The malicious Code Red worm, which affected more than 280,000 systems earlier this month, is expected to begin propagating itself again on Aug 1 ( 5 pm PDT, July 31), and is likely to re-infect tens of thousands of systems.
Anti-virus experts are warning that when the system clocks roll over to next month, the Code Red worm will quickly propagate itself and compromise all vulnerable systems by August 2. The US-based computer security warning organization Cert said in an alert today that widespread denial of service attacks will hit unpatched servers using versions of Microsoft's Internet Information Server (IIS) software within 18 hours.
"It is pseudo-random, and will try to attack the same list of servers as before," said Mark Read, systems security analyst for computer security company MIS Corporate Defence Solutions. "But there is a high chance that two servers will follow the same attacking path and generate the same IP address, which will greatly reduce the span of the attack."
The time-sensitive worm replicates between Windows 2000 servers, and exploits the so-called Index Server flaw. The addresses of the servers that Code Red attacks are generated randomly, but because of a bug, each copy of the worm will try to attack the same list of servers. Once executed, the worm will start to create copies of itself in memory, in order to attack even more IIS servers at the same time.
If systems become simultaneously infected with multiple copies of the worm, degradation can be severe, and may cause some services to grind to a complete halt. The risk of this happening is increased by the fact that after showing the defaced version of the page for 10 hours, the worm reverses the process, and removes itself from the chain of functions used to sabotage the Web page. The infected IIS server is then able to return to the normal pages when requested. "It is clever and appears to have cleared itself out of the system, with administrators thinking that things are back to normal," explained Read.
Microsoft is urging system administrators to patch the hole before the second wave of programmed attacks occurs.
"This is certainly the future for viruses--people are now more aware that if they receive an executable attachment they should not click on it," said Read. "The way forward is now viruses that replicate themselves through poorly administered servers."