[ISN] Code Red the Dracula of worms?

From: InfoSec News (isnat_private)
Date: Tue Aug 28 2001 - 02:54:42 PDT


    By CNET News.com Staff 
    August 27, 2001, 9:35 a.m. PT 

    A new permutation of the Code Red II worm was discovered on Friday,
    and experts say that Code Red is now unlikely ever to disappear.

    The new variant has been dubbed CodeRed.d, and exploits the same flaw
    in Microsoft's Internet Information Server (IIS) software as the
    initial Code Red. According to Roger Thompson, technical director of
    malicious code research at antivirus firm TruSecure, who detected the
    variant, the appearance of a new worm indicates that we are stuck with
    the Code Red problem "forever."

    "This is pretty much noise level for Code Red II and CodeRed.d--it's
    not going to get any better or worse and will stay like this forever,"
    said Thompson. "Those machines that have not yet been patched never
    will be, meaning that the worm is here to stay."

    CodeRed.d is nearly identical to its predecessor, except for two minor
    pieces of code that make it slightly more malicious. Code Red II used
    a self-recognition string of code that prevented it from re-infecting
    the same machine. But in the new variant, the string of code is
    replaced with underscore characters, meaning that both Code Red II and
    CodeRed.d can re-infect the same machine at once.

    "People won't notice, but it will be banging out twice as many
    attempts to attack other PCs," said Thompson. "It randomly selects a
    range of addresses to attack other machines--each worm will be
    churning out 300 threads to try and infect 300 different addresses at
    any one time."

    And CodeRed.d can target a greater spread of IP addresses than could
    earlier versions of Code Red, said Thompson. "But this is mitigated by
    those who have patched their machines."

    Thompson discovered CodeRed.d after writing his WormCatcher program,
    which monitors for traffic on a Web server's port 80 and immediately
    detects any unknown worm variants. The first report of the new Code
    Red II permutation came from New Zealand, followed by a second from
    the U.S.

    "I am now getting 10 hits an hour of reported catches, but I suspect
    that this figure would have been much higher last month, when few
    people had installed the Microsoft patch," said Thompson.

    According to Thompson, four to five new worms are created by accident
    on the Internet every day--but CodeRed.d was intentional. "This didn't
    happen by accident--someone was trying to get Code Red to go again,
    and we will be seeing more variations of this worm," Thompson warned.

    Staff writer Wendy McAuliffe reported from London.
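    The detection approach the article attributes to WormCatcher (watching a
    Web server's port 80 and flagging requests that do not fit the server's
    normal traffic, rather than matching one known worm string) can be
    sketched as below. This is an added illustration for readers, not
    WormCatcher's code and not anything from the article: the request lines,
    the set of known paths, the client addresses and the thresholds are all
    constructed for the example. Two of the sample requests differ only in
    their filler characters, in the same way the article says CodeRed.d
    differs from Code Red II only in its marker; a baseline-deviation check
    flags both, where a check for one exact marker string would miss the
    variant.

```python
"""Baseline-deviation detector for HTTP request lines (added example).

Idea: learn what requests a server legitimately receives, then flag anything
that deviates, and correlate the same odd request across many clients.
Every sample value below is constructed for this example; nothing here is
captured traffic or the page's own code.
"""
from urllib.parse import urlsplit

# Constructed baseline: paths the (hypothetical) server actually serves.
KNOWN_PATHS = {"/", "/index.htm", "/images/logo.gif", "/products.asp"}

# Assumed thresholds; a real deployment tunes these per site.
MAX_TARGET_LEN = 256      # request targets longer than this are suspicious
REPEAT_THRESHOLD = 3      # same unknown path from N distinct clients -> automated


def parse_request_line(line):
    """Split 'CLIENT METHOD TARGET HTTP/x.y' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].startswith("HTTP/"):
        return None
    client, method, target, version = parts
    return {"client": client, "method": method, "target": target, "version": version}


def classify(req):
    """Return the reasons a request looks abnormal (empty list if it looks normal)."""
    reasons = []
    target = req["target"]
    if len(target) > MAX_TARGET_LEN:
        reasons.append("oversized-target")
    if urlsplit(target).path not in KNOWN_PATHS:
        reasons.append("unknown-path")
    if req["method"] not in ("GET", "HEAD", "POST"):
        reasons.append("unusual-method")
    return reasons


def scan(lines):
    """Classify each line and correlate abnormal paths across distinct clients.

    Returns (flagged, probable_worms): flagged is a list of (line, reasons);
    probable_worms lists abnormal paths seen from at least REPEAT_THRESHOLD
    different clients, the pattern a self-propagating worm produces.
    """
    flagged = []
    clients_per_path = {}
    for line in lines:
        req = parse_request_line(line)
        if req is None:
            flagged.append((line, ["malformed"]))
            continue
        reasons = classify(req)
        if reasons:
            flagged.append((line, reasons))
            path = urlsplit(req["target"]).path
            clients_per_path.setdefault(path, set()).add(req["client"])
    probable_worms = sorted(
        p for p, clients in clients_per_path.items() if len(clients) >= REPEAT_THRESHOLD
    )
    return flagged, probable_worms


# Constructed sample traffic (RFC 5737 documentation addresses). The two padded
# requests to /example.dll differ only in filler ("X" vs "_"), yet both deviate
# from the baseline in the same way and are correlated under one path.
SAMPLE_LINES = [
    "192.0.2.10 GET / HTTP/1.0",
    "192.0.2.11 GET /products.asp HTTP/1.1",
    "198.51.100.5 GET /example.dll?" + "X" * 300 + " HTTP/1.0",
    "198.51.100.6 GET /example.dll?" + "_" * 300 + " HTTP/1.0",
    "198.51.100.7 GET /example.dll?" + "X" * 300 + " HTTP/1.0",
    "203.0.113.9 OPTIONS /index.htm HTTP/1.1",
]

if __name__ == "__main__":
    flagged, worms = scan(SAMPLE_LINES)
    for line, reasons in flagged:
        print(", ".join(reasons), "<-", line[:60])
    print("probable worm paths:", worms)
```

    Two design points: the detector keys its correlation on the request path
    rather than the full target, so a variant that changes only its padding or
    marker still groups with the original; and it never needs a signature for
    the worm, only a description of the server's own normal traffic.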
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Tue Aug 28 2001 - 04:56:21 PDT