- A new internet worm has been spotted that attacks Microsoft Internet Information Server (IIS) systems that are vulnerable to a month-old security flaw.
The worm could lead to denial of service attacks against affected sites, according to the researchers who discovered it.
The worm has been dubbed "Code Red" by the researchers at eEye Digital Security, who discovered it, both because the worm defaces web pages with the text "Hacked by Chinese" and because Code Red Mountain Dew soda fuelled an all night session in which the worm was identified and analysed, according to a posting to the Bugtraq email list by Marc Maiffret, chief hacking officer at eEye and one the discoverers of the worm.
Code Red attacks IIS servers vulnerable to the index server flaw discovered in June by eEye and for which Microsoft issued a patch. The worm, which allows a hole in the server to be exploited to gain complete control of affected system, can infect all unpatched servers running Windows NT 4, Windows 2000, Windows XP and IIS 4.0 or higher with indexing features enabled.
When the worm infects a system, it checks for the file c:\ notworm and if not does not find that file, the worm scans 100 random IP (Internet Protocol) addresses searching for new, vulnerable IIS servers, according to the advisory released by eEye. Though the worm was thought to be querying a website at http://www.worm.com, eEye's Maiffret now says that that now does not appear to be the case. If the server that the worm infects is running on an English-language version of Windows, the worm will deface the website to read "Welcome to http://www.worm.com! Hacked by Chinese!," according to eEye.
The use of worm.com in the defacement is nothing more than the equivalent of saying "Welcome to screw you.com," Maiffret says. The actual worm.com website has been taken offline, however, according to a Microsoft representative. Maiffret doubts that worm.com is actually part of the worm because "God, that would be really stupid and there are some really smart things in this code," he says.
If the worm finds other vulnerable systems, it will copy itself to them and repeat the process. Though the addresses are nearly random, each time the worm begins the scan, it starts from the same address list, meaning that addresses that come early in the sequence of those too be scanned are likely to be hit repeatedly as the worm spreads, the advisory says.
Additionally, the worm will check the infected system's date, and if it finds that the date is between the 20th and 27th of the month, the infected system will send 100K bytes of traffic to port 80 (the server address for HTTP, hypertext transfer protocol, traffic) to the Whitehouse.gov website, new research showed Thursday, according to Maiffret. From the 1st to the 19th, the worm spreads itself, and from the 28th to the end of the month, it lays dormant, he says.
The worm is "still continuing to grow, infecting more machines, which in turn, are launching more attacks," according to Russ Cooper, surgeon general of TruSecure and editor of the security email list NTBugtraq (which is distinct from BugTraq). "We're just lucky it doesn't do anything more malicious," he says.
Code Red is spreading quickly, Cooper says, pointing to figures from the security website DShield.org, which tracked the worm as being hosted on 27 IP addresses on July 13, resulting in 611 probes for new machines to infect. However, by July 16, DShield counts over 6150 infected machines, resulting in over 316,000 probes. EEye's Maiffret says that one system administrator who contacted the company said he had tracked over 15,000 infected systems. Additionally, a government agency who told Maiffret that they had to remain anonymous is also tracking the worm and has found over 68,000 infected systems, he says.
Microsoft is taking steps to both help its customers deal with the Code Red worm, as well as improve its security notifications, Culp says. First, the company contacted the host of the www.worm.com website and has had the site taken offline, he says. Also, the company is directly contacting a number of its customers about the worm and all IIS patches are now cumulative, that is, they include all previous patches, not just the most recent one, Culp says.
"The easier we make it for people to get the patches, the more likely it is they'll use them," he says.