[ISN] Code Red: Is This the Apocalypse?

From: InfoSec News (isnat_private)
Date: Tue Jul 31 2001 - 00:33:25 PDT

    http://www.wired.com/news/technology/0,1282,45681,00.html
    
    By Michelle Delio 
    6:09 a.m. July 30, 2001 PDT 
    
    If you do nothing else today, make sure you patch your computer system
    against the Code Red worm.
    
    Code Red, which reportedly has infected about 300,000 computers this
    month, may begin to wreak more havoc on the Internet when the
    date-triggered worm begins propagating again at midnight Greenwich
    Mean Time on Wednesday, Aug. 1 (8:00 p.m. EDT on Tuesday, July 31).
    
    Then again, Code Red might just deface some Web pages, cause a lot of
    extra work for systems administrators and slow the Internet down a
    tad, just like it did through the month.
    
    Microsoft, the FBI's National Infrastructure Protection Center, the
    CERT Coordination Center, SANS Institute and several other groups
    issued a joint alert Sunday evening, warning that the Code Red worm is
    a "very real" threat to the Internet, and setting July 31 as the
    deadline to protect systems against the worm.
    
    "If there's even one infected computer out there it will start
    infecting other computers again," Steve Trilling, director of research
    at Symantec's antivirus center, said in a press release.
    
    But Rob Rosenberger, webmaster of a site devoted to debunking myths
    about computer viruses, believes that mass e-mail warnings about the
    worm are more likely to gum up the works than the worm itself.
    
    "I'll make a simple prediction. E-mail servers will clog up on Monday
    and Tuesday with warnings about this 'horrifying' worm," Rosenberger
    said in his article about the worm.
    
    Rosenberger is happily planning to study the hysteria that he believes
    will be spawned by worm alerts this week. Overwrought alert or not,
    the patch that prevents infection by Code Red (Microsoft Security
    Bulletin MS01-033) should be applied by anyone who runs Microsoft's
    Internet Information Server (IIS) Web server software on Windows NT
    4.0 or Windows 2000.
    
    The worm's effects during its first run of infections were not as
    debilitating as some security experts predicted they would be. But
    machines should be patched anyway. The vulnerability the worm exploits
    is a buffer overflow that anyone, not just the worm, can trigger with
    a single crafted request, and it lets an attacker run code of their
    choosing on an unpatched server whether or not the worm ever reached
    it.
    
    Applying the patch is a quick download, carries little risk to a
    correctly configured system, and helps fight the spread of the worm.
    
    Even if your computer is not used as a server, IIS may be present:
    Windows 2000 Server installs it by default, and many applications
    install it automatically.
    
    Those who are unsure if they are running IIS can launch Task Manager
    by pressing the Control-Alt-Delete keys at the same time. Click on
    Task Manager in the dialog box, and select the Processes tab.
    
    Look for Inetinfo.exe in the image name column. If Inetinfo.exe
    appears, you are running IIS and need to install the necessary
    patches. If it does not appear, IIS is not running at the moment, but
    that is not the same as not having it installed: a stopped World Wide
    Web Publishing Service will come back after a reboot and expose the
    same flaw. Check the Services control panel for that service as well,
    and patch if it is present.
    
    To rid your machine of the worm, simply reboot your computer: the worm
    lives only in memory and does not survive a restart. Rebooting does
    not close the hole, though, and an unpatched server can be reinfected
    as soon as it comes back up. So install Microsoft's Code Red
    vulnerability patch for Windows NT 4.0 or Windows 2000 first, or
    reboot with the network cable unplugged and patch before reconnecting.
    
    Step-by-step instructions for applying the patch and purging systems
    of the worm have been posted by Digital Island Net.
    
    Since around July 13, several variants of the Code Red worm have been
    wiggling their way across the Internet, attacking servers and slowing
    traffic.
    
    Security company eEye Digital Security discovered the flaw in IIS that
    Code Red exploits on June 18, and warned that an exploit would soon be
    created to take advantage of the vulnerability. eEye also provided the
    first complete analysis of the worm after it was released on the
    Internet on or around July 13.
    
    The worm was named in honor of a super-caffeinated soft drink, Code
    Red Mountain Dew, which the eEye crew drank during an all-night work
    session as they struggled to understand what the worm was capable of
    doing.
    
    At least two new versions of the worm are also loose on the Net, and
    appear to be spreading more quickly than the original version of Code
    Red, said Marc Maiffret, chief hacking officer at eEye.
    
    After infecting a system, the worm scans the Internet for other
    vulnerable systems and infects them by sending the same exploit as an
    HTTP request to TCP port 80, the standard Web port; no action by
    anyone on the target machine is involved. Each newly installed copy
    then joins all the others in the search for more systems to infect.
    
    CERT's new advisory on the Code Red worm states that tens of thousands
    of systems are already infected or vulnerable to re-infection.
    
    Because the worm propagates so quickly, CERT experts believe it is
    likely that nearly all vulnerable systems will be compromised by Aug.
    2, during the anticipated next run of infections.
    
    Infected machines have the potential to disrupt business and personal
    use of the Internet by slowing servers' ability to process
    information, and perhaps bringing some systems to a complete halt.
    
    The first version of the worm was coded so that each infected machine
    would eventually return to and attack the machine that originally
    infected it. EEye suspects this may allow the coder to track the
    infections.
    
    Using this feature of the worm, security experts at eEye were able to
    accurately track the initial spread of the worm. Every machine that
    was infected would eventually "call home," which allowed compromised
    systems to be logged and tracked. New versions of Code Red no longer
    contain that coding quirk, so they cannot be tracked the same way.
    
    The worm is coded to be time sensitive; its activity occurs based on
    the date (day of the month) of an infected system's clock.
    
    The worm is in "propagation mode" from the first through the 19th of
    the month. During that time, an infected computer attempts to send the
    worm out to other randomly chosen IP addresses over TCP port 80, the
    standard HTTP port.
    
    The worm goes into "flood mode" from the 20th through 27th of the
    month, launching a denial-of-service attack against a specific IP
    address that is embedded in the worm's program code. With current
    versions of the worm, the attack is launched against the White House's
    website.
    
    Earlier this month the White House dodged the attack without going
    offline by moving its website to an IP address that the worm was not
    programmed to recognize, and blocking all requests to the address that
    the worm was coded to attack.
    
    Clearing the worm from systems can be time-consuming. Last week, the
    Pentagon temporarily shut down public access to all of its websites to
    purge and patch its networks, an action that some security experts
    felt was a bit of overkill.
    
    The worm enters "termination" or "hibernation mode" after the 27th day
    of the month, remaining in infected systems but otherwise staying
    inactive until the first day of each month.
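    As an added example that is not part of the article, the two
    mechanisms described above (infection by a single HTTP request to
    port 80, and the day-of-month schedule) can be turned into a check an
    administrator could run over IIS W3C logs. The script below assumes
    the default IIS 5.0 W3C field order and uses a constructed sample log.
    The .ida/.idq URL and the %u-encoded request marker are the published
    Code Red request signature (the flaw sits in the Index Server ISAPI
    extension that the Microsoft patch fixes); the article itself does not
    quote them. The phase label comes straight from the schedule above and
    says whether a hit fits the original worm's behavior for that date.

```python
"""Flag Code Red style probes in IIS W3C extended logs (added example)."""
import re
from datetime import date

# Published Code Red request: GET /default.ida?NNNN...%u9090%u6858%ucbd3%u7801...
# This marker is the start of the worm's %u-encoded overflow payload; the
# article itself does not quote it.
CODE_RED_MARKER = "%u9090%u6858%ucbd3%u7801"
# .ida and .idq are handled by the Index Server ISAPI extension that the
# Microsoft patch fixes; any oversized query to them is an overflow attempt.
IDA_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)
MAX_SANE_QUERY = 200

# Constructed sample log (default IIS 5.0 W3C fields, not a real capture).
CODE_RED_QUERY = "N" * 224 + CODE_RED_MARKER + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3=a"
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 14:02:11 198.51.100.7 GET /default.ida {CODE_RED_QUERY} 200",
    "2001-07-19 14:02:15 203.0.113.9 GET /index.html - 200",
    "2001-07-19 14:03:01 203.0.113.9 GET /default.ida - 404",
    f"2001-07-22 09:00:00 198.51.100.7 GET /default.ida {CODE_RED_QUERY} 200",
    "2001-08-01 03:17:42 192.0.2.44 GET /scripts/foo.idq " + "X" * 300 + "%u0101%u0202 200",
])


def worm_phase(day: int) -> str:
    """Day of month -> the worm's mode, exactly as the article lays it out."""
    if 1 <= day <= 19:
        return "propagation"   # scanning random IPs on TCP 80
    if 20 <= day <= 27:
        return "flood"         # denial of service against the hard-coded target
    return "hibernation"       # resident but idle until the 1st


def parse_w3c(text: str):
    """Yield one dict per request line, using the #Fields: header for names."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log has no #Fields: header")
        parts = line.split()
        if len(parts) < len(fields):
            continue  # truncated line; skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(row: dict):
    """Return 'code-red', 'ida-overflow-probe', or None for a parsed line."""
    if not IDA_STEM.search(row.get("cs-uri-stem", "")):
        return None
    query = row.get("cs-uri-query", "-")
    if CODE_RED_MARKER in query:
        return "code-red"
    if len(query) > MAX_SANE_QUERY or "%u" in query.lower():
        return "ida-overflow-probe"
    return None


def scan_log(text: str) -> list:
    """Every suspicious .ida/.idq request, tagged with the worm phase for its date."""
    hits = []
    for row in parse_w3c(text):
        kind = classify(row)
        if kind is None:
            continue
        day = date.fromisoformat(row["date"]).day
        hits.append({
            "time": f"{row['date']} {row['time']}",
            "src": row["c-ip"],
            "kind": kind,
            "status": row.get("sc-status"),
            # A 'code-red' hit on a 'flood' day does not match the original
            # worm's schedule: either a variant or a hand-run exploit.
            "phase": worm_phase(day),
        })
    return hits


def sources(hits: list) -> dict:
    """Count hits per source address; each one is an infected or hostile host."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("sources:", sources(found))
```

    The second rule matters more than the first: the exact marker only
    catches the variants seen so far, while any oversized or %u-encoded
    query to an .ida or .idq URL is an attempt on the same overflow and is
    worth a look regardless of who sent it. The per-source counts give a
    list of infected hosts to report to their owners or upstream
    providers.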
    
    The first version of the worm, if it infects a Web server, also
    defaces the contents of a website with the words "Hello! Welcome to
    http://www.worm.com! Hacked by Chinese!"
    
    The defaced page will stay in place for 10 hours, and then revert to
    normal. New variants do not deface websites hosted by infected
    computers, but are more apt to crash servers since they infect
    computers multiple times, eEye's Maiffret said.
    
    Microsoft's "windowsupdate.microsoft.com" site displayed that message
    for a few hours earlier this month, an obvious sign that the company
    had not applied its own security patch to all of its own servers.
    
    Steve Lipner, head of Microsoft's security response center, said the
    company is looking for new ways to distribute its security patches
    more efficiently.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    