'Code Red' worm exploits Windows NT flaw

ITworld.com –

A malicious worm, named Code Red, that exploits a buffer overflow vulnerability in certain configurations of Microsoft Corp.'s Windows NT and Windows 2000 operating systems has spread rapidly over the Internet, according to the CERT Coordination Center (CERT/CC). As many as 225,000 computers have been affected, the organization said.

Code Red exploits a buffer overflow in the Microsoft Internet Information Server (IIS) Indexing Service DLL (Dynamic Link Library), CERT/CC said. The vulnerability is present in most versions of IIS 4.0 and IIS 5.0, it said.

According to an announcement issued on June 19 that described the vulnerability, this buffer overflow allows an attacker to gain complete control of a targeted system.

If an affected host's default language is English, Code Red will deface all Web pages served by the affected host with the message "HELLO! Welcome to http://www.worm.com! Hacked By Chinese!" In addition to Web defacement, the worm causes a degradation in overall system performance as it scans other hosts in a bid to propagate itself, CERT/CC said.

If the default language on the host is not English, the worm will continue scanning but no defacement will occur, CERT/CC said. Code Red can also initiate "severe denial of service" attacks as it scans non-compromised systems and networks for the IIS Indexing Service DLL buffer overflow vulnerability, CERT/CC said.

A denial of service attack can occur because the worm uses the same random number generator seed to create the list of IP addresses it scans, CERT/CC said. As a result, all affected hosts scan the same IP addresses, it said.
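The scanning mechanism described above, as an added illustration that is not part of the original article: two simulated fleets of infected hosts, one where every copy seeds its random number generator with the same constant and one where each copy seeds it differently. The seed value, fleet size and scan-list length are assumptions chosen for the demonstration, not Code Red's actual parameters.

```python
"""Added example (not from the article): why a fixed PRNG seed turns a
worm's scanner into a distributed denial of service.

Each infected host builds its target list from a pseudo-random number
generator.  If every copy seeds the generator with the same constant,
every copy produces the same list in the same order, so the first
addresses on that list are probed by every infected host at once.  A
per-host seed spreads the probes across the address space instead.

FIXED_SEED, HOSTS and TARGETS_PER_HOST are illustrative assumptions.
"""
import ipaddress
import random
from collections import Counter

FIXED_SEED = 1            # assumed constant standing in for a hard-coded seed
TARGETS_PER_HOST = 1000   # assumed length of each host's scan list
HOSTS = 50                # assumed number of infected hosts in the simulation


def scan_list(seed, count=TARGETS_PER_HOST):
    """Return the ordered list of IPv4 addresses one worm instance would probe.

    Addresses are drawn from the full 32-bit space; private, loopback,
    multicast and reserved ranges are skipped so only globally routable
    targets remain, as a real scanner would want.
    """
    rng = random.Random(seed)
    targets = []
    while len(targets) < count:
        addr = ipaddress.IPv4Address(rng.getrandbits(32))
        if addr.is_global:
            targets.append(str(addr))
    return targets


def probe_concentration(seeds, count=TARGETS_PER_HOST):
    """Simulate one infected host per seed and count probes per target.

    Returns (number of distinct targets probed, most probes on any one target).
    """
    hits = Counter()
    for seed in seeds:
        hits.update(scan_list(seed, count))
    return len(hits), max(hits.values())


def static_seed_fleet(hosts=HOSTS):
    """Every host seeded with the same constant, as the article describes.

    All hosts walk the same list, so only TARGETS_PER_HOST distinct addresses
    are ever probed and each of them is hit by every host.
    """
    return probe_concentration([FIXED_SEED] * hosts)


def per_host_seed_fleet(hosts=HOSTS):
    """Each host seeded differently (e.g. from its own address or clock).

    The probes are spread over roughly hosts * TARGETS_PER_HOST distinct
    addresses and no single address is hammered.
    """
    return probe_concentration(range(1, hosts + 1))


if __name__ == "__main__":
    same_list = scan_list(FIXED_SEED) == scan_list(FIXED_SEED)
    print("two hosts with the same seed produce identical scan lists:", same_list)
    distinct, worst = static_seed_fleet()
    print(f"static seed: {HOSTS} hosts probe {distinct} distinct addresses, "
          f"busiest address receives {worst} probes")
    distinct, worst = per_host_seed_fleet()
    print(f"per-host seed: {HOSTS} hosts probe {distinct} distinct addresses, "
          f"busiest address receives {worst} probes")
```

The first few addresses on the shared list receive a probe from every infected host within moments of infection, which is the traffic concentration CERT/CC warned about; the per-host-seed run shows the same number of probes spread so thinly that no target notices.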

The Web site of the White House, the official residence of the U.S. president, has been the target of a denial of service attack initiated by the Code Red worm, according to the National Infrastructure Protection Center (NIPC), which is run by the U.S. Federal Bureau of Investigation.

Code Red attacks the White House Web site by opening 100 simultaneous connections to its Web server, the NIPC said in a statement, adding that the worm was programmed to begin the attack at 00:00 GMT on July 20. At 09:30 GMT, the White House site was seen to be operating normally.

"It seems that the worm is hardwired to attack 198.137.240.91, which is only one of the computers which provide the service known by name as 'www.whitehouse.gov'," said Paul Ducklin, head of global support at antivirus software vendor Sophos Pty Ltd. "It seems that this particular IP number has been disassociated from www.whitehouse.gov in a move which has allowed the site to keep working fine. This is good."

ISPs (Internet service providers) are also pitching in to stop the attempted denial of service attack.

"It also appears that many ISPs are blackholing that address," said Ducklin, referring to a technique that sees ISPs discard packets addressed to a specific IP address. "This defense is likely to work well in this case -- because the worm is capable of generating a lot of unnecessary Internet packets."

The NIPC calls the Indexing Service DLL vulnerability a "serious threat" and said it expects to see other attacks exploit the security flaw.

To guard against the attack and prevent the worm from spreading further, users should apply the security patch Microsoft developed to address the vulnerability, Ducklin said. However, the patch must be widely applied to stop the worm from spreading, he said.

"If only a small percentage (of users) apply the patch the worm will continue to spread and generate significant amounts of Internet traffic," Ducklin said.

Fortunately for users, Code Red's attempt to initiate a denial of service attack on the White House Web site provides an opportunity to patch their systems.

"It appears that all running instances of the worm are now in 'attack whitehouse.gov' mode. So instead of spreading, they will now spend a few days mounting the attack instead. This is an ideal time for people to patch their IIS servers and reboot," he said.

"Because this worm lives in memory only it doesn't make a permanent copy of itself to your hard disk. Rebooting after applying the patch not only gets rid of (the worm), it also makes sure that the worm can't reinfect your computer. So this course of action is good for your own site, and good for the Internet community as a whole," Ducklin said.

More information on the IIS Indexing Service DLL and patches that close the vulnerability are available on Microsoft's Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.

CERT/CC, in Pittsburgh, can be contacted at +1-412-268-7090 or reached online at http://www.cert.org/. The NIPC, in Washington, D.C., can be reached at +1-202-323-3205 or via the Web at http://www.nipc.gov/.
