HAWAIIRR.COM | FIXRR.COM | RRHAWAII.COM
808hi.com  808news.com

MAIN PAGE - Hawaii Road Runner Refund?

CODE RED II!
Last updated 12-Aug-01 @ 9:25am HST

If you want less than adequate information on Code Red & Hawaii Road Runner: See the official Hawaii Road Runner Network Status Page. (On Aug 7, Oceanic mailed an alert to all customers. THIS MESSAGE IS NOT SUFFICIENT! SEE VERY BOTTOM OF THIS PAGE.)

Update: Aug 12: While the Code Red II worm still lives and a number of machines (including more than 6 connected to Hawaii Road Runner) are still infected, the number has been reduced enough that most of the time there is no longer a noticeable slowing of regular traffic on Hawaii Road Runner. But, the computers that still have the virus/back-door have been totally compromised, and anyone in the world with Internet access can gain almost unrestricted access to these computers! Some of these computers have had other trojans/viruses/backdoors installed on them.

Code Red II is slowing down the Internet. Especially hard hit is the Big Island, because all traffic must pass on an interisland link that is especially susceptible to Code Red traffic (because it's so small to begin with - see graphic below). As I write this, I have a 1052ms latency to reach the local Road Runner server. (Aug 6, 19:18HST) I'm getting throughput of 31kbps and less. Update: Aug 7 - 6:30pm - RR speed to the Big Island was good up until about 3:30pm today; after 3:30pm there have been several periods of high latency and throughputs at or below dial-up modem speeds. My firewall log indicates HI RR IPs identified over 48 hours ago are still infected, probing and attempting to spread the worm. This is in part due to RR's incomplete alert to users - the action RR has told them to take will not eliminate the virus! This is ridiculous! [As of 7:40pm Wednesday, Aug 8, my firewall log is still getting probed by Hawaii Road Runner customers infected with Code Red, and include IPs which I identified and e-mailed to Hawaii Road Runner support on Aug 5!]

Late on the evening of August 6 (after 10pm), for my area of the Big Island (that's all I can see as a customer), the severe latency disappeared. It may be the result of RR's "proactive actions" - and/or a combination of other factors. Below is trace to local news server. Note the 3 timeline graphs at bottom - The first - 10.8.184.1 is the local node which shows no unusual problems except for a few spikes. The 2nd graph is the Interisland hop from Kona to Oahu. Note the scale: top of the line is 5.888 seconds (5688ms). Since the slowdown occurs on Interisland link, traffic to anything beyond (in this case the news server - the 3rd graph) will track the Interisland latency:

Click here for more info on Ping Plotter

Lava.net first alerted us in Hawaii to Code Red - it affected their network on July 19, and they took steps to address problems. (And, unlike Hawaii Road Runner, Lava.net has a security alert explaining the danger of Code Red variants and what they are doing about it.)

I believe that Code Red may have started affecting the Big Island even earlier than July 19.

On August 5 I did some reading and discovered that a new Code Red variant was propagating: unlike the original Code Red, this one leaves a "back door" into the affected computer. It then starts looking for other computers to infect. Cable modem light flashing: originally thought to be yet another variant of Code Red II, it is now believed that this is a side-effect of the design of local broadband cable systems and the Code Red II probing: requests for non-assigned IPs may be causing this activity and resulting in Denial of Service to some customers (due to volume of these bad requests).

When the worm looks for other computers, any user with a firewall and logging will be able to see the IP of the infected machine: in effect an invitation saying, "Here I am, want to look at my files? Delete them? Make my machine unbootable?" It is relatively simple to gain control of the machine, and the URL information to do so is readily available on the Internet.

Only computers running Windows NT or Windows 2000 with Microsoft IIS enabled can be infected.
The newest spreading variant can and is making Windows98 machines temporarily unusable. (The attack on Windows98 machines is not believed to cause any permanent damage, and the attack can be stopped by powering off the cable modem or disconnecting the cable modem from your computer's network card.)

There are a number of computers connected to Hawaii Road Runner that are infected and have probed my machine. I have confirmed the infection on over 12, and have reported this information to Hawaii Road Runner.

Over 24 hours since my first e-mail to Road Runner support - having sent 6 messages, I finally received a reply indicating they do want reports of infected machines, and that they are unable to respond to all messages. The reply indicated they do want users to report local Hawaii IPs probing with Code Red.

The last messages I sent to Road Runner support:

Hello,

I have sent you 4 separate messages with Hawaii Road Runner customers who are infected and spreading CodeRed.

The new variant is particularly dangerous in that it puts in place a back door on the infected computer that allows anyone on the Internet to gain control of the machine, bypassing all security.

If I were one of your customers that was infected and DIDN'T KNOW it, and I learned that you were MADE AWARE I WAS INFECTED and took no action to disable my Internet connection, especially when it's also in your interest to disable it - disabling my unintended scanning activity - I wouldn't know what to think.

At least if you 'pull the plug' on their connection, they'll have to call you if they notice they're not connected to the Internet.....

Aloha,
Richard Gamberg

 

I sent my first Code Red e-mail to Road Runner support at 5:26pm on Aug. 5. By 7:40am Aug. 6, I had sent them four messages. It was not until around 11AM Aug. 6 that the Road Runner Network Status Page had any Code Red advisories, and this is the first time the page attributes slow browsing, high latency, etc., to Code Red (which has been around for over 3 weeks). I have been complaining for over 3 weeks of 'slow browsing', and latency problems here on the Big Island, and have sent e-mail and trace information to Road Runner support on July 12, July 14, July 15, July 18, July 23, July 30, and August 4.

And this is what they send back to me almost every time:

Thank you for your e-mail concerning the issue that you have encountered. This issue is currently under investigation. Once the investigation is completed, we will take appropriate action. May we ask that you send us any additional information (ping times, trace routes, etc.) to aid us in our investigation.

And, most of the time, that's all I'll ever hear from them on the issue I have encountered. Ever.

Code RED would not be as bad as it is if we all acted sooner.
Boy, I wish Lava.net DSL were available in my area................

ALSO SEE:

Flashing Cable Lights - ARP effect - Steve Gibson's explanation
Steve Gibson's Code Red Advisory
-
He thinks it will be around for a long time....
Microsoft Security Bulletin - Posted June 18, 2001 (The 'patch' that prevents infection)
Microsoft Code Red II Removal Tool - New: Eliminates "obvious effects" of Code Red II Worm
Digital Island - Code Red Status
- Includes patch instructions.
NSClean - Code Red Removal Freeware -
Checks for and disables Code Red on WinNT,2K & XP machines

Note: There are some reports that machines infected with new Code Red II variants may need to have hard drives re-formatted (and re-install of OS) to completely remove the worm. After re-installing Windows, it is necessary to apply the Microsoft patch.

WARNING!!! - From NSClean.com -

  If your machine has been determined to be infected with the Code Red II worm, be advised that intruders have had access to the entire contents of your machine throughout, including system files, web sites hosted on it and any other confidential information located anywhere on the machine.

  If you are a computer professional, and possess antitrojan and antivirus tools that you trust to be thorough and effective, and possess the expertise to audit your system to locate and remove any and all tampered with contents, then CR2KILL should suffice, along with tools such as our BOClean or similar software, then the system can be returned to service following a comprehensive examination of the system. If you are not in a position to be absolutely certain that no additional compromises have taken place, the infected computer and its contents MUST be destroyed and reformatted.

NEWSGROUP:

In my opinion, it's become obvious that a responsible ISP must take proactive action to identify and shut-off customers who are infected. Some are doing a better job than others as this post from Rob in Australia to news://news.grc.com/grc.news.feedback indicates:

I just phoned up my ISP, the infamous Big Pong - Telstra Bigpond in Australia. My modem has been going crazy since Saturday and I thought I had better log a call about slow service and ARP flooding.

I was kept waiting a whole two minutes, and the guy who picked up the phone told me that my problem was the Code Red worm "stage 3." I was impressed. I expected to have trouble even getting the call logged call.

He went on to explain that Bigpond had been tracing infected machines on their network and disconnecting them until they had been patched. I mentioned that I had a long Zone Alarm log showing Port 80 scans and he asked me to read out the IP addresses from the most recent ones. He asked me to mail more scan results to him as I get them.

As I type this I notice that I have not seen one scan in over 15 minutes.
The ARP flooding is continuing for the moment.

I am really impressed!

As of 7AM August 7, I am still receiving probes from infected Hawaii Road Runner machines.

ROADRUNNER ALERT - Inaccurate and insufficient
It's like telling you "get a flu shot" -
but not telling you the shot won't work if you already have the flu!

As of 10:30AM HST Aug. 7- Hawaii Road Runner has sent e-mail to all customers. This notice is misleading and inadequate:
It implies that all a IIS user needs to do is get and install the patch from Microsoft. While this may prevent re-infection, it does not remove the existing Code Red worm. With advice like this, we're going to be in trouble for a while longer..... It doesn't appear that the people responsible for providing us service understand the problem.

ROAD RUNNER ALERT

VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

Dear Road Runner Subscriber:

Road Runner, like many other ISPs and indeed the entire Internet, has today experienced an attack on its network which is apparently attributable to the Code Red virus. It is possible that this virus has infected the PC's of Road Runner's subscribers using the Microsoft Windows NT or Microsoft Windows 2000 operating systems. Infected PC's may continue to flood the Internet and Road Runner's network with virus generated messages (even without your being aware of it).

Road Runner is working to alert all of its subscribers to this problem and to instruct them on where to find and install the patch necessary to eliminate the virus. In the meantime, Road Runner subscribers may experience slow network response, flashing connectivity lights on the cable modem, and other symptoms (such as unusual port scan log activity or increased firewall activity) while Road Runner and the Internet community work to control the impact of this virus.

IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE (www.microsoft.com/security) AND RESTART YOUR PC.

IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

We ask for your patience while Road Runner continues to work with the

Internet community to address this virus.

Thank you.

 

 Site 2001, Richard Gamberg 808hi.com    Feedback & Contact Info