Code Red attacks - backdoors are wide open

The new Code Red worm has left thousands of servers around the world open and vulnerable to attack from outside and many of the administrators running them don't even realise it.

Code Red 3.0 uses the same buffer overflow exploit as the original Code Red but has a different payload - it installs a backdoor on the infected server. This backdoor leaves the machine open to just about anything.

"I'm looking at over 1000 servers just in this region that have tried to infect my machines. I could do just about anything I wanted to any of them," says Auckland-based internet consultant Dylan Reeve.

"Anything" in this instance includes sending data to those machines, deleting files, copying files, activating applications running on that machine or even formatting the hard drive.

"There's a lot of talk about simply going into these infected machines and switching off [Microsoft Internet Information Server] IIS for them, but there are ethical questions involved with that." Reeve says he has seen discussion on IRC about whether the infected users should be helped or taken advantage of; how long it will be before someone starts damaging or destroying these infected machines is another question.

"Some of them will be running small business sites and they'll have credit card information or billing addresses and so on".

While Microsoft can come in for a lot of flak for security breaches and the like, Reeve says in this case Microsoft had released a patch for the buffer overflow problem in June, a full month before Code Red was released.

"Sometimes yes, it is Microsoft's problem. But this time it's just as much the fault of administrators not knowing enough to patch their systems."

Reeve says, however, that some admins have been caught out by a recent Microsoft move. "A lot of administrators disabled the extension that would enable Code Red to infiltrate their system when they installed it, but a service pack re-activated it without them knowing."

Microsoft is coming under fire in the US as well for its security record. Last year Microsoft issued 100 security bulletins and this year has come up with another 42 already. Microsoft's manager for the security response centre, Steve Lipner, says the company undertakes a massive effort to find security flaws in products "before they get out the door".

Lipner's team uses an application called Prefix which scans the entire code base of the Windows operating system as well as all Office products for potential vulnerabilities. It's an effort that represents a "significant investment" across the company and "absolutely has commitment from the top" according to Lipner.