Sounding the Code Red Alarm

  07/31/2001 3:06:17 PM MDT Albuquerque, Nm
  By Dustin D. Brand; Owner AMO

Code Red infected 250,000 Servers in it's first day, bunker down and fix the vulerbility before it strikes again.
  In a rare meeting of the FBI and industry leaders today in Washington D.C., a unique warning about the Code Red Internet Worm stated that it will surface again today for another round of attacks.

  "Users must act quickly to mitigate damage from the worm," cautioned Ronald Dick, director of FBI's National Infrastructure Protection Center (NIPC) in Washington. "Government and industry are doing all we can to get the word out," Dick continued.

  Code Red is unique because it feeds on a bug in Microsoft Windows NT and 2000 Index Server which was fixed June 18, and Code Red Surfaced July 19th. The bug/flaw allows the Code Red program to run, scan for more victims, and then attack in unison.

  Because of the scale at which Code Red proliferated, and mainly because of it's ability to attack areas of the internet in unison, Code Red needs to be prevented from spreading immediately.

  The White House was one such target, but was easily fixed by changing it's IP Addresses and patching the vulnerability.

  The first 19 days of a month the worm is set up to scan and infect, but from day 20 until day 27 the worm floods a certain IP address.

  "We have no idea what the ultimate target is. The proliferation of the worm and the volume of its impact are now of ultimate concern," Dick said. Code Red is a self-propagating worm. It scans the Internet for vulnerable systems and infects these systems by installing itself. Once it has nestled itself on a server, it uses that server to scan the Internet for other vulnerable servers and infects those. Web pages on compromised servers are altered. In the first nine hours of its outbreak on July 19, Code Red infected more than 250,000 systems, according to the CERT.

  "When the worm was first discovered, it infected servers for a couple of days. Administrators had started patching servers but may have stopped, thinking the threat was gone," Leech said. "We've got to make sure everybody applies the patch. We could be facing an Internet meltdown, depending on how many unpatched servers are out there. It's going to come down to how many vigilant administrators are out there."

  More information on the IIS Indexing Service DLL flaw and the software fix are available on Microsoft's TechNet Web site at security/bulletin/MS01-033.asp. IIS Web Administrators should check for installation of the patch and run it immediately if IIS has not been updated.

  Related AMO Articles:
   Sircam worm still spreading; stop it.
   Sircam worm, protect yourselves, heres how.