News

Code Red Carnage Continues

• By Stephen Swoyer
• 08/10/2001

Contributing to the sense of panic were reports that Code Red variants were also knocking out a variety of networking devices, including DSL routers manufactured by Cisco Systems Inc. Damage associated with Code Red had thus far been associated only with Windows NT or 2000 Servers running Microsoft’s IIS Web server platform.

Ko Kwang-sup, an official at South Korea’s Information and Communication Ministry, told Reuters that Code Red III is dangerous because it spreads even faster than its predecessors. Kwang-sup also claimed that the latest Code Red variant creates a bigger backdoor than Code Red II.

"About 10 damage reports have come in which were believed to have been the result of the latest Code Red III," Kwang-sup told Reuters.

Code Red in all of its variants exploits a known vulnerability in Windows NT 4.0's and Windows 2000's Web-based indexing and search facilities, which are dubbed, respectively, Index Server 2.0 or Indexing Service. If properly exploited by means of a buffer overflow attack, the indexing service vulnerability could enable an attacker to run code of his or her choice on a compromised server – with system-level privileges.

At the time of the vulnerability’s discovery in mid-June, Microsoft urged all customers to apply a hotfix that it made available to patch the problem.

As first reported by ENT, Code Red I, which initially appeared in mid-July, was a worm attack that infected a vulnerable server and then spawned 100 additional threads to seek out and infect other servers.

Code Red II, which debuted in early August, upped the ante in this respect by spawning 300 additional threads – up to 600 in Chinese language versions of Windows; by leveraging a more sophisticated IP address “seed” algorithm; and by exploiting the full scope of the indexing service vulnerability to gain system-level privileges on a compromised server. It is not known how many additional threads Code Red III is capable of spawning, nor is there any indication of how it expands upon the backdoor threat that was first introduced with Code Red II.

DSL Routers Also Affected

Friday, telecommunications giant Qwest Communications said that ICMP traffic associated with Code Red had succeeded in taking down the Cisco DSL routers of many of its broadband customers.

According to Cisco, it’s possible to lock-up 600 series routers by sending a large ICMP ECHO (PING) packet to them. Qwest DSL customers using Cisco 600 series DSL routers were apparently affected in this way. Cisco made a fix available for this vulnerability in December 2000, and at this moment it’s not clear whether or not Code Red itself incorporates support for an attack of this type, or whether excess network traffic associated with Code Red is responsible for the outages.

In the past week alone, Code Red II has compromised systems with SAP America Inc., Federal Express and even Microsoft itself.