Code Red: Worm poised to strike again

A consortium of companies, institutions and government agencies warned organizations running Internet Information Services to protect their Windows NT and Windows 2000 systems against the Code Red Worm before Tuesday night.

The worm, which infected 250,000 systems within a few days of its emergence in mid-July, exploits a buffer overflow in Microsoft's Index Server 2.0.

While Microsoft issued a patch for that buffer overflow back in June, the number of machines affected indicates that the patch was not widely deployed.

"Code Red is likely to start spreading again on July 31, 2001 8:00 PM EDT and has mutated so that it may be even more dangerous," according to the bulletin issued by Microsoft Corp., The National Infrastructure Protection Center, CERT Coordination Center, SANS Institute and four other organizations.

The worm's behavior of infecting systems and then using the systems' resources to scan the Internet for other vulnerable systems has the potential to decrease the speed of the Internet and cause outages.

The original Code Red was written to spend the first 19 days of the calendar month scanning for vulnerable systems. The worm was set to spend the next nine days in a denial-of-service attack against, although government IT officials redirected the Web site to avoid the attack.

The worm also defaced English-language Web sites of infected hosts with the message: "Welcome to! Hacked by Chinese!" Because the worm lives in memory, IT administrators can rid their machines of the current worm by rebooting. Protecting the system from re-infection requires the installation of Microsoft's patch.

The original Code Red worm apparently only defaced Web pages on affected systems, but the denial-of-service vulnerability could be used for more nefarious purposes if the hole is not patched because it gives an attacker complete control of the victim system.


About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

