Code Red worm exploits Windows NT flaw

A malicious worm, named Code Red, that exploits a buffer overflow vulnerability in certain configurations of Microsoft's Windows NT and Windows 2000 operating systems has spread rapidly over the Internet, according to the CERT Coordination Center (CERT/CC). As many as 225,000 computers have been affected, the organization said.

Code Red exploits a buffer overflow in the Microsoft Internet Information Server (IIS) Indexing Service DLL, CERT/CC said. The vulnerability is present in most versions of IIS 4.0 and IIS 5.0, it said.

According to an announcement issued on June 19 that described the vulnerability, this buffer overflow allows an attacker to gain complete control of a targeted system.

If an affected host's default language is English, Code Red will deface all Web pages served by the affected host with the message "HELLO! Welcome to www.worm.com! Hacked By Chinese!" In addition to Web defacement, the worm causes a degradation in overall system performance as it scans other hosts in a bid to propagate itself, CERT/CC said.

If the default language on the host is not English, the worm will continue scanning but no defacement will occur, CERT/CC said.

Code Red can also initiate "severe denial-of-service" attacks as it scans non-compromised systems and networks for the IIS Indexing Service DLL buffer overflow vulnerability, CERT/CC said.

A denial-of-service attack can occur because the worm uses the same random number generator seed to create the list of IP addresses it scans, CERT/CC said. As a result, all affected hosts scan the same IP addresses, it said.
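The following simulation, added here and not taken from the article or from the worm itself, shows why a shared constant seed turns a fleet of infected hosts into a denial-of-service engine: every host that seeds its generator with the same constant draws the same target list, so the fleet hammers one small set of addresses instead of spreading its load. The seed value, list length and host count are constructed for illustration, and the targets are plain 32-bit integers; nothing is sent anywhere.

```python
"""Model of the scanning-seed mistake CERT/CC describes for Code Red.

Each simulated host draws a list of 32-bit target values from a
pseudo-random generator. A shared constant seed (what the worm did) is
compared with a per-host seed. Added example; no network activity.
"""
import random

SCAN_LIST_LEN = 100          # constructed: targets drawn per host
SHARED_SEED = 0x1234         # constructed: stands in for the worm's constant


def scan_targets(seed: int, count: int = SCAN_LIST_LEN) -> list[int]:
    """Return `count` pseudo-random 32-bit values for one simulated host.

    The same seed always yields the same list, which is the whole point:
    the generator is deterministic, so the seed decides the targets.
    """
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


def distinct_targets(seeds: list[int]) -> int:
    """Count the distinct target values hit across a fleet of hosts."""
    hit: set[int] = set()
    for seed in seeds:
        hit.update(scan_targets(seed))
    return len(hit)


def fixed_seed_fleet(hosts: int, seed: int = SHARED_SEED) -> int:
    """Every host seeds with the same constant: the fleet converges on
    one list, so adding hosts adds load on the same targets, not reach."""
    return distinct_targets([seed] * hosts)


def per_host_seed_fleet(hosts: int) -> int:
    """Each host seeds differently (its own address, clock, etc.): the
    target sets barely overlap, so the load is spread out instead."""
    return distinct_targets(list(range(1, hosts + 1)))


if __name__ == "__main__":
    fleet = 1000
    print("shared seed, distinct targets hit:", fixed_seed_fleet(fleet))
    print("per-host seed, distinct targets hit:", per_host_seed_fleet(fleet))
```

With 1,000 simulated hosts the shared-seed fleet never hits more than the 100 values of its one list, while the per-host fleet hits close to 100,000 distinct values.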

The Web site of the White House, the official residence of the U.S. president, has been the target of a denial of service attack initiated by the Code Red worm, according to the National Infrastructure Protection Center (NIPC), which is run by the U.S. Federal Bureau of Investigation.

Code Red attacks the White House Web site by sending 100 simultaneous connections to its Web server, the NIPC said in a statement, adding the worm was programmed to begin the attack at 0:00 a.m. GMT on July 20. At 9:30 a.m. GMT, the White House site was seen to be operating normally.

"It seems that the worm is hardwired to attack 198.137.240.91, which is only one of the computers that provide the service known by name as 'www.whitehouse.gov'," said Paul Ducklin, head of global support at antivirus software vendor Sophos. "It seems that this particular IP number has been disassociated from www.whitehouse.gov in a move that has allowed the site to keep working fine. This is good."

ISPs are also pitching in to stop the attempted denial-of-service attack.

"It also appears that many ISPs are blackholing that address," said Ducklin, referring to a technique that sees ISPs discard packets addressed to a specific IP address. "This defense is likely to work well in this case - because the worm is capable of generating a lot of unnecessary Internet packets."

The NIPC calls the Indexing Service DLL vulnerability a "serious threat" and said it expects to see other attacks exploit the security flaw.

To guard against the attack and prevent the worm from spreading further, users should apply a security patch developed by Microsoft to address the vulnerability, Ducklin said. However, the patch must be widely applied to stop the worm from spreading, he said.

"If only a small percentage (of users) apply the patch, the worm will continue to spread and generate significant amounts of Internet traffic," Ducklin said.

Fortunately for users, Code Red's attempt to initiate a denial-of-service attack on the White House Web site provides an opportunity to patch their systems.

"It appears that all running instances of the worm are now in 'attack whitehouse.gov' mode. So instead of spreading, they will now spend a few days mounting the attack instead. This is an ideal time for people to patch their IIS servers and reboot," he said.

"Because this worm lives in memory only, it doesn't make a permanent copy of itself to your hard disk. Rebooting after applying the patch not only gets rid of (the worm), it also makes sure that the worm can't reinfect your computer. So this course of action is good for your own site, and good for the Internet community as a whole," Ducklin said.

More information on the IIS Indexing Service DLL and patches that close the vulnerability are available on Microsoft's Web site at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

CERT/CC, in Pittsburgh, is at www.cert.org/

The NIPC, in Washington, D.C., is at www.nipc.gov/

The IDG News Service is a Network World affiliate.

Copyright, 1994-2006 Network World, Inc. All rights reserved.