http://maccentral.macworld.com/news/0108/17.codered.shtml

by Dennis Sellers, dsellersat_private
August 17, 2001 7:00 am ET

There's still plenty of concern over Code Red, the computer "worm" that first struck last month, then returned last weekend in mutated form (Code Red II). The worm, having wreaked chaos with Web servers using Microsoft code, is also causing problems for residential and small-business users who have high-speed Internet connections.

What does Code Red mean for Mac users? "The worm's only (intended) purpose is to infect some versions of IIS which runs on Windows 2000 Server and Windows NT Server," according to Robert Franklin, Symantec's senior product specialist. "However, for Mac users (9.x and under) the multiple number of port 80 attempts that infected machines generate can bring down Macintosh Personal Web Sharing. In addition, any Mac user on an infected network might notice network performance problems."

Larry Herrmann, technology director for NAMM (the International Music Products Association), told MacCentral that Code Red hit two of their printers, even though they reside behind a SonicWall firewall.

According to an HP tech support note regarding Hewlett-Packard LaserJet printers, the Code Red worm is capable of attacking HP's JetDirect cards and thereby reprogramming their firmware. Occasionally, the printer will print out a diagnostic page with a stack, register and memory dump while disrupting the print job and in some cases disabling the printer completely. The issue is with the JetDirect card or external print server. Older models of JetDirect with firmware G.05.35 may be affected by the virus as it hunts down IIS Web servers. When a JetDirect with the older firmware gets a signal from the virus, it doesn't quite understand what to do. This causes the card to lock up, and the printer, trying to recover from the error, prints out an error report (consisting of register dumps).
The printer then tries to reset the card, sometimes successfully, other times not. One quick fix is simply to power cycle the printer. However, the best resolution is to upload the current firmware version, which has to be done from a machine running Windows 95/98 or NT 4.0. The printer itself doesn't get infected by the virus, nor can it pass it on to other computers.

NAMM mainly uses iMacs for their workstations, as well as some PowerBooks. Their servers are mainly Power Mac G3 desktops and towers, and they have one Mac OS X server running CommuniGate Pro. The NAMM art department resides on G4s.

"We print to HP 4050's and a 5000, along with several smaller Epson inkjets," Herrmann said. "We run a T1 for data through a Cisco router, into a SonicWall firewall. We block almost everything. Until recently, I would have said we block everything, but Code Red got through apparently."

CodeRed II was discovered on August 4, 2001. It has been called a variant of the original CodeRed worm because it uses the same "buffer overflow" exploit to propagate to other Web servers. Symantec AntiVirus Research Center received reports of a high number of IIS Web servers that were infected. CodeRed II is considered to be a high threat. The original CodeRed had a payload that caused a Denial of Service attack on the White House Web server. CodeRed II has a different payload that allows the hacker to have full remote access to the Web server.

Recently, Code Red II attacked some of the Hong Kong government's internal services and caused temporary suspension of access. The intranet system is for the distribution of information within government departments and bureaus. The government's public Web site was unaffected.

And an article in "The Industry Standard" says that creators of worms are making them more effective, more accurately targeted, and harder to trace.
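Two of the symptoms the article reports are detectable from ordinary logs: an infected host generates a burst of port 80 connection attempts against many neighbouring addresses (the traffic that knocks over Personal Web Sharing and confuses old JetDirect cards), and the request it sends is an oversized GET for an IIS .ida resource carrying the overflow. The script below is an added example, not code from the article, Symantec or HP. The log format it parses is constructed for the example, the thresholds (five distinct targets in ten seconds, a query string of at least 100 characters) are assumptions, and the .ida request shape comes from the public CERT advisory on Code Red (CA-2001-19), not from the article itself.

```python
"""Flag Code Red-style activity in constructed web/firewall log lines.

Two signals: a source hammering port 80 on many distinct hosts in a short
window (worm scanning), and a GET for an .ida resource with an abnormally
long query string (the IIS indexing-service overflow request shape).
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data. Assumed line format:
# "<ISO timestamp> <src ip> -> <dst ip>:<dst port> <request line or '-'>"
SAMPLE_LOG = """\
2001-08-17T07:00:01 10.0.0.21 -> 10.0.0.5:80 GET /index.html HTTP/1.0
2001-08-17T07:00:02 10.0.0.77 -> 10.0.0.1:80 GET /default.ida?{n} HTTP/1.0
2001-08-17T07:00:02 10.0.0.77 -> 10.0.0.2:80 -
2001-08-17T07:00:03 10.0.0.77 -> 10.0.0.3:80 -
2001-08-17T07:00:03 10.0.0.77 -> 10.0.0.4:80 -
2001-08-17T07:00:04 10.0.0.77 -> 10.0.0.5:80 GET /default.ida?{n} HTTP/1.0
2001-08-17T07:00:04 10.0.0.77 -> 10.0.0.6:80 -
2001-08-17T07:00:05 10.0.0.21 -> 10.0.0.5:80 GET /about.html HTTP/1.0
2001-08-17T07:00:06 10.0.0.21 -> 10.0.0.5:80 GET /tiny.ida?x=1 HTTP/1.0
""".format(n="N" * 224)  # long filler query string, as in the documented request

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<req>.*)$"
)
# GET for an .ida resource whose query string is 100+ characters (assumed cutoff).
IDA_RE = re.compile(r"^GET /\S*\.ida\?(?P<qs>\S{100,}) HTTP/1\.[01]$")


def parse(lines):
    """Turn log lines into event dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "req": m["req"],
        })
    return events


def ida_requests(events):
    """Return (src, dst) pairs whose request line matches the .ida overflow shape."""
    return [(e["src"], e["dst"]) for e in events if IDA_RE.match(e["req"])]


def port80_scanners(events, window=timedelta(seconds=10), min_targets=5):
    """Sources that touch port 80 on >= min_targets distinct hosts within window.

    Sliding window per source over time-ordered events. A browser talking to
    one web server never trips this; a worm sweeping a subnet does.
    Returns {src: largest distinct-target count seen in any window}.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["port"] == 80:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {x["dst"] for x in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def report(text=SAMPLE_LOG):
    """Run both detections over a log text and return the findings."""
    events = parse(text.splitlines())
    return {"scanners": port80_scanners(events), "ida": ida_requests(events)}


if __name__ == "__main__":
    print(report())
```

On the constructed sample only 10.0.0.77 is flagged: it reaches six distinct hosts on port 80 within the window and sends two .ida requests, while 10.0.0.21's short `/tiny.ida?x=1` request and repeated hits on a single server trip neither rule. The distinct-target count matters more than the raw request count, which is why a busy but legitimate client of one server stays clear of the scanning rule.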
Code Red and Code Red II are causing problems, but they're just a fraction of the damage a worm could do, said Jonathan Wignall, a member of the Data and Network Security Council, an independent UK information-security pressure group that promotes safer networking. Speaking at the Hackers at Large conference in Enschede, Netherlands, Wignall said a well-programmed worm could cut off entire countries from the Internet by attacking Internet exchanges, according to the Standard. "It wouldn't take too much to design a worm that attacks key parts of the Internet. You could cause quite a problem for a country or a network. There are only a few ways into each country," he said.

Wignall also predicted that worms would start using a new type of replication: the Web. Today's worms crawl from system to system via e-mail, and they typically require users to open an attachment, or they exploit server holes, according to the Standard. "There are tons of holes in Internet Explorer a worm could use to self-propagate," Wignall said. "Many people don't bother fixing holes in IE. The bulk of the system administrators see security as an inconvenience, rather than something they should implement."

[...]

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Sat Aug 18 2001 - 03:31:06 PDT