Code Red hits DSL routers, cable-modem networks
The Code Red worm in all its variants continues its destructive spread, not only worming its way into hundreds of thousands of Microsoft Corp. Web servers, but also having a newly noticed impact on a broad range of Cisco Systems Inc. equipment, including DSL (digital subscriber line) routers within the Qwest Communications International Inc. network.
In addition, cable Internet providers, including Time Warner Cable Inc., AT&T Broadband Inc., Cox Communications Inc. and Excite@Home Inc., have experienced network slowdowns as the new, rewritten version of Code Red discovered last weekend continues to spread.
Cox spokeswoman Laura Oberhelman said: "We're monitoring the network for Code Red. Because of the high volume of traffic that the Code Red worm generates, we are having a traffic slowdown, particularly with e-mail."
When Cox technical staff identify an infected Microsoft Web server on the Cox Internet cable service, Cox personnel contact the subscriber to temporarily disconnect them from the Cox network and help them eliminate the Code Red worm from the infected machine.
Cox would not say exactly how many of its subscribers were affected in this way, but said it was only a small percentage.
Dubbed Code Red II, the new computer worm, which includes a dangerous backdoor Trojan, has bogged down the cable providers' networks by infecting Internet-connected machines running the Microsoft Web server.
Many enterprises were thrown into disarray this week by Code Red II.
The global news agency Associated Press found its Internet communications curtailed for a few days last week as its IT staff "scrubbed clean" the array of Microsoft IIS Web servers used internally and for news distribution, said spokesman Jack Stokes. Code Red II delayed updates on AP's Web site and affected a photo service used by smaller newspapers. AP's satellite communications were unaffected.
Motorola found Code Red II invading its global corporate intranet, forcing the company to shut it down to disinfect its Microsoft Web servers. Motorola employees switched to fax, phone and pager in place of e-mail.
Ironically, Microsoft's own MSN Hotmail servers were infected by the Code Red II worm because Microsoft had failed to patch its own servers.
Time-Warner's RoadRunner service issued an advisory to its customers this week, acknowledging that customers "may experience slow network response, flashing connectivity lights on the cable modem, and other activity, such as unusual port scan log activity or increased firewall activity." Time-Warner urged its customers to install the software patch Microsoft has made available to prevent Code Red from infecting Microsoft Windows NT or the Microsoft Windows operating system.
Other cable services also had problems.
"The day before yesterday, I couldn't even use my cable-modem service, AT&T Broadband," said Dennis Treece, director of the special operations group at vendor Internet Security Systems (ISS). As Code Red II worms its way into Web servers on the cable networks, it's having a particularly strong impact because the second version of Code Red "favors the neighborhood," says Treece.
The first version of Code Red, spotted in July, used a randomizer that looked for IP (Internet Protocol) addresses in a random way, often searching for addresses that weren't actually available. Code Red II scans more efficiently for IP blocks, which is probably the reason the cable-modem networks are becoming clogged.
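Added example (not part of the original article): a defender-side check that separates the two scanning styles described above by measuring, for each source, how many of its distinct port-80 targets fall inside its own address neighborhood. The flow records are constructed samples, and the /8 neighborhood, the minimum target count and the 50% cut-off are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample addresses (private and documentation ranges only).
LOCAL_SCANNER = "10.20.30.40"
RANDOM_SCANNER = "10.99.1.5"
NORMAL_CLIENT = "10.20.30.41"
LOCAL_TARGETS = ["10.20.1.5", "10.20.77.3", "10.20.200.9", "10.20.14.8",
                 "10.81.2.2", "10.140.9.1", "10.3.3.3",
                 "192.0.2.10", "198.51.100.20", "203.0.113.30"]
RANDOM_TARGETS = ["192.0.2.1", "192.0.2.2", "198.51.100.3", "198.51.100.4",
                  "203.0.113.5", "203.0.113.6", "10.5.5.5", "192.0.2.77",
                  "198.51.100.88", "203.0.113.99"]
# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = (
    [(LOCAL_SCANNER, d, 80) for d in LOCAL_TARGETS]
    + [(RANDOM_SCANNER, d, 80) for d in RANDOM_TARGETS]
    + [(NORMAL_CLIENT, "192.0.2.80", 80), (NORMAL_CLIENT, "10.20.1.5", 80)]
    + [(LOCAL_SCANNER, "10.20.1.5", 80),    # repeat contact, counted once
       (LOCAL_SCANNER, "192.0.2.25", 25)]   # not Web traffic, ignored
)

def same_prefix(a, b, bits):
    """True when IPv4 addresses a and b share their first `bits` bits."""
    shift = 32 - bits
    return (int(ipaddress.IPv4Address(a)) >> shift
            == int(ipaddress.IPv4Address(b)) >> shift)

def scan_profile(flows, port=80, min_targets=8, local_share=0.5):
    """Map each scanning source to (distinct targets, share in own /8, label)."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    report = {}
    for src, dsts in targets.items():
        if len(dsts) < min_targets:
            continue  # too few distinct hosts to treat as scanning
        near = sum(same_prefix(src, d, 8) for d in dsts) / len(dsts)
        label = "neighborhood-biased" if near >= local_share else "random-like"
        report[src] = (len(dsts), round(near, 2), label)
    return report

if __name__ == "__main__":
    for src, row in sorted(scan_profile(SAMPLE_FLOWS).items()):
        print(src, row)
```

A source labelled neighborhood-biased concentrates its load on the provider's own address space, which matches the congestion the cable operators report.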
The second version of Code Red also includes a dangerous back-door Trojan that can be used to totally commandeer a victim's machine.
The analysis ISS has done on Code Red II leads the company to believe that Code Red II may turn itself off in October. But if machine clocks in Microsoft Web servers are incorrectly set, the worm may re-awaken, as was the case with the earlier versions of Code Red.
As Code Red in its approximately four variations has spread, it has also affected Qwest DSL customers, who saw their Cisco DSL routers knocked off-line.
The DSL routers appear to have been knocked off-line by a large Internet Control Message Protocol (ICMP) echo ping that can cause the router to lock up. Code Red is getting the blame for much of the damage.
Brian Allen, director of network services and operations at Streaming Media Systems, a division of Broadcast Media Systems, said he has experienced problems for about a month, but it has grown worse since Code Red II started spreading this week.
According to Allen, Qwest has attributed the Cisco DSL router problem to "older" Cisco gear, but Allen noted that his company got its Cisco DSL router just last May to provide Qwest DSL service and Internet access for a dozen employees in Seattle.
Qwest informed Allen that the Code Red virus was impacting the DSL gear, and that the Qwest call center was experiencing very high call volumes because of it. Qwest issued instructions at its Web site on how to fix the DSL routers.
In the wake of Code Red, it's becoming clear how many products have embedded the Microsoft Web server as a management interface. This equipment, though not always thought of as a Microsoft Web server, needs to receive the patch for Code Red. The patch, available at the Microsoft Web site, prevents Code Red from exploiting a so-called buffer-overflow vulnerability to worm its way into the server.
Cisco, in its advisory issued July 31st, lists several types of Cisco equipment that are vulnerable to Code Red. These include Cisco CallManager; Cisco Utility Server; Cisco ICS7750; and Cisco Building Broadband Service Manager.
Cisco urges its customers to install the Microsoft patch for Code Red in these products.
In a more recent advisory, Cisco said that any router in the Cisco 600 family that is configured to allow Web access can be locked by sending a specific URL.
» posted by abennett
Network World Fusion