http://www.newsbytes.com/news/01/169122.html

By Brian McWilliams, Newsbytes
MOUNTAIN VIEW, CALIFORNIA, U.S.A., 17 Aug 2001, 12:14 AM CST

A minimum of eight servers operated by America Online's Netscape Communications division have been infected with the Code Red worm, according to independent intrusion monitoring services.

The compromised systems, all with Internet addresses registered to Netscape, have probed dozens of healthy computers nearby in the past few days in an attempt to spread the Code Red infection. At least six of the Netscape systems were still infected today. None of the machines responded to connection requests.

Service to Netscape's home page and other online services appeared unaffected by the malicious, self-propagating worm, as did the Internet properties of its parent, AOL. Netscape officials did not reply to interview requests.

The infiltration of Netscape's network by Code Red comes as the Federal Bureau of Investigation issued a caution today about the original version of the worm. According to the FBI, Code Red I will commence a second denial of service attack against an IP address assigned to the Web site operated by the White House at 8:00 p.m. Eastern on Sunday, August 19.

Log file entries created by at least one of the infected Netscape servers indicate the machine has been compromised by the latest, more dangerous variant of the worm, known as Code Red II, according to Jay Dyson, an independent security consultant. Using Early Bird, an automated intrusion detection system he developed, Dyson was first to observe the compromise of Netscape's network and report it to the company on Thursday. According to Dyson, he received no response to his e-mail to Netscape.

Many of the worms' probes were recorded by system administrators who participate in MyNetWatchman, a free service that compiles firewall log files from computer operators and automatically escalates serious intrusions to the proper authorities.
Code Red II and its predecessor, Code Red I, both target vulnerable Windows systems running Microsoft's Internet Information Server (IIS) software. It was not immediately clear why Netscape, which develops its own suite of Web server software, Netscape iPlanet, was running Microsoft's IIS product. Nor was it apparent what task the infected servers were originally intended to perform.

In addition to a high-traffic Web portal, Netscape operates numerous servers for downloading iPlanet components, as well as its Navigator browser and Communicator messaging software products. Netscape competes intensely against Microsoft offerings in each of those services and product lines. Earlier this month, Microsoft battled a Code Red infection of its own, which compromised an undisclosed number of computers supporting the company's MSN Hotmail, a free Web-based e-mail service.

While Code Red I was designed primarily to deface Web pages and launch a denial of service attack on the White House, Code Red II does not deface the home page of a target system. Instead, the newer worm secretly creates what security experts call a "back door" on the infected server, enabling the worm's author or any other attacker to remotely take complete control of the machine.

Systems infected with either variant of Code Red automatically attempt to spread the malicious program by probing other Internet servers to determine if they are exposed to a security flaw discovered in June. As they scan other systems, the worms leave a unique fingerprint in the Web logs maintained by most servers. By compiling log files from numerous system administrators, services such as MyNetWatchman can help to quickly identify outbreaks of Internet infections.

Microsoft released a patch for the vulnerability exploited by the worm, a bug known as the IDA flaw, on June 18. But hundreds of thousands of administrators of IIS servers had still not installed it five weeks later, when Code Red I began to spread virulently.
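The log-fingerprint detection the article describes, as an added example that is not code from the article, MyNetWatchman or Early Bird: it classifies probes in constructed web-server access-log lines using the request signatures documented in the public CERT advisories on Code Red (CA-2001-19) and Code Red II (CA-2001-23), namely a `GET /default.ida?` request padded with a run of `N` (original worm) or `X` (Code Red II) followed by `%u`-encoded shellcode, plus requests for the `root.exe` back door that Code Red II leaves under `/scripts` and `/MSADC`. It then aggregates hits per source address and escalates sources above a threshold, the step a service like MyNetWatchman performs across many contributors' logs. The log lines, addresses, filler lengths and threshold are constructed for the example.

```python
"""Code Red probe detection over NCSA-style web-server access logs.

Added example; not code from the article, MyNetWatchman or Early Bird.
Signatures follow the public CERT advisories CA-2001-19 (Code Red) and
CA-2001-23 (Code Red II): both worms send "GET /default.ida?" followed by a
long filler run, 'N' for the original and 'X' for Code Red II, then
%u-encoded shellcode. Code Red II also copies cmd.exe to /scripts/root.exe
and /MSADC/root.exe, so a request for root.exe is someone using the back door.
"""
import re
from collections import Counter, defaultdict

# Order matters: variant-specific patterns run before the generic .ida one.
# A filler run of 8+ is accepted instead of the worm's exact count so that
# shortened or truncated log lines still classify (assumption for the example).
SIGNATURES = [
    ("CodeRedI", re.compile(r'"GET /default\.ida\?N{8,}')),
    ("CodeRedII", re.compile(r'"GET /default\.ida\?X{8,}')),
    # Any other .ida request is still a probe for the same IIS ISAPI flaw.
    ("ida-probe", re.compile(r'"GET /[^" ]*\.ida\?', re.I)),
    # Attackers and scanners checking for the Code Red II back door.
    ("root.exe-backdoor", re.compile(r'/(?:scripts|msadc)/root\.exe', re.I)),
]

# Client address is the first field of an NCSA-style log line.
CLIENT_RE = re.compile(r'^(\S+)\s')

# Constructed sample lines (filler runs shortened); not real captures.
SAMPLE_LOG = """\
10.1.2.3 - - [16/Aug/2001:22:14:07 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 -
10.1.2.3 - - [16/Aug/2001:22:14:09 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 -
10.7.8.9 - - [16/Aug/2001:23:41:30 -0700] "GET /index.html HTTP/1.1" 200 5120
10.4.5.6 - - [17/Aug/2001:00:02:51 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 -
10.4.5.6 - - [17/Aug/2001:00:03:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 -
10.4.5.6 - - [17/Aug/2001:00:05:17 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.7.8.9 - - [17/Aug/2001:00:09:44 -0700] "GET /test.ida?AAAAAAAAAAAAAAAA HTTP/1.0" 404 -
"""


def classify_line(line):
    """Return the name of the first matching signature, or None if benign."""
    for name, pattern in SIGNATURES:
        if pattern.search(line):
            return name
    return None


def scan_log(text):
    """Map each client address to a Counter of signature hits."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        name = classify_line(line)
        if name:
            hits[m.group(1)][name] += 1
    return hits


def escalate(hits, threshold=2):
    """Sources whose total probe count meets the threshold, most active first.

    This is the aggregation step a log-sharing service performs before
    reporting a source to its network's abuse contact.
    """
    ranked = sorted(((sum(c.values()), ip) for ip, c in hits.items()), reverse=True)
    return [ip for total, ip in ranked if total >= threshold]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, counts in found.items():
        print(ip, dict(counts))
    print("escalate:", escalate(found))
```

A 404 on the `.ida` request does not mean the probe was harmless: an unpatched IIS server is compromised before it returns a status code, so the source addresses, not the response codes, are what matter. A host that both sends `X`-padded probes and has `root.exe` requested from it is the pattern the article describes for a Code Red II victim that others have already started to use.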
At its peak, the original worm burrowed into at least a quarter million IIS machines; Code Red II quickly infected approximately 150,000 Microsoft servers, according to the Computer Emergency Response Team (CERT), a federally funded security clearinghouse at Carnegie Mellon University. Statistics compiled by Incidents.org, an intrusion reporting service operated by the SANS Institute, indicate that machines at more than 75,000 unique Internet protocol (IP) addresses are still infected with some form of Code Red today and actively probing other systems.

According to the FBI's National Infrastructure Protection Center (NIPC), the threat posed by the upcoming attack is "significantly reduced," due in part to a reduction in the number of systems infected with Code Red I. Last month, White House system administrators dodged the first denial of service attack by disabling the IP address targeted by the worm and moving the site to a different address.

Netscape Communications is at http://www.netscape.com
MyNetWatchman is at http://www.mynetwatchman.com
Early Bird is available at http://www.treachery.net/~jdyson/earlybird/
The NIPC warning is online at http://www.nipc.gov/warnings/assessments/2001/01-018.htm

Reported by Newsbytes, http://www.newsbytes.com
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 07:19:11 PDT