The return of Code Red
John McCormick
Published: 24 Mar 2003 11:23 GMT
A slight variant of the Code Red worm has appeared and is wreaking havoc in systems around the world despite having no new feature that would defeat any properly patched system or virtually any antivirus software. The major change in this version is the removal of the year limitation, which means it will essentially be with us forever. The fact that Code Red II (the previous incarnation of the worm) had a date limitation and has stopped spreading apparently led some administrators and users to ignore the patches that have been available since mid-2001.
Details
The original Code Red (now known as Code Red I) was designed to produce a distributed denial of service attack on the whitehouse.gov Web site, but it had no real effect because the payload targeted a specific IP. Once the worm was seen in the wild, the government simply changed the IP addresses for that server.
On June 18, 2001, Microsoft published a patch for the buffer overflow vulnerability in IIS file ldq.dll, which opened servers to this attack. That patch can block Code Red I, Code Red II, and this latest variant, Code Red.F.
Code Red II, which was first seen on August 4, 2001, took advantage of the same buffer overflow vulnerability in unpatched older Microsoft IIS Web Server versions. The big difference between Code Red I and II was that the payload carried by Code Red II wasn't a denial of service attack. Code Red II actually took over the server, allowing remote access to the infected system.
Code Red.F is a slight variant of the Code Red II worm. Like Code Red II, Code Red.F appears to differentiate between computers using the Chinese language and all others, but the difference is only one of timing and the intensity of the attack. After Code Red.F installs itself and its payload on Chinese systems, it sleeps for two or four days before it activates. On all other systems, it activates immediately upon installation.
It's likely that this Code Red variant is spreading once again because administrators of some infected machines don't realise they have IIS installed and therefore don't have any patches or service packs applied.
This latest version of the worm is variously known as Code Red.v3, Code Red.C, Code Red III, W32.Bady.C, and Code Red.F. Symantec reports that the backdoor planted by Code Red.F, Trojan.VirtualRoot, exploits a Windows 2000 vulnerability. To clear this vulnerability, install the security patch found in MS00-052, Relative Shell Path Vulnerability.
F-Secure provides a detailed analysis of this new version of Code Red with specific attention to the removal of date restrictions that killed off the Code Red II version at the end of 2002.
Code Red history lesson
31/07/2001: "Help & How-To: Code Red "
07/08/2001: "Code Red II: A double whammy "
24/08/2001: "Code Red is here to stay "
07/05/2002: "Code Red remains a major threat "
13/03/2003: "Code Red variant causes little alarm "
Applicability
In addition to Microsoft IIS 4.0 and 5.0 installations, other systems that are used to create Web pages, including those with FrontPage, may have IIS installed, perhaps without the knowledge of the user or administrator.
Previous
Did you find this article useful?
96 out of 171 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
