Code Red a Warmup?
By: Dennis Fisher, eWEEK
August 10, 2001
As the Code Red II worm tore through the Internet this week, infecting servers at Microsoft Corp. and causing outages around the country, security experts worried that this latest attack is just a dry run for crackers who may be gearing up for something far worse.

The worm, which first appeared Aug. 4, uses the widely publicized .ida buffer-overflow vulnerability in Microsoft's Internet Information Server 4.0 and 5.0 Web software to compromise machines running Windows 2000 and plant a backdoor, opening the infected machines up to future attacks.
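As an added illustration, not from the article or from eWEEK, the following defender-side check reads IIS W3C Extended log lines and flags requests for .ida resources that carry an abnormally long query string, the shape of request the .ida overflow described above depends on. The sample log excerpt and the 200-character cutoff are constructed assumptions, not values taken from the article.

```python
# Constructed W3C Extended log excerpt (not from the article). IIS declares
# the column order with a #Fields directive, which the parser honours.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 10:01:02 192.0.2.10 GET /index.htm - 200
2001-08-06 10:01:09 198.51.100.7 GET /default.ida {0} 200
2001-08-06 10:02:31 192.0.2.11 GET /search.ida q=test 200
2001-08-06 10:03:00 203.0.113.5 GET /default.ida {1} 500
""".format("A" * 300, "B" * 260)

IDA_QUERY_THRESHOLD = 200  # assumed heuristic cutoff, not from the article


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue  # other directives (#Software, #Version, #Date) carry no data
        if fields is None:
            raise ValueError("data line seen before any #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def find_ida_overflow_attempts(text, threshold=IDA_QUERY_THRESHOLD):
    """Return (client_ip, uri_stem, query_length, status) for suspect .ida requests.

    A normal .ida query (a short search string) stays below the threshold;
    an overflow attempt needs far more bytes than any legitimate query.
    """
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)  # IIS logs an empty query as "-"
        if stem.endswith(".ida") and qlen >= threshold:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], qlen, rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, stem, qlen, status in find_ida_overflow_attempts(SAMPLE_LOG):
        print(f"{ip} requested {stem} with {qlen}-byte query (status {status})")
```

The status column is kept in each hit because a flood of such requests followed by server errors is the pattern an administrator would look for after an outage.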
However, unlike the earlier Code Red worms, this latest piece of so-called "malware" cannot compromise servers running Windows NT 4.0, which represent the vast majority of the nearly 6 million IIS machines on the Internet.
When it attacks a machine running NT 4.0, Code Red II is able to execute its buffer-overflow attack. But the worm then jumps to the wrong portion of memory space and is unable to install the backdoor, so it simply crashes the server instead, according to Dan Ingevaldson, senior researcher with the X-Force at Internet Security Systems Inc., in Atlanta.
The decision by the Code Red II worm's author to attack the smaller
base of Windows 2000 machines leads many experts to believe that
it is simply a warm-up for a future attack.
"It would be pretty simple to make it attack NT 4.0 machines,"
Ingevaldson said. "I think it's pretty obvious that the lessons
learned from the first Code Red worm were used to write this one.
The next big vulnerability could be mated to a worm like this
and then we're off and running."
Buffer overflows are among the most common software vulnerabilities,
and Ingevaldson and others say it would not be difficult for a
worm author to adjust his or her code to exploit another such
flaw.
Officials at Microsoft, which had some of the servers used by
its Hotmail e-mail server infected by Code Red, say the fact that
Code Red II compromises only Windows 2000 servers is superfluous
and was likely just an arbitrary choice by the worm's author.
Security experts disagree, saying that the lack of a compromise
for NT 4.0 is likely a mistake that either the worm's creator
or another cracker will find and fix soon enough.
And, in a related development, it turns out that some servers running IIS 4.0 are still vulnerable to the original Code Red worm after a patch is installed. If the server has URL redirection enabled, one of the buffer overflow's processes will crash the server, according to a bulletin on the SANS Institute's Web site.
The workaround for the problem is to remove all URL redirections from the server, SANS said. In related news, Reuters reported Friday that a Code Red III virus may have been found in Asia.