Code Red II spreading in Asia

The Code Red II worm has hit much of Asia-Pacific hard this week and is continuing to spread quickly in some areas.

Infection by Code Red II has been widespread in Taiwan and China this week, according to antivirus software vendor Trend Micro. Japan's national police organization reported Wednesday that it has received reports of more than 200 servers in the country being attacked by the virus. In Hong Kong, an official with the territory's Computer Emergency Response Team (CERT) said Internet access has been severely affected at some companies.

Code Red II, officially dubbed Code Red 3.0, is similar to the Code Red worm that attacked systems worldwide at the beginning of August, but with a more dangerous effect: It creates a "backdoor" to Web servers that lets hackers easily get in and steal or change information and passwords.

In Taiwan, infections by the worm were highest on Tuesday and Wednesday, and a total of more than 100 Trend Micro customers there have reported infection, according to John DeRiso, a spokesman for the company in Taipei. Many others probably were infected but did not contact Trend because they were able to fix their servers themselves, he added. From Monday, Trend classified the worm as a "red alert" in Taiwan because of its rapid spread, while worldwide it called Code Red II a less urgent "yellow alert."

The key reason for the more widespread impact in Taiwan is that a smaller percentage of servers there had been patched for protection against the worm, DeRiso said.

"The IS people here tend not to add the latest patches. They tend to value system stability over having the latest patches," DeRiso said.

In mainland China, Code Red II hit hard Wednesday and on Thursday continued to infect many sites, particularly large organizations such as banking and financial companies and government agencies, DeRiso added.

The Hi-Tech Crime Task Force of Japan's National Police Agency (NPA), which oversees all of the country's local police forces, in a Wednesday statement confirmed that local police departments had reported more than 200 servers had been compromised by the worm. NPA ordered local police to investigate how each compromised system has been damaged. It warned there probably have been many more attacks than were detected or reported. In Japan, each intrusion by the worm is a crime and must be reported.

The Hong Kong CERT by the end of the day Wednesday had received reports of two servers in Hong Kong infected by Code Red II and five by the original Code Red worm, said Roy Ko, central manager of the HKCERT coordination center, in an interview Thursday. Yet, despite the relatively small number of infections reported to the CERT, Internet performance for some organizations in the territory has been significantly affected, he added.

"We know there were a lot of scanning activities going on in the Internet . . . it's making the Internet quite busy these days," Ko said.

Even servers correctly patched to prevent infection have been affected in this way, he added. "Although you have fixed all the vulnerabilities, you still suffer from a lot of scanning activity; it's still knocking on your door." One such company reported to CERT that it had been scanned hundreds of times.

Logs of infection attempts at some organizations showed a large number of Code Red II infection attempts coming from local sources, Ko added. This is because rather than creating random IP (Internet Protocol) addresses through which to propagate itself as did Code Red, the new worm uses a different algorithm that seems to choose more addresses that are similar to its current host machine, Ko said. As for where Code Red II came from, as with the original Code Red, it's hard to trace, he added.

As in Japan and Taiwan, the reported attacks may be just the tip of the iceberg in Hong Kong, Ko said.

"Definitely there are a lot of machines infected, but they aren't aware of it or didn't report it to us," he said.

Symantec Corp.'s Symantec Antivirus Research Center (SARC) in Sydney, which covers all of Asia, as of Wednesday had received 60 automatic notifications that Code Red II had infected systems, according to David Banes, SARC regional manager. Some corporate customers also called on Symantec for help with recovery tasks such as fixing a server's file registry, he added.

However, Banes believes that as Code Red and its variants become more widely publicized, each outbreak will be less significant.

Nevertheless, the rapid transformation of Code Red into a more harmful virus raises the specter of even more severe virus problems in the future, according to Ko, of the Hong Kong CERT.

"(Code Red II) is now using just one vulnerability. There will be new vulnerabilities (presented) by Microsoft in future or by any other software vendors, and it's possible for hackers to take advantage of these vulnerabilities to create new worms," Ko said.

Additional reporting by IDG News Service Tokyo Correspondent Kuriko Miyake.

Join the newsletter!

Error: Please check your email address.

More about CERT AustraliaComputer Emergency Response TeamMicrosoftSymantecTrend Micro Australia

Show Comments