3-Aug-01
SirCam, Code Red Ravage Windows

A one-two punch against Windows Web servers and PCs highlights chronic security problems with Microsoft software.

SirCam - Many businesses have suffered embarrassment as Microsoft Outlook repeatedly e-mailed the SirCam worm to their entire customer list. This is not what you'd call good public relations.

SirCam is also a privacy problem because it includes a real document or spreadsheet from your hard disk with every transmission. There's been some pretty interesting stuff floating around out there. For one of our clients it was a customer list, and yes, it was probably sent to some of their competitors.

In previous major virus outbreaks we have found one or two infected attachments in our e-mail boxes. With SirCam we have received over 30 in two weeks, mostly from businesses. It's an interesting way to find out who has your address in their address book. Of course, since we run OS/2, not Windows, the nature of the attachments is immediately obvious and they can't do any damage.

Code Red - On the Web, businesses using Microsoft IIS (Internet Information Server) are being embarrassed when visitors get a page announcing "Hacked by Chinese" instead of the company's home page.

[ UPDATE: 06-Aug-01 - Code Red II is hitting Microsoft IIS based Web servers. It is not related to Code Red, but exploits the same vulnerability. Unlike Code Red, it does not deface the site; instead it installs a "root exploit" that allows any semi-skilled hacker, cracker or script kiddie to log into the server over the Internet using telnet. Once logged in, the perpetrator has total control of the computer and can do anything he wants, including wiping the hard disk. ]

[ UPDATE: 09-Aug-01 - Microsoft has confirmed that Code Red has hit a number of their HotMail servers, but claims these have been fixed. On another front, word is leaking out that Microsoft's Redmond headquarters is completely riddled with Code Red. One source indicated an unpatched IIS machine would be infected within about 5 seconds of coming onto the network.

Federal Express has also admitted it missed some deliveries because its servers were infected with Code Red. On the bright side, hysterical claims that Code Red would shut down the Internet have been proved totally wrong. There just aren't that many Microsoft IIS servers out there, and they're all either already infected or fixed. ]

About 20% of Web sites use IIS, but it accounts for over 60% of successful hacks, thefts, and defacements. Most are small e-commerce sites (the same ones that have been bleeding credit card information; see Russian Mafia). About 60% of Web sites use the Apache server (an Open Source product), which is much more secure and unaffected by Code Red. These tend to be larger, more professional sites.

Analysis

Microsoft's recommendation to prevent Outlook from spreading worms and viruses is simple: "Tell the stupid users to stop opening email attachments". Obviously this isn't working, because the worm / virus problem is getting rapidly worse. It doesn't even work at Microsoft, where they've had to take their e-mail servers off line several times recently. It's so bad that this April 1st article is funny: Foot-and-Mouth believed to be first virus unable to spread through Microsoft Outlook.

Had the message in SirCam been in smoother English, this infection would have been a whole lot worse. Clumsy phrasing tipped off many users who otherwise saw only a legitimate looking title and attachment from someone they knew. SirCam is an annoyance but does no serious damage (our description & fix); how long will this luck hold, though? SirCam could just as easily have been a well crafted e-mail that carried a destructive payload.

Despite the high cost of clean-up, damage to reputation, privacy concerns, and the certainty this will happen again and again, few are taking the simple and effective step of replacing Microsoft Outlook with another e-mail reader, because few understand this is an Outlook problem and only an Outlook problem, and even fewer realize there is an easy fix.

Our favorite e-mail reader is PMMail, an extraordinarily powerful reader designed for multiple users and multiple email accounts. Sure, it costs $39.96, but we'd not be willing to do without it. Some viruses will still be able to infect your Windows computer, but at least they won't be telling the whole world what a dumb klutz you are.

Of course Microsoft is trying to plug this escape. MSN (Microsoft Network) and other components of their .NET initiative now require Outlook (as of July 2001) - no other email reader will work. If you are a business, medical institution, criminal, government agency, or anyone else with a need for security and privacy, avoid Microsoft services. It is bad now, but it's going to get much worse with .NET.

And the IIS Web sites? Insurance companies were already raising rates for hacker insurance on IIS sites months ago. It's not that IIS sites can't be secure. It's just a big hassle because so many major security holes keep getting found. IIS tends to be used by less experienced businesses trying to set up e-commerce sites using Microsoft's "easy to use, point and click" software rather than hiring experienced (color them expensive) Internet technicians. It is a false economy.

All in all, Microsoft issued over 100 security patches in 2000, mostly for Outlook, Internet Explorer and Internet Information Server, and was up to about 49 by July 2001. To set up a new IIS server may require installing over 50 patches, then updating it with a new patch every couple of weeks.

The reasons for lack of security in Microsoft products are well known and will continue to plague their products for some time to come. The moral of this story? Use Microsoft software all you want, just don't let it anywhere near the Internet.

- Andrew Grygus

©:Andrew Grygus - Automation Access - www.aaxnet.com - aax@aaxnet.com
Velocity Networks: Network Consulting Service - Internet Service Provider - Web Page Design and Hosting
All trademarks and trade names are recognized as property of their owners