[ISN] The Code Red worm can cause minor Mac problems

From: InfoSec News (isnat_private)
Date: Sat Aug 18 2001 - 01:32:42 PDT

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - August 17th 2001"

    by Dennis Sellers, 
    August 17, 2001 7:00 am ET 
    There's still plenty of concern over Code Red, the computer "worm"
    that first struck last month, then returned last weekend in mutated
    form (Code Red II). The worm, having wreaked chaos with Web servers
    using Microsoft code, is also causing problems with residential and
    small-business users who have high-speed Internet connections. What
    does Code Red mean for Mac users?
    "The worm's only (intended) purpose is to infect some versions of IIS
    which runs on Windows 2000 Server and Windows NT Server," according to
    Robert Franklin, Symantec's senior product specialist. "However, for
    Mac users (9.x and under) the multiple number of port 80 attempts that
    infected machines generate can bring down Macintosh Personal Web
    Sharing. In addition, any Mac user on an infected network might notice
    network performance problems."
    Larry Herrmann, technology director for NAMM (the International Music
    Products Association), told MacCentral that Code Red hit two of their
    printers, even though they reside behind a SonicWall firewall.
    According to an HP tech support note regarding Hewlett-Packard
    LaserJet printers, the Code Red worm is capable of attacking HP's
    JetDirect cards and thereby reprogramming its firmware. Occasionally,
    the printer will print out a diagnostic page with a stack, register
    and memory dump while disrupting the print job and in some cases
    disabling the printer completely.
    The issue is with the JetDirect card or external printer server. Older
    models of JetDirect with Firmware G.05.35 may be affected by the virus
    as it hunts down IIS Web servers. When the JetDirect with the older
    firmware gets a signal from the virus, it doesn't quite understand
    what to do. This causes the card to lock up, and the printer, trying
    to recover from the error, prints out an error report (consisting of
    register dumps). The printer then tries to reset the card, sometimes
    successfully, other times not so successfully.
    One quick fix is to simply power cycle the printer. However, the best
    resolution is to upload the current firmware version, which has to be
    done from a machine running Windows 95/98/or NT 4.0. However, the
    printer doesn't get infected by the virus nor can it pass it on to
    other computers.
    NAMM mainly uses iMacs for their workstations, as well as some
    PowerBooks. Their servers are mainly Power Mac G3 desktop and towers
    and they have one Mac OS X server running CommuniGate pro. The NAMM
    art department resides on G4s.
    "We print to HP 4050's and a 5000, along with several smaller Epson
    inkjets," Herrmann said. "We run a T1 for data through a Cisco router,
    into a SonicWall firewall. We block almost everything. Until recently,
    I would have said we block everything, but Code Red got through
    CodeRed II was discovered on August 4, 2001. It has been called a
    variant of the original CodeRed Worm because it uses the same "buffer
    overflow" exploit to propagate to other web servers. Symantec
    AntiVirus Research Center received reports of a high number of IIS web
    servers that were infected. CodeRed II is considered to be a high
    The original CodeRed had a payload that caused a Denial of Service
    attack on the White House Web server. CodeRed II has a different
    payload that allows the hacker to have full remote access to the Web
    Recently, Code Red II attacked some of the Hong Kong government's
    internal service and caused temporary suspension of access. The
    intranet system is for the distribution of information within
    government department and bureaus. The government's public Web site
    was unaffected.
    And an article in "The Industry Standard" says that creators of worms
    are making them more effective, more accurately targeted, and harder
    to trace. Code Red and Code Red II are causing problems, but they're
    just a fraction of the damage a worm could do, said Jonathan Wignall,
    a member of the Data and Network Security Council, an independent
    information-security UK pressure group that promotes safer networking.
    Speaking at the Hackers at Large Conference in Enschede, Netherlands,
    Wignall said a well-programmed worm could cut off entire countries
    from the Internet by attacking Internet exchanges, according to the
    "It wouldn't take too much to design a worm that attacks key parts of
    the Internet. You could cause quite a problem for a country or a
    network. There are only a few ways into each country," he said.
    Wignall also predicted that worms would start using a new type of
    replication: the Web. Today's worms crawl from system to system via
    e-mail, and they typically require users to open an attachment, or
    they exploit server holes, according to the Standard.
    "There are tons of holes in Internet Explorer a worm could use to
    self-propagate," Wignall said. "Many people don't bother fixing holes
    in IE. The bulk of the system administrators see security as an
    inconvenience, rather than something they should implement."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Sat Aug 18 2001 - 03:31:06 PDT