Code Red version 3.0 is making waves in New Zealand with reports of thousands of hits on webservers being attributed to the new worm.
Code Red 3.0 uses the same buffer overflow exploit as the original Code Red but carries a different payload -- it installs a backdoor on the infected server. Confusingly, this version refers to itself as Code Red II, but observers, among them anti-virus firm Symantec Corp., have designated it version 3.0 to differentiate it from the first variation of the worm, which included only minor changes from the original.
Locally, a number of network managers are reporting a large number of hits from infected servers -- at one point up to 200 a minute on a number of sites around New Zealand. Brian Gibbons, director of Outersite Technology, an Auckland-based internet solutions company, says end users may start to notice internet traffic problems because of the worm's proliferation. "Going to the States at the moment is pretty slow."
He says that if an end user with a broadband connection gets infected, they could end up with a very large bill from their ISP for bandwidth charges.
"Code Red could easily burn bandwidth at NZ$300 (US$125) per hour. It's fairly scary to come back on Monday to find your box has burnt NZ$15,000 over the weekend."
Gibbons says ISPs should do more to warn end users about the dangers of an "always on" connection but even dial-up users are at risk.
"You've only got to put a modem into a Windows 2000 server, which is temporarily connected to the internet and by default you've exposed yourself to Code Red."
Designed to attack webservers that run Microsoft's Internet Information Server (IIS) and haven't had the security patch applied, Code Red infected over 300,000 machines last month. A second wave of attacks hit around half that number in the first few days of August.
Code Red 3.0 is not related to the original, according to security monitoring website Incidents.org, but is instead an entirely new worm that works along similar lines. It is far more aggressive in nature than the first Code Red or the subsequent variation. Incidents.org is reporting that "due to the more malicious actions of this worm, patching and rebooting an infected server is no longer sufficient to clean the system".