ElMondoHummus
0.25 short of being half-witted
Oh, good Lord...
"all versions of CodeRed attacked IIS" - true
"There wasn't anything about that August version of the worm that was specific to "remote control of systems employing IIS"." - demonstrably false
ISA Server can be used to prevent the spread of the Code Red worm and its current (as of August 24, 2001) variants (such as Code Red and Code Red II). This has not been tested against the new Code Red.d variant. Microsoft website late August, 2001
No. This is demonstrably true, and you have failed to comprehend how this worm functioned. You also fail to comprehend what I've been saying. All variants of Code Red, as well as many other worms - Sasser, Gaobot, sadmind, Blue Code, Nimda, etc. - attacked IIS and ALL of those opened up a product running IIS to remote control via some route of inserting and executing code. That's one of the two reasons I said there was nothing about the August version of the worm that was specific to remote control of systems employing IIS. You're describing a general behavior of not just that worm, but a whole entire class of IIS attacks. Ergo, that behavior is not specific to that variant of that worm.
The second reason I said that was because the code for CodeRed.d has been studied and is very, very well understood, and the ONLY modifications to it were 1. The IP address randomizer, and 2. A change in some of nonsense characters in the code in order to evade detection. You can verify this yourself. Go look up the various descriptions online; you can start at the CERT advisory page for the infection.
And why are you grasping at straws with your pulled quotes? The paragraph you took from Microsoft is discussing how to use their security gateway product - ISA (Internet Security and Acceleration) Server - to guard against propagation of this worm, and the rest of that article is nothing more than how to identify the specifics of such traffic.
"Just tried it in the lab to make sure, and upon popping the box with Code Red, no logs were created- no event logs, no IIS logs" August 18th, 2001
- Steve Friedl's Unixwiz.net Tech Tips Analysis of the new "Code Red II" Variant
The fact that there is no host logging from a CodeRed.d infection doesn't mean that traffic can be manipulated without notice. That's absurd. Like I said in my previous posts, the amount of traffic alone necessary to change the content would be noticeable, let alone the fact that you'd see differences in the content itself. Furthermore, host logging cannot change the fact that devices external to a compromised router - such as the ISA Server product you yourself mentioned above, as well as common intrusion detection systems - would also notice problems.
The only thing the quote you're using is saying is that there is no local host logging that results from a CodeRed infection. That's it. That's not the same as saying an infection goes unnoticed, let alone saying that traffic manipulation would never be spotted.
"The government seems to have done a good job of getting the word out and getting the patch in place,” he said.
The new worm, called variously Code Red II, CodeRed.C and Version 3, is not merely a new version of the worm.
It creates a Trojan copy of explorer.exe. When this is executed by Windows it brings up the real Explorer but disables file protection and opens a back door for the intruder.
Although it is simple to prevent the new worm from infecting a server, once it is infected the Trojan code is more difficult to get rid of than Code Red. The only effective way to disinfect a machine is to reformat the hard drive and reinstall a patched version of the operating system, Hale said. "
Son of Code Red is wilier
By William Jackson, GCN Staff
August 13, 2001
Again, the simple presence of an exploited vulnerability does not change the fact that traffic manipulation would be noticed. There's a difference between simply breaking in and actually doing something once you're in, let alone doing something to traffic flow without being noticed. Simply having control of a router does not change any of that.
Possible Kill Date Scenario:
"But this worm is a truly autonomous replicator without ANY MEANS for external control. I believe, therefore, that it is going to be with us for a LONG time. And, so long as SOME (even one) IIS server has an incorrect date, the worm will be "kept alive" through this overlapping of replication efforts. I don't know how we're ever going to get rid of it entirely.... a fully autonomous and ram resident worm like Code Red ...DOES have access to *ALL* of the native Application-level API in the machine."
Bruce Gibson
http://www.grc.com/codered/codered.htm
(*Facepalm*)
Ok, first of all, his name is Steve Gibson, not Bruce. Second of all, when you read his and every other security professional's concerns about CodeRed, it was the fact that its prevalence sucked up bandwidth and therefore created de facto denial of service issues. That is what worries him, and that is exemplified in the sentences you quote. Read his material instead of trying to mine it for what you think are scary sounding quotes about what Code Red can do. He's strictly speaking about its ability to suborn a system and create denial of service attacks. And that's all he's getting at.
I still think there was MUCH more to the last version of codered.d than we are prepared to address in this forum.
You think wrong. The code has been analyzed extensively, and Code Red does nothing more than insert arbitrary code into a system, modify the Windows registry, and try to replicate itself. The real scourge of infection is the fact that they can operate as a door through which malicious coders upload malicious code, and even if an infection goes that far, as I've said over and over, there's no way it would go unnoticed.
You've so far failed to acknowledge that your scenario falls flat at that point. Even if we grant you all the mumbo-jumbo about CodeRed that you ascribe to it - and just to be clear, we don't; you're off your rocker as to its capabilities - it still does nothing more than allow you to trojan a machine or router. You still have to upload code to modify traffic, and you still cannot modify it without being obvious.
There was no one in the Philippines who was charged with this event.
Yes, I know. That was my whole point in what I said.
To my knowledge, it and Nimda are the only worms written where the author has not been determined. (although the current round of Conficker is under investigation without any knowledge of its author...yet). Sasser, MyDoom, BlasterB, Melissa, Kournikova, Panda: the list of successful prosecutions appears, at least on a cursory look, to be all but complete.
I also find it curious that Scotland Yard was unwilling to prosecute the Leaves author or divulge their identity.
And again, this means what? Is there supposed to be some grand conspiracy to protect the author of the Code Red virus? I think you're trying to argue that it has to be deliberate coverup, when in fact it's nothing more than what I said earlier: It's damn near impossible to discover the origin of a virus on the net. Your attempts at counterexamples neglect the fact that in many of those cases, it wasn't internet logging or anything computing at all that led to the discovery of the creator but rather either stupidity or some external factor. The coder for Sasser was turned in by another teenager; he wasn't found by backtracking the source of infection. Blaster.b's "author" was a stupid "n00b" script kiddie who arranged for that virus to download code from a site he owned, thus making it ridiculously easy for people to track him. The Kournikova coder turned himself in. And to the best of my knowledge, Mydoom's author has never even been identified.
There is hardly a conspiracy to cover up exploit authors. Ones who are caught are exceptions, they're not the rule. Look through the news for stories about malicious coders that have been caught, then compare that to the number of infections that exist. You'll see that we're not even talking any more than single-digit percentages of coders who get caught. Your contention that there is something more to the nondiscovery of the CodeRed author than is immediately apparent is bunk. It's nothing more than the fact that origins are incredibly difficult to track.
As to what or whom or how?? I really have no thought. We are so far past the point at which forensics could be conducted. This is all conjecture. That the last incarnation or variant seemed to be a logless invisible entity; that Nimda appeared one week later and wreaked havoc through those machines infected with CodeRed - leaving any traces of purpose or proof lost forever.
Your first contention seems to be that there were no forensics conducted on Code Red's variants. This is demonstrably untrue. We know very well how the worm operated, and we know very well its effects. Furthermore, if your original contention about manipulating news traffic is still what you're trying to argue, then you would have had zero need to conduct forensic examinations on the computer systems themselves; all you would have had to do was have the authors/reporters of the stories verify that their articles or videos were intact and properly reflected what they wrote or recorded. Your identification of the lack of host based logging of such infections falls flat in the face of 1. Content never being identified as having been manipulated (point to any CNN, MSNBC, or any other source's story that's supposedly been tampered with), and 2. The fact that host based logging is not the only monitoring that would catch any such attempts at manipulation.
My point in suggesting this as a possible article of evidence was that it has the hallmarks of a true maleficent exploit. It seemed like the first versions were a public feint for the real mischief. Perhaps as the kind author above suggests, this is all and good for a spy novel.
It may seem like possible evidence for the uninformed, but anyone who's worked in IT during those years can tell you that what you allege is not what happened. As I said, even if we grant you all the powers you seem to think Code Red has, you still cannot modify the traffic without anyone noticing. Why is it that you fail to understand that point?
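An added illustration of the monitoring point argued in the post above; this is example code written for this page, not code from the thread or from any of the people quoted in it. The Friedl quote says an infected IIS host writes no event-log or IIS-log entry for the request that infected it, but the probes the worm then fires at other servers do land in those servers' and proxies' access logs, which is where a network-side check picks them up. The scanner below reads constructed sample log lines (the column layout, addresses and timestamps are made up for this example) and matches Code Red's publicly documented exploit request, a GET for /default.ida? followed by a long run of a single filler byte ('N' for the original Code Red, 'X' for Code Red II) and %u-encoded shellcode. The 100-character filler threshold is an assumption chosen for the example; the real requests carried a longer run.

```python
"""Scan web-server or proxy access logs for Code Red propagation requests."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Minimum filler-run length before a request is treated as a Code Red probe.
# Assumption for this example; the documented requests used a run of 224.
FILLER_MIN = 100

# Publicly documented shape of the exploit request: GET /default.ida? then a
# run of one filler byte, then %uXXXX-encoded shellcode.  The backreference
# \1 forces the whole run to be the same byte, so ordinary query strings that
# happen to contain a few N's or X's do not match.
CODE_RED_RE = re.compile(
    r"GET\s+/default\.ida\?([NX])\1{" + str(FILLER_MIN - 1) + r",}\S*%u[0-9a-fA-F]{4}"
)

VARIANTS = {"N": "Code Red (v1/v2)", "X": "Code Red II"}


@dataclass(frozen=True)
class Detection:
    line_no: int
    src_ip: str
    variant: str
    status: str


def classify_request(line: str) -> Optional[str]:
    """Return the variant name if the line carries a Code Red probe, else None."""
    m = CODE_RED_RE.search(line)
    return VARIANTS[m.group(1)] if m else None


def scan_log(text: str) -> List[Detection]:
    """Walk an access log and collect every Code Red probe with its source IP.

    Constructed log layout assumed here: date time client-ip method uri status.
    """
    hits: List[Detection] = []
    for n, line in enumerate(text.splitlines(), 1):
        variant = classify_request(line)
        if variant is None:
            continue
        fields = line.split()
        hits.append(Detection(n, fields[2], variant, fields[-1]))
    return hits


def sources_by_hits(hits: List[Detection]) -> Dict[str, int]:
    """Count probes per source address; a scanning host shows up repeatedly."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.src_ip] = counts.get(h.src_ip, 0) + 1
    return counts


# Constructed sample log (not from the page): two probing hosts among normal
# traffic.  The %u sequence reproduces the documented Code Red request body.
_N_RUN = "N" * 224
_X_RUN = "X" * 224
_SHELLCODE = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = "\n".join([
    "2001-08-04 10:00:01 192.0.2.10 GET /index.html 200",
    f"2001-08-04 10:00:02 198.51.100.7 GET /default.ida?{_N_RUN}{_SHELLCODE} 404",
    "2001-08-04 10:00:03 192.0.2.11 GET /default.ida?foo=bar 404",
    f"2001-08-04 10:00:09 203.0.113.5 GET /default.ida?{_X_RUN}{_SHELLCODE} 200",
    f"2001-08-04 10:00:12 198.51.100.7 GET /default.ida?{_N_RUN}{_SHELLCODE} 404",
    "2001-08-04 10:00:15 192.0.2.12 GET /robots.txt 200",
])

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for d in found:
        print(f"line {d.line_no}: {d.src_ip} sent a {d.variant} probe (status {d.status})")
    print("probes per source:", sources_by_hits(found))
```

A 404 or 200 on a probe only tells you the target answered; whether the target was actually vulnerable is not visible from the probing request, so the useful signal here is the source address, which identifies an already infected host that has nothing in its own logs to show for it.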