[ISN] Code Red II Variant on the Prowl

From: InfoSec News (isnat_private)
Date: Tue Mar 11 2003 - 23:00:23 PST

  • Next message: InfoSec News: "[ISN] Bank security falls victim to moles"

    By Dennis Fisher
    March 11, 2003 
    Security experts are watching a new variant of the Code Red II worm
    that began appearing on some monitoring networks Tuesday. The worm is
    nearly identical to its ancestor, save for a modified drop-dead date
    that is now several thousand years in the future.
    Known as Code Red.F, the worm uses the same infection method as the
    previous versions, attacking Web servers running Microsoft Corp.'s IIS
    software. The worm so far has infected only a few machines, and
    because most administrators patched their servers after the initial
    Code Red outbreak in 2001, it is unlikely to spread extensively,
    experts say.
    All of the Code Red worms exploit an unchecked buffer in the Index
    Server in the IIS software. They then spread by infecting one machine
    and then scanning a list of random IP addresses and attempting to
    connect to port 80. The original Code Red, which struck in July 2001,
    infected several hundred thousand IIS servers and caused massive
    traffic disruptions on some portions of the Internet.
    Roger Thompson, the technical director of malicious code research at
    TruSecure Corp., in Herndon, Va., first began seeing new worm activity
    Tuesday morning. His WormCatcher network of distributed hosts
    monitoring activity on ports that worms commonly use started catching
    packets that were 3,818 bytes long coming in on port 80.
    "After looking at it, it was quite obviously a Code Red II variant,"  
    he said. "It's not going to be as bad as the previous version, but it
    will stay with us."
    Thompson said he had seen 20 unique infections as of Tuesday
    Like the first Code Red, this version of the worm code contains a date
    on which it is set to stop attempting to propagate itself. Code Red II
    died in October 2001, but Code Red.F won't exhaust itself for about
    30,000 years, Thompson said.
    The change in the drop-dead date and the fact that the buffer overflow
    is caused with a multitude of Xs instead of Ns are the only
    differences between Code Red II and its offspring.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Mar 12 2003 - 01:28:49 PST