Did the FBI ignore Code Red warning?

The Code Red threat seems to have finally halted its malicious crawl, but the security company that discovered the vulnerability that Code Red exploits says the swift-moving Internet worm might have been immobilized much sooner if not for U.S. federal agencies’ caution about publicizing security threats.

The worm hit more than 700,000 computers in July and August 2001, depositing a Trojan horse program on infected machines, which then simultaneously attacked a specific Internet Protocol address (initially, the White House Web site). The volume of messages slowed Internet traffic in general.

Now, details about an earlier Code Red-like worm that hit systems back in February 2001 are raising questions about the Federal Bureau of Investigation’s handling of computer virus outbreaks.

PCWorld.com has confirmed that a worm similar to Code Red appeared in February, March, and May 2001 on systems belonging to Sandia National Laboratories, a U.S. Department of Energy security research lab based in Livermore, Calif. and Albuquerque, N.M. The worm affected buffer overflow vulnerability in the .htr files of Microsoft Corp.’s IIS 4 servers; Code Red exploited a similar vulnerability in the .ida files of Microsoft IIS 5. The earlier worm propagated in a manner similar to Code Red, and it also targeted the White House Web site.

Familiar Intruder

“When we saw Code Red come around five months later, we realized it was different in the sense that it was going after IIS 5 servers and using a different overflow, but Code Red was obviously written by the same person as it was attacking the exact same addresses as the .htr worm attacked,” says Jim Toole, a network security administrator at Sandia.

Toole and Sandia colleague Jim Hutchins say the .htr worm they spotted in February failed to propagate successfully. It disappeared, but returned in March. They say they notified the Department of Energy’s Computer Incident Advisory Capability and the FBI, and gave them complete logs of the worm’s activity as well as a copy of the malicious code.

“Each time it happened we gave a heads-up to CIAC and the FBI,” Toole says. “We never heard anything back. We just make the reports; what they do with the info after that is up to them.”

Toole says the worm hit the same IP addresses at Sandia in all three of its attacks. Sandia’s computer system, however, is set up to trick malicious code into thinking it is propagating on the network, but it is safely contained and cannot propagate or infect other machines.

“But at the same time, the ‘network’ allows the worm to expose itself by letting it do what it’s supposed to do,” Toole adds. In other words, the intruder still releases its “exploit,” or malicious code.

Watching the Worm

Toole and Hutchins captured the exploit that the worm carried and released it on a test machine to see what would happen.

“As soon as we ran the exploit it started doing all of these Web requests to a very specific address – ww1.whitehouse.gov. Then it stopped after a while. Then it started doing more Web requests to random IP addresses that it was trying to reinfect,” Toole says. Two servers handle requests to the White House Web site: ww1.whitehouse.gov and ww2.whitehouse.gov, he adds. “The .htr worm exploit was directed to a specific server.”

Toole says the March attack came from the same five computers running Microsoft IIS 4 servers that attacked them in February; the machines also run Windows 2000. The .htr vulnerability the worm was trying to exploit was an old IIS 4 security hole announced by Microsoft back in June 1999. The vendor released a patch in July 1999.

The worm’s methods later proved similar to Code Red. Once the earlier worm had infected a random list of IP addresses, the worm reset itself to attack the same machines again.

Code Red Goes Public

When Code Red struck in July 2001, the Sandia system was among the first to be attacked.

“We saw it hitting our systems again on Thursday morning [July 12], before anyone else was noticing it,” Toole says. He and his colleagues were monitoring the activity remotely from the DefCon security conference they were attending in Las Vegas. By Friday morning, the e-mail security lists Toole subscribes to were full of discussions about the strange activity that network administrators were seeing on their systems.

That same day security company eEye Digital Security Inc. posted an announcement identifying the activity as a successful attempt to exploit an .ida vulnerability in IIS 5 that the company had discovered in June 2001.

“By then, we had already seen the worm about four times and we knew which five IP addresses it was going to go after first,” Toole adds. “By Sunday morning we were seeing 3200 attacks an hour from machines trying to run the exploit on our box. That’s a lot of attacks.”

His staff first assumed that it was the same author and the same code adapted for a different vulnerability. Why would the worm’s writer switch target systems? “Simple. A new vulnerability came out,” Toole says. “The number of IIS 4 servers out there is a lot less than the number of IIS 5 servers. So when the IIS 5 vulnerability was announced, it made sense for the author to adapt his worm for that. People assumed it was a new exploit and it was not.”

His suspicion of the earlier .htr worm: “It looked like someone was testing out a framework for spreading the worm.”