On August 4th, a new worm was discovered attacking servers around the world. Dubbed "Code Red II", this new worm is not a variation of the original worm, but is in fact a completely separate worm. Code Red II attacks servers running Microsoft IIS using the same vulnerability as the original, but once the new worm has compromised the machine it performs a different and much more sinister set of attacks.
The original Code Red worm gained steam for most of the day Wednesday August 1st and may result in clogged Web traffic. Infections jumped to about 115,000 at 3:30 p.m. ET from about 1,000 systems at 5 a.m. ET, and government officials say it is on pace to infect 250,000 systems before the day ends. Still, the malicious program's spread appears to be slowing down, and Web traffic remains undisturbed by the worm, according to Internet traffic measurement companies.
On July 31st, security experts were saying the speed and stability of the Internet were at risk because of Code Red, a malicious worm that takes advantage of a hole in Microsoft's Internet Information Server (IIS) Web server software. The worm, which was first analyzed by eEye on July 17th 2001, infected more than 300,000 servers and attacked the White House Web site last month before going into hibernation.
The worm was set to become active again at 5 p.m. PDT Tuesday July 31st, launching a new round of infections that could generate enough traffic to slow parts of the Internet.
Unlike other major systems attacks which spread via e-mail, Code Red infects servers than run Web sites. Ordinary computer users -- who can prevent the spread of a virus by avoiding suspicious-looking emails -- can still catch the worm if they run Microsoft's Windows NT or Windows 2000 operating systems on their home or work computer.
The Code Red worm, named for the new flavor of Mountain Dew soda preferred by the eEye Digital Security team, sends probes across the Internet, looking for computers to break into. When it finds a computer with a security weakness (a computer that has not been patched for the .ida vulnerability), it sneaks in, sets up a home base, and starts the search process over again. The worm does little damage to the computers it infects. The danger of Code Red lies in the pressure it puts on Internet infrastructure.
Code Red is programmed to actively propagate between the 1st and 19th day of each month. On the 20th day of each month, all of the infected computers launch an attack on the server hosting the White House Web site to try to crash it with a flood of data and traffic. The White House has since moved its Web site, so it will not be affected, but the attack will continue and may affect the overall performance of the Internet.
eEye Digital Security was first to disassemble the Code Red worm, dissect its functionality and understand its ultimate goal. Read the initial technical analysis of the worm here: http://www.eeye.com/html/Research/Advisories/AL20010717.html
eEye has created a free tool that you can run against your IIS servers to see if they are vulnerable the Code Red worm. Read more about this tool and download it here: http://www.eeye.com/html/Research/Tools/codered.html
How To Secure Your System From The Code Red Worm
Three steps to removing the worm from your servers:
1. Download the Microsoft patch for the .ida vulnerability:
2. Reboot your system
3. Run a network scanner to ensure that your system is secure and to identify other patches that need installing. eEye provides a high-end network scanner: http://www.amtsoft.com/retina
How do I protect myself from future attacks like this one?
A more proactive way to protect your Web server is to install a new class of products called Application Firewalls. Application Firewalls are products specifically designed to protect a certain susceptible network application.
SecureIIS, Application Firewall for Microsoft's IIS Web server.
All trademarks are property of their respective owners or holders. Information subject to change without notice
Copyright © 2000 - 2015 AMT Software. All rights reserved.