Commentary: Beware collateral damage from Red Code

While the bulk of the damage from the Code Red and Code Red II worms came from infecting computers, that's not the whole picture, says columnist Robert Vamosi.
Written by Robert Vamosi, Contributor on
In the first few days of August, Code Red and Code Red II scoured the Internet for Windows NT and 2000 systems running vulnerable versions of Microsoft IIS 4.0 and 5.0.

While their scanning failed to bring the Internet to a crawl, the Code Red worms did produce some very interesting side effects beyond those warned about by Microsoft and the government. You may have heard about the problems with Cisco routers, but did you know that Hewlett-Packard and Xerox printers were also affected by these worms?

Code Red aggravated a series of known vulnerabilities in the Cisco 600 family of routers. When Code Red began scanning the Internet on August 1, the scans (with their malformed requests) locked up the routers. Cisco released patches, and most warnings about the Code Red worms included some mention of the available patches.

Unfortunately, independent ISPs, who sold Cisco routers to home users as part of their DSL package, did not always share that information, and users were sometimes told by ISP support staff to cycle the power on their routers even though a permanent solution was available.

Some ISPs, such as Qwest, did post notices on their sites with links to Cisco's downloads; however, other ISPs simply decided to disable all incoming port 80 requests to their customers.

Port 80 is the port the Code Red worms scanned across the Internet. It is also the port home Web servers listen on for visitors. So, in the first two weeks of August, a few mom-and-pop Web sites simply went down: collateral damage from Code Red.

Besides affecting the firmware in Cisco routers, Code Red's scans also sideswiped networked printers from HP and Xerox. When corporate and university networked HP JetDirect printers got scanned by either Code Red worm, the printers didn't know what to do with the request.

Printers with older firmware (version G.05.35 and earlier) locked up and, in distress, spat out pages and pages of errors (in this case, a register dump). As with the routers, the temporary fix is to power-cycle the printer; the permanent solution is to upgrade the firmware.

Xerox N40 printers had similar problems, but tracking down this fix took a lot more time. Xerox's n4018725.exe driver is available, but not widely known. I'm not sure why this wasn't better publicized.

In the above cases, the printers themselves were not infected with the worm, nor can the printers spread it. Rather, the printers receive requests over the Internet that they don't know how to handle. Therefore, it is always a good idea to disable all unused protocols and print services on any networked printer.
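One defender-side way to find the devices this advice applies to is to compare accepted inbound port-80 connections against an asset inventory and flag anything that is not supposed to be a Web server. The following is an added example, not part of the original column: the firewall log format, the IP addresses, and the inventory are all constructed for illustration, and a real log would need its own regular expression.

```python
"""Flag port-80 traffic that reaches hosts which should not serve HTTP.

Added example (not from the original column). The log format, addresses
and inventory below are constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed asset inventory: which hosts are meant to serve HTTP at all.
# In practice this comes from an asset database or a scan of owned ranges.
INVENTORY = {
    "192.0.2.10": "web-server",
    "192.0.2.20": "printer",      # e.g. a JetDirect-attached HP printer
    "192.0.2.21": "printer",      # e.g. a Xerox N40
    "192.0.2.1": "dsl-router",    # e.g. a Cisco 600-series router
}

# Constructed firewall log format:
#   "<timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample log: two outside sources probing port 80 across the range.
SAMPLE_LOG = """\
2001-08-01T00:00:01Z ACCEPT TCP 198.51.100.7:1025 -> 192.0.2.10:80
2001-08-01T00:00:02Z ACCEPT TCP 198.51.100.7:1026 -> 192.0.2.20:80
2001-08-01T00:00:02Z ACCEPT TCP 203.0.113.9:3001 -> 192.0.2.20:80
2001-08-01T00:00:03Z ACCEPT TCP 203.0.113.9:3002 -> 192.0.2.21:80
2001-08-01T00:00:04Z ACCEPT TCP 198.51.100.7:1027 -> 192.0.2.1:80
2001-08-01T00:00:05Z ACCEPT TCP 198.51.100.8:2000 -> 192.0.2.20:9100
2001-08-01T00:00:06Z DROP TCP 203.0.113.9:3003 -> 192.0.2.21:80
not a log line
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def port80_to_non_web(log_text, inventory=INVENTORY):
    """Return {dst: {"role", "hits", "sources"}} for hosts that ACCEPTed inbound
    TCP/80 connections but are not listed as Web servers in the inventory.

    Dropped connections are excluded: they never reached the device.
    """
    exposed = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dport"] != "80":
            continue
        role = inventory.get(rec["dst"], "unknown")
        if role == "web-server":
            continue
        entry = exposed.setdefault(rec["dst"], {"role": role, "hits": 0, "sources": set()})
        entry["hits"] += 1
        entry["sources"].add(rec["src"])
    return exposed


def scanning_sources(log_text, min_targets=2):
    """Return {src: distinct_port80_targets} for sources that touched at least
    min_targets distinct destinations on TCP/80 (accepted or dropped).

    Counting distinct destinations rather than raw hits is what separates a
    sweep of the address range from a busy client talking to one server.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != "80":
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for dst, info in port80_to_non_web(SAMPLE_LOG).items():
        print(f"{dst} ({info['role']}): {info['hits']} accepted TCP/80 hits from {sorted(info['sources'])}")
    for src, n in scanning_sources(SAMPLE_LOG).items():
        print(f"{src} swept {n} distinct hosts on TCP/80")
```

Each host reported by `port80_to_non_web` is a candidate for the fix the column describes: disable the embedded HTTP and other unused services on printers, patch the routers, and decide at the edge whether inbound port 80 needs to reach that address at all.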

I also heard from Mac users who felt Code Red. The sheer number of focused port 80 requests brought down some Mac-based Web servers. Users of Quid Pro Quo 1.0.2 can vaccinate themselves from future Code Red scans with a Code Red Killer plug-in (available with instructions in English and Japanese) or simply upgrade to version 2.0.

Unfortunately, these current Code Red worms are just a sample of what's to come. Future variations may target specific ISPs and may uncover more hardware bugs as a side effect. Stay tuned: There are only nine more shopping days until Code Red wakes up again.
