At least two New Zealand organisations were affected in the second round of attacks by the Code Red worm, according to Auckland security specialist Co-Logic.
By Thursday morning, a "large company with an e-commerce presence" and a customer of an internet service provider had been hit by the worm, says Co-Logic managing director Arjen de Landgraaf, who runs security alert service E-Secure IT.
De Landgraaf says Code Red re-activated later than expected, making its first attacks on E-Secure IT’s own servers at 1am today (New Zealand time).
There had been 20 attempts on its servers by 9.30am today, de Landgraaf says.
Microsoft New Zealand senior developer and account manager Richard Burte says the company, which issued a patch after Code Red first appeared on July 19, had received few calls about the worm as of this morning.
“There’s been a lot of publicity about it and that’s a good thing, because it’s sent the message that servers have to be maintained; they have to be patched and kept up to date.”
The worm exploits a hole in the company’s Internet Information Services (IIS) 4.0 and 5.0, part of Windows NT and 2000.
Systems administrators and individual users in New Zealand, the US and other western nations may have generally made use of the patch, but the greatest impact of Code Red will probably be in Asia, de Landgraaf says.
“In China there are a lot of pirated versions of Windows NT and users won’t download the patch for fear of being found out.”
One of Code Red’s calling cards is the appearance on an infected site of the message “welcome to www.worm.com – this site has been hacked by Chinese”.
(A story in Computerworld last week about an attack on Ansett Australia’s website turned out to be a case of Code Red. See Ansett frequent flyer site suffers "mystery" disruption).
With the media focusing on Code Red in the past few days, it’s important to remember the Sircam virus is far more dangerous, de Landgraaf says.
“Code Red is a worm and Sircam a virus – they’re two quite different things.”