Code Red II: A double whammy

A new worm is on the loose, and it's hitting systems harder than Code Red did last week. It does more than just overwhelm networks--it opens a back door for hackers.
A new worm, similar to Code Red but perhaps more virulent, was spreading across the Internet on Monday, infecting systems and potentially leaving them vulnerable to further attacks.

"Compared to last week's (Code Red) attacks, this one is hitting harder," said Matt Fearnow, a security expert who tracks computer viruses and hacking incidents for the Systems Administration, Networking and Security Institute (SANS).

The new worm, which was discovered Friday, does more than just overwhelm networks. After it infects a computer server, it reboots the computer and leaves behind a "back door" that could allow a hacker to gain control of or access the infected systems, Fearnow said.

Security information service SecurityFocus has posted an alert on the new bug, warning that it is potentially more damaging than the relatively benign original that infected hundreds of thousands of systems beginning July 11.

SecurityFocus said it has tracked about 170,000 IP addresses from systems that have been infected, which the company estimates means there are probably about 400,000 systems that have been compromised.

“This thing has been spreading real, real quickly,” said Ryan Russell, an incident analyst at SecurityFocus. “It’s only been since Saturday morning that (Code Red II) started."

The original Code Red worm prompted the White House to move the address of its Web site and led to government warnings from the FBI. But the reactivated worm was seen as having tapered off by the end of last week.

The new worm, which some are calling Code Red II, attacks the same vulnerability--originally reported in June--in Windows 2000 and Windows NT servers running Microsoft's Internet Information Service (IIS) Web server software.

The two major differences between the original Code Red worm and the new variant is the way the latest bug spreads itself and the establishment of the back door.

Security experts said the new worm has the potential to spread faster and consume more network bandwidth.

"Whether it is attacking more systems than the one last week, I don't know for sure," said Jerry Freese, director of intelligence at Vigilinx, a New Jersey-based network security company. "But I do know that this one can spread a little quicker based on its addressing scheme."

Marc Maiffret, chief hacking officer with eEye Digital Security, the company that found the IIS flaw, said the same techniques will prevent infection with the new bug, including installing Microsoft's patch for the IIS hole. But once a computer is infected with the latest strain, there are several additional files that must be deleted to remove the back door.

The new strain is also busier. Whereas the original Code Red looked for 100 systems at a time to infect, the new strain looks for 300 at a time, unless the infected computer is running a Chinese-language version of Windows NT or Windows 2000, in which case it looks for 600 computers at a time, Maiffret said.

The new bug also uses the attacked computer's Internet Protocol (IP) address to look for nearby systems to infect, operating on the theory that if there is one vulnerable computer, there could be others nearby, Maiffret said.

The appearance of the variant confirms worries that the Code Red bug would lead to other, more damaging infections, Maiffret said.

"Even this, it's more malicious but it is not nearly as bad as it could have been," Maiffret said. But while an even worse bug could be in the offing, Maiffret said more and more people are installing the patch that protects against the original Code Red and the new strain.

"Each one of these, in a way, is helping to secure things," Maiffret said.

Fearnow said SANS is working on posting instructions for removing the back door created by the new worm.

Bruce Pennypacker, who works for an Internet search company in Massachusetts, said that at last check his personal system had 939 probes by the two Code Red worms, with 793 coming from the new variant.

"I'm seeing an average of about 10 to 50 scans per hour at this point, mostly from RoadRunner (cable modem) IP addresses," Pennypacker said in an email interview.

Russell of SecurityFocus said many of those being hit with the new bug are those infected by the original Code Red.

“We’re seeing a very large correlation rate between IP addresses from the last Code Red, which unfortunately means people just aren’t paying attention and getting the patches installed,” Russell said.

Such bugs will not go away if people don’t close the vulnerability, he said. “These will keep going until everybody gets cleaned up.”

For those that have been hit with Code Red II, SecurityFocus has posted instructions to remove the back door, but Russell and others recommend reinstalling a backed up version of the server’s software in case any other intrusions were made while the system was compromised.

Editorial standards