Analysis: Code Red worm set to return

The Code Red virus, which wormed its way into an estimated two or three hundred thousand Microsoft Internet Information Servers (IIS) during the past few weeks, failed to launch a denial-of-service IP (Internet protocol) attack against its sole target, Whitehouse.gov.

The attack, which was launched on July 20, failed because administrators for the Whitehouse.gov Web site simply changed its IP address. The Code Red worm was not clever enough to do more than attempt to send packets to a fixed IP address.

The worm exploits a buffer-overflow vulnerability in IIS, which was identified last June by security firm eEye Digital Security Inc. The flaw allowed the worm to leap into an IIS Server where the administrator failed to apply a patch posted by Microsoft.

But this isn't the last we'll hear about the Code Red worm. Between July 21 and 28 the computer worm is timed to go into dormancy in infected machines. But if the infected IIS Server isn't scrubbed clean of the infection, Code Red will reawaken and seek to infect and re-infect other vulnerable IIS servers that aren't protected by the Microsoft software patch. By August 20, servers infected with Code Red will try to launch yet another attack on Whitehouse.gov at the same fixed IP address the worm was originally programmed to attack.

The ceaseless round of dormancy and renewed attempts to attack probably won't affect the White House Web site in the immediate future. But it does demonstrate a disturbing proof-of-concept in computer virus propagation that could lead to further refinements to create more dangerous ones, say security experts.

"As a distributed denial-of-service tool, you could say it wasn't particularly successful, but as a worm, it was successful," said Vincent Weafer, director of the Symantec AntiVirus Research Center. Symantec will post a free scanning tool on its Web site to allow administrators to check whether their IIS Web servers have been infected. "We're seeing the merging of computer viruses and attack tools. There are bound to be variants on this," said Weafer.

On the same day the Whitehouse.gov site was supposed to be attacked, eEye Digital Security also identified a variant of the original worm, which has already been dubbed Code Red version 2 and is also programmed to attack the White House Web site.

According to eEye, the new worm is probably based on the original, but uses a slightly different randomness in the Web page hack procedure, which makes it harder to spot using the analysis tools developed for the original version.

The arrival of Code Red and its variant has security experts not only preparing defenses as they would any other computer virus, but also debating how much the public should be told about software vulnerabilities in vendor products.

Some security firms believe that the publication of details about the IIS Server vulnerability last June probably made it easier for the Code Red worm author to create the exploit. Although the worm leaves a message stating it originated with Chinese hackers, there is no evidence yet that Code Red came from mainland China.

Security management tools vendor Internet Security Systems believes that it was ethically questionable for eEye to publish details of the IIS vulnerability. It notes that it would be better practice to work with the vendor whose product was vulnerable to quickly come up with a fix, and then inform the public about the problem in general terms but not in specifics.

Other vendors say it's reasonable to criticize eEye but acknowledge that the security firm did what it thought was best, rather than grandstanding for attention.

"When [eEye] posted the code last month, its intent was to educate security professionals," said Symantec's Weafer. This philosophy represents the so-called "open source model," he noted, but added that Symantec does not publish specific hacker exploits it may discover.

For its part, eEye, which sells a product called SecureIIS and is always on the look-out for Code Red-type holes, has defended its actions. It says such "full disclosure" helps alert systems administrators to the seriousness of the situation. That view is also supported by other security experts.

"[eEye] didn't necessarily have to show the whole world this," said Scott Blake, director of security product strategy at BindView, a security product vendor. "But my philosophy is, the more scared people are, the more likely they are to implement the patch."

Blake said it's hard to get systems administrators to install every security patch, and the demonstration code provided by eEye last month, which appeared after Microsoft released its fix for the vulnerability, contributed to the sense of urgency that administrators must apply the update immediately. Blake also added that BindView does not itself publish such demonstration code.

According to estimates, two or three hundred thousand IIS servers were infected over two weeks by Code Red v. 1. Blake notes that the scale of IIS deployment on the Internet can be gauged from Netcraft's published estimate of 6 million IIS servers.

"But I know of IIS servers that haven't downloaded Microsoft's fix for Code Red that haven't been infected yet," Blake concluded. On August 20, a new round of infections will commence, raising afresh an issue that just won't go away.
