[infowar.de] Newsbytes 6.8.01: Code Red 'Hype' Helps Blunt Impact Of Evil Cousin
Code Red 'Hype' Helps Blunt Impact Of Evil Cousin
By Steven Bonisteel, Newsbytes
PITTSBURGH, PENNSYLVANIA, U.S.A.,
06 Aug 2001, 5:59 PM CST
After the resurgence of the notorious Code Red worm failed to snarl Internet traffic last week, government and industry security officials behind an unprecedented public education campaign faced accusations of a "Chicken Little" response to the Web server intruder. But even staunch critics may be glad that a new worm following in Code Red's wake was not the first self-propagating code to take advantage of the same vulnerability in many Microsoft Windows-based servers.
Internet security watchers say that another worm that was first noticed Saturday is designed to race across the Net and effectively unlock the door of every vulnerable host running certain configurations of Microsoft's IIS Web server software. Capable of spreading even faster than its predecessor, the worm that has been dubbed Code Red II leaves behind a "backdoor" on compromised servers that could allow even meagerly skilled "hackers" to have their way with them.
Exactly how many Web servers are still vulnerable to the attacks that work like Code Red is difficult to determine, but Chad Dougherty, an Internet security analyst with the CERT Coordination Center (CERT/CC), a computer security clearing house in Pittsburgh, told Newsbytes that between 120,000 and 150,000 would be a good estimate.
Ironically, the best count of machines likely to be hit by Code Red II - believed to be an original creation - is based on logs of servers currently infected by variations of the original Code Red worm. Infected servers announce their presence by scanning the Internet in search of new hosts to infiltrate.
Dougherty said any server that is infected by the older Code Red can be infected by the new worm. And, since both worms are theoretically capable of infecting all vulnerable servers within a day, it's unlikely that many vulnerable servers will be spared unless they are patched with software available from Microsoft.
The CERT/CC estimate of servers still vulnerable to both worms appears in line with data collected by the Cooperative Association for Internet Data Analysis (CAIDA) in La Jolla, Calif., which has been monitoring Windows-based hosts running Microsoft's IIS Web server software since the fastest-spreading version of Code Red appeared in mid-July.
David Moore, a technical manager at CAIDA, told Newsbytes last week that a count of the total number of machines infected at any one time after Code Red's highly publicized resurgence Aug. 1 had dropped to 120,000 from some 130,000 at its peak.
Data published on the CAIDA Web site put the total number of infected machines today closer to 100,000.
Steve Trilling, director of research at software maker Symantec's Anti-virus Research Center (SARC), said it is likely that many of the remaining vulnerable IIS servers are operated by companies or individuals who don't even know their computers are running Web server software.
Moore had said that CAIDA's tracking of infected servers had shown that some 12 percent of the nearly 300,000 servers initially infected by Code Red's first wave ending July 19 were likely operated by subscribers of cable modem or digital subscriber line (DSL) services - indicating home users or small businesses.
The worms take advantage of a hole in program code supporting functionality known as Microsoft Index Server 2.0 on Windows NT and as Indexing Services on Windows 2000 and XP. Even if administrators have no plans to use the indexing technology, a default installation of IIS will load software supporting the technology. That software fails to ensure that incoming data will fit within the computer memory reserved for it, leaving the system vulnerable to what's known as a buffer overrun.
eEye Digital Security, the Aliso Viejo, Calif., company that discovered the Web-server vulnerability exploited by the worms, reported that, while the new worm is not simply another version of Code Red, it does use a nearly identical method to force compromised servers to begin executing its rogue code. That means that, like Code Red, the new worm is successful in infecting only Windows 2000 and IIS 5.0 installations. On machines running Windows NT and IIS 4.0, the worm can cause the Web server to crash, but it can't use such hosts to spread.
However, eEye had also estimated that it would take a minor change to the Code Red software to make the worm capable of attacking IIS 4.0 servers.
Researchers said it's clear the new worm's author was inspired by the headline-grabbing Code Red because the program contains the text "CodeRedII" within it. The original Code Red worm wasn't named by its author. Instead, it got its moniker from researchers at eEye while they were disassembling the program.
Marc Maiffret, "chief hacking officer" at eEye, and colleague Ryan Permeh said in a security bulletin Sunday that Code Red II takes a double-barreled approach to ensuring infected servers can later be commandeered by the worm's author or by others.
The pair said their analysis showed the worm packed a Trojan component that copied the system's command shell (CMD.EXE) to files named ROOT.EXE in directories normally accessible via the Web server. In addition - as a sort of backup - the worm changes the system file EXPLORER.EXE so that, whenever it is run, it makes all files on drives C: or D: available via the Web.
Later, eEye said, by sending commands to ROOT.EXE (or CMD.EXE in its original location), a hacker could enjoy full control of the server.
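As an added defender-side example that is not part of the Newsbytes article or eEye's bulletin, the script below scans IIS W3C extended log lines for requests that name the backdoor binaries described above (ROOT.EXE copies in web-accessible directories, or CMD.EXE reached in place once drives C: and D: are exposed). The log lines, hostnames, addresses and paths are constructed; the field layout is taken from the embedded #Fields header.

```python
# Added example, not from the Newsbytes article: flag IIS requests that name the
# command-shell backdoor Code Red II leaves behind (CMD.EXE copied to ROOT.EXE in
# web-accessible directories, or CMD.EXE reached in place once drives C:/D: are
# exposed). Log lines, hosts, addresses and paths below are constructed.
import re
from typing import Dict, List

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-06 17:02:11 192.0.2.10 GET /index.htm 200
2001-08-06 17:02:35 198.51.100.7 GET /scripts/root.exe 200
2001-08-06 17:03:02 198.51.100.7 GET /msadc/root.exe 200
2001-08-06 17:03:40 203.0.113.4 GET /c/winnt/system32/cmd.exe 404
2001-08-06 17:04:15 192.0.2.11 GET /images/logo.gif 200
"""

# Match only the final path component, case-insensitively (NTFS is not
# case-sensitive, so ROOT.EXE and root.exe name the same file).
BACKDOOR_BINARIES = re.compile(r"(?:^|/)(?:root|cmd)\.exe$", re.IGNORECASE)


def parse_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names the columns
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip truncated lines
                records.append(dict(zip(fields, values)))
    return records


def find_backdoor_requests(log_text: str) -> List[Dict[str, str]]:
    """Return requests whose URI stem is root.exe or cmd.exe. The status code
    is reported, not filtered on: a 404 still shows a client probing for the
    backdoor, while a 200 means the copied shell actually answered."""
    return [
        {"ip": r["c-ip"], "uri": r["cs-uri-stem"], "status": r["sc-status"]}
        for r in parse_w3c(log_text)
        if BACKDOOR_BINARIES.search(r["cs-uri-stem"])
    ]


if __name__ == "__main__":
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print(f"{hit['ip']} requested {hit['uri']} (status {hit['status']})")
```

A hit with status 200 from a real log is a sign the host should be treated as compromised, which matches Trilling's point below that cleaning the backdoor does not tell you what else was touched.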
SARC's Trilling said his company's virus-fighting software can clean up the command shell backdoor, but server operators need to know that once a hacker has actually taken advantage of that opening there is no way to be sure what files on the system may have been compromised.
All the security experts recommend that IIS users apply a patch for the vulnerability that Microsoft has had available on its Web site since June 18.