[ISN] "Code Red" worm claims 12,000 servers

From: InfoSec News (isnat_private)
Date: Wed Jul 18 2001 - 19:30:06 PDT

  • Next message: security curmudgeon: "[ISN] YAGP (Yet Another Government Panel)"

    By Robert Lemos
    Special to CNET News.com 
    July 18, 2001, 1:35 p.m. PT 
    Almost 12,000 Web servers have been infected by a new Internet worm
    that takes advantage of a security flaw in Microsoft software to
    deface sites, security experts said Wednesday. The worm could also
    help attackers identify infected computers and gain control of them.
    Known as the Code Red worm because of evidence that it may have been
    launched from China, the self-spreading program infects servers using
    unpatched versions of Microsoft's Internet Information Server software
    and defaces the Web sites hosted by the servers.
    The code is still being analyzed to see if it does any further damage.
    But the way the worm is written, it could allow online vandals to
    build a list of infected systems and later take control of them, said
    Marc Maiffret, chief hacking officer with eEye Digital Security.
    "It is a very slick worm," Maiffret said. "Until all these people go
    out and patch their systems, it will keep going."
    eEye found the vulnerability in Microsoft's software--the so-called
    index-server flaw--last month and reported it to the software giant,
    which acknowledged the flaw June 18 and posted a downloadable fix on
    its Web site. Microsoft urged people to patch the hole before the
    Internet underground could produce tools to take advantage of the
    estimated 6 million vulnerable systems.
    "Obviously, not a lot of people patched it," Maiffret said. "Even with
    the press, a lot of people didn't hear about it."
    System administrators first detected the Code Red worm this past
    The worm spreads by selecting 100 IP addresses, scanning the computers
    associated with them for the hole, and spreading to the vulnerable
    machines. The worm then defaces any Web site hosted by the server with
    the text:
    Welcome to http://www.worm.com! 
    Hacked by Chinese! 
    Code Red seems to deface only English-language servers, going into
    hibernation on non-English versions of Microsoft's IIS software.
    Believing that Worm.com acted as a collection point for information
    sent from compromised servers, Microsoft has successfully requested
    that Worm.com's Internet service provider pull the plug on the site.
    If Worm.com had built such a list, it could have allowed online
    vandals to target computers known to be vulnerable.
    "That site was a collection point for data about what sites had been
    compromised," said Scott Culp, security program manager for
    Microsoft's security response center. "By taking it down, it prevents
    the malicious individual that created the worm from getting that
    information. It doesn't prevent the worm from spreading."
    But according to eEye's Maiffret, removing Worm.com from the Web will
    probably have no effect, because the way Code Red is programmed can
    allow anyone--including an online vandal or malicious hacker--to make
    a list of every system that has been compromised.
    That's because each instance of the worm will attack the same
    computers in the same order, according to eEye's analysis. Maiffret
    said that while the addresses of the computers attacked by the worm
    seem to be random, because the worm uses the same starting point, or
    "seed," to generate the list, the "random" lists that any two worms
    generate are identical. Like identical genes, which produce a clone,
    identical seed numbers produce attack lists that are the same.
    That means any computer on the "randomized" list will be attacked by
    every newly infected computer. By monitoring who attacks a target
    machine, a list of attacking--thus infected--computers can be made.
    One eEye client has done just that, said Maiffret, and found that
    almost 11,900 servers had been infected as of 7 a.m. PDT Wednesday.
    Unlike other worm attacks, where the actual number of infections can
    only be estimated, these numbers correspond to the actual infections,
    he said.
    Unfortunately, if attackers have access to a machine on the target
    list, they, too, can make a list of compromised machines. Later, an
    attacker can use the list to take control of the servers.
    For system administrators who have not patched their systems, now
    would be a good time, said Microsoft's Culp.
    "We are going back out to customers and telling them that if they
    didn't put the patch on before, this is all the reason they need to
    put the patch on now," he said.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 02:38:45 PDT