{"id":10909,"date":"2022-08-05T13:11:54","date_gmt":"2022-08-05T10:11:54","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10909"},"modified":"2022-08-05T13:11:54","modified_gmt":"2022-08-05T10:11:54","slug":"history-lessons-code-red","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/history-lessons-code-red\/10909\/","title":{"rendered":"The evolution of security: the story of Code Red"},"content":{"rendered":"<p>Code Red was a worm that targeted Windows-based systems running Microsoft IIS (Internet Information Services for Windows Server). Its story at least began well: the spread of the malware was detected at the very start of the outbreak. Code Red was <a href=\"https:\/\/web.archive.org\/web\/20040202155547\/http:\/www.eeye.com\/html\/Research\/Advisories\/AD20010618.html\" target=\"_blank\" rel=\"noopener nofollow\">discovered<\/a> (on July 13, 2001) by researchers at eEye Security, who happened at the time to be developing a system for Microsoft IIS vulnerabilities. Suddenly their test servers stopped responding. A sleepless night followed, spent searching the system logs for traces of the outbreak. They named the malware after the first object that caught their tired eyes: a can of Mountain Dew Code Red.<\/p>\n<p>However, early detection was not enough to stop the outbreak. The malware used already-infected systems to carry out further attacks and spread worldwide within days. 
The Center for Applied Internet Data Analysis (CAIDA) later published statistics for July 19, which clearly showed how fast Code Red was spreading. According to various sources, more than 300,000 servers were attacked in total.<\/p>\n<div id=\"attachment_10912\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10912\" class=\"wp-image-10912 size-large\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2022\/08\/05115726\/history-lessons-code-red-map-1024x437.png\" alt=\"\" width=\"1024\" height=\"437\"><p id=\"caption-attachment-10912\" class=\"wp-caption-text\">The spread of the Code Red worm as of July 19, 2001. <a href=\"https:\/\/www.caida.org\/archive\/code-red\/\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a>.<\/p><\/div>\n<p>\u00a0<\/p>\n<h2>How Code Red worked<\/h2>\n<p>The internet worm exploited a trivial vulnerability in one of the web server modules, an extension used for data indexing. There was a buffer overflow bug in the idq.dll library. The vulnerability was assigned the number <a href=\"https:\/\/web.archive.org\/web\/20060831221910\/http:\/www.microsoft.com\/technet\/security\/bulletin\/MS01-033.mspx\" target=\"_blank\" rel=\"noopener nofollow\">MS01-33<\/a>. 
The bug was easy to exploit: it was enough to send the server an overly long request like this one:<\/p>\n<p>GET \/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a\u00a0 HTTP\/1.0<\/p>\n<p>As a result, the data following the long run of N characters was interpreted as instructions and executed. The entire malicious payload was contained directly in the request. So, wherever a vulnerable installation of Microsoft IIS was present, the system was certain to be infected instantly. The most visible consequence of infection was the defacement of the sites served by the web server. Instead of their normal content, the following screen was displayed:<\/p>\n<div id=\"attachment_10914\" style=\"width: 540px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-10914\" class=\"wp-image-10914 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2022\/08\/05115842\/history-lessons-code-red-deface.jpg\" alt=\"\" width=\"530\" height=\"370\"><p id=\"caption-attachment-10914\" class=\"wp-caption-text\">The appearance of a web server infected with Code Red. 
<a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2001_a-new-generation-of--fileless-network-worm-has-unleashed-global-chaos\" target=\"_blank\" rel=\"noopener nofollow\">Source<\/a>.<\/p><\/div>\n<p>\u00a0<\/p>\n<p>According to <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2001_a-new-generation-of--fileless-network-worm-has-unleashed-global-chaos\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky<\/a>, the defacement was not permanent. The worm restored the website\u2019s normal content 10 hours after a successful attack. Its other actions depended on the date on which the attack took place. From the 1st to the 19th of each month, the worm propagated itself by sending malicious requests to random IP addresses. From the 20th to the 27th, DDoS attacks were carried out against several fixed IP addresses; the targets included the website of the US Presidential Administration. From the 28th to the end of the month, Code Red took a break.<\/p>\n<h2>The view from 2022<\/h2>\n<p>Similar attacks still happen today, but they are mostly associated with zero-day vulnerabilities that are detected while an active attack is being investigated. A typical example is <a href=\"https:\/\/en.wikipedia.org\/wiki\/2021_Microsoft_Exchange_Server_data_breach\" target=\"_blank\" rel=\"noopener nofollow\">a series of vulnerabilities<\/a> in the Microsoft Exchange mail server that were being actively exploited at the time they were detected. 
More than 30,000 organizations worldwide were affected, and mail service administrators at many companies, realizing they had been late to install the patch, had to run a security audit in case they had already been infected.<\/p>\n<p>This example shows not only that attacks have become far more sophisticated, but also that defense methods have advanced. Code Red exploited not a zero-day vulnerability but one that had been detected and closed a month before the outbreak. But back then, the slow pace of installing updates, the lack of automated installation tools, and low awareness among enterprise users played a major role. Another important difference between Code Red and today\u2019s attacks is that Code Red did not monetize the attack. Today, when a vulnerable company server is hacked, it is inevitably followed by either data theft or encryption and a ransom demand. In addition, today\u2019s cybercriminals mostly do not deface the sites they hack; on the contrary, they take every possible step to hide their footprints in the company\u2019s IT infrastructure.<\/p>\n<h2>A bitter lesson<\/h2>\n<p>Code Red left the stage quickly. 
In August 2001, <a href=\"https:\/\/web.archive.org\/web\/20191213105201\/http:\/www.unixwiz.net\/techtips\/CodeRedII.html\" target=\"_blank\" rel=\"noopener nofollow\">Code Red II<\/a> appeared, a slightly modified version of the original that could infect systems already \u201cvisited\u201d by the first variant of the worm. Many other attacks with broadly similar scenarios also took place in the early 2000s. In September 2001 we faced the outbreak of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Nimda\" target=\"_blank\" rel=\"noopener nofollow\">Nimda<\/a> worm, which likewise exploited long-patched vulnerabilities in Microsoft IIS. And in 2003 the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Blaster_(computer_worm)\" target=\"_blank\" rel=\"noopener nofollow\">Blaster<\/a> worm spread everywhere. Eventually it became clear that patches for critical vulnerabilities in enterprise software need to be installed as quickly as possible. When an update was released, cybercriminals studied it carefully and immediately began exploiting the vulnerability, hoping that some users had still not patched it. But even now, this problem cannot be said to be fully solved. 
There are more recent examples, such as the WannaCry attack of 2017.<\/p>\n<p>On the other hand, we can say that Code Red and the many other malicious programs responsible for infecting hundreds of thousands of systems worldwide helped shape the approaches to corporate security that guide us today. Unlike 21 years ago, we now rely on IT systems for everything from communication to payments, to say nothing of critical infrastructure. We have learned how to defend ourselves against cyberattacks, but we still have not developed a single magic solution that eliminates all corporate problems in the cyber world. As cybersecurity inevitably evolves, we must understand that perfect security is not a fixed state but an ongoing struggle.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kesb-b2b\">\n","protected":false},"excerpt":{"rendered":"<p>The story of the first serious attack on corporate IT infrastructure.<\/p>\n",
"protected":false},"author":665,"featured_media":10910,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194,1727],"tags":[2575,1790,1256,2002,2574,552],"class_list":{"0":"post-10909","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"category-smb","10":"tag-chronicle","11":"tag-hikaye","12":"tag-salgin","13":"tag-solucanlar","14":"tag-tahrif","15":"tag-tarih"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/history-lessons-code-red\/10909\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/history-lessons-code-red\/25146\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/history-lessons-code-red\/27478\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/history-lessons-code-red\/33795\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/history-lessons-code-red\/45082\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/history-lessons-code-red\/19258\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/history-lessons-code-red\/19826\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/history-lessons-code-red\/29122\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/history-lessons-code-red\/25320\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/hikaye\/","name":"hikaye"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10909","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/665"}],"re
plies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=10909"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10909\/revisions"}],"predecessor-version":[{"id":10915,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/10909\/revisions\/10915"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/10910"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=10909"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=10909"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=10909"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}