Code Red Tribulation is nigh, Steve Gibson warns

The first Angel blew his trumpet,
And there followed hail and fire mixed with blood,
Which fell upon the Earth....
   --Revelation 8:7

Techno-hypemeister and headline glutton Steve Gibson has joined the Electronic Pearl Harbor dog and pony show alongside numerous clueless mainstream press columnists, bellowing and trumpeting about lakes of fire to be ignited by the Code Red IIS worm which is due to return from dormancy this week.

The worm went silent on the 28th, though a few machines with incorrectly set clocks will undoubtedly continue to scan, perpetuating the infection somewhat.

However, according to Gibson's hysterical reasoning, this represents nothing short of a catastrophe. Referring to a report by CAIDA (the Cooperative Association for Internet Data Analysis), he borrows a few charts and graphs and technical-sounding phrases and runs us through the grease:

"Be sure to notice that the vertical axis of Figure 3 is LOGARITHMIC, so that nice straight and linear 'growth line' is actually exponential!" he warns us frantically.

He's saying that a handful of machines will manage to re-infect the entire Internet in short order.

So to break it down: during this current period of dormancy, remnants of the first worm, along with a second strain possessed of a more random IP generator, have been scanning for and infecting vulnerable machines, and will continue doing so until all the infected machines begin packeting the former IP of whitehouse.gov on 20 August.

This they will do mercilessly through the 27th; and during this electronic Tribulation the worm will devour enough bandwidth to bring all of Christendom to its knees.

Now get this: the real burn here, Gibson reckons, comes from the presumption of a single IIS machine, or a small handful of them, with incorrectly set clocks, which will re-ignite the whole thing after 31 August, keeping us at the mercy of badly-set clocks for all eternity.

"Note that at the start of NEXT MONTH it will only take ONE SINGLE MACHINE -- with an out-of-sync date whose infection threads have remained active in a mistaken belief that the date is < 20 -- to re-initiate an exponential growth starting at midnight of August 31st," Gibson writes. [hyperventilation original]

The rational observation that this dependence on out-of-date clocks will greatly reduce the seed population has somehow passed through that scientifically-tuned and reputedly immense brain of his without effect. The rational observation that the media have been banging out Code Red headlines for all they're worth, and will continue (and so inspire a considerable patching of systems) has, similarly, failed to make an impression on the Digital Messiah's rarified gray matter.

No, he's been far too busy to use his head: "This weekend I have been in dialog with eEye's Marc Maiffret, law enforcement agencies of the US government, NAI, cert.org, and others," Gibson informs us, bolstering that phony authority on which he trades so slickly.

"After finally making time to examine the Code Red worm code, I have been trying to assemble a picture of the next 23 days," he claims.

One wonders if he's even seen the Code Red worm code, much less 'examined' it. We wonder because he keeps telling us what others imagine it will and won't do next month.

Damned sockets

Naturally Gibson can't resist trying to persuade us that Code Red beefs up his absurd paranoia regarding Win-XP raw sockets. "Imagine if this powerful autonomous replication capability -- enhanced with Windows XP full raw sockets -- had gone out to the Windows XP audience -- as it almost did," he frets.

"Oh well, everyone knows I tried hard to prevent it," the Prophet finally sighs.

In fact, raw sockets have no relevance to this particular worm. I actually have examined it, and while I'm impressed by its compactness and power, and the speed with which it was hacked out, it's clear that the author wanted to know which machines it had infected. Packet spoofing would have frustrated that ambition perfectly. (Oh, and because the .IDA hole which the worm exploits yields system-level access, knowing which among thousands of boxes are infected is a whole lot nastier than any spoofed-packet flood could hope to be.)

I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself, has debunked Gibson at length before an ungrateful army of GRC patsies, agrees.

"[Gibson] contends Code Red would've been more effective if it used raw sockets. I contend it would've been less effective. The router/spoofing RFCs would've negated some of the zombies by refusing to let them push," Rosenberger says.

"Gibson is so overly paranoid about raw sockets that he can no longer see the obvious," he added.

It's interesting to note that Rosenberger's latest column exposes Gibson's utter fraudulence in the area of virus research -- in particular his prediction nine years ago that the "Dark Avenger Mutation Engine" was going to make all anti-virus software permanently ineffective.

It was, Stevarino assured us, going to spawn the Mother of all polymorphic viruses, because it involved "a sophisticated reversible encryption algorithm generator."

And that's why we all depend on Steve Gibson's genius. He, unique among mortal creatures, can understand such techno-superstitious gobbledygook. ®

Related Stories

Internet survives Code Red
IIS worm made to packet Whitehouse.gov
Steve Gibson really is off his rocker
Security geek developing WinXP raw socket exploit
MS security chief talks raw sockets with the Reg

Related Links

The relevant MS security bulletin
The Win-NT 4.0 patch
The Win-2K Pro and Advanced Server patch