of what a concerted cyberwar could become, writes Stuart Staniford, president of Silicon Defense of Eureka, Calif. If zombie computers "had a long target list, and a control mechanism to allow dynamic retargeting, [they] could have DDOSed ones used to map addresses to contact information, the ones used to distribute patches, the ones belonging to companies that analyze worms or distribute incident response information.... Code Red illustrates that its not much harder for a worm to get *all* the vulnerable systems than it is to get some of them. It just has to spread fast enough."
Code Red already offers a deadly leverage for nefarious operators, according to Marc Maiffret, who bills himself as "chief hacking officer" of eEye. "The way the worm is written, it could allow online vandals to build a list of infected systems and later take control of them."
Get enough zombies attacking enough targets, and the entire Internet could become unusable. Even the normal mechanisms for repairing itdownloads of instructions and programs to fix zombies and the power to shut off rogue network elementscould become infeasible. In addition, hackers constantly publicize new ways to break into computers that could be used by new worms. A determined attacker could throw one devastating worm after another into the Internet every time it struggles back, overpowering it.
What would be the consequences of such an onslaught? Well, were looking at something far worse than not being able to shop on Ebay.
Today many businesses use the Internet to order parts and arrange shipments. Failure of the Internet would break down "just-in-time" manufacturing, in which parts reach the production line within a day or two to save money. Shut down the Internet and most of the manufacturing industry in the developed world would grind to a halt. Many retail stores also rely on the Net to keep their shelves stocked. Within days, shelves will be emptying.
By then you may not be able to use your checkbook or ATM card as well. "Banks are saving a hell of a lot of money" by using the Internet nowadays instead of dedicated lines, states Winn Schwartau, author of Information Warfare. In a world where a small change in the Federal Reserve Banks prime interest rate sends shock waves through Wall Street, a weeks disruption in global manufacturing, distribution and banking could create economic chaos.
What about the telephone system? Many phones will still work if the Internet crashes, experts say, but a few years from now, we may be in for big trouble. Internet telephony started as a way for geek hobbyists to get free long distance phone calls. Today, however, many phone calls that originate from an ordinary phone travel part of the way over the public Internet. If this trend continues, within a few years an Internet crash could take the entire phone system with it.
Meanwhile unclassified communications of the U.S. armed services go through NIPRNET (Non-Secure Internet Protocol Router Network), which uses public Internet communications. Peck says the Department of Defense is now "immensely dependent" on NIPRNET.
At the moment, the Computer Emergency Response Team is begging computer professionals to get the word out to home users to check for zombies. Says Peck: thats because our worst Internet nightmare is the grandma who uses her DSL to shop on Ebay. Many home users have lots of bandwidth. That translates into lots of junk that a home zombie can pump into the Internet.
Unfortunately, few home users are rushing to eradicate their zombies. A zombie computer can wait for years without ever doing anything to bother its user. Its a time bomb waiting to explode. Worse yet, seemingly innocent programs may hide zombies. "If theres no reason to gripe about it, no ones going to take a generic file and see if it harbors malicious code," explains Mark Ludwig, author of the Little Black Book of Computer Viruses and the upcoming Little Black Book of Internet Viruses. "By the time it goes off, its too late."
"What Ive found particularly disquieting is how little public fuss theres been," says Richard E. Smith, a researcher with National Security Agency contractor, Secure Computing, Inc., of San Jose, Calif., and author of the upcoming book Authentication. "The general press has spun the story as being an unsuccessful attack on the White House as opposed to being a successful attack on several hundred thousand servers. Ha, ha. We dodged the bullet! A cynic might say this demonstrates how intrusion tolerant IIS isthe sites are all penetrated but arent disrupted enough to upset the owners or generate much press comment. The rest of us are waiting for the other shoe to drop."
Says Harlan Carvey: "The question for security enthusiasts and professionals alike is, how do we prepare for whats around the corner?"
Editors note: An earlier version of this story included a quoted speculation that eEye Digital Security might have been involved in the creation of the Code Red worm. EEye denies any such involvement. We apologize for including that inadequately supported statement in our report.
Look for a more in-depth analysis of this topic in the October 2001 issue of Scientific American.
Originally published online July 30, 2001.