A Modest Proposal

Concerning the legal ramifications of a default IIS install,
and a (possibly) legal solution

Background

     With the explosive growth of the internet's popularity, the last few years have seen a number of high-profile court cases involving people who engage in naughty behavior on the internet. Although this phenomenon is still young, such trials have caused the accumulation of a small body of case law which will serve as a guide to the judges who try internet offenders in the future. So far, the emerging trend is that the hacker is always at fault; that when a system is penetrated, it is only the initiator of the attack who can be held accountable; and that, in the case of distributed attacks like virii and worms, the author of the malicious code is solely responsible for all damage (including bandwidth charges, etc.) incurred by the offending code.

     The Code Red virus, now in its second major revision and still going strong, may cause us to re-evaluate this legal model. The author of Code Red, while still unknown, is almost certainly not a US citizen, and hence not subject to American criminal law. However, the damage caused by Code Red is real - the hundreds of thousands of servers infected by this virus are busily scanning their subnets, looking for new hosts to infect, with the aggregate effect of a nebulous, sourceless Denial of Service attack against internet users in general. It seems likely that the author of this virus will never be identified or brought to justice in a criminal proceeding, but other parties involved in its dissemination may be identified; it is the purpose of this article to discuss these other parties, and the legal responsibility they may bear in the Code Red fiasco specifically, and in internet-related crime generally.

The dangers of owning an angry pitbull

     Let us begin with an analogy to real-world law: the case of vicious dogs. US law has held that it is an owner's responsibility to keep their dog from attacking others. When a vicious dog attacks someone, it is up to the courts to determine whether the dog's owner was negligent in this responsibility; if so, the owner is criminally liable. The owner doesn't need to train the dog to attack to get jail time - all they need to do is neglect the poor thing and then leave the gate open.

     The underlying assumption here is that when an individual interacts with society, they have a responsibility to ensure that society isn't endangered by the interaction. Creating an inherently harmful (or potentially harmful) situation is considered a harmful act, and the responsibility for causing the harm resides, at least partially, with the party that introduced the situation.

The case against the Admins

     By now, you'll have guessed where I'm going with this. Owning and operating a default installation of the IIS web server is directly analogous to owning a vicious dog. Allowing anyone on the internet to connect to your IIS server is analogous to leaving the dog's gate open. Neglecting to apply security patches is analogous to starving and neglecting the dog until he's a danger to you and everyone else on the block. Taken together, running and ignoring a default installation of IIS is a hostile act towards the internet at large, just as hostile as letting a pitbull run loose in an unsuspecting neighborhood.

     Granted, even the best Systems Administrator gets caught unawares by a new virus now and then; that's what backups are for. Code Red, however, has been so heavily covered in the media that little old ladies are calling their ISP support lines asking about it - it's hard to imagine anyone who takes even an occasional glance at the computer news being totally ignorant. Most of the infected hosts are Windows 2000 boxes on broadband connections, sometimes with a rudimentary, long-forgotten webpage, and sometimes with nothing but the "Under Construction" image. Most likely, the Code Red install base is almost entirely made up of servers that have been forgotten by their owners, if they ever realized that they were running a server at all. Once, perhaps, running an un-administered webserver was a harmless, if stupid, act; the existence of virii like Code Red demonstrates that that's no longer the case.

The case against the Author

     "But what about whoever wrote the damn thing?" I hear you ask. OK, sure, he or she deserves some of the blame, but let's be realistic here. First of all, virus authors have about the same odds of seeing jail time as shady Wall Street executives (unless the virus author launches from an AOL account...). Second of all, legal threats aren't historically much of a deterrent to vandalism (the category that virus writing should probably fall into). But that being said, if the malicious Chinese programmer who produced this nuisance were to stroll into an FBI office with a copy of the Code Red source in one hand and a signed confession in the other, I wouldn't picket for a light sentence.

     But the enablers of the virus should be judged differently. The fact is that, as long as exploiting them doesn't require advanced skill, the existence of so many juicy, vulnerable potential hosts is what causes virii to be written for them. From the perspective of an Admin, or from the perspective of a software manufacturer, black hats are a fact of life and a cost of doing business, and not taking precautions against them is purely negligent. As long as there are restless kids with spare time, there will be malicious code, and to produce or run software without adequate protection against remote attacks is to ignore the danger that malicious code represents. As has been demonstrated, in the days before distributed denial of service attacks, this kind of negligence only hurt the owner of the software; in this day and age, software owners and administrators must be made aware that their action (or inaction) has repercussions beyond the boundaries of their own networks.

Isn't this just Code Red hysteria-mongering?

     Possibly, but it doesn't seem so to me. The first variety of Code Red (the one that uses capital N's to overflow the buffer) was relatively benign - the only thing really dangerous about it was that it exploited a relatively recently discovered vulnerability, meaning that there were many infectable hosts to choose from. By now, most sources estimate the number of infected servers at around a quarter-million, though that number must be decreasing slowly as people get around to applying the patch. The second revision is more efficient at propagating itself, and installs a rather outdated backdoor on each box it touches, but as virii go, it's still remarkably harmless.

     Code Red wasn't a trivial virus to write, but it wasn't tremendously complicated, either. Code to exploit the unchecked buffer vulnerability is available and well-documented on the web, so anyone with a modicum of programming skill and an axe to grind is free to write their own variant. Of course, control of these webservers may not be a very enticing prize to blackhats. It may seem that the damage one could cause with this vulnerability would be limited, since the quarter-million or so hosts now infected are, by virtue of the fact that their administrators are so disinterested, probably the least-important webservers on the net. After all, defacing a page that never had any content in the first place only barely qualifies as damage.

     However, consider the hypothetical case of a virus author who isn't as friendly as the producers of Code Red. Consider a variant that does something more troublesome to the internet at large, like one that sends out large numbers of packets as a bandwidth-killer, rather than as a means of propagation. If someone were to write such a virus, they already know it would work - the exploitability of the unchecked indexing buffer has been well established by Code Red. Furthermore, this hypothetical hacker has (if he runs a webserver) a list of hundreds of IP addresses which are known to be susceptible to that exploit, so launching the virus would be a piece of cake. Beyond that, since Code Red spread via HTTP, each infected server contains the IP address of the box that infected it, as well as any others that have tried. If this hypothetical virus is bright enough to recursively use the IIS logs of each infected host, it could probably spread to practically every vulnerable server on Earth inside of an hour.
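As an added example that is not part of the original article: the same IIS logs the author says record the address of every box that tried to infect you can be read defensively, to find the infected hosts probing your server so their owners can be notified and the sources blocked at the firewall. The W3C extended log layout, the /default.ida request path and the sample lines are constructed assumptions; the detector keys only on the long run of a single repeated capital letter (the N's) that the article describes.

```python
import re
from collections import Counter

# Constructed sample IIS log (W3C extended format assumed, not taken from the
# article). Real Code Red requests carried a very long filler run; 224 chars here.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-08-04 10:01:12 192.0.2.10 GET /default.ida {'N' * 224} 200",
    "2001-08-04 10:01:15 198.51.100.7 GET /index.htm - 200",
    f"2001-08-04 10:02:40 192.0.2.10 GET /default.ida {'N' * 224} 200",
    "2001-08-04 10:02:55 198.51.100.7 GET /search.asp NNNNNNNN 200",
    f"2001-08-04 10:03:01 203.0.113.5 GET /default.ida {'X' * 224} 200",
    "truncated line",  # malformed; the parser must skip it, not crash
])

# Heuristic (assumption): 64 or more copies of the same capital letter in the
# query string is filler aimed at the indexing buffer, not a legitimate request.
MIN_RUN = 64
FILLER = re.compile(r"([A-Z])\1{%d,}" % (MIN_RUN - 1))


def parse_iis_log(text):
    """Yield one dict per entry, keyed by the names in the '#Fields:' directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated entry: skip rather than misparse
        yield dict(zip(fields, parts))


def is_code_red_probe(entry):
    """True when a GET carries the long repeated-letter filler run."""
    return (entry.get("cs-method") == "GET"
            and FILLER.search(entry.get("cs-uri-query", "")) is not None)


def probing_hosts(text):
    """Count probe attempts per source IP; these are the infected hosts to report."""
    return Counter(e["c-ip"] for e in parse_iis_log(text) if is_code_red_probe(e))


if __name__ == "__main__":
    for ip, n in probing_hosts(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} probe(s)")
```

Run against a real log directory the counts give a ready-made notification list; the short NNNNNNNN query and the truncated line show the threshold and the malformed-entry handling.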

     Therein lies the real danger of Code Red - a quarter million machines with broadband connections under the control of a single malicious hacker could cause unimaginable problems. In a worst-case scenario, millions of us could be subject to repeated intrusion attempts or denial of service, and we only have three groups to blame: the virus authors, the lackadaisical Admins, and Microsoft.

The case against Microsoft

     Microsoft's role in this whole shebang is pretty straightforward, but we should touch on it briefly for the sake of completeness. Microsoft has contributed to the dangers of this virus in several ways: by producing software with security holes, and by marketing Windows 2000 to home users who have no business administering a webserver that requires as much maintenance as IIS. To say that Microsoft is lax about security isn't quite accurate; it would be more accurate to say that Microsoft doesn't even consider security as a criterion in the decision-making process.

     When it came time to decide whether IIS should be installed by default, Microsoft had to weigh an enormous security risk against a minuscule inconvenience for novice users, and they chose the novice's convenience. And why shouldn't they? They've made billions so far from a software line with a history of security flaws and questionable features so long it's practically inimical to the average user. This may or may not have been a sound business decision on Microsoft's part, but I think it may be safely said that the only time Microsoft does something not in their own best interest is when a Federal judge tells them to... sometimes. If Code Red has taught us anything, it has taught us that waiting for Microsoft to release a patch, and then waiting for its install base to apply the patch, is not a workable solution.

Conclusions and Suggestions

     Right now, messageboards and forums are filling up with broadband users complaining that their downloads have slowed to a crawl. Rumor has it that several mega-ISPs have blocked port 80 throughout their users' networks, and right about the time they get things up to speed again, they'll be wondering who to blame/sue. The virus author would make a lovely target, but suing him or her wouldn't appear to be an option. Arresting owners of the infected boxes en masse, though poetic, seems similarly impractical. A court case against Microsoft for negligence would be great fun for enemies of the behemoth, but would probably accomplish about as much as... well, the last one. Are we really so powerless? Perhaps it's time for us ("us" referring to internet users generally) to take the law into our own hands.

     We have procedures in place for adding new protocols and new standards to the internet - why not new virii? The problem isn't so much that virus authors are so skillful or abundant, the problem is that the whitehats have to restrict themselves to passive, reactive defenses. Well, it's about time to even the playing field. What we need is a meta-virus that uses IIS vulnerabilities to execute IIS patches.

     I have every confidence that eEye (who originally discovered the unchecked indexing buffer), or other whitehats, could've created an "antidote" - a virus that uses the indexing buffer overflow to patch the indexing buffer overflow - within a few days. Judging from what we've seen over the last few weeks, I suppose it would be advantageous to avoid releasing the antidote until a good many boxes are infected, on the grounds that it's a one-shot cure. After all, you can't patch a box and then later use it to launch patches at other machines. Earlier in this article, I estimated that a new Code Red-style virus that utilizes the servers' logfiles could spread to practically every vulnerable machine in less than an hour; well, right now, the same would be true of the antidote.

     Is this a peachy-keen, smoking hot idea? Probably not. First there'd be 30 different RFCs on how the virus ought to be written, then legal threats from the FBI and Microsoft about the dire fate awaiting anyone bold enough to tamper with the problem, and finally someone would just write an amateurish version of the antidote and release it on their own. The aftermath would include "I got infected by Code Red" t-shirts and a sorrowful column by Jon Katz bemoaning the loss of privacy the poor victims of the antidote virus have suffered. Well, it's not perfect, but at least it's something. After all, to paraphrase Ben Franklin, they that will give up essential security to obtain a little temporary convenience deserve (and currently have) neither.
